Question 1

Which of the following is NOT a benefit of maintaining a hardware inventory?

Accepted Answer

D

Explanation: Maintaining a hardware inventory is a fundamental practice in IT asset management. Its benefits include providing a clear record of all physical assets for procurement and lifecycle planning (A), offering the necessary context for effective software license management and compatibility checks (B), and giving technical support teams quick access to device specifications to expedite troubleshooting (C). A hardware inventory is a passive documentation and tracking tool; it does not perform active security functions and cannot, by itself, eliminate the critical and ongoing need for software updates and security patching to protect against vulnerabilities.

Question 2

Which compliance framework lays out guidelines for protecting the privacy of student education records in educational institutions?

Accepted Answer

C

Explanation: The Family Educational Rights and Privacy Act (FERPA) is a United States federal law specifically designed to protect the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records, which transfer to the student when they reach the age of 18 or attend a school beyond the high school level. It governs the access to and release of these records, ensuring they are not disclosed without written consent, with some specific exceptions.

Question 3

What is the purpose of conducting assessments of IT systems in the context of information security and change management?

Accepted Answer

A

Explanation: Assessments of IT systems are a comprehensive and fundamental practice within information security and change management. Their purpose is multifaceted. From a security perspective, assessments are crucial for proactively identifying vulnerabilities and weaknesses that could be exploited (C). From a governance and compliance standpoint, they are used to verify that systems adhere to legal, regulatory, and policy requirements (D). In the context of change management, assessments are essential for evaluating the potential impact of proposed changes on system performance, stability, and availability, thereby mitigating risks associated with modifications (B). Since all these objectives are valid and integral to the assessment process, "All of the above" is the correct answer.

Question 4

Which of the following is an example of a preventive control in computer operations?

Accepted Answer

B

Explanation: A preventive control is a security measure designed to proactively stop an undesirable event or security incident from occurring. A firewall is a prime example of this, as its core function is to inspect and filter network traffic based on a set of security rules. By blocking unauthorized or malicious traffic before it can reach internal systems, the firewall actively prevents potential intrusions, malware infections, and other network-based attacks, thus fulfilling the definition of a preventive control.

Question 5

What does "data integrity" refer to in the context of security?

Accepted Answer

D

Explanation: Data integrity is a fundamental component of the information security model known as the CIA triad (Confidentiality, Integrity, Availability). It refers to the assurance that data is accurate, complete, and has not been altered or corrupted in an unauthorized manner. This principle ensures the trustworthiness and reliability of data throughout its entire lifecycle, protecting it from intentional or accidental modification. Mechanisms like hashing algorithms (e.g., SHA-256) and digital signatures are commonly used to verify data integrity.

Question 6

Which of the following is a characteristic of a denial-of-service (DoS) attack?

Accepted Answer

C

Explanation: A denial-of-service (DoS) attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users. The defining characteristic of a DoS attack is the disruption of services. This is most commonly accomplished by flooding the targeted host or network with superfluous requests in an attempt to overload the system's resources, such as CPU, memory, or network bandwidth. When the system is overwhelmed, it cannot process legitimate requests, effectively denying service to legitimate users.

Question 7

Which of the following is an example of a source of evidence (artifact) in a cybersecurity investigation?

Accepted Answer

A

Explanation: An artifact, in the context of a cybersecurity investigation, is a piece of data that provides evidence of an activity. Firewall logs are a primary example of such an artifact. They contain time-stamped records of network connections that have been permitted or denied, including source/destination IP addresses, ports, and protocols. This information is fundamental for digital forensic investigators to reconstruct the timeline of an incident, trace the path of an attacker, and identify compromised systems. These logs are a direct record of network events, making them a critical source of evidence.

Question 8

Which of the following strategies is recommended for managing communication proactively after an event?

Accepted Answer

B

Explanation: Proactive communication management after a security event requires accurate, timely, and credible information. Conducting a forensic analysis is the systematic process of investigating the incident to determine its scope, impact, and root cause. The factual findings from this analysis are the essential foundation for all subsequent communications. This data allows an organization to inform affected parties, regulators, and law enforcement with precision, thereby controlling the narrative, managing liability, and maintaining trust, rather than reacting to speculation.

