Exam (elaborations)

ISC2 CC Exam Questions With 100% Correct Answers 2024/CC ISC2 Flashcards. 139 Questions and Correct Answers, With Complete Solution.

Pages: 15
Grade: A+
Uploaded on: 27-03-2024
Written in: 2023/2024

What is MAC (Mandatory Access Control)?

The operating system determines who gets access to resources. Much more restricted, not used as much.

Which of the following is a detection control?:
Bollards
Turnstiles
Firewalls
Smoke sensors

Smoke sensors. By definition, smoke detectors are fire protection devices employed for the early detection of fire. Firewalls are devices that filter incoming traffic, and are a type of logical preventive control. Bollards and turnstiles are types of physical preventive controls.

Which of the following is NOT an ethical canon of the ISC2?
-Advance and protect the profession
-Act honorably, honestly, justly, responsibly and legally
-Protect society, the common good, necessary public trust and confidence, and the infrastructure
-Provide active and qualified service to principal

Provide active and qualified service to principal. In the code of ethics, we read "Provide diligent and competent service to principals", and not "Provide active and qualified service to principals"; all the other options are valid canons of the code of ethics (see ISC2 Study Guide, Chapter 1, Module 5).

Which of the following is a data handling policy procedure?
-Transform
-Destroy
-Encode
-Collect

Destroy. The data handling procedures are 'Classify', 'Categorize', 'Label', 'Store', 'Encrypt', 'Backup', and 'Destroy' (see ISC2 Study Guide, Chapter 5, Module 3).

Which of the following properties is NOT guaranteed by Digital Signatures?
-Non-Repudiation
-Confidentiality
-Authentication
-Integrity

Confidentiality. A digital signature is the result of a cryptographic transformation of data which is useful for providing: data origin authentication, data integrity, and non-repudiation of the signer (see NIST SP 800-12 Rev. 1 under Digital Signature). However, digital signatures cannot guarantee confidentiality (i.e. the property of data or information not being made available or disclosed).

Which type of attack has the PRIMARY objective of controlling the system from outside?
-Cross-Site Scripting
-Rootkits
-Trojans
-Backdoors

Backdoors. Trojans and Rootkits are often used to install backdoors. A backdoor is a malicious feature that listens for commands on a specific logical port (TCP or UDP) and executes them on the attacked system or device, thereby giving direct control of the system or device to a malicious outside entity (or program). Cross-Site Scripting can execute code with the same permissions as the scripts generated by the target website, compromising the confidentiality and integrity of data transfers between the website and the client.

Which of the following is an example of an administrative security control?
-Acceptable Use Policies
-No entry signs
-Badge Readers
-Access Control Lists

Acceptable Use Policies. Policies are a type of administrative security control. An access control list is a type of technical security control. A badge reader and a 'No entry' sign are types of physical security controls (see ISC2 Study Guide, Chapter 1, Module 3).

The process of verifying or proving the user's identification is known as:
-Integrity
-Authentication
-Authorization
-Confidentiality

Authentication. Authentication is the verification of the identity of a user, process or device, as a prerequisite to allowing access to the resources in a given system. In contrast, authorization refers to the permission granted to users, processes or devices to access specific assets. Confidentiality and integrity are properties of information and systems, not processes.

A web server that accepts requests from external clients should be placed in which network?
DMZ
Intranet
Internal Network
VPN

DMZ. In cybersecurity, a DMZ (demilitarized zone) is a physical or logical subnetwork that contains and exposes external-facing services (such as web services). An Internal Network is an organization-controlled network that is isolated from external access. An Intranet is itself an internal network that supports similar protocols and services to the Internet, but only for the organization's internal use. A Virtual Private Network (VPN) creates a secure tunnel between endpoints (whether between networks, or between networks and devices), allowing traffic to travel through a public network and creating the illusion that endpoints are connected through a dedicated private connection.

What is an Intranet?

A private internet that is used exclusively within an organization.

According to the canon "Provide diligent and competent service to principals", ISC2 professionals are to:
-Avoid apparent or actual conflicts of interest.
-Take care not to tarnish the reputation of other professionals through malice or indifference.
-Treat all members fairly and, when resolving conflicts, consider public safety and duties to principals, individuals and the profession, in that order.
-Promote the understanding and acceptance of prudent information security measures.

