Domain 7 CISSP Exam: Security Operations

Explanation: Need-to-know is about controlling access to specific information while least privilege is about giving users the minimum access required to perform their job function. Both concepts are foundational to access management, but they have different focuses. Need-to-know is more about compartmentalization while least privilege is about minimizing access. Compartmentalization is important when there are multiple users with different need-to-know requirements using the same system. Thus, need-to-know and least privilege are different concepts with different uses, but they are both important access control concepts for SecOps.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 645 in PDF)

Explanation: The primary benefit of job rotation for an organization from a CISSP perspective is providing more resilience to the organization. Job rotation supports business continuity (BC), disaster recovery (DR), and resilience capabilities as it ensures that multiple employees have knowledge of a particular job and can fill in for those job duties when required. If one person is on vacation or unavailable, others can fill in for those job duties. This availability aspect is a reason a CISSP should consider implementing job rotation within an organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 650 in PDF)

Explanation: The one voice principle is essential to crisis communications and dictates that the organization should have a unified voice when communicating, especially with outside stakeholders like press or the public. Multiple accounts from different personnel, even if given with the best of intentions, can be confusing or possibly dangerous.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 697 in PDF)

Explanation: A parallel test in disaster recovery involves testing the primary system alongside the alternate system to ensure the alternate system is capable of handling a realistic operational load. This is done in order to reduce the impact on primary systems and find issues that other testing might miss, such as incorrectly configured alternate sites or incomplete data backups.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 705 in PDF)

Explanation: During digital evidence collection, a bitlevel copy is preferred as it makes an exact duplicate of not only the directories and files on a device but also any deleted files, data remnants, and slack space. This type of copy provides more complete evidence, although it takes longer and uses more space than a logical backup that only copies directories and files.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 604 in PDF)

Explanation: Vulnerability scanning is usually an automated activity designed to detect known vulnerabilities like insecure configurations or unpatched software and is often a key detective control to identify patch management failures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 681 in PDF)

Explanation: The main difference between an interview and an interrogation is that interviewees typically have the legal right to refuse or terminate an interview, while suspects must comply with an interrogation. Interrogations are also typically carried out by law enforcement professionals and are conducted against an individual suspected of a crime, whereas interviews are used to gather information from witnesses or those with knowledge of an incident.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 610 in PDF)

Explanation: The /tmp folder on Linux systems can be a vital source of volatile data, as most Linux systems will delete the data in this directory upon reboot. It is an example of a source of artifacts that could be useful to a forensic investigator on a Linux system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 619 in PDF)

Explanation: The text does not mention that increased network bandwidth is a required additional control during the access management lifecycle of privileged accounts. The other options are all mentioned as controls in the text.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 648 in PDF)

Explanation: According to the text, the goal of recovery is a resumption of critical business functions, often at a reduced capacity, while the goal of restoration is the return to normal service levels at the primary site. Therefore, C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 699 in PDF)

Explanation: Emergency changes are made as needed to deal with the incident or emergency, and all details are documented for later review. The process of responding to the incident should not be hindered by the need to convene a change management meeting and get approval, or perform copious testing to rule out potential negative impacts of an emergency patch. In these scenarios, change management reviews may be performed retroactively— the change is made as needed to deal with the incident or emergency, and all details are documented for later review.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 684 in PDF)

Explanation: Cryptoshredding or cryptographic erasure is the process of securely destroying the key needed for decryption on a disk containing FDE. This ensures the confidentiality of the data on the disk is preserved. It is an alternative to physical destruction for SSDs and cloud storage solutions where the organization has no physical control over storage media.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 656 in PDF)

Explanation: RAID 0 is a striped array with no fault tolerance, but provides increased read/write performance by breaking incoming data into smaller pieces that are written across multiple drives.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 688 in PDF)

Explanation: The purpose of a formal change approval process in configuration management is to ensure that unwanted configuration changes are not made. Making changes to CI configurations can alter the security posture of a system, so assets under configuration management must go through formal change approval processes to control unwanted configuration changes. Configuration items under management must be maintained in a known good or secure state, and any changes from the secure baseline require the use of a formal change request and approval process. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 638 in PDF)

Explanation: The text states that the types and number of controls implemented must be balanced against the value of the asset and associated costs to implement. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 669 in PDF)

Explanation: CIS Benchmarks are published by CIS and usually less restrictive than DISA STIGs. They provide free security benchmark documents covering a wide variety of devices including cloud and server operating systems from Amazon, Microsoft, Apache, and Oracle just to name a few.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 643 in PDF)

Explanation: The purpose of a disaster assessment is to determine the total impact of the disaster or incident. This includes the total financial cost to the organization, including costs to recover and any lost business or productivity, as well as information on how to improve disaster and continuity operations in the future.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 698 in PDF)

Explanation: Recovery Time Objective (RTO) is the amount of time after an incident or disaster that passes before the system or process is recovered using contingency procedures (not full restoration to normal).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 685 in PDF)

Explanation: A bitlevel copy is the preferred method for collecting digital evidence, as it provides an exact duplicate of not only the directories and files on a device, but also any deleted files, data remnants, and slack space. This type of copy takes longer and uses more space than a logical backup that only copies directories and files, but it provides more complete evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 605 in PDF)

Explanation: The primary goal of incident management is to restore the organizations normal operations as quickly as possible and to minimize impacts like lost productivity or revenue.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 657 in PDF)

Explanation: Media should be classified in accordance with the organizations classification policy, and the identified classification level should be used to select appropriate controls for media management. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 653 in PDF)

