WEDNESDAY: 3 August 2022. Afternoon paper. Time Allowed: 2 hours.
Answer ALL questions. Each question is allocated two (2) marks.
1. One of the following is NOT a cybersecurity framework function area. Which one?
D. Respond (2 marks)
2. Below are some of the abilities that the cyber security framework provides to its stakeholders, EXCEPT?
A. Understand and use the Framework to assess and improve their cyber resiliency.
B. Implement their previous IT policies.
C. Identify gaps in their existing cybersecurity risk management programs.
D. Identify current, sector-specific tools and resources that map to the Framework. (2 marks)
3. The Government of Kenya has hired highly skilled hackers for providing cyber security for the country during the electioneering period. These types of hackers are referred to as _________________
A. State sponsored hackers
B. CIA triad
C. Special Hackers
D. Government Hackers (2 marks)
4. The hacking approach where cyber-criminals design fake websites and web pages for tricking or gaining additional traffic is called?
D. Spamming (2 marks)
5. Which of the following ethical hacking techniques is used for determining which operating system (OS) is running on a remote computer?
A. Operating System fingerprinting
B. Operating System penetration testing
D. Machine printing (2 marks)
6. Which of the following types of access control seeks to discover evidence of unwanted, unauthorised, or illicit behavior or activity?
D. Corrective (2 marks)
7. Which of the following attacks is a denial-of-service (DoS) attack?
A. Pretending to be a technical manager over the phone and asking a receptionist to change their password
B. While surfing the web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU
C. Intercepting network traffic by copying the packets as they pass through a specific subnet
D. Sending message packets to a recipient who did not request them, simply to be annoying (2 marks)
8. Triton security personnel understand that security is established by understanding the assets of an organization that need protection and understanding the threats that could cause harm to those assets. In addition, controls are selected that provide protection for the CIA Triad of the assets at risk. What are the elements of the CIA Triad?
A. Contiguousness, interoperable, arranged
B. Authentication, authorization, accountability
C. Capable, available, integral
D. Availability, confidentiality, integrity (2 marks)
9. The General Data Protection Regulation (GDPR) has defined several roles in relation to the protection and management of personally identifiable information (PII). Which of the following statements is TRUE?
A. A data processor is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organisation.
B. A data custodian is the entity that performs operations on data.
C. A data controller is the entity that makes decisions about the data they are collecting.
D. A data owner is the entity assigned or delegated the day-to-day responsibility of proper storage and transport as well as protecting data, assets, and other organisational objects. (2 marks)
10. Kabaka Incorporation's systems administrator is setting up a new data management system. It will be gathering data from numerous locations across the network, even from remote offsite locations. The data will be moved to a centralized facility, where it will be stored on a massive RAID array. The data will be encrypted on the storage system using AES-256, and most files will be signed as well. The location of this data warehouse is secured so that only authorized personnel can enter the room and all digital access is limited to a set of security administrators.
Which of the following describes the data?
A. The data is encrypted in transit.
B. The data is encrypted in processing.
C. The data is redundantly stored.
D. The data is encrypted at rest. (2 marks)
11. The _____________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization.
A. Data owner
B. Data controller
C. Data processor
D. Data custodian (2 marks)
12. A recently acquired piece of equipment is not working properly. Stella Kenya Ltd does not have a trained repair technician staff, so they have to bring in an outside expert. What type of account should be issued to a trusted third-party repair technician?
A. Guest account
B. Privileged account
C. Service account
D. User account (2 marks)
13. Security should be designed and integrated into the organization as a means to support and maintain the business objectives. However, the only way to know if the implemented security is sufficient is to test it. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls?
A. Logging usage data
B. War dialling
C. Penetration testing
D. Deploying secured desktop workstations (2 marks)
14. Otieno has been tasked with overseeing the security improvement project for Triple M ltd. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. Otieno decides to focus on the largest concern as mentioned by the CEO. Which of the following is considered the weakest link?
A. Software products
B. Internet connections
C. Security policies
D. Humans (2 marks)
15. After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CEO decides this was the last chance and the worker is to be fired. The CEO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee?
A. Return the exiting employee’s personal belongings
B. Review the nondisclosure agreement
C. Evaluate the exiting employee’s performance
D. Cancel the exiting employee’s parking permit (2 marks)
16. Match the term to its definition:
I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure
II. Anything used in a business process or task
III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited
IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result
V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset
A. 1-II, 2-V, 3-I, 4-III, 5-IV
B. 1-I, 2-II, 3-IV, 4-II, 5-V
C. 1-II, 2-V, 3-I, 4-IV, 5-III
D. 1-IV, 2-V, 3-III, 4-II, 5-I (2 marks)
17. Katuku is assessing his organization’s obligations under data breach notification laws. Which one of the following pieces of information would generally not be covered by a data breach notification law when it appears in conjunction with a person’s name?
