Thomas, an employee of an organization, is restricted from accessing specific websites from his office
system. He is trying to obtain admin credentials to remove the restrictions. While waiting for an
opportunity, he sniffed communication between the administrator and an application server to
retrieve the admin credentials. Identify the type of attack performed by Thomas in the above
scenario.
B
Explanation:
The correct answer is B, as it identifies the type of attack performed by Thomas in the above
scenario. Eavesdropping is a type of attack that involves intercepting and listening to the
communication between two parties without their knowledge or consent. Thomas performed
eavesdropping by sniffing communication between the administrator and an application server to
retrieve the admin credentials. Option A is incorrect, as it does not identify the type of attack
performed by Thomas in the above scenario. Vishing is a type of attack that involves using voice calls
to trick people into revealing sensitive information or performing malicious actions. Thomas did not
use voice calls but sniffed network traffic. Option C is incorrect, as it does not identify the type of
attack performed by Thomas in the above scenario. Phishing is a type of attack that involves sending
fraudulent emails or messages that appear to be from legitimate sources to lure people into
revealing sensitive information or performing malicious actions. Thomas did not send any emails or
messages but sniffed network traffic. Option D is incorrect, as it does not identify the type of attack
performed by Thomas in the above scenario. Dumpster diving is a type of attack that involves
searching through trash or discarded items to find valuable information or resources. Thomas did not
search through trash or discarded items but sniffed network traffic.
Reference: Section 2.2
Kayden successfully cracked the final round of interviews at an organization. After a few days, he
received his offer letter through an official company email address. The email stated that the
selected candidate should respond within a specified time. Kayden accepted the opportunity and
provided an e-signature on the offer letter, then replied to the same email address. The company
validated the e-signature and added his details to their database. Here, Kayden could not deny the
company's message, and the company could not deny Kayden's signature.
Which of the following information security elements was described in the above scenario?
B
Explanation:
The correct answer is B, as it describes the information security element that was described in the
above scenario. Non-repudiation is an information security element that ensures that a party cannot
deny sending or receiving a message or performing an action. In the above scenario, non-repudiation
was described, as Kayden could not deny the company’s message, and the company could not deny Kayden’s
signature. Option A is incorrect, as it does not describe the information security element that was
described in the above scenario. Availability is an information security element that ensures that
authorized users can access and use information and resources when needed. In the above scenario,
availability was not described, as there was no mention of access or use of information and
resources. Option C is incorrect, as it does not describe the information security element that was
described in the above scenario. Integrity is an information security element that ensures that
information and resources are accurate and complete and have not been modified by unauthorized
parties. In the above scenario, integrity was not described, as there was no mention of accuracy or
completeness of information and resources. Option D is incorrect, as it does not describe the
information security element that was described in the above scenario. Confidentiality is an
information security element that ensures that information and resources are protected from
unauthorized access and disclosure. In the above scenario, confidentiality was not described, as
there was no mention of protection or disclosure of information and resources.
Reference: Section 3.1
Sam, a software engineer, visited an organization to give a demonstration on a software tool that
helps in business development. The administrator at the organization created a least privileged
account on a system and allocated that system to Sam for the demonstration. Using this account,
Sam can only access the files that are required for the demonstration and cannot open any other file
in the system.
Which of the following types of accounts has the organization given to Sam in the above scenario?
B
Explanation:
The correct answer is B, as it identifies the type of account that the organization has given to Sam in
the above scenario. A guest account is a type of account that allows temporary or limited access to a
system or network for visitors or users who do not belong to the organization. A guest account
typically has minimal privileges and permissions and can only access certain files or applications. In
the above scenario, the organization has given Sam a guest account for the demonstration. Using this
account, Sam can only access the files that are required for the demonstration and cannot open any
other file in the system. Option A is incorrect, as it does not identify the type of account that the
organization has given to Sam in the above scenario. A service account is a type of account that
allows applications or services to run on a system or network under a specific identity. A service
account typically has high privileges and permissions and can access various files or applications. In
the above scenario, the organization has not given Sam a service account for the demonstration.