Question 9

Which of the following control types is focused on identifying vulnerabilities and weaknesses in systems and addressing them?

Accepted Answer

D

Explanation: Corrective controls are implemented to remediate issues after a vulnerability or incident has been identified. Their primary focus is on "addressing" the weakness to restore the system to a secure state. This includes actions such as applying software patches, reconfiguring security settings, or restoring data from backups. While detective controls are responsible for the "identifying" phase, corrective controls are specifically designed for the subsequent action of fixing the identified problem.

Question 10

Which of the following is NOT a component of an incident response policy?

Accepted Answer

D

Explanation: An incident response policy is a high-level document that establishes the organization's framework, authority, and intent for managing security incidents. It typically includes the mission, scope, roles and responsibilities (C), communication plans, and escalation procedures (A). It also mandates the creation and maintenance of detailed incident handling procedures (B). However, detailed backup and recovery processes (D), while essential for the recovery phase of incident handling, are not a direct component of the incident response policy itself. These technical procedures are typically documented in a separate, more detailed Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP), which the incident response plan may reference and activate.

Question 11

Which of the following best defines "Techniques, Tactics, and Procedures (TTP)" in the context of cybersecurity investigations?

Accepted Answer

B

Explanation: Tactics, Techniques, and Procedures (TTPs) describe the modus operandi of a threat actor. Tactics represent the high-level strategic goals of the adversary (e.g., Initial Access, Exfiltration). Techniques are the specific methods used to achieve a tactic (e.g., Phishing, Drive-by Compromise). Procedures are the detailed, step-by-step implementations of a technique, including the specific tools and commands used. Collectively, TTPs characterize an adversary's behavior, allowing security analysts to detect, attribute, and defend against their actions. This "pattern of behavior" is the most accurate and comprehensive definition among the choices.

Question 12

Which technology is commonly used to monitor network data and identify security incidents?

Accepted Answer

A

Explanation: A Security Information and Event Management (SIEM) system is the central technology used in modern security operations to identify security incidents. It functions by collecting, aggregating, normalizing, and correlating log and event data from a wide array of sources across the network, including firewalls, servers, endpoints, and Intrusion Detection Systems (IDS). By analyzing this consolidated data in real-time, a SIEM can identify complex attack patterns, policy violations, and security threats that would be invisible to any single security tool, making it the primary platform for comprehensive incident identification.

Question 13

Vulnerability refers to:

Accepted Answer

D

Explanation: While technically incorrect, this option is the most plausible choice from a flawed set. The correct definition of a vulnerability is a weakness or flaw in a system's design, implementation, or controls that a threat can exploit. Option D describes an "exploit" or an "attack," which is the action taken against a vulnerability. In the absence of the correct definition, this is the most closely associated concept, as a vulnerability is defined by its potential for exploitation.

Question 14

Which of the following helps to ensure the confidentiality of data in computer operations?

Accepted Answer

B

Explanation: Confidentiality ensures that data is not disclosed to unauthorized individuals, entities, or processes. Access Control Lists (ACLs) are a primary mechanism for enforcing this principle. An ACL is a set of rules applied to a resource (like a file, folder, or network connection) that specifies which subjects (users or systems) are permitted to access it and what operations they are allowed to perform. By explicitly defining and restricting access, ACLs directly prevent unauthorized viewing or retrieval of data, thereby ensuring its confidentiality. They are a fundamental preventative security control.

Question 15

Which of the following is an important step during the containment phase of incident handling?

Accepted Answer

C

Explanation: The containment phase of incident handling focuses on limiting the extent of an incident and preventing further damage. Implementing temporary workarounds, such as isolating affected systems from the network, blocking traffic from malicious IP addresses, or disabling compromised services, are core containment strategies. These actions are designed to stop the immediate threat and mitigate the impact, providing the response team with time to perform a more thorough analysis and plan for eradication and recovery. The primary goal is to stop the bleeding before a permanent fix is implemented.

Free Cisco 100-160 Actual Exam Questions