Pen used to do a practice exam.

Domain 5 Quiz

Domain 5 Quiz

  1. Your CEO has met with the CEO of another company, and they have agreed to work together to develop a new service. Authentication and identity management will be connected across the two organizations. Given the sensitivity of the development project, user authentication and authorization will use a centralized server running the best available trusted third-party service. Users will receive identity and service tokens from a unified authentication and authorization service, which requires that system clocks be synchronized across the organizations. Applications will be limited to those written with the API of that service. What do you need?
    1. BPA
    2. Federation
    3. Kerberos
    4. KDC
    5. NTP
    6. Kerberization
    This is a very difficult type of question because it isn't primarily a cybersecurity question. You have to understand the cybersecurity terms and concepts, but it's really testing your ability to analyze English prose. All choices are relevant and correct in some sense, I put them in the same order to make this easier:
    1. BPA = the CEOs met
    2. Federation = connecting IAM
    3. Kerberos = best available 3rd party authentication service
    4. KDC = Key Distribution Center, the Kerberos server
    5. NTP = Network Time Protocol
    6. Kerberization = (re)writing an application with the Kerberos API, making it Kerberized
    Figure out the answer by analyzing the verbs. Most of this is a narrative story, explaining what has or will happen. The question is "What do you need?", and the verb require is associated with synchronizing system clocks. NTP is required, we need NTP; everything else is the story.
  2. Your hospital must protect the privacy of its patients and personnel regarding personal, health, and financial information. A variety of federal and state/provincial laws apply as regulatory requirements. Select a decision-guidance tool you could use to inventory, prioritize, and mitigate privacy issues in programs and systems.
    1. ROI
    2. PII
    3. PIA
    4. PHI
    Everything but the last sentence is a distraction, describing the context but it doesn't matter here. PIA is a Privacy Impact Analysis. The hospital will be concerned getting a reasonable ROI, and it will need to protect both PII and PHI, but none of those are decision-guidance tools.
  3. Mandy is the director of the HR department. In order to cut costs, she has decided to select some good training material that everyone can benefit from, and send all personnel through the same risk management training. The HR department only needs to buy one set of material. If all events contain the same content, just one or a few personnel out of each department can attend a session, meaning that all groups can continue normal operations. But which security advantage has been lost?
    1. Role-based
    2. Risk-prioritized
    3. Agile-based
    4. Morale-boosting
    The last two aren't security advantages. Training should be role-based so it's relevant, addresses job-specific risks, and retains the staff's attention.
  4. Jacqueline, a cybersecurity analyst at a major hospital, has been tasked with a quantitative risk analysis of data loss in the patient billing system. Initial measurements show an EF of 0.5, an ARO of 3, and an ALE of 60,000. How much should the hospital expect to lose in a typical year?
    1. 20,000
    2. 30,000
    3. 60,000
    4. 180,000
    Sometimes the question simply tells you what the answer is, if you know the acronyms. ALE stands for Annualized Loss Expectancy, a fancy way of saying "expected loss per year".
  5. Your corporation is considering moving some operations into the cloud. Amy's manager is worried that the cloud provider being considered might not meet the performance and quality requirements of the project. What should Amy suggest using to solve the problem?
    1. MOU
    2. BPA
    3. SLA
    4. ISA
    The Service-Level Agreement should specify the expectations and requirements. Of course it can't be an absolute guarantee, but an SLA typically defines what the provider will pay if the requirements aren't met.
  6. Pat was required to attend mandatory security awareness training before starting his new job, to learn about protecting highly sensitive corporate secrets and customer data. This is part of the              stage.
    1. NDA
    2. OPSEC
    3. Non-compete
    4. On-boarding
    5. Off-boarding
    Pat is learning about OPSEC, and may have to sign an NDA, but the question is really "Which stage is this?" He is starting a new job, not leaving, so it's on-boarding.