Explanation: Protecting media involves applying the security controls indicated by the datas classification. Processes and procedures to apply the necessary controls must be documented, users must be trained, and the controls must be implemented. This is a key consideration in protecting media.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 654 in PDF)

Explanation: CIS Benchmarks are based on global best practices and provide free security benchmark documents covering a variety of desktop and mobile devices, networking devices, and cloud and server operating systems from a wide range of vendors. As compared to DISA STIGs, they are usually less restrictive.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 643 in PDF)

Explanation: An Incident Response plan must identify any key third-party vendors or external service providers like digital forensics and incident response providers, cyber insurance carriers, legal or communication experts, and data breach specialists that may need to be involved with an incident response. The IR plan must also contain contact information for these third parties to ensure the organization can engage any services needed during an incident. Third parties whose services need to be utilized in emergencies should be included in the IR plan. Each providers contact information should be documented for easy reference, as well as the circumstances that require the provider to be involved. Roles and responsibilities of the third party should also be documented, so it is clear to the team which tasks must be performed internally and which tasks will be handled by the third party.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 660 in PDF)

Explanation: Video and audio recording tools are primarily used in digital forensics work to document evidence of a crime or incident, as well as to support the integrity of any evidence by documenting the investigation teams activities. This allows the analyst to easily review the steps taken during forensic analysis without relying on written notes or memory.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 612 in PDF)

Explanation: Hashing data written to removable media during transit is done to ensure that data was not altered during transit. When the data reaches the destination, the datas current hash can be compared to the original hash to ensure that the data has not been tampered with. This is an important control for securing media in transit.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 655 in PDF)

Explanation: Threat intelligence is a proactive activity that allows security practitioners to identify threats and threat actors targeting their organization. In contrast, patch management is a reactive activity aimed at identifying and addressing vulnerabilities, while vulnerability scanning focuses on the identification of vulnerabilities within a system. Risk management requires a holistic understanding of risk, comprising vulnerabilities that can be exploited by threats.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 633 in PDF)

Explanation: The purpose of egress monitoring is to monitor and restrict data and storage devices leaving controlled environments. This is accomplished through data loss or data leakage prevention (DLP) tools that can recognize sensitive information and restrict the actions of the user based on the sensitivity of the data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 629 in PDF)

Explanation: NetFlow analysis provides a picture of the IP traffic flow and volume across a network device, typically a switch. It can be used to identify details of the communication such as ports, protocols, and addresses being used for communication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 620 in PDF)

Explanation: Vulnerability scanning is only able to detect known vulnerabilities for which a signature has been created. On the other hand, red teaming involves targeted testing for vulnerabilities and can find previously unknown vulnerabilities that are not detected by vulnerability scanning tools. This is a key difference between the two approaches.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 682 in PDF)

Explanation: Stateful firewalls offer the ability for the firewall to understand context regarding communication. They can remember previously authorized communications, making it easier to identify authorized traffic while blocking unauthorized traffic based on its state. This allows them to provide more intelligence and flexibility, though they have higher processing overhead and cost.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 671 in PDF)

Explanation: Data centers require special construction of walls designed to block electromagnetic fields (EMF), known as a Faraday cage, to protect the sensitive information stored in them. This is a unique security consideration specific to data centers.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 715 in PDF)

Explanation: Although reporting is a single IR phase, the text mentions that reporting is done continuously throughout the IR process, as various stakeholders will require information updates throughout the process, both for situational awareness and to provide resources needed for the IR team to carry out its duties. While there are formal reporting requirements, this does not negate the need for continuous reporting throughout the process.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 664 in PDF)

Explanation: Physical access controls should be implemented to segregate areas in the facility based on user authorization, with physical devices like badge readers or locks controlling access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 714 in PDF)

Explanation: NIST SP 800-92 recommends writing log files to high integrity storage media like write once, read many (WORM) disks and segregating log files on systems with different access permissions to ensure integrity. Forwarding log files to a SIEM tool where system administrators have no access is also recommended to avoid tampering and ensure an intact chain of custody. This helps protect log data, particularly those that need to be relied upon in forensics.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 632 in PDF)

Explanation: Threat intel vendors create data feeds of relevant information by performing threat hunting and research and that provide the data in an easily consumable feed. These feeds can be integrated with SIEM and SOAR tools.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 634 in PDF)

Explanation: Using code words or phrases with coworkers can allow for detection of duress without increasing the danger faced by the individual. Subtle means of indicating duress, such as entering a special code on an electronic lock or using a code word or phrase with a co-worker, are effective controls to detect duress.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 719 in PDF)

Explanation: The text states that vulnerability scanning is usually automated and detects known vulnerabilities, while red teaming involves human testers who try to find previously unknown vulnerabilities and evade the organizations defenses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 681 in PDF)

Explanation: Recovery point objective (RPO) is the amount of data loss tolerable when a disaster occurs, usually expressed as a number of transactions or data points. It is one of the key metrics for measuring recovery. The BIA is a process for identifying critical assets and capabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 685 in PDF)

Explanation: Coordination with responders, stakeholders and communication experts is an essential element that security practitioners need to ensure to plan for, communicate and convey important security control requirements in emergency management procedures

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 718 in PDF)

Explanation: Just-in-time privileged access management allows users to gain temporary access to privileged credentials for a limited time and by following auditable procedures. It is a way to reduce the time of having an account with elevated privileges, so it is more controlled and monitored. This is a process that requires the identification of users that require privileged access, following additional request and review procedures. The credentials used to grant access to that privileged account should be time-bound and automatically expire. This makes it more difficult for attackers to misuse these accounts, and it is auditable to track the activities of privileged accounts that were granted access during a specific time frame.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 649 in PDF)

