318 Appendix ■ Answers
Chapter 1: Security and Risk Management (Domain 1)
- D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement the proposed countermeasure(s).
- The wireless attack terms match with their descriptions as follows:
  - Rogue access point: B. An access point intended to attract new connections by using an apparently legitimate SSID.
  - Replay: C. An attack that retransmits captured communication to attempt to gain access to a targeted system.
  - Evil twin: A. An attack that relies on an access point to spoof a legitimate access point's SSID and MAC address.
  - War driving: D. The process of using detection tools to find wireless networks.
- C. The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.
- C. The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.
- D. The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.
- A. Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.
- C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.
- D. A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.