Correct answer:

An audit log records details such as who, what, when, and where for any events of interest.

Incorrect answers:

Audit logs cannot determine why someone took an action.

Although an audit log may indicate how an action occurred, the how isn’t definitive.

Additionally, who performed the action is much more important than how.

Correct answer:

Three-factor authentication is stronger than one- or two-factor authentication. It combines authentication mechanisms from each of the factors: something you know, something you have, and something you are.

Incorrect answers:

One-factor authentication uses only one of the factors, and two-factor authentication uses only two factors.

Single sign-on (SSO) allows a user to authenticate once and then use the same credentials when accessing resources in the organization.

Correct answer:

Token-based authentication uses a synchronous token as a one-time password. The user is able to enter a personal identification number (PIN), or password, displayed in a physical token that is also synchronized with a server.

Incorrect answers:

Attribute-based Access Control (ABAC) is an access control model typically used in software-defined networks (SDNs).

Kerberos ticket-granting tickets are reused, so they are not one-time passwords.

A Brewer-Nash architecture (sometimes called a Chinese wall) is an access control model used to prevent a conflict of interest.

Correct answer:

Because most viruses delivered through e-mail come as spam, a spam filter can block most e-mail-delivered viruses. Antivirus software is also useful (although it wasn’t given as a choice).

Incorrect answers:

Neither a packet-filtering firewall nor a proxy server can detect malware or spam.

An e-mail server is needed to deliver all e-mail and is useful for blocking viruses only if it has a spam filter or antivirus software.

Correct answer:

A host-based IDS (HIDS) is installed on a system such as a server or workstation. It monitors activity on the host but does not monitor network activity.

Incorrect answers:

A network-based intrusion detection system (NIDS) monitors traffic going through a network. It uses agents to monitor traffic on routers and switches, and the agents forward the traffic to a central management console.

Antivirus software monitors for malware.

A host-based firewall is installed on a single server and can filter traffic, but it does not monitor for intrusions.

Correct answer:

The Brewer-Nash (sometimes called a Chinese Wall) model is primarily used in financial services organizations and helps prevent a conflict of interest.

Incorrect answers:

The Brewer-Nash model doesn’t address integrity (but Biba does), it doesn’t address confidentiality (but Bell-LaPadula does), and it doesn’t address separation of duties (but Clark-Wilson does).

Correct answer:

The formula Risk = Threat × Vulnerability is commonly used to express risk. When the threat and the vulnerability are combined (a threat exploits a vulnerability), the result is a loss.

Incorrect answers:

Residual risk is calculated as Total Risk – Mitigated Risk, but Mitigated Risk – Total Risk is not a valid formula.

A qualitative analysis used in a risk assessment compares the likelihood and impact.

Threat – Vulnerability is not a valid formula for risk.

Correct answer:

An extranet is a network used to host resources via the Internet but only to trusted entities.

Incorrect answers:

If placed directly on the Internet or in a demilitarized zone (DMZ), the server will be available to all users via the Internet.

If placed on the intranet, it won’t be accessible to any users outside the organization.

Correct answer:

Approved devices that do not meet minimum security requirements should be quarantined. The quarantined network typically includes resources that the devices can access to improve their security posture.

Incorrect answers:

If the devices do not meet the minimum requirements of the MDM solution, they should not be admitted to the network.

While it is appropriate to block access to the regular network, it is better to redirect device to a quarantined network.

Devices in a choose your own device (CYOD) policy are owned by the employees, so it isn’t appropriate to erase them.

Correct answer:

The first step in the incident lifecycle is preparation. Preparation also includes steps to take that can prevent an incident.

Incorrect answers:

Detection comes after preparation and includes analysis and escalation.

Containment occurs after detection, analysis, and escalation.

The lessons learned step is the last one in the incident lifecycle and includes implementation of new countermeasures.