Explanation: The key metrics used to measure recovery capability are Recovery time objective (RTO), Recovery point objective (RPO), and Maximum tolerable or allowable downtime (MTD or MAD). None of the given statements mentions Maximum acceptable loss (MAL), hence option D is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 685 in PDF)

Explanation: An IDS is a passive device that analyzes traffic or activity and generates an alert when activity is detected that matches a known malicious pattern, deviates from normal or expected system operations or both. On the other hand, an IPS can not only detect but can also automatically take preventative action in response.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 672 in PDF)

Explanation: Web application firewall (WAF) and API gateway are a highly specialized form of network access control devices designed to handle specific types of traffic, unlike a generic firewall that handles all network traffic. WAFs and API gateways analyze traffic destined specifically for a web application or an applications API and can be useful for mitigating complex attacks such as SQL injection.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 671 in PDF)

Explanation: The defining feature of internal security controls is the extent of control the organization can exert over areas that are under direct control of the organization. Most facilities will need to be designed with human life and safety in mind. Therefore, internal security controls are designed to specifically safeguard physical facilities such as buildings, data centers, and other on-premise assets.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 714 in PDF)

Explanation: The main difference between network-based and host-based systems for intrusion detection and prevention is the deployment location. Network-based systems are often dedicated appliances that scan all network traffic to look for signs of attack and should be placed in crucial chokepoints of a network, while host-based systems are designed to be deployed on a specific network endpoint like a server or a workstation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 622 in PDF)

Explanation: The text states that Read-through and tabletop are the least expensive method of testing, both in terms of time and cost, as well as the potential for disrupting normal operations. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 704 in PDF)

Explanation: Immutable infrastructure is torn down each time a system is deployed and then rebuilt using IaC definition files. Changes to the infrastructure require this teardown and rebuild process, which is automated and less error-prone and labor-intensive than legacy system-by-system upgrades.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 644 in PDF)

Explanation: According to the text, a bitlevel copy is preferred when collecting digital evidence to make an exact duplicate of directories, files, and any deleted files, data remnants, and slack space, providing more complete evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 605 in PDF)

Explanation: When monitoring public areas, it is important to ensure there is clear visibility and adequate lighting. This allows security personnel to observe any suspicious activities and helps deter criminal behavior. It is also important to use cameras capable of covering large areas like wide angle or pan-tilt-zoom cameras to maximize the coverage area. Since public areas are open to everyone, there are usually no restrictions on the use of monitoring tools in public areas. Restricting the use of monitoring tools in public areas would be counterproductive to security efforts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 711 in PDF)

Explanation: SIEM tools offer a number of key services related to centralizing, normalizing, correlating, and analyzing log data, which can lead to actionable intelligence that can be used to address potential security incidents or other IT problems. Centralizing log files is especially important in large IT environments where individual systems can generate hundreds or thousands of log entries per day. Normalization helps ensure that data from different systems can be correlated and analyzed, while correlation makes it possible to detect potentially suspicious activity. Finally, generating alerts can help free up human resources to focus on more critical thinking and analysis tasks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 624 in PDF)

Explanation: Allow list/deny list can be used in network security, as well as within other tools such as operating systems, app stores, and email clients. Using allow/deny lists for explicitly approved/denied apps, blocking traffic from certain countries, and filtering traffic from malicious domains or email servers are all examples of how allow list/deny list can be implemented in network security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 673 in PDF)

Explanation: According to the text, one of the benefits of AI and ML in security tools is faster detection of and response to incidents, as no time is needed for them to sleep or take vacations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 678 in PDF)

Explanation: Data recovery tools assist investigators in recovering files and information that have been deleted or overwritten but not actually deleted. Deleted file contents remain on the disk, and these tools help in reading the information on each sector of the drive to recover deleted files or information. Depending on the type of media, it may even be possible to use highly specialized physical equipment to reconstruct data after a disk has been overwritten.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 612 in PDF)

Explanation: Security practitioners can guide the process of identifying changes that need to be reflected in the BC or DR plans. For example, changes to staff, processes, or lessons learned from prior incidents or contingencies may require plan updates. Once the updates are completed, the integrity and availability of the plan document must be considered. A new copy of the plan should be made available to all relevant stakeholders, including offline copies in case the information systems are not accessible. Old copies must also be recovered and destroyed to ensure no outdated or incorrect information is utilized during an actual emergency.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 708 in PDF)

Explanation: One of the best practices for collecting digital evidence is to prevent unwanted changes by using copies of data, which can be discarded without losing evidence if an unwanted change is made, and using hardware or software to prevent changes to data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 605 in PDF)

Explanation: Apples iOS is an example of a software-enforced sandbox, which sandboxes apps to restrict the data and functions they can access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 675 in PDF)

Explanation: Operational threat hunting activities are focused on understanding the TTPs of attackers. This involves identifying the methods used by attackers to gain access to systems so that organizations can better protect their assets against future attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 634 in PDF)

Explanation: The 3-2-1 backup strategy recommends that at least three copies of data should be kept: two copies stored locally or onsite, including the main copy of the data, and one copy stored offsite. This way, simple data issues or hardware failures can be easily solved with the local backup, and more drastic issues like the destruction of a facility can be addressed by restoring from the offsite backup. This strategy ensures that data is protected and recoverable in case of any unforeseen disasters.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 686 in PDF)

Explanation: The purpose of conducting a postmortem or after-action report after a disaster has been resolved is to identify opportunities for improvement and drive changes to the BCDR process. This process is not designed to place blame or point fingers at individuals but rather to improve the BCDR planning and processes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 701 in PDF)