  7. Tony, a new auditor at the company, has been evaluating security and conducting interviews. He has discovered that doorways into sensitive areas, and applications accessing sensitive data, are frequently accessed via widely known combinations and shared accounts. What desirable security attribute has been lost?
    1. Accountability
    2. Responsibility
    3. Deterrence
    4. Assurance
    Accountability lets you map actions to specific people. Responsibility is related to that concept, but it is different. Deterrence would be a mechanism to frighten or intimidate people into behaving a certain way. Assurance might be the ability to provide a logical proof or mathematical calculation of the strength of the proposed defense.
  8. Top management at the company has written a COO policy stating that no more than 4 hours of down-time is allowed for web sales operations. Holly is a web server system administrator, and is responsible for meeting this corporate policy. Which statistic or requirement does this 4 hour figure refer to?
    1. MAD
    2. RPO
    3. RTO
    4. MTTR
    Management has set a requirement or goal, so it's RTO. MAD (or MTD), Maximum Allowable (or Tolerable) Downtime is an estimate of what length of outage would be fatal to the organization. They will estimate MAD/MTD first, and then specify an RTO less than that. RPO is about tolerable loss, usually in terms of how often to make backups. MTTR tells us how quickly recoveries have been happening.
  9. Min, a system engineer with the storage department, has been tasked with planning the creation of a DRP that will lead to implementing clustering and RAID. What should be her first step?
    1. BIA
    2. Risk analysis
    3. Vulnerability assessment
    4. Penetration testing
    5. Service discovery
    A Business Impact Analysis is the first step, as it figures out what is in the critical path, what must be protected. It must be done before risk analysis, which will lead to the desired Disaster Recovery Plan (or Policy).
  10. Management has set a policy specifying the acceptable amount of data loss, which will be used to design the backup process. Which of these has been defined?
    1. RTO
    2. RPO
    3. RAD
    4. MAD
    5. MOU
    If you do backups every night, you could lose up to 24 hours' worth of data. That's your Recovery Point Objective, "the way it was last night."
  11. The company's software development, customer service, and order processing operations are based at three separate facilities. Top management has determined that if there were a massive outage at the sales site, the customer service facility would best be able to assist sales operations. Which of these are they advocating?
    1. Tabletop exercises
    2. Walk-through exercises
    3. Failover
    4. Alternate business practices
    5. Redundancy
    This plan might have its origins in a tabletop or walk-through exercise, and you might say that this could be considered as a form of failover. And it is redundant capability in a way. But "Alternate (or Alternative) Business Practices" is the official CompTIA term.
  12. Brian, manager of the IT department, periodically moves help desk staff from one support category to another. Which security goal will this achieve?
    1. Fraud detection
    2. Fraud prevention
    3. Fraud analysis
    4. Fraud mitigation
    An complex and effective fraud will take a while to research, plan, and set up. The would-be fraudster doesn't have enough time to get entrenched. The employees know of this policy so it would also act as a deterrent, but that isn't a choice. In the CompTIA universe, it's mandatory vacation that does fraud detection.
  13. Gene works with patch management for production systems. Jane, his supervisor, has directed him to deploy a major upgrade to the database server by the end of the week. Gene wants to be able to implement the upgrade, verify its functionality and performance, and then, if needed, roll back. How should he proceed?
    1. Deploy the upgrade, create a snapshot, and monitor the upgraded system.
    2. Create a snapshot, deploy the upgrade, and monitor the upgraded system.
    3. Copy the server's registry, deploy the upgrade, and monitor the upgraded system.
    4. Create an ephemeral snapshot, upgrade it, and if functionality and performance are adequate, apply those updates to the production system.
    That is the only choice that makes a snapshot or backup to which you could roll back before making changes.
  14. Beth, a system administrator, is training Jerry, a new data maintenance technician, in how to restore backup data into production use. Which of the following should they be using?