Option C is incorrect, as it does not identify the type of account that the organization has given to
Sam in the above scenario. A user account is a type of account that allows regular access to a system
or network for employees or members of an organization. A user account typically has moderate
privileges and permissions and can access various files or applications depending on their role. In the
above scenario, the organization has not given Sam a user account for the demonstration. Option D is
incorrect, as it does not identify the type of account that the organization has given to Sam in the
above scenario. An administrator account is a type of account that allows full access to a system or
network for administrators or managers of an organization. An administrator account typically has
the highest privileges and permissions and can access and modify any files or applications. In the
above scenario, the organization has not given Sam an administrator account for the demonstration.
Reference: Section 4.1
Myles, a security professional at an organization, provided laptops for all the employees to carry out
the business processes from remote locations. While installing necessary applications required for
the business, Myles has also installed antivirus software on each laptop following the company's
policy to detect and protect the machines from external malicious events over the Internet.
Identify the PCI-DSS requirement followed by Myles in the above scenario.
C
Explanation:
The correct answer is C, as it identifies the PCI-DSS requirement followed by Myles in the above
scenario. PCI-DSS is a set of standards that aims to protect cardholder data and ensure secure
payment transactions. PCI-DSS has 12 requirements that cover various aspects of security such as
network configuration, data encryption, access control, vulnerability management, monitoring, and
testing. PCI-DSS requirement 5.1 states that “Protect all systems against malware and regularly
update anti-virus software or programs”. In the above scenario, Myles followed this requirement by
installing antivirus software on each laptop to detect and protect the machines from external
malicious events over the Internet. Option A is incorrect, as it does not identify the PCI-DSS
requirement followed by Myles in the above scenario. PCI-DSS requirement 1.3.2 states that “Do
not allow unauthorized outbound traffic from the cardholder data environment to the Internet”. In
the above scenario, Myles did not follow this requirement, as there was no mention of outbound
traffic or cardholder data environment. Option B is incorrect, as it does not identify the PCI-DSS
requirement followed by Myles in the above scenario. PCI-DSS requirement 1.3.5 states that
“Restrict inbound and outbound traffic to that which is necessary for the cardholder data
environment”. In the above scenario, Myles did not follow this requirement, as there was no mention
of inbound or outbound traffic or cardholder data environment. Option D is incorrect, as it does not
identify the PCI-DSS requirement followed by Myles in the above scenario. PCI-DSS requirement
1.3.1 states that “Implement a firewall configuration that restricts connections between publicly
accessible servers and any system component storing cardholder data”. In the above scenario, Myles
did not follow this requirement, as there was no mention of firewall configuration or publicly
accessible servers or system components storing cardholder data.
Reference: Section 5.2
Ashton is working as a security specialist in SoftEight Tech. He was instructed by the management to
strengthen the Internet access policy. For this purpose, he implemented a type of Internet access
policy that forbids everything and imposes strict restrictions on all company computers, whether it is
system or network usage.
Identify the type of Internet access policy implemented by Ashton in the above scenario.
A
Explanation:
The correct answer is A, as it identifies the type of Internet access policy implemented by Ashton in
the above scenario. An Internet access policy is a set of rules and guidelines that defines how an
organization’s employees or members can use the Internet and what types of websites or services
they can access. There are different types of Internet access policies, such as:
Paranoid policy: This type of policy forbids everything and imposes strict restrictions on all company
computers, whether it is system or network usage. This policy is suitable for organizations that deal
with highly sensitive or classified information and have a high level of security and compliance
requirements.
Prudent policy: This type of policy allows some things and blocks others and imposes moderate
restrictions on company computers, depending on the role and responsibility of the user. This policy
is suitable for organizations that deal with confidential or proprietary information and have a
medium level of security and compliance requirements.
Permissive policy: This type of policy allows most things and blocks few and imposes minimal
restrictions on company computers, as long as the user does not violate any laws or regulations. This
policy is suitable for organizations that deal with public or general information and have a low level
of security and compliance requirements.
Promiscuous policy: This type of policy allows everything and blocks nothing and imposes no
restrictions on company computers, regardless of the user’s role or responsibility. This policy is
suitable for organizations that have no security or compliance requirements and trust their
employees or members to use the Internet responsibly.