Explanation: Log analysis tools like SIEM tools are often useful to investigators as a way to reconstruct the series of events that led up to an incident. These tools can be used to correlate and analyze log data from different sources to uncover hidden patterns or indicators of compromise (IoCs).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 612 in PDF)

Explanation: The chain of custody for digital evidence preserves the integrity of the evidence and ensures that any changes to it were done in a controlled manner that did not interfere with its informations integrity and authenticity. It does not prove that the evidence has not changed in any way or that it has been analyzed by trained professionals, but it does prove the reliability of the evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 606 in PDF)

Explanation: The text describes an example of a simulation that can be used to test an organizations disaster response capabilities. Activating an alternate facility, recalling data from offsite storage, and loading it requires the DR team to ensure that the system can be restored according to defined RTO and RPO metrics, and that the backup data integrity is intact. This type of simulation is important for validating and improving an organizations ability to respond to a disaster scenario.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 705 in PDF)

Explanation: The obvious benefit to multiple processing sites is the redundancy built in. In the event that one site experiences a disaster or outage, the other site can take over and ensure business continuity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 690 in PDF)

Explanation: Performing integrity checks of data after it is written to backup media and performing test restorations to verify the data are best practices for ensuring the integrity of data backed up to media like hard disks or tape drives. Although dedicated backup systems offer the capability to perform integrity checks of data after it is written to backup media, performing test restorations to verify the data is also recommended. This double-checks the integrity of the data and ensures the correct data has been backed up.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 687 in PDF)

Explanation: According to the text, defining auditable events should be done based on the organizations threat intelligence and risks. If the organization is facing increased phishing attempts, then increased logging of unusual account activity is justified.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 631 in PDF)

Explanation: One of the principles that evidence and documentation must adhere to in order to be considered reliable is comprehensibility. While digital information often requires specific technical knowledge to understand, presenting it in an understandable format is crucial to ensure the audience can relate to the details of the events without the need for subjective interpretation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 608 in PDF)

Explanation: Signature-based anti-malware tools look for signatures associated with known malware, such as specific files or patterns of activity. This is a common method used by these tools to detect malware.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 677 in PDF)

Explanation: Data durability refers to the proactive management of data to preserve integrity and availability in cloud computing backup strategies. This includes ensuring that the data is replicated, backed up, and protected from loss or corruption.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 688 in PDF)

Explanation: Correlation refers to discovering relationships between data in a SIEM tool. It helps to detect potentially suspicious events that deviate from the norm or expected behavior, such as a users account being compromised and used to exfiltrate data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 625 in PDF)

Explanation: During the provisioning phase, users who request or need privileged access should be subject to additional request and review procedures. This may require more documentation and multiple levels of review or approval prior to granting access. These reviews may utilize other security processes such as personnel screening, with privileged users subject to a more thorough background investigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 649 in PDF)

Explanation: Unlike desktop versions of Windows and macOS, many Linux systems are designed to be run solely using a command-line interface where native graphical tools for accessing artifacts may not exist. Third-party toolkits are required, or the investigator must be familiar with the standard filesystem to find relevant data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 619 in PDF)

Explanation: RAID 1 is a mirrored array that provides fault tolerance by creating copies of data and writing them across multiple drives. It is commonly used to store critical data that cannot afford to be lost.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 688 in PDF)

Explanation: External requests involve gathering information from third parties like an ISP or a government agency in an investigation. These often require legal approvals and processes like warrants and subpoenas, so security practitioners may only be tangentially involved with originating them in an investigation. However, a CISSP may be subject to these processes if called upon to provide evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 610 in PDF)

Explanation: Forensic investigations of smartphones running iOS and Android are difficult due to strong encryption implemented by default on these devices. This encryption makes it difficult or impossible to conduct forensics if investigators do not have the information needed to unlock the device and decrypt its data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 621 in PDF)

Explanation: In a full interruption test, the organizations DR capability is tested as if a real disaster had occurred, which involves high costs and the potential for disrupting normal operations if the test is not successful. The goal of a full interruption test is to identify all possible issues with BCDR plans and procedures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 706 in PDF)

Explanation: SIEM tools provide a specific set of services related to centralizing and managing log data, as well as extracting useful information from log entries to identify potential incidents. SIEM tools can use abilities on endpoints to send a copy of their log file data to a central location. Endpoints that do not support log forwarding can be equipped with software agents to harvest and forward the logs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 625 in PDF)

Explanation: Standard changes are preapproved and considered low risk, examples include applying standard patches, adding standard assets to address capacity, or installing software from an approved list.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 684 in PDF)

Explanation: RAID 6 is a striping with dual parity, which offers both fault tolerance and improved read/write performance. In the event of single or dual drive failures, the RAID 6 configuration can still provide access to data without loss of functionality.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 688 in PDF)

Explanation: Maximum tolerable or allowable downtime (MTD or MAD) is the maximum amount of time the organization can survive without an asset or process, after which the organization may no longer be viable. It is an important metric used in recovery strategies and is established through a business impact analysis (BIA). RTO should always be less than the MTD; otherwise, recovery is a moot point as the organization will cease to function before it occurs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 685 in PDF)

Explanation: The purpose of a stateful firewall is to understand context regarding communication (known as a state) and apply rules based on previous traffic. A stateful firewall might normally block traffic on high-number ports but allow it for a specific endpoint if that endpoint has previously established a connection using port 20/21 (FTP). Since FTP clients often negotiate a custom port for transferring a file, allowing the higher port makes sense in the context of previous traffic. Stateful firewalls have more intelligence and flexibility, but come with higher processing overhead and cost.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 670 in PDF)

