ECCouncil 712-50 EC-Council Certified CISO (CCISO) Exam Practice Test

Proper budget management

Leveraging existing implementations

Alignment with the business

Effective use of existing technologies

Improve discovery of valid detected events

Enhance tuning of automated tools to detect and prevent attacks

Replace existing threat detection strategies

Validate patterns of behavior related to an attack

The controls in place to secure the system

Name of the connected system

The results of a third-party audits and recommendations

Type of information used in the system

Immediately notify the board of directors of the organization as to the finding

Correct the classifications immediately based on the auditor’s knowledge of the proper classification

Document the missing classifications

Identify the owner of the asset and induce the owner to apply a proper classification

Payment Card Industry (PCI) Data Security Standard (DSS)

ISO 27002

NIST Cybersecurity Framework

The Federal Risk and Authorization Management Program (FedRAMP)

It represents the sum of all capital expenditures

It represents the percentage of earnings that could in part be used to finance future security controls

It represents the savings generated by the proper acquisition and implementation of security controls

It has a direct correlation with the CISO’s budget

ISO 22318 Supply Chain Continuity

ISO 27031 BCM Readiness

ISO 22301 BCM Requirements

ISO 22317 BIA

Standards will include regulations

Standards that aren’t followed are punishable by fines

Regulations are made enforceable by the power provided by laws

Regulations must be reviewed and approved by the business

Recovery Point Objective (RPO)

Mean Time to Delivery (MTD)

Recovery Time Objective (RTO)

Maximum Tolerable Downtime (MTD)

Real-time off-site replication

Daily incremental backup

Daily full backup

Daily differential backup

Chief Financial Officer (CFO)

Chief Software Architect (CIO)

CISO

Chief Executive Officer (CEO)

Phishing Attacks

Misconfigurations

All of these

Social engineering

Anti-phishing tools

Effective Security awareness program

Anti-malware tools

Effective Security Vulnerability Management Program

The DLP Solution was not integrated with mobile device anti-malware

Data classification was not properly performed on the assets

The sensitive data was not encrypted while at rest

A risk assessment was not performed after purchasing the DLP solution

Include a mix of members from different departments and staff levels

Review audit and compliance reports

Ensure that security policies and procedures have been vetted and approved

Be briefed about new trends and products at each meeting by a vendor

SaaS provider’s website certifications and representations (certs and reps)

SOC-2 Report

Metasploit Audit Report

Statement from SaaS provider attesting their ability to secure your data

Security controls group

Governance, risk, and compliance tools

Security Threat and vulnerability management process

Risk assessment process

Public cloud

Private cloud

Community cloud

Hybrid cloud

Patch management

Network monitoring

Ability to provide security services tailored to the business’ needs

24/7 tollfree number

Business Impact Analysis

Cost-benefit analysis

Economic impact analysis

Return on Investment

Unallocated space and masking

Website defacement and log manipulation

Disabled Logging and admin elevation

Encryption, Steganography, and Changing Metadata/Timestamps

IT Management

Internal Audit

IT Security

BOD Audit Committee

Phishing exercises

Use immutable data storage

Blocking use of wireless networks

Application of multiple endpoint anti-malware solutions

The need to change accounting periods on a regular basis.

The requirement to post entries for a closed accounting period.

The need to create and modify the chart of accounts and its allocations.

The lack of policies and procedures for the proper segregation of duties.

Comprehensive Log-Files from all servers and network devices affected during the attack

Fully trained network forensic experts to analyze all data right after the attack

Uninterrupted Chain of Custody

Expert forensics witness

Threat analysis process

Asset configuration management process

Business Impact Analysis

Disaster Recovery plan

security coding

data security system

data classification

privacy protection

Enterprise Risk Assessment

Disaster recovery strategic plan

Business continuity plan

Application mapping document

Baseline the Environment

Maintain and Monitor

Organization Vulnerability

Define Policy

Shared key

Asynchronous

Open

None

non-repudiation

conflict resolution

strong authentication

digital rights management

Cold site

Hot site

Warm site

Mobile backup site

Containment

Recovery

Identification

Eradication

It is an IPSec protocol.

It is a text-based communication protocol.

It uses TCP port 22 as the default port and operates at the application layer.

It uses UDP port 22

Trusted and untrusted networks

Type of authentication

Storage encryption

Log retention

Secure the area and shut-down the computer until investigators arrive

Secure the area and attempt to maintain power until investigators arrive

Immediately place hard drive and other components in an anti-static bag

Secure the area.

Session encryption

Removing all stored procedures

Input sanitization

Library control

Covert government networks

War driving maps

Government networks in Tora

Virtual network tunnels

The IT support team.