In the above scenario, Ashton implemented a paranoid policy that forbids everything and imposes
strict restrictions on all company computers, whether it is system or network usage. Option B is
incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the
above scenario. A prudent policy allows some things and blocks others and imposes moderate
restrictions on company computers, depending on the role and responsibility of the user. In the
above scenario, Ashton did not implement a prudent policy, but a paranoid policy. Option C is
incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the
above scenario. A permissive policy allows most things and blocks few and imposes minimal
restrictions on company computers, as long as the user does not violate any laws or regulations. In
the above scenario, Ashton did not implement a permissive policy, but a paranoid policy. Option D is
incorrect, as it does not identify the type of Internet access policy implemented by Ashton in the
above scenario. A promiscuous policy allows everything and blocks nothing and imposes no
restrictions on company computers, regardless of the user’s role or responsibility. In the above
scenario, Ashton did not implement a promiscuous policy, but a paranoid policy.
Reference: Section 6.2
Zion belongs to a category of employees who are responsible for implementing and managing the
physical security equipment installed around the facility. He was instructed by the management to
check the functionality of equipment related to physical security. Identify the designation of Zion.
C
Explanation:
The correct answer is C, as it identifies the designation of Zion. A guard is a person who is responsible
for implementing and managing the physical security equipment installed around the facility. A guard
typically performs tasks such as:
Checking the functionality of equipment related to physical security
Monitoring the surveillance cameras and alarms
Controlling the access to restricted areas
Responding to emergencies or incidents
In the above scenario, Zion belongs to this category of employees who are responsible for
implementing and managing the physical security equipment installed around the facility. Option A is
incorrect, as it does not identify the designation of Zion. A supervisor is a person who is responsible
for overseeing and directing the work of other employees. A supervisor typically performs tasks such
as:
Assigning tasks and responsibilities to employees
Evaluating the performance and productivity of employees
Providing feedback and guidance to employees
Resolving conflicts or issues among employees
In the above scenario, Zion does not belong to this category of employees who are responsible for
overseeing and directing the work of other employees. Option B is incorrect, as it does not identify
the designation of Zion. A chief information security officer (CISO) is a person who is responsible for
establishing and maintaining the security vision, strategy, and program for an organization. A CISO
typically performs tasks such as:
Developing and implementing security policies and standards
Managing security risks and compliance
Leading security teams and projects
Communicating with senior management and stakeholders
In the above scenario, Zion does not belong to this category of employees who are responsible for
establishing and maintaining the security vision, strategy, and program for an organization. Option D
is incorrect, as it does not identify the designation of Zion. A safety officer is a person who is
responsible for ensuring that health and safety regulations are followed in an organization. A safety
officer typically performs tasks such as:
Conducting safety inspections and audits
Identifying and eliminating hazards and risks
Providing safety training and awareness
Reporting and investigating accidents or incidents
In the above scenario, Zion does not belong to this category of employees who are responsible for
ensuring that health and safety regulations are followed in an organization.
Reference: Section 7.1
In an organization, all the servers and database systems are guarded in a sealed room with a single
entry point. The entrance is protected with a physical lock system that requires typing a sequence of
numbers and letters by using a rotating dial that intermingles with several other rotating discs.
Which of the following types of physical locks is used by the organization in the above scenario?
B
Explanation:
The correct answer is B, as it identifies the type of physical lock used by the organization in the above scenario. A physical lock
is a device that prevents unauthorized access to a door, gate, cabinet, or other enclosure by using a
mechanism that requires a key, code, or biometric factor to open or close it. There are different types
of physical locks, such as:
Combination lock: This type of lock requires typing a sequence of numbers and letters by using a
rotating dial that intermingles with several other rotating discs. This type of lock is suitable for
securing safes, lockers, or cabinets that store valuable items or documents.
Digital lock: This type of lock requires entering a numeric or alphanumeric code by using a keypad or
touchscreen. This type of lock is suitable for securing doors or gates that require frequent access or
multiple users.
Mechanical lock: This type of lock requires inserting and turning a metal key that matches the shape
and size of the lock. This type of lock is suitable for securing doors or gates that require simple and
reliable access or single users.
Electromagnetic lock: This type of lock requires applying an electric current to a magnet that attracts
a metal plate attached to the door or gate. This type of lock is suitable for securing doors or gates
that require remote control or integration with other security systems.
In the above scenario, the organization used a combination lock that requires typing a sequence of
numbers and letters by using a rotating dial that intermingles with several other rotating discs.