Explanation: Virtual machines (VMs) are useful for investigative purposes as they allow suspected malware to be copied to and run on a VM that is isolated from all other systems, which enables investigation without the threat of infecting other systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 613 in PDF)

Explanation: According to Domain 7 of the CISSP exam, digital evidence like log files, recordings, computer files, and computer system components such as memory or hard drives, are examples of evidence that could be collected while investigating a security incident. An example of this is the CCTV footage of a restricted area accessed by the suspect, which could support an assertion of their involvement.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 604 in PDF)

Explanation: Binary analysis tools are designed to observe the functioning of a program at the source-code level.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 613 in PDF)

Explanation: The purpose of separating duties or responsibilities is to limit the potential for misuse of resources or malicious activities by separating process steps among multiple personnel. This is achieved by requiring multiple parties to participate, raising the chance of detecting errors and protecting the authenticity of data by preventing a single user from corrupting it.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 646 in PDF)

Explanation: Normalization in SIEM involves converting log data into a standardized format or applying standard labels for consistency across systems. This makes it easier to search and correlate data across different devices and platforms. For example, normalization can convert numeric user IDs into usernames or standardize timestamp formats. Normalization is important for accurate analysis and detection of potentially suspicious activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 625 in PDF)

Explanation: Building materials should be chosen to support security requirements, such as implementing physical access control for high-sensitivity information processing. Materials for doors and windows should also be considered, both for security and human comfort.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 714 in PDF)

Explanation: The main benefit of UEBA is to provide a targeted and individualized security baseline based on individual users or entities. This allows for more granular enforcement and better adaptability to unique user and organizational requirements. UEBA identifies a unique organizational baseline and generates alerts for behavior that deviates from that baseline, leading to more effective and efficient security operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 636 in PDF)

Explanation: Sensors deployed at ingress and egress points are used to detect temperature or infrared light, motion, or pressure, to identify the presence or movement of people, and identify unwanted activity that could trigger a response such as a guard investigating or summoning law enforcement.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 712 in PDF)

Explanation: Hashing tools are essential to investigators to prove the continued integrity of data that is collected and analyzed. Hash values and message digests are useful to prove that data like an app or email has not been changed in transit, and hashing can also be used to prove the data was not altered by the investigator. This proves the data can be relied upon in support of any assertions or accusations made.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 613 in PDF)

Explanation: According to the text, if an information system contains multiple files or datasets with different classification levels, the policy should dictate that the media is classified to the highest level of data it contains. This ensures that the highest level of data is protected and that sensitive information is not inadvertently exposed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 654 in PDF)

Explanation: Physically walking through response steps in a walkthrough is done to simulate responding in the actual locations described in the DRP. The goal is to build familiarity for the key participants and helps uncover details, making them respond more quickly during an actual disaster. The text mentions that it is twofold – it challenges assumptions made and offers the opportunity to train staff on emergency procedures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 704 in PDF)

Explanation: Red teaming involves a targeted form of testing for vulnerabilities, usually against a particular asset. The adversarial relationship between the red team and the blue team is part of the testing, with the red teams success defined by acquisition of a target by exploiting vulnerabilities discovered. Human testers are assisted by automated tools in finding previously unknown vulnerabilities and trying to evade the organizations defenses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 681 in PDF)

Explanation: Next-generation firewalls (NGFW) combine multiple security functions into a single device, including a stateful firewall and API gateway, and may include advanced analytics based on artificial intelligence or external threat data. NGFWs combine other network security protections like intrusion detection or VPN services as well.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 671 in PDF)

Explanation: Network traffic analysis tools like Wireshark can be used for both network packet capture (pcap) and network traffic analysis by reconstructing the communication sessions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 612 in PDF)

Explanation: An SLA (Service Level Agreement) is a contract or agreement between an organization and a cloud services provider or managed security services provider that specifies the service level requirements or expectations for the provided services.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 651 in PDF)

Explanation: Formal reports or notifications to key decision-makers are usually required to activate other organizational plans like BCDR.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 664 in PDF)

Explanation: Defining a logging strategy is a proactive logging and monitoring activity. It involves determining what events to capture, where to store the data, and mandatory review or monitoring activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 622 in PDF)

Explanation: Tactical details generated by threat hunters are commonly known as indicators of compromise (IoCs), which are gathered during forensic analysis of a security incident. These details can be used for detecting the particular threat targeting other systems, much the same way malware signatures are used to update anti-malware tools to spot known virus files.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 634 in PDF)

Explanation: The controls in place for external facilities should focus primarily on controlling physical access to prevent tampering, as third-party personnel may need access to the equipment or utilities that do not belong to the organization. The text explicitly mentions this as a primary focus for these types of facilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 713 in PDF)

Explanation: To prevent unwanted changes to digital evidence, hardware devices and software known as write blockers should be used. Write blockers prevent the writing of changeable information while maintaining the read-only status of the original information. This will help to preserve the integrity of the evidence collected and ensure that it is admissible in court.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 605 in PDF)

Explanation: DISA STIGs are a set of standard baselines designed for the U.S. Department of Defense, which has strict security standards. While they may not be broadly useful for all organizations as many common functionalities must be disabled to comply with a STIG, organizations may use these as a high-security starting point and then scope and tailor to enable needed functionality.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 643 in PDF)

Explanation: The principle being described is Authenticity. Authentic information or evidence is of undisputed origin, which is proven by the chain of custody. Inauthentic information runs the risk of, at best, demonstrating incompetence and, at worst, calling the presenters credibility into question. Information that is falsified or adulterated should never be used.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 608 in PDF)

