What physical security control would be used to broadcast false emanations to mask the presence of true electromagnetic emanations from genuine computing equipment?
- A . Faraday cage.
- B . Unshielded cabling.
- C . Copper infused windows.
- D . White noise generation.
In software engineering, what does ‘Security by Design’ mean?
- A . Low Level and High Level Security Designs are restricted in distribution.
- B . All security software artefacts are subject to a code-checking regime.
- C . The software has been designed from its inception to be secure.
- D . All code meets the technical requirements of GDPR.
C
Explanation:
https://en.wikipedia.org/wiki/Secure_by_design#:~:text=Secure%20by%20design%20(SBD)%2C,the%20foundation%20to%20be%20secure.&text=Malicious%20practices%20are%20taken%20for,or%20on%20invalid%20user%20input.
Which of the following is the MOST important reason for undertaking Continual Professional Development (CPD) within the Information Security sphere?
- A . Professional qualification bodies demand CPD.
- B . Information Security changes constantly and at speed.
- C . IT certifications require CPD and Security needs to remain credible.
- D . CPD is a prerequisite of any Chartered Institution qualification.
What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?
- A . Red Team Training.
- B . Blue Team Training.
- C . Black Hat Training.
- D . Awareness Training.
What advantage does the delivery of online security training material have over the distribution of printed media?
- A . Updating online material requires a single edit. Printed material needs to be distributed physically.
- B . Online training material is intrinsically more accurate than printed material.
- C . Printed material is a ‘discoverable record’ and could expose the organisation to litigation in the event of an incident.
- D . Online material is protected by international digital copyright legislation across most territories.
Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?
- A . Under the European Convention of Human Rights, the interception of telecommunications represents an interference with the right to privacy.
- B . GDPR overrides all previous legislation on information handling, so new laws were needed to ensure authorities did not inadvertently break the law.
- C . Police could previously intercept without lawful authority any communications in the course of transmission through a public post or telecoms system.
- D . Surveillance of a conversation or an online message by law enforcement agents was previously illegal due to the 1950 version of the Human Rights Convention.
Which algorithm is a current specification for the encryption of electronic data established by NIST?
- A . RSA.
- B . AES.
- C . DES.
- D . PGP.
B
Explanation:
https://www.nist.gov/publications/advanced-encryption-standard-aes
When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?
- A . Risk = Likelihood * Impact.
- B . Risk = Likelihood / Impact.
- C . Risk = Vulnerability / Threat.
- D . Risk = Threat * Likelihood.
In a security governance framework, which of the following publications would be at the HIGHEST level?
- A . Procedures.
- B . Standards
- C . Policy.
- D . Guidelines
Which term is used to describe the set of processes that analyses code to ensure defined coding practices are being followed?
- A . Quality Assurance and Control
- B . Dynamic verification.
- C . Static verification.
- D . Source code analysis.
How does network visualisation assist in managing information security?
- A . Visualisation can communicate large amounts of data in a manner that is a relatively simple way for people to analyse and interpret.
- B . Visualisation provides structured tables and lists that can be analysed using common tools such as MS Excel.
- C . Visualisation offers unstructured data that records the entirety of the data in a flat, filterable file format.
- D . Visualisation software operates in a way that is rarely and thereby it is less prone to malware infection.
What type of attack could directly affect the confidentiality of an unencrypted VoIP network?
- A . Packet Sniffing.
- B . Brute Force Attack.
- C . Ransomware.
- D . Vishing Attack
What form of attack against an employee has the MOST impact on their compliance with the organisation’s "code of conduct"?
- A . Brute Force Attack.
- B . Social Engineering.
- C . Ransomware.
- D . Denial of Service.
Which of the following uses are NOT usual ways that attackers have of leveraging botnets?
- A . Generating and distributing spam messages.
- B . Conducting DDOS attacks.
- C . Scanning for system & application vulnerabilities.
- D . Undertaking vishing attacks
What is the name of the method used to illicitly target a senior person in an organisation so as to try to coerce them into taking an unwanted action such as a misdirected high-value payment?
- A . Whaling.
- B . Spear-phishing.
- C . C-suite spamming.
- D . Trawling.
Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?
- A . TOGAF
- B . SABSA
- C . PCI DSS.
- D . OWASP.
Preventive.
- A . 1, 2 and 4.
- B . 1, 2 and 3.
- C . 1, 2 and 5.
- D . 3, 4 and 5.
Which term describes the acknowledgement and acceptance of ownership of actions, decisions, policies and deliverables?
- A . Accountability.
- B . Responsibility.
- C . Credibility.
- D . Confidentiality.
A
Explanation:
https://hr.nd.edu/assets/17442/behavior_model_4_ratings_3_.pdf
When a digital forensics investigator is conducting an investigation and handling the original data, what KEY principle must they adhere to?
- A . Ensure they are competent to be able to do so and be able to justify their actions.
- B . Ensure they are being observed by a senior investigator in all actions.
- C . Ensure they do not handle the evidence as that must be done by law enforcement officers.
- D . Ensure the data has been adjusted to meet the investigation requirements.
Which of the following is NOT a valid statement to include in an organisation’s security policy?
- A . The policy has the support of Board and the Chief Executive.
- B . The policy has been agreed and amended to suit all third party contractors.
- C . How the organisation will manage information assurance.
- D . The compliance with legal and regulatory obligations.
Which of the following is NOT considered to be a form of computer misuse?
- A . Illegal retention of personal data.
- B . Illegal interception of information.
- C . Illegal access to computer systems.
- D . Downloading of pirated software.
What Is the PRIMARY reason for organisations obtaining outsourced managed security services?
- A . Managed security services permit organisations to absolve themselves of responsibility for security.
- B . Managed security services are a de facto requirement for certification to core security standards such as ISO/IEC 27001.
- C . Managed security services provide access to specialist security tools and expertise on a shared, cost-effective basis.
- D . Managed security services are a powerful defence against litigation in the event of a security breach or incident
In terms of security culture, what needs to be carried out as an integral part of security by all members of an organisation and is an essential component to any security regime?
- A . The ‘need to know’ principle.
- B . Verification of visitor’s ID
- C . Appropriate behaviours.
- D . Access denial measures
Which term describes a vulnerability that is unknown and therefore has no mitigating control which is immediately and generally available?
- A . Advanced Persistent Threat.
- B . Trojan.
- C . Stealthware.
- D . Zero-day.
D
Explanation:
https://en.wikipedia.org/wiki/Zero-day_(computing)
Which security concept provides redundancy in the event a security control failure or the exploitation of a vulnerability?
- A . System Integrity.
- B . Sandboxing.
- C . Intrusion Prevention System.
- D . Defence in depth.
D
Explanation:
https://en.wikipedia.org/wiki/Defense_in_depth_(computing)
Data Protection & Privacy.
- A . 1, 2 and 3
- B . 3, 4 and 5
- C . 2, 3 and 4
- D . 1, 2 and 5
Which of the following controls would be the MOST relevant and effective in detecting zero-day attacks?
- A . Strong OS patch management
- B . Vulnerability assessment
- C . Signature-based intrusion detection.
- D . Anomaly based intrusion detection.
D
Explanation:
https://www.sciencedirect.com/topics/computer-science/zero-day-attack
What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?
- A . ISO/IEC 27001.
- B . Qualitative.
- C . CPNI.
- D . Quantitative
Which of the following cloud delivery models is NOT intrinsically "trusted" in terms of security by clients using the service?
- A . Public.
- B . Private.
- C . Hybrid.
- D . Community
Which of the following is MOST LIKELY to be described as a consequential loss?
- A . Reputation damage.
- B . Monetary theft.
- C . Service disruption.
- D . Processing errors.
Which of the following testing methodologies TYPICALLY involves code analysis in an offline environment without ever actually executing the code?
- A . Dynamic Testing.
- B . Static Testing.
- C . User Testing.
- D . Penetration Testing.
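The two questions above (the process that analyses code against defined coding practices, and the testing methodology that never executes the code) both describe static verification. The following is an added illustration, not part of the original question set: a small static checker that parses Python source into an AST and reports violations of three example coding rules without ever running the code. The rule names, the banned calls and the sample source are all constructed for this example.

```python
"""Static verification example: inspect Python source without executing it
and report violations of a defined coding practice.  Only ast.parse() is
used, so nothing in the analysed source ever runs."""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


# The coding practice being verified.  These rules are chosen for the example.
BANNED_CALLS = {"eval", "exec"}                       # rule "no-eval"
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}  # rule "hardcoded-secret"


class PracticeChecker(ast.NodeVisitor):
    """Walks the syntax tree and records each rule violation with its line."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # Rule 1: direct eval()/exec() calls are banned.
        if isinstance(node.func, ast.Name) and node.func.id in BANNED_CALLS:
            self.findings.append(Finding(node.lineno, "no-eval", f"call to {node.func.id}()"))
        # Rule 2: subprocess.<anything>(..., shell=True) is banned.
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(node.lineno, "no-shell",
                                                 f"subprocess.{node.func.attr}(shell=True)"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Rule 3: a string literal assigned to a secret-looking variable name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                                 f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Parse (never execute) `source` and return findings ordered by line."""
    tree = ast.parse(source)
    checker = PracticeChecker()
    checker.visit(tree)
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample program under review; it is parsed, not run.
SAMPLE = '''\
import subprocess
password = "hunter2"
def run(user_input):
    result = eval(user_input)
    subprocess.run("ls " + user_input, shell=True)
    subprocess.run(["ls", user_input])
    return result
'''

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Running it reports the hard-coded password on line 2, the `eval()` on line 4 and the `shell=True` call on line 5; the list-form `subprocess.run` on line 6 passes. Because the analysis works on the parsed tree, it finds these regardless of whether the code path would ever be reached at run time, which is exactly what dynamic testing cannot guarantee.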
When considering the disposal of confidential data, equipment and storage devices, what social engineering technique SHOULD always be taken into consideration?
- A . Spear Phishing.
- B . Shoulder Surfing.
- C . Dumpster Diving.
- D . Tailgating.
One traditional use of a SIEM appliance is to monitor for exceptions received via syslog.
What system from the following does NOT natively support syslog events?
- A . Enterprise Wireless Access Point.
- B . Windows Desktop Systems.
- C . Linux Web Server Appliances.
- D . Enterprise Stateful Firewall.
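The SIEM use case in the question above, monitoring for exceptions arriving via syslog, rests on the PRI field every syslog message starts with: `<PRI>` where PRI = facility * 8 + severity. The following is an added example, not part of the original question set, showing how a collector decodes that field and filters a feed down to error-level events. The sample feed is constructed for this example (hostnames, addresses and message text are invented); the facility and severity names follow the usual syslog tables.

```python
"""Decode the syslog PRI field and keep only exception-level events,
the first-stage filtering a SIEM applies to a syslog feed.
Handles both the traditional BSD format and the RFC 5424 format,
since both start with the same <PRI> header."""
import re
from typing import Dict, List, Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# PRI is 1 to 3 decimal digits in angle brackets at the very start of the line.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return facility/severity/body for a syslog line, or None if it has no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 facilities * 8 + 7 = 191 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY[facility],
        "severity": SEVERITY[severity],
        "severity_num": severity,
        "body": m.group(2).strip(),
    }


def exceptions(lines: List[str], max_severity: int = 3) -> List[Dict[str, object]]:
    """Keep records at severity `max_severity` or more urgent (default: err and worse).
    Lines without a valid PRI are dropped rather than guessed at."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity_num"] <= max_severity:
            out.append(rec)
    return out


# Constructed sample feed (not real captured data).
SAMPLE_FEED = [
    "<2>Oct 11 22:14:15 fw01 kernel: Out of memory: Killed process 1234 (snort)",      # kern.crit
    "<13>Oct 11 22:14:16 ap-07 hostapd: wlan0: STA aa:bb:cc:dd:ee:ff associated",     # user.notice
    "<86>Oct 11 22:14:17 web01 sshd[2201]: Accepted publickey for deploy from 192.0.2.55",  # authpriv.info
    "<83>Oct 11 22:14:18 web01 sshd[2209]: PAM: Authentication failure for root from 203.0.113.9",  # authpriv.err
    "<163>1 2023-10-11T22:14:19Z fw01 fwd - - - link down on port 3",                 # local4.err, RFC 5424 form
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for rec in exceptions(SAMPLE_FEED):
        print(f"{rec['facility']}.{rec['severity']}: {rec['body']}")
```

Of the six lines, three survive the filter (the kernel OOM kill, the PAM failure and the firewall link-down); the informational and notice events and the malformed line do not. A Windows desktop has no such emitter built in, its events live in the Windows Event Log, so to feed it into this pipeline an agent or forwarder has to translate them into syslog first.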
Which of the following types of organisation could be considered the MOST at risk from the theft of electronic based credit card data?
- A . Online retailer.
- B . Traditional market trader.
- C . Mail delivery business.
- D . Agricultural producer.
Which security framework impacts on organisations that accept credit cards, process credit card transactions, store relevant data or transmit credit card data?
- A . PCI DSS.
- B . TOGAF.
- C . ENISA NIS.
- D . Sarbanes-Oxley
A
Explanation:
https://digitalguardian.com/blog/what-pci-compliance