Option A is incorrect, as it does not identify the type of physical lock used by the organization in the
above scenario. A digital lock requires entering a numeric or alphanumeric code by using a keypad or
touchscreen. In the above scenario, the organization did not use a digital lock, but a combination
lock. Option C is incorrect, as it does not identify the type of physical lock used by the organization in
the above scenario. A mechanical lock requires inserting and turning a metal key that matches the
shape and size of the lock. In the above scenario, the organization did not use a mechanical lock, but
a combination lock. Option D is incorrect, as it does not identify the type of physical lock used by the
organization in the above scenario. An electromagnetic lock requires applying an electric current to a
magnet that attracts a metal plate attached to the door or gate. In the above scenario, the
organization did not use an electromagnetic lock, but a combination lock.
Reference: Section 7.2
Lorenzo, a security professional in an MNC, was instructed to establish centralized authentication,
authorization, and accounting for remote-access servers. For this purpose, he implemented a
protocol that is based on the client-server model and works at the transport layer of the OSI model.
Identify the remote authentication protocol employed by Lorenzo in the above scenario.
B
Explanation:
The correct answer is B, as it identifies the remote authentication protocol employed by Lorenzo in
the above scenario. RADIUS (Remote Authentication Dial-In User Service) is a protocol that provides
centralized authentication, authorization, and accounting (AAA) for remote-access servers such as
VPNs (Virtual Private Networks), wireless networks, or dial-up connections. RADIUS is based on the
client-server model and works at the transport layer of the OSI model. RADIUS uses UDP (User
Datagram Protocol) as its transport protocol and encrypts only user passwords in its messages. In the
above scenario, Lorenzo implemented RADIUS to provide centralized AAA for remote-access servers.
Option A is incorrect, as it does not identify the remote authentication protocol employed by Lorenzo
in the above scenario. SNMPv3 (Simple Network Management Protocol version 3) is a protocol that
provides network management and monitoring for network devices such as routers, switches,
servers, or printers. SNMPv3 is based on the manager-agent model and works at the application
layer of the OSI model. SNMPv3 uses UDP as its transport protocol and encrypts all its messages with
AES (Advanced Encryption Standard) or DES (Data Encryption Standard). In the above scenario,
Lorenzo did not implement SNMPv3 to provide network management and monitoring for network
devices. Option C is incorrect, as it does not identify the remote authentication protocol employed
by Lorenzo in the above scenario. POP3S (Post Office Protocol version 3 Secure) is a protocol that
provides secure email access and retrieval for email clients from email servers. POP3S is based on
the client-server model and works at the application layer of the OSI model. POP3S uses TCP
(Transmission Control Protocol) as its transport protocol and encrypts all its messages with SSL
(Secure Sockets Layer) or TLS (Transport Layer Security). In the above scenario, Lorenzo did not
implement POP3S to provide secure email access and retrieval for email clients from email servers.
Option D is incorrect, as it does not identify the remote authentication protocol employed by Lorenzo
in the above scenario. IMAPS (Internet Message Access Protocol Secure) is a protocol that provides
secure email access and management for email clients from email servers. IMAPS is based on the
client-server model and works at the application layer of the OSI model. IMAPS uses TCP as its
transport protocol and encrypts all its messages with SSL or TLS. In the above scenario, Lorenzo did
not implement IMAPS to provide secure email access and management for email clients from email
servers.
Reference: Section 8.2
Malachi, a security professional, implemented a firewall in his organization to trace incoming and
outgoing traffic. He deployed a firewall that works at the session layer of the OSI model and monitors
the TCP handshake between hosts to determine whether a requested session is legitimate.
Identify the firewall technology implemented by Malachi in the above scenario.
B
Explanation:
A circuit-level gateway is a type of firewall that works at the session layer of the OSI model and
monitors the TCP handshake between hosts to determine whether a requested session is legitimate.
It does not inspect the contents of each packet, but rather relies on the session information to
filter traffic.
Rhett, a security professional at an organization, was instructed to deploy an IDS solution on their
corporate network to defend against evolving threats. For this purpose, Rhett selected an IDS
solution that first creates models for possible intrusions and then compares these models with
incoming events to make detection decisions.
Identify the detection method employed by the IDS solution in the above scenario.
C
Explanation:
Anomaly detection is a type of IDS detection method that involves first creating models for possible
intrusions and then comparing these models with incoming events to make a detection decision. It
can detect unknown or zero-day attacks by looking for deviations from normal or expected behavior.