Explanation: Access controls should be implemented to segregate areas in the facility based on user authorization, with physical devices like badge readers or locks controlling access. This helps to prevent unauthorized access to sensitive areas and information, which is a critical aspect of physical security in operational facilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 714 in PDF)

Explanation: Standard changes are preapproved and considered low risk, so they reduce operational overhead. Examples include applying standard patches or installing software from an approved list. Normal changes require the full change management process, while emergency changes can be made as needed to deal with a security incident or emergency.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 684 in PDF)

Explanation: According to the text, investigations and digital forensics require highly specialized skills and, in some cases, coordination with appropriate experts. For many CISSP credential holders, the process of supporting investigations and forensics will require coordination with appropriate experts to properly handle an investigation, as there are crucial concerns that require specialized skills and training to prevent corruption or destruction of evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 603 in PDF)

Explanation: The text specifically mentions NIST SP 800-88 revision 1 as the freely available resource that covers specific methods and tools to securely destroy media and data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 653 in PDF)

Explanation: Triage is an early-stage response process designed to identify the criticality and categorization of an incident type. SOAR automates some or all of the response. If the incident can be fully contained by the SOAR, no additional triage is needed. If the incident cannot be fully contained, identifying the impact of the incident is essential, which guides the creation of an IR team with appropriate resources to handle the specific incident.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 661 in PDF)

Explanation: Interrogations are generally carried out by law enforcement professionals and are conducted against an individual suspected of a crime. As such, they are not a main investigative technique a security practitioner should be familiar with.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 609 in PDF)

Explanation: The preferred method of copying digital evidence during incident response is a bit-level copy, which duplicates all directories and files on a device and any deleted files, data remnants, and slack space. This type of copy takes longer and uses more space than a logical backup that only copies directories and files, but it provides more complete evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 605 in PDF)

Explanation: Forensic toolkits are suites of software that provide common tools for a specific purpose like forensic investigation. These toolkits combine multiple resources that are useful to forensic investigators, including system-specific analysis software like Windows Registry analyzers, data recovery and reconstruction apps, and tools discussed earlier like network traffic analyzers and software write blockers.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 613 in PDF)

Explanation: Accuracy is a principle of evidence that requires that evidence and documentation must not contain errors, be in conflict with other evidence, or lack integrity. Since evidence is relied upon to prove a case, any inaccuracies weaken that ability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 608 in PDF)

Explanation: Static packet inspection (stateless) firewalls are the original type of firewall, designed to inspect network packets and compare them against a ruleset. They analyze traffic and apply rules to determine if the traffic is forwarded (allowed) or dropped (denied).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 670 in PDF)

Explanation: Indicators of compromise (IoCs) refer to forensic details that can be used to detect the particular threat targeting other systems. These tactical details are generated by threat hunters during forensic analysis of a security incident and can be gathered in various ways, such as network traffic analysis, log analysis, and memory forensics.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 635 in PDF)

Explanation: The Windows Event Viewer is a log file that can be accessed to find useful information for forensic investigation. It contains entries for vital system, application, and security events. The other options are either for macOS (Console and Trash) or not relevant (PLIST files).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 619 in PDF)

Explanation: A patch is specifically designed to address a particular software vulnerability or security issue. While some patches may also address functional limitations or bugs, their primary purpose is to fix security issues.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 679 in PDF)

Explanation: During the use phase, it is recommended to implement additional authentication mechanisms for privileged accounts, such as mandatory MFA. This adds an extra layer of security to ensure that only authorized individuals are accessing sensitive information. It is also recommended to use separate accounts for privileged and nonprivileged activities, so option A is incorrect. Timebound credentials are recommended for elevated access, so option C is incorrect. Granting all users elevated access is not a good security practice and creates unnecessary risk, so option D is incorrect.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 649 in PDF)

Explanation: Security practitioners have the responsibility of monitoring data from various tools like SIEM, IDS, and EDR and initiating incident response, which is an important function of the SOC as well. This helps in identifying potential threats or incidents and taking quick action to mitigate the damage. It is a critical role in ensuring the organizations security programs and strategy align with the organization objectives.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 721 in PDF)

Explanation: Host-based firewalls are installed on a specific endpoint and use a ruleset specific to that endpoint. They can be a useful defense-in-depth measure that offers protection if a network-based firewall fails. They can be particularly useful in virtualized environments and enable microsegmentation, whereby individual endpoints exist in their own network segment with customized access rules.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 671 in PDF)

Explanation: The primary goal of recovery is to restore normal operations, as stated in the text The primary goal of recovery is to restore normal operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 666 in PDF)

Explanation: Correlation refers to discovering relationships between data and detecting potentially suspicious actions. Once data is centralized and normalized, it can be processed to correlate activity across systems and detect potentially suspicious actions. For example, if a user logs in from a unique location at a different time than usual and downloads large volumes of data from applications, this deviation from the norm can be identified and used to detect potentially suspicious events. Therefore, Correlation and detection service of SIEM tools allows for the detection of potentially suspicious events.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 626 in PDF)

Explanation: Personnel security is a foundational concept in SecOps, as it involves vetting and managing employees, contractors, and third-party vendors to ensure they are reliable and trustworthy. This control is essential for preventing insider threats and ensuring that sensitive information is not compromised. Job rotation and Service Level Agreements are overarching concepts that may be implemented across multiple controls or parts of the organization, and logical access controls are a type of control used to limit user access to data or systems. However, personnel security is the only control listed that is a foundational concept in SecOps.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 645 in PDF)