A. Social Security number
B. Driver’s license number
C. Credit card number
D. Student identification number (2 marks)
18. One of the following is the BEST protection against the loss of confidentiality for sensitive data and information?
A. Data labels
B. Data classifications
C. Data handling
D. Data degaussing methods (2 marks)
19. Administrators regularly back up data on all the servers within SysLogic organization. They annotate an archive copy with the server it came from and the date it was created, and transfer it to an unstaffed storage warehouse. Later, they discover that someone leaked sensitive emails sent between executives on the internet. Security personnel discovered some archive drives are missing, and these drives probably included the leaked emails. Of the following choices, what would have prevented this loss without sacrificing security?
A. Mark the media kept off site
B. Don’t store data off site
C. Destroy the backups off site
D. Use a secure off-site storage facility (2 marks)
20. You are updating Emacs systems' data policy, and you want to identify the responsibilities of various roles. Which one of the following data roles is responsible for classifying data?
D. User (2 marks)
21. Stephen is performing an annual review of Accra Systems ltd's data policy, and he has come across some confusing statements related to security labelling. Which of the following could you insert to describe security labelling accurately?
A. Security labelling is only required on digital media.
B. Security labelling identifies the classification of data.
C. Security labelling is only required for hardware assets.
D. Security labelling is never used for nonsensitive data. (2 marks)
22. System Administrators of ABC Ltd regularly back up all the email servers within the company, and they routinely purge on-site emails older than six months to comply with the organization’s security policy. They keep a copy of the backups on site and send a copy to one of the company warehouses for long-term storage. Later, they discover that someone leaked sensitive emails sent between executives over three years ago. Of the following, what policy was ignored and allowed this data breach?
A. Media destruction
B. Record retention
C. Configuration management
D. Versioning (2 marks)
23. The management of Zacharia Institute is concerned that users may be inadvertently transmitting sensitive data outside the organization. They want to implement a method to detect and prevent this from happening. Which of the following can detect outgoing, sensitive data based on specific data patterns and is the best choice to meet these requirements?
A. Antimalware software
B. Data loss prevention systems
C. Security information and event management systems
D. Intrusion prevention systems (2 marks)
24. Evan recently received an email message from Carol. What cryptographic goal would need to be met to convince Evan that Carol was actually the sender of the message?
D. Integrity (2 marks)
25. One of the following statements BEST defines a security model. Which one?
A. A security model states policies an organization must follow.
B. A security model provides a framework to implement a security policy.
C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards.
D. A security model is used to host one or more operating systems within the memory of a single host computer or to run applications that are not compatible with the host OS. (2 marks)
26. As an application designer for ABC bank, you need to implement various security mechanisms to protect the data that will be accessed and processed by your software. What would be the purpose of implementing a constrained or restricted interface?
A. To limit the actions of authorized and unauthorized users
B. To enforce identity verification
C. To track user events and check for violations
D. To swap datasets between primary and secondary memory (2 marks)
27. While designing the security for Kalweo ltd, you realize the importance of not only balancing the objectives of the organization against security goals but also focusing on the shared responsibility of security. Which of the following is NOT considered an element of shared responsibility?
A. Everyone in an organization has some level of security responsibility.
B. Always consider the threat to both tangible and intangible assets.
C. Organizations are responsible to their stakeholders for making good security decisions in order to sustain the organization.
D. When working with third parties, especially with cloud providers, each entity needs to understand their portion of the shared responsibility of performing work operations and maintaining security. (2 marks)
28. You have been tasked with designing and implementing a new security policy for John enterprises to address the new threats introduced by the recently installed embedded systems. Of the following, which one is NOT a security risk commonly found in a standard PC?
A. Software flaws
B. Access to the internet
C. Control of a mechanism in the physical world
D. Power loss (2 marks)
29. Ruby is working on improving the organization’s policy on mobile equipment. Because of several recent and embarrassing breaches, the company wants to increase security through technology as well as user behavior and activities. What is the most effective means of reducing the risk of losing the data on a mobile device, such as a laptop computer?