Avoid apparent or actual conflicts of interest. The direction for applying the ethical principles of ISC2 states that avoiding conflicts of interest or the appearance thereof is a consequence of providing diligent and competent service to principals.

The Bell and LaPadula access control model is a form of:
-RBAC
-ABAC
-DAC
-MAC

MAC. The Bell and LaPadula access control model arranges subjects and objects into security levels and defines access specifications, whereby subjects can only access objects at certain levels based on their security level. Typical access specifications can be things like "Unclassified personnel cannot read data at confidential levels" or "Top-Secret data cannot be written into the files at unclassified levels". Since subjects cannot change access specifications, this model is a form of mandatory access control (MAC). In contrast, Discretionary Access Control (DAC) leaves a certain level of access control to the discretion of the object's owner. Attribute Based Access Control (ABAC) is based on subject and object attributes (not only classification). Finally, Role Based Access Control (RBAC) is a model for controlling access to objects where permitted actions are identified with roles rather than individual subject identities.

How many data labels are considered good practice?
2 - 3
1
>4
1-2

2-3. According to the ISC2 Study Guide, Chapter 5, Module 1, under Data Handling Practices in Labeling, we read that two or three classifications are manageable, but more than four tend to be challenging to manage.

Which of these is not an attack against an IP network?
-Fragmented Packet Attack
-Oversized Packet Attack
-Side-channel Attack
-Man-in-the-middle Attack

Side-channel Attack. Man-in-the-middle Attacks, Oversized Packet Attacks, and Fragmented Packet Attacks are typical IP network attacks (see ISC2 Study Guide, Chapter 4, Module 1, under Security of the Network). Side-channel Attacks are non-invasive attacks that extract information from devices (typically devices running cryptographic algorithms), and therefore do not aim at IP networks.

What is a side-channel attack?

A side-channel attack is a type of attack that aims to extract secret information from a computer system by analyzing side-channel information, which is information that is indirectly leaked by the system during its normal operation. This can include things like the amount of time it takes for a system to perform a certain operation, or the amount of power it uses, or electromagnetic emanations. This information can then be used to deduce secret information such as encryption keys, passwords, or other sensitive data.

Which of the following areas is connected to PII?
-Authentication
-Integrity
-Non-Repudiation
-Confidentiality

Confidentiality.

What is non-repudiation?

The ability to not hide your tracks when carrying out actions.

Which of the following is not a protocol of the OSI Level 3?
-SNMP
-IP
-ICMP
-IGMP

SNMP. Internet Protocol (IP) is known to be a level 3 protocol. Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP) are also level 3 protocols. Simple Network Management Protocol (SNMP) is a protocol used to configure and monitor devices attached to networks. It is an application-level protocol (level 7), and therefore the only option that is not from level 3.

What is IGMP (Internet Group Management Protocol)?

Think IPTV for streaming. IGMP is a way for a large number of people to watch a single video stream at the same time over the internet, without overwhelming the network or the provider's server. It works by allowing each subscriber to join a group that is streaming the video, and when the subscriber wants to stop watching, it allows them to leave the group.

What is AUP (Acceptable Use Policy)?

Acceptable Use Policy (AUP) defines the permissions and limitations that users must agree to while accessing the network and using computer systems or any other organizational resources.

What is SSCM (System Security Configuration Management)?

A process that involves adjusting the default settings of an information system in order to increase security and mitigate risk.

What is a cryptographic hash function?

An equation used to verify the validity of data. It has many applications, notably in information security (e.g. user authentication). Should be non-reversible.

A biometric reader that grants access to a computer system in a data center is a:
-Authorization Control
-Administrative Control
-Technical Control
-Physical Control

Technical Control. Physical controls have to do with the architectural features of buildings and facilities. Administrative controls are connected to the actions of people within the organization. Technical controls are implemented inside of computer systems. Authorization controls relate to the assets to which a user is granted access inside a particular computer system.

Risk Transference

A risk response strategy whereby the project team shifts the impact of a threat to a third party, for example, insurance policies.

What is a standard?

Ways to do certain things, such as approved encryption algorithms. Compliance is mandatory.

What are guidelines?

What you should be doing based on suggestion. Compliance is not mandatory.

What are procedures?

Instructions which describe how to perform specific tasks to achieve the desired end state. Mandatory.

What are policies?

Developed over a long period of time, and set the basis for how business operations should go. Not too descriptive. Related to standards.