A forensic analysis.

Incident response

Physical security team.

Wireless Application Protocol (WAP)

Wifi Protected Access version 2 (WPA2)

Wireless Equivalence Protocol (WEP)

Extensible Authentication Protocol (EAP)

Unable to control physical access to the servers

Unable to track log on activity

Unable to run anti-virus scans

Unable to patch systems as needed

3DES

MD5

ECC

RSA

Execute

Read

Administrator

Public

Configure logging on each access point

Install a firewall software on each wireless access point.

Provide IP and MAC address

Disable SSID Broadcast and enable MAC address filtering on all wireless access points.

chain of custody.

electronic discovery.

evidence tampering.

electronic review.

Your public key

The recipient's private key

The recipient's public key

Certificate authority key

Poorly configured firewalls

Malware

Advanced Persistent Threat (APT)

An insider

An expiration date set for passwords

A Single Sign-On requirement

Time in seconds a user is allocated to change a password

The amount of time it takes for a password to activate

Message alteration

Message copying

Message theft

Unauthorized reading

Shoulder surfing

Tailgating

Social engineering

Mantrap

Network connectivity costs

New datacenter to operate from

Upgrade of mainframe

Purchase of new mobile devices to improve operations

The internal accounting department

The Chief Financial Officer (CFO)

The external financial audit service

The managers of the accounts payables and accounts receivables teams

Segmentation controls.

Shadow applications.

Deception technology.

Vulnerability management.

Security Guards posted outside the Data Center

Data Loss Prevention (DLP)

Rigorous syslog reviews

Intrusion Detection Systems (IDS)

Review time schedules

Verify budget

Verify resources

Verify constraints

Post a sign that states, “no tailgating” next to the special card reader adjacent to the secure door

Issue special cards to access secure doors at the company and provide a one-time only brief description of

use of the special card

Educate and enforce physical security policies of the company to all the employees on a regular basis

Setup a mock video camera next to the special card reader adjacent to the secure door

To understand the risk coverage that are being mitigated by the vendor

To establish a vendor selection process

To document the relationship between the company and the vendor

To define the partnership for long-term success

Easiest regulation or standard to implement

Stricter regulation or standard

Most complex standard to implement

Recommendations of your Legal Staff

Non-operating financial liabilities minus expenses

The true profit-making potential of an organization

The sum value of all assets and cash flow into the business

The economic benefit derived by operating a business

National Institute of Standards and Technology (NIST) Special Publication 800-53

Payment Card Industry Digital Security Standard (PCI DSS)

International Organization for Standardization – ISO 27001/2

British Standard 7799 (BS7799)

Obtain funding for all desired controls and then create project plans for implementation

Apply the simpler controls as quickly as possible and use a risk-based approach for the more difficult and

costly controls

Apply the least costly controls to demonstrate positive program activity

Obtain business unit buy-in through close communication and coordination

Annually

Semi-annually

Quarterly

Never

To assure that the portfolio is aligned to the needs of the broader organization

To create executive support of the portfolio

To discover new technologies and processes for implementation within the portfolio

To provide independent 3rd party reviews of security effectiveness

Board of directors

Risk assessment

Patching history

Latest virus definitions file

Tokenization combined with hashing is always better than encryption

Encryption can be mathematically reversed to provide the original information

The token contains the all original information

Tokenization can be mathematically reversed to provide the original information

Security Governance

Compliance management

Vendor management

Disaster recovery

Information security theory

Roles and responsibilities

Incident response contacts

Desktop configuration standards

International encryption restrictions

Compliance to Payment Card Industry (PCI) data security standards

Compliance with local government privacy laws

Adherence to local data breach notification laws

Security regulations

Asset classification

Information security policy

Data classification

At the time the security services are being performed and the vendor needs access to the network

Once the agreement has been signed and the security vendor states that they will need access to the network

Once the vendor is on premise and before they perform security services

Prior to signing the agreement and before any security services are being performed

Tell the team to do their best and respond to each alert

Tune the sensors to help reduce false positives so the team can react better

Request additional resources to handle the workload

Tell the team to only respond to the critical and high alerts

Allow the business units to decide which controls apply to their systems, such as the encryption of sensitive data

Create separate controls for the business units based on the types of business and functions they perform

Ensure business units are involved in the creation of controls and defining conditions under which they must be applied

Provide the business units with control mandates and schedules of audits for compliance validation