Richards, a security specialist at an organization, was monitoring an IDS system. While monitoring,
he suddenly received an alert of an ongoing intrusion attempt on the organization's network. He
immediately averted the malicious actions by implementing the necessary measures.
Identify the type of alert generated by the IDS system in the above scenario.
A
Explanation:
A true positive alert is generated by an IDS system when it correctly identifies an ongoing intrusion
attempt on the network and sends an alert to the security professional. This is the desired outcome
of an IDS system, as it indicates that the system is working effectively and accurately.
Karter, a security professional, deployed a honeypot on the organization's network for luring
attackers who attempt to breach the network. For this purpose, he configured a type of honeypot
that simulates a real OS as well as the applications and services of a target network. Furthermore,
the honeypot deployed by Karter only responds to pre-configured commands.
Identify the type of honeypot deployed by Karter in the above scenario.
A
Explanation:
A low-interaction honeypot is a type of honeypot that simulates a real OS as well as the applications
and services of a target network, but only responds to pre-configured commands. It is designed to
capture basic information about the attacker, such as their IP address, tools, and techniques. A low-
interaction honeypot is easier to deploy and maintain than a high-interaction honeypot, which fully
emulates a real system and allows the attacker to interact with it. A pure honeypot is a real system
that is intentionally vulnerable and exposed to attackers. A medium-interaction honeypot is a type of
honeypot that offers more functionality and interactivity than a low-interaction honeypot, but less
than a high-interaction honeypot.
An MNC hired Brandon, a network defender, to establish secured VPN communication between the
company's remote offices. For this purpose, Brandon employed a VPN topology where all the remote
offices communicate with the corporate office but communication between the remote offices is
denied.
Identify the VPN topology employed by Brandon in the above scenario.
C
Explanation:
A hub-and-spoke VPN topology is a type of VPN topology where all the remote offices communicate
with the corporate office, but communication between the remote offices is denied. The corporate
office acts as the hub, and the remote offices act as the spokes. This topology reduces the number of
VPN tunnels required and simplifies the management of VPN policies. A point-to-point VPN topology
is a type of VPN topology where two endpoints establish a direct VPN connection. A star topology is a
type of VPN topology where one endpoint acts as the central node and connects to multiple other
endpoints. A full-mesh VPN topology is a type of VPN topology where every endpoint connects to
every other endpoint.
Mark, a security analyst, was tasked with performing threat hunting to detect imminent threats in an
organization's network. He generated a hypothesis based on the observations in the initial step and
started the threat-hunting process using existing data collected from DNS and proxy logs.
Identify the type of threat-hunting method employed by Mark in the above scenario.
C
Explanation:
A data-driven hunting method is a type of threat hunting method that employs existing data
collected from various sources, such as DNS and proxy logs, to generate and test hypotheses about
potential threats. This method relies on data analysis and machine learning techniques to identify
patterns and anomalies that indicate malicious activity. A data-driven hunting method can help
discover unknown or emerging threats that may evade traditional detection methods. An entity-
driven hunting method is a type of threat hunting method that focuses on specific entities, such as
users, devices, or domains, that are suspected or known to be involved in malicious activity. A TTP-
driven hunting method is a type of threat hunting method that leverages threat intelligence and
knowledge of adversary tactics, techniques, and procedures (TTPs) to formulate and test hypotheses
about potential threats. A hybrid hunting method is a type of threat hunting method that combines
different approaches, such as data-driven, entity-driven, and TTP-driven methods, to achieve more
comprehensive and effective results.
An organization hired a network operations center (NOC) team to protect its IT infrastructure from
external attacks. The organization utilized a type of threat intelligence to protect its resources from
evolving threats. The threat intelligence helped the NOC team understand how attackers are
expected to perform an attack on the organization, identify the information leakage, and determine
the attack goals as well as attack vectors.
Identify the type of threat intelligence consumed by the organization in the above scenario.
C
Explanation:
Technical threat intelligence is a type of threat intelligence that provides information about the
technical details of specific attacks, such as indicators of compromise (IOCs), malware signatures,
attack vectors, and vulnerabilities. Technical threat intelligence helps the NOC team understand how
attackers are expected to perform an attack on the organization, identify the information leakage,
and determine the attack goals as well as attack vectors. Technical threat intelligence is often
consumed by security analysts, incident responders, and penetration testers who need to analyze
and respond to active or potential threats.