    1. Recovery playbook
    2. Order of restoration
    3. Order of volatility
    4. Snapshot guidance
    The Recovery Playbook, in CompTIA's lexicon, documents how to identify and properly restore backup data.
  15. Natalie is a security auditor for a financial institution. They are considering moving some of their operations overseas, where they could pay lower wages and thereby increase profits. What security concern should Natalie point out?
    1. Interoperability problems due to language and character set differences
    2. Portability of data
    3. Use of unauthorized apps
    4. Regulatory compliance
    5. Higher risk of DDoS
    Privacy regulations vary from country to country, and generally are much stricter outside the U.S. With the possibility of a company in country A storing and/or processing data about a citizen of country B in a facility located in country C, this can become very complicated.
  16. Many unexplained payments have been sent to a mysterious vendor. The current model is:
    • Add new vendor: Clerk
    • Approve new vendor: Clerk
    • Pay vendor: Clerk
    • Approve payment: Manager
    What should it be?
      • Add new vendor: Manager
      • Approve new vendor: Clerk
      • Pay vendor: Clerk
      • Approve payment: Manager
      • Add new vendor: Clerk
      • Approve new vendor: Manager
      • Pay vendor: Clerk
      • Approve payment: Clerk
      • Add new vendor: Clerk
      • Approve new vendor: Manager
      • Pay vendor: Clerk
      • Approve payment: Manager
      • Add new vendor: Clerk
      • Approve new vendor: Manager
      • Pay vendor: Manager
      • Approve payment: Manager
    The clerk does the tasks, the manager approves the actions.
  17. Terri is a database administrator in the billing department. Her boss, James, has asked her to estimate the number of security lapses and their cost over the coming year. Which of these should she calculate?
    1. MTBF
    2. SLE
    3. ARO
    4. ALE
    5. EF
    The Annualized Loss Expectancy is the product of the cost of a single breach (the Single Loss Expectancy or SLE) times the number of breaches expected in a typical year (the Annualized Rate of Occurrence or ARO).
  18. Harvey, the director of the Billing Department, worries that one of his employees has found a covert way of committing fraud. He wants to find out if this is true or not, before any fraud gets out of hand and he gets fired or the company fails. What should he implement?
    1. Least privilege
    2. Job rotation
    3. Mandatory vacation
    4. Separation of duties
    Least privilege and separation of duties are preventative (or at least they make the likelihood much less likely). Job rotation is deterrent. Mandatory vacation is the detective measure, as management can observe and even investigate an employee's job setting when they are forced out of the office for several days in a row.
  19. Omar is a database administrator in the online sales department. The operating system, shared libraries, and applications all need patching and reconfiguration. Omar worries about unalterable modifications causing data loss or corruption, or leading to a loss of functionality, all of which would mean lost revenue. What does he need?
    1. Back-out plans
    2. Offsite backups
    3. Live failover
    4. After-action analysis
    A back-out plan restores everything to the way it was. Offsite backups are typically for data only.
  20. Your company is being targeted by numerous spearphishing attempts. Which defense do you recommend?
    1. Security awareness training
    2. Pop-up blocker
    3. Spam filter
    4. Mail application-layer firewall
    5. Network intrusion prevention system
    We need a non-technical defense as it's a non-technical problem.
  21. Kate is a network engineer at a company that is starting a collaboration with another corporation. What document should Kate consult to set up VPN connectivity?
    1. BPA
    2. SLA
    3. MOU
    4. ISA
    All of those may be involved in the collaboration, but the Interconnection Service Agreement defines how the two organizations will connect their networking.
  22. Dale is the manager of the software development group. She has directed her programmers to make a backup of their code and test data at the end of every day, locking the media in a desk drawer, and making sure to lock their office door. What is the greatest concern?
    1. Data remanence
    2. Off-site backups
    3. Data sovereignty
    4. Privacy protection

Passing = 82% of 22 = 18.0

Goal = 91% of 22 = 20.0

To the Cybersecurity Page