Provide developer security training

Deploy Intrusion Detection Systems

Provide security testing tools

Implement Compensating Controls

Security

Business units

Board of Directors

Audit and compliance

User awareness training for all employees

Installation of new firewalls and intrusion detection systems

Launch an internal awareness campaign

Integrate security requirements into project inception

Provide security reporting to all levels of an organization

Create effective security awareness to employees

Manage risk within the organization

Assure regulatory compliance

Develop a detailed internal organization chart

Develop a telephone call tree for emergency response

Develop an isolinear response matrix with cost benefit analysis projections

Develop a Responsible, Accountable, Consulted, Informed (RACI) chart

Risk averse

Risk tolerant

Risk conditional

Risk minimal

Upper management support

More frequent project milestone meetings

Stakeholder support

Extend work hours

Ensure security budgets enable technical acquisition and resource allocation based on internal compliance requirements

Develop a culture in which users, managers and IT professionals all make good decisions about information risk

Provide clear communication of security program support requirements and audit schedules

Create security awareness programs that include clear definition of security program goals and charters

Download open source security tools and deploy them on your production network

Download trial versions of commercially available security tools and deploy on your production network

Download open source security tools from a trusted site, test, and then deploy on production network

Download security tools from a trusted source and deploy to production network

Customer demand

Cost and time to replace

Insurability tables

Risk of exposure

Quarterly

Semi-annually

Annually

Bi-annually

When organizational resources are limited

When the benefits of outsourcing outweigh the inherent risks of outsourcing

On new, enterprise-wide security initiatives

On projects not forecasted in the yearly budget

Risk Management

Risk Assessment

System Testing

Vulnerability Assessment

The company lacks a risk management process

The company does not believe the security vulnerabilities to be real

The company has a high risk tolerance

The company lacks the tools to perform a vulnerability assessment

Risk management governance becomes easier since most risks remain low once mitigated

Resources are not wasted on risks that are already managed to an acceptable level

Risk budgets are more easily managed due to fewer identified risks as a result of using a methodology

Risk appetite can increase within the organization once the levels are understood

Distance learning/Web seminars

Formal Class

One-One Training

Self –Study (noncomputerized)

Vendor’s client list of reputable organizations currently using their solution

Vendor provided attestation of the detailed security controls from a reputable accounting firm

Vendor provided reference from an existing reputable client detailing their implementation

Vendor provided internal risk assessment and security control documentation

Grant her access, the employee has been adequately warned through the AUP.

Assist her with the request, but only after her supervisor signs off on the action.

Reset the employee’s password and give it to the supervisor.

Deny the request citing national privacy laws.

A security organization that is adequately staffed to apply required mitigation strategies and regulatory compliance solutions

A clear set of security policies and procedures that are more concept-based than controls-based

A complete inventory of Information Technology assets including infrastructure, networks, applications and data

A clearly identified executive sponsor who will champion the effort to ensure organizational buy-in

Board of directors

Third party vendors

CISO

Help Desk

Perform a vulnerability scan of the network

External penetration testing by a qualified third party

Internal Firewall ruleset reviews

Implement network intrusion prevention systems

Penetration testers

External Audit

Internal Audit

Forensic experts

Number of callers who report security issues.

Number of callers who report a lack of customer service from the call center

Number of successful social engineering attempts on the call center

Number of callers who abandon the call before speaking with a representative

Nonlinearities in physical security performance metrics

Defense in depth cost enumerated costs

System hardening and patching requirements

Anti-virus for mobile devices

Classifying an information system as part of a risk assessment

Installing an appropriate fire suppression system in the data center

Conducting an audit of the configuration management process

Establishing procurement standards for cloud vendors

placing underperforming units on notice for failing to meet standards

determining whether or not resources will be allocated to remediate a finding

adding controls to ensure that proper oversight is achieved by management

revealing the “root cause” of the process failure and mitigating for all internal and external units

At the end of the day once the employee is off site

During the monthly review cycle

Immediately so the employee account(s) can be disabled

Before an audit

The number of actionable items in the recommendations

How it exposes the risk tolerance of the company

How the recommendations directly support the goals of the company

The number of security controls the company has in use

Threat Level, Risk of Compromise, and Consequences of Compromise

Risk Avoidance, Threat Level, and Consequences of Compromise

Risk Transfer, Reputational Impact, and Consequences of Compromise

Reputational Impact, Financial Impact, and Risk of Compromise

Daily

Hourly

Weekly

Monthly

Qualitative analysis

Quantitative analysis

Risk mitigation

Estimate activity duration

Use within an organization to formulate security requirements and objectives

Implementation of business-enabling information security

Use within an organization to ensure compliance with laws and regulations

To enable organizations that adopt it to obtain certifications

Procedural control

Organization control

Technical control

Management control

Plan-Check-Do-Act

Plan-Do-Check-Act

Plan-Select-Implement-Evaluate

SCORE (Security Consensus Operational Readiness Evaluation)

Weekly

Monthly

Quarterly

Daily

Date and time of the event

Failure of the event

Originating IP-Address

Authentication type

The asset is more expensive than the remediation

The audit finding is incorrect

The asset being protected is less valuable than the remediation costs

The remediation costs are irrelevant; it must be implemented regardless of cost.