A. Defining a strong logon password
B. Minimizing sensitive data stored on the mobile device
C. Using a cable lock
D. Encrypting the hard drive (2 marks)
30. What method is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements when evaluating the security of a facility or designing a new facility?
A. Log file audit
B. Critical path analysis
C. Risk analysis
D. Taking inventory (2 marks)
31. Which of the following is a FALSE statement in regard to security cameras?
A. Cameras should be positioned to watch exit and entry points allowing any change in authorization or access level.
B. Some camera systems include a system on a chip (SoC) or embedded components and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, object detection, or infrared or color-filtered recording.
C. Cameras should be positioned to have clear sight lines of all exterior walls, entrance and exit points, and interior hallways.
D. Security cameras should only be overt and obvious in order to provide a deterrent benefit. (2 marks)
32. A recent security policy update for Nairobi XYZ Ltd. has restricted the use of portable storage devices when they are brought in from outside. As compensation, a media storage management process has been implemented. Which of the following is NOT a typical security measure implemented in relation to a media storage facility containing reusable removable media?
A. Employing a media librarian or custodian
B. Using a check-in/check-out process
D. Using sanitization tools on returned media (2 marks)
33. Which of the following is FALSE regarding appliance firewalls?
A. They are able to log traffic information.
B. They are able to block new phishing scams.
C. They are able to issue alarms based on suspected attacks.
D. They are unable to prevent internal attacks. (2 marks)
34. In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against fraud and abuse?
A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations (2 marks)
35. Oketch has been tasked with crafting the organization’s email retention policy. Which of the following is typically NOT an element that must be discussed with end users in regard to email retention policies?
B. Auditor review
C. Length of retainer
D. Backup method (2 marks)
36. Which of the following BEST expresses the primary goal when controlling access to assets?
A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated. (2 marks)
37. According to National Institute of Standards and Technology (NIST), when should regular users be required to change their passwords?
A. Every 30 days
B. Every 60 days
C. Every 90 days
D. Only if the current password is compromised (2 marks)
38. Gabby has a user account and has previously logged on using a biometric system. Today, the biometric system didn’t recognize her, so she wasn’t able to log on. This is referred to as?
A. False rejection
B. False acceptance
C. Crossover error
D. Equal error (2 marks)
39. Which of the following provides authentication based on a physical characteristic of a subject?
A. Account ID
D. PIN (2 marks)
40. XTZ Ltd. security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy?
A. To remove the account
B. To remove privileges assigned to the account
C. To prevent sabotage
D. To encrypt user data (2 marks)
41. Ann is taking maternity leave and will be away from the job for at least 12 weeks. Which of the following actions should be taken while she is taking this leave of absence?
A. Delete the account.
B. Reset the account’s password.
C. Do nothing.
D. Disable the account (2 marks)
42. Which of the following access control models allows the owner of data to modify permissions?
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Rule-based access control
D. Risk-based access control (2 marks)
43. Peter, a security officer of Lion Holdings, is reviewing different access control models. Which of the following BEST describes a rule-based access control model?
A. It uses local rules applied to users individually
B. It uses global rules applied to users individually
C. It uses local rules applied to all users equally
D. It uses global rules applied to all users equally (2 marks)
44. Which one of the following is NOT normally included in a security assessment?
A. Vulnerability scan
B. Risk assessment
C. Mitigation of vulnerabilities
D. Threat assessment (2 marks)
45. What information security management task ensures that the organization’s data protection requirements are met effectively?
A. Account management
B. Backup verification
C. Log review
D. Key performance indicators (2 marks)
46. Which security principle involves the knowledge and possession of sensitive material as an aspect of one’s occupation?
A. Principle of least privilege
B. Separation of duties
C. Need to know
D. As-needed basis (2 marks)
47. An administrator of ABC Ltd is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization?
C. Full access
D. No access (2 marks)
48. You want to apply the least privilege principle when creating new accounts in the software development department in Ouru holdings. Which of the following should you do?
A. Create each account with only the rights and permissions needed by the employee to perform their job.
B. Give each account full rights and permissions to the servers in the software development department.
C. Create each account with no rights and permissions.
D. Add the accounts to the local Administrators group on the new employee’s computer. (2 marks)
49. Which of the following is one of the primary reasons an organization enforces a mandatory leave policy?
A. To rotate job responsibilities
B. To detect fraud
C. To increase employee productivity
D. To reduce employee stress levels (2 marks)
50. Which one of the following processes is most likely to list all security risks within a system?
A. Configuration management
B. Patch management
C. Hardware inventory
D. Vulnerability scan (2 marks)