Explanation: Operational threat hunting seeks to understand the tools, techniques, and procedures (TTPs) of attackers, which in some cases can be quite technical and in other cases may be as simple as financial services firms are facing increased denial-of-service attacks from a particular country.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 635 in PDF)

Explanation: Vulnerability scanning is usually an automated activity designed to detect known vulnerabilities like insecure configurations or unpatched software and is often a key detective control to identify patch management failures. However, they have one significant defect compared to other methods — they are only able to detect known vulnerabilities for which a signature has been created.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 681 in PDF)

Explanation: When deciding whether to retain an investigation and forensic team internally or to use external vendors, organizations should weigh the cost of in-house talent and resources against the benefit of quicker response times and more customized procedures, and consider the frequency of incidents that require formal investigation because it relates to the demand for forensic expertise.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 611 in PDF)

Explanation: Under most privacy legislation, breach reporting is required to report any unauthorized access to data affecting private information to a regulator within a certain period of time. This time period is typically a certain number of hours after an organization discovers a breach.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 666 in PDF)

Explanation: NIST SP 800-92 provides a set of critical requirements for securely managing log data, as well as processes for standardizing and analyzing the information collected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 631 in PDF)

Explanation: The automated nature of deploying in an IaC environment leads to less chance for human error, as the process uses text-based definition files to specify virtual system parameters, reducing the need for manual work or hardening checklists, and ensuring systems conform to expected baselines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 639 in PDF)

Explanation: Unlike desktop versions of Windows and macOS, many Linux systems are designed to be run solely using a command-line interface (CLI). Native graphical tools for accessing artifacts may not exist, so third-party toolkits are required, or the investigator must be familiar with the standard file system to find relevant data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 618 in PDF)

Explanation: The logging and monitoring strategy helps in identifying and alerting on potential incidents as quickly as possible. The tools and processes that are monitoring operations and risks detect the incident and then generate alerts or signals to security analysts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 661 in PDF)

Explanation: Since privileged accounts have elevated levels of access with a higher risk associated with them, additional authentication mechanisms are appropriate. Mandatory multi-factor authentication (MFA) is a great way to secure privileged accounts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 650 in PDF)

Explanation: During a crisis situation, people may not always make the best decisions due to stress, urgency, or lack of knowledge. By following prepared reaction guides or playbooks, organizations can reduce the amount of decision-making required and ensure a consistent and effective response to the incident.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 663 in PDF)

Explanation: Faraday containers like bags or boxes are shielded to prevent radio communications to or from a physical device, which can unintentionally alter data, such as an app update being installed that overwrites critical evidence, or the device can be tampered with to destroy evidence by remotely locking or wiping it.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 611 in PDF)

Explanation: Having a designated incident response coordinator is a key element of an incident response plan. The coordinator assesses the situation and identifies the necessary skills and actions needed. The success of an incident response depends heavily on having a coordinated response, which starts with having someone who is designated to lead the response efforts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 657 in PDF)

Explanation: The text explains that one of the main goals of digital forensics is to identify and gather artifacts, which are digital traces left behind when a user or program interacts with a device. Artifacts tell the story of an incident and are vital in supporting any accusation or case made. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 618 in PDF)

Explanation: Interviews are a tool designed to solicit information from individuals, typically witnesses or those with knowledge of an incident. Interviews follow a question-and-answer format where the investigator is asking questions designed to elicit information and recording the answers, though interviewees may also give a statement. In general, interviews should be recorded, if permitted by local law and if appropriate permission from the interviewee has been documented.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 610 in PDF)

Explanation: The text states that Security Operations focuses on maintaining the various aspects of the organizations security controls in a functional state, as well as the processes and procedures needed to maintain security across people, processes, and technology. This is the main goal of Security Operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 602 in PDF)

Explanation: Lessons learned are documented after an incident is remediated to identify any IR process improvements to be made, and to address any underlying or root causes with the goal of preventing the incident from recurring.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 668 in PDF)

Explanation: Building materials in operational facilities should be chosen with both security and human comfort in mind. While it may be necessary to implement true floor-to-ceiling walls for certain high-sensitivity information processing, it is important to also consider human comfort as well. Both security and human comfort should be balanced in the decision-making process.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 715 in PDF)

Explanation: One of the principles that all evidence should adhere to is comprehensibility. Evidence and documentation should be presented clearly and have all relevant metadata as required by the intended audience, such as a chain of custody required by a court. Evidence being presented to a court is required to meet the most rigorous standards.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 608 in PDF)

Explanation: The most important principle of evidence when presenting it to a court is authenticity. Authentic information or evidence is of undisputed origin, which is proven by the chain of custody. Inauthentic information runs the risk of, at best, demonstrating incompetence and, at worst, calling the presenters credibility into question.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 607 in PDF)

Explanation: DISA STIGs are security baselines designed for the U.S. Department of Defense which are often too strict to be broadly useful, but can be used as a high-security starting point and then tailored to enable needed functionality.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 642 in PDF)

Explanation: Subjectivity is not a principle of evidence that should be adhered to. Evidence must be objective and stand on its own in support of an argument or assertion. Adhering to subjectivity can weaken the credibility of the evidence presented.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 608 in PDF)

Explanation: Personnel who are traveling should have additional security and training on device security practices for devices containing organization data. This includes organization-owned as well as personal devices if a bring-your-own-device (BYOD) program exists. Securing this data might include encryption of all data at rest, provisioning secure network connectivity like a VPN, and additional controls like issuing dedicated devices for use while traveling, which are then wiped and reimaged before being issued to another traveling user.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 717 in PDF)