Local privacy laws

Industry best practices

Risk Management frameworks

Audit best practices

Validate that security awareness program content includes information about the potential vulnerability

Conduct a thorough risk assessment against the current implementation to determine system functions

Determine program ownership to implement compensating controls

Send a report to executive peers and business unit owners detailing your suspicions

Preventive actions

Inspection

Defect repair

Corrective actions

Nothing, this falls outside your area of influence.

Close and chain the door shut and send a company-wide memo banning the practice.

Have a risk assessment performed.

Post a guard at the door to maintain physical security

Meet regulatory compliance requirements

Better understand the threats and vulnerabilities affecting the environment

Better understand strengths and weaknesses of the program

Meet legal requirements

The IT team is not familiar in IT audit practices

This represents a bad implementation of the Least Privilege principle

This represents a conflict of interest

The IT team is not certified to perform audits

Control Objectives for IT (COBIT)

Payment Card Industry-Data Security Standard (PCI-DSS)

International Organization Standard (ISO) 27002

National Institute of Standards and Technology (NIST) SP 800-30

How vulnerabilities can potentially be exploited in systems that impact the organization

How the security operations team will behave to reported incidents

How the firewall and other security devices are configured to prevent attacks

How the incident management team prepares to handle an attack

An independent Governance, Risk and Compliance organization

Alignment of security goals with business goals

Compliance with local privacy regulations

Support from Legal and HR teams

information security metrics.

knowledge required to analyze each issue.

baseline against which metrics are evaluated.

linkage to business area objectives.

They are objective and can express risk / cost in real numbers

They are subjective and can be completed more quickly

They are objective and express risk / cost in approximates

They are subjective and can express risk /cost in real numbers

Organizational budget

Distance between physical locations

Number of employees

Complexity of organizational structure

Risk Management and Operations

Corporate Culture and Job Expectations

Operations and Regulations

Technology and Vendor Management

In promiscuous mode and only detect malicious traffic.

In-line and turn on blocking mode to stop malicious traffic.

In promiscuous mode and block malicious traffic.

In-line and turn on alert mode to stop malicious traffic.

Audit and Legal

Budget and Compliance

Human Resources and Budget

Legal and Human Resources

Chief Information Security Officer (CISO)

Security Operations Center (SO

Disaster Recovery (DR) manager

Incident Response Team (IRT)

A high threat environment

A low risk tolerance environment

I low vulnerability environment

A high risk tolerance environment

Ensure that security policies are read.

Encourage security-conscious employee behavior.

Meet legal and regulatory requirements.

Put employees on notice in case follow-up action for noncompliance is necessary

The organization uses exclusively a quantitative process to measure risk

The organization uses exclusively a qualitative process to measure risk

The organization’s risk tolerance is high

The organization’s risk tolerance is lo

Subscribe to vendor mailing list to get notification of system vulnerabilities

Deploy Intrusion Detection System (IDS) and install anti-virus on systems

Configure firewall, perimeter router and Intrusion Prevention System (IPS)

Conduct security testing, vulnerability scanning, and penetration testing

all organizational assets

critical business processes and /or revenue streams

intellectual property released into the public domain

against distributed denial of service attacks

Ensure efficient recovery and reinstate repaired systems

Create effective policies detailing program activities

Communicate details of information security incidents

Provide current employee awareness programs

Ensure all infrastructure and applications are available in the event of a disaster

Allow all technical first-responders to understand their roles in the event of a disaster

Provide step by step plans to recover business processes in the event of a disaster

Assign responsibilities to the technical teams responsible for the recovery of all data.

That all information in an organization must be protected equally.

The information required to be protected by regulatory mandate does not have to be identified in the organizations data classification policy.

That the protection of some information such as National ID information is mandated by regulation and other information such as trade secrets are protected based on business need.

There is no relationship between the two.

Contacting the Internet Service Provider for an IP scope

Getting authority to operate the system from executive management

Changing the default passwords

Conducting a final scan of the live system and mitigating all high and medium level vulnerabilities

Audit validation

Physical control testing

Compliance management

Security awareness training

Threat identification

Risk monitoring

Risk treatment

Risk tolerance

Poses a strong technical background

Understand all regulations affecting the organization

Understand the business goals of the organization

Poses a strong auditing background

Risk assessment

Security program budget

Business continuity plan

Compliance and regulatory analysis