Explanation: The Event Viewer on Windows systems maintains logs that contain entries for vital system, application, and security events, making it a useful source of information for an investigator.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 619 in PDF)

Explanation: NetFlow analysis can provide a picture of the IP traffic flow and volume across a network device, offers details of the communication such as ports, protocols, and addresses being used for communication. It is a commonly used source of network artifacts for incident investigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 620 in PDF)

Explanation: Conducting tests and exercises of the IR plan serves two vital functions. First, testing the plan in a nonemergency situation can help to identify gaps, oversights, or issues that could prevent the successful execution of the plan during a real incident. Second, the exercise can be used to train members of the IR team on their duties, which reduces confusion or wasted effort during a real incident because team members are able to respond from memory.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 659 in PDF)

Explanation: Remediation is a long-term strategic activity designed to eradicate any root causes identified for the incident. It addresses underlying vulnerabilities that caused the incident and aims to prevent it from happening again.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 667 in PDF)

Explanation: One of the primary drawbacks of using an MSSP for security services is the risk of sharing sensitive data with the third party. MSSPs typically have access to sensitive information about the organization and, as a result, data security concerns must be addressed. The risk of sharing data like the organizations network architecture must not exceed the benefit of enhanced security capabilities offered by the MSSP.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 674 in PDF)

Explanation: RAID 0+1 and 1+0 are nested RAIDs that implement both functions of RAID 0 and 1 in different orders. 0+1 is a striped array of mirrors, while 1+0 is a mirrored array of stripes. Both RAID configurations provide fault tolerance and increased read/write performance.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 688 in PDF)

Explanation: One of the controls for securing media in transit is hashing data written to removable media and comparing the datas current hash to the original to ensure data was not altered during transit.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 655 in PDF)

Explanation: Data capture includes gathering data such as audit logs or network traffic, as well as specialized techniques such as gathering photographic or video evidence of an incident scene and the associated investigation. Automated capture is done using traditional monitoring tools and may leverage the organizations continuous monitoring infrastructure like a security information and event management (SIEM) tool or recorded camera footage. Manual capture refers to techniques employed by forensic investigators like making copies of data and media and recording the scene of an incident or crime by photos or video.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 609 in PDF)

Explanation: Testing a DRP serves two main purposes: identifying incorrect assumptions or out-of-date information in the plan that, if not corrected, limits the plans effectiveness; and providing vital training opportunities for staff. A rehearsed response, like a fire drill, creates a trained response capability for staff and increases the effectiveness of actions during a real disaster or emergency, as personnel will execute familiar procedures. Therefore, the correct option is A.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 703 in PDF)

Explanation: Packet analysis (often known as pcap), captures both details about communications and the data itself. It is useful as it can capture packets in transit across a network and reconstruct data being sent or received, which can be further analyzed. This can be helpful in identifying the source, content, and destination of data that could be relevant to an investigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 620 in PDF)

Explanation: Fire detection and suppression are critical in operational facilities to ensure both human safety and protection of valuable equipment. Fire and smoke detectors and corresponding suppression methods can help minimize the impact of a fire and prevent damage to both people and equipment.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 714 in PDF)

Explanation: Write blockers and drive imagers are used to prevent any writing or alteration of data on a storage device during digital forensic analysis, in order to maintain the integrity of the evidence. This allows experts to examine or image a storage device without changing any of the data stored on the device.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 611 in PDF)

Explanation: The text states that fire detection and suppression controls are primarily designed for human safety but can also help minimize damage to valuable equipment in the event of a fire.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 714 in PDF)

Explanation: The most effective physical access control program should consider facilities using a layered model, with multiple layers and chokepoints between the outside world and rooms or offices where high-value assets are stored or handled. Physical access controls should restrict unauthorized users from gaining physical access to facilities or system interfaces like workstations. Badge readers are an example of physical access control that restricts physical access based on authentication and authorization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 709 in PDF)

Explanation: Labeling allows for communication of the classification level of the data, which then drives user behavior with respect to its handling. Proper training helps users to understand the significance of the label and adjust behavior to comply with established handling procedures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 654 in PDF)

Explanation: Faraday containers like bags or boxes, which are shielded to prevent radio communications to or from a physical device. These are especially useful when digital evidence exists on portable devices like smartphones, tablets, or even laptops since these devices can send and receive commands using wireless protocols like Bluetooth, WiFi, or cellular connections. This can unintentionally alter data, such as an app update being installed that overwrites critical evidence, or the device can be tampered with to destroy evidence by remotely locking or wiping it. Therefore, Faraday containers are used to prevent any such contamination of evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 611 in PDF)

Explanation: The Windows Registry contains records of configuration changes and software installed which is a useful source of information for Windows forensic investigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 619 in PDF)

Explanation: The text discusses two types of inventory controls: proactive controls and reactive controls. Proactive controls include integrating the inventory with purchase ordering and finance systems, deploying new hardware and software with inventory update services, and updating the inventory manually or automatically when systems are decommissioned. Reactive controls involve discovering previously unknown assets and adding them to the inventory by comparing the list with the existing inventory to identify discrepancies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 641 in PDF)

Explanation: RAID 5 is a combination of striping with a parity array, which increases read/write performance and provides fault tolerance. This means that data can be split and written across multiple disks to increase read/write speeds, and parity calculations are used to allow striped data to be reconstructed even if some stripes are lost, providing data fault tolerance.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 688 in PDF)

Explanation: A hot site has the same infrastructure and data as the primary site, which is costly but useful for meeting a short RTO or RPO

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 689 in PDF)