Chapters 118โ121 Practice Exam
Time remaining
25:00
Part A โ Multiple Choice (Questions 1โ20)
Ch 118 ยท Audits & Assessments
Question 1 of 20
Which governance body is responsible for authorizing all internal audits, defining their scope, reviewing all findings upon completion, and ensuring corrective actions are tracked and implemented? A critical exam fact: all internal audits begin AND end with this body's involvement.
โ
D โ Audit committee. The audit committee is the governance body that owns both ends of the internal audit lifecycle: it authorizes audits at the start and reviews findings at the end. This is a critical exam fact โ the CISO has operational security responsibility but does not govern the audit function. The compliance department manages day-to-day regulatory tasks but is not the governance body that starts and stops audits.
Ch 118 ยท Audits & Assessments
Question 2 of 20
A publicly traded company's CEO and CFO must personally sign a formal declaration stating that their financial reporting IT controls are effective and that financial statements accurately represent the company's financial position. Which regulation mandates this, and what is the specific term for this formal personal declaration?
โ
C โ SOX Section 302. The Sarbanes-Oxley Act Section 302 requires CEOs and CFOs of publicly traded companies to personally attest to the accuracy of financial statements and the effectiveness of internal controls over financial reporting. Attestation is the formal professional opinion regarding the accuracy of the organization's posture โ it creates personal criminal liability. Willful false certification carries up to 20 years imprisonment. This is the exam's canonical example of attestation combined with personal accountability.
Ch 118 ยท Audits & Assessments
Question 3 of 20
A company distributes compliance checklists to all departments; each department evaluates its own security controls and submits results to the compliance team. What is the PRIMARY limitation of this approach, and how must organizations address it for regulatory purposes?
โ
B โ Lack of independence. The fundamental limitation of self-assessments is that the evaluating department grades its own work. This creates a conflict of interest that tends toward optimistic results โ departments have incentives to present themselves favorably. External audits are credible precisely because the auditor has no financial stake in the outcome: their professional reputation depends on accurate findings, not favorable ones. Self-assessments are valuable for scaling compliance awareness but cannot substitute for external audit credibility.
Ch 118 ยท Audits & Assessments
Question 4 of 20
A healthcare organization has an exceptional internal audit team that conducts monthly security reviews. When HIPAA's Office for Civil Rights requires an external audit of PHI protections, management argues that their strong internal audit documentation should substitute for the external audit. Which statement correctly evaluates this argument?
โ
A โ The argument fails. External audits are mandated by regulation specifically because independence cannot be achieved by internal staff, regardless of organizational reporting structure. The type, frequency, and scope of external audits is determined by the applicable regulation โ organizations cannot opt out by pointing to internal audit quality. HIPAA, SOX, PCI DSS, CMMC, and FedRAMP all require external assessment; strong internal audits complement but never replace them.
Ch 118 ยท Audits & Assessments
Question 5 of 20
After completing a three-week examination of a financial institution's IT security controls โ reviewing access logs, inspecting server configurations, and interviewing security personnel โ an independent CPA firm issues a signed written statement: "Based on our examination, it is our professional opinion that this institution's security posture accurately reflects its stated compliance status." What is the specific term for this signed statement?
โ
D โ Attestation. Attestation is the formal professional opinion regarding the accuracy or reliability of an organization's security posture. The audit gathers evidence (the examination phase); attestation is the conclusion โ the auditor formally affirming what they found and taking personal accountability for that statement. Key distinction: audit = evidence-gathering process; attestation = the formal conclusion signed at the end. False attestation creates legal liability for the signatory.
Ch 119 ยท Penetration Tests
Question 6 of 20
During a penetration test, a tester uses Netcat to establish a TCP connection to port 22 on a target server. The server immediately responds with "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3." The tester records the SSH version for CVE research. Why is this classified as active rather than passive reconnaissance?
โ
B โ Active reconnaissance. The defining criterion: active reconnaissance sends network traffic to the target's systems, generating entries in logs (firewall logs, server access logs, IDS alerts). Establishing a TCP connection to port 22 sends packets to the target server and creates a log entry. This is the classic active technique called banner grabbing or service identification. Passive reconnaissance uses only publicly available sources without sending any traffic to the target network at all.
Ch 119 ยท Penetration Tests
Question 7 of 20
A company hires a pen testing firm and provides them with a standard employee-level username and password for the HR system before testing begins. No network diagrams, IP inventories, or architecture documentation are provided. The testers must discover the network topology themselves but begin with authenticated access to one application. What type of test environment is this?
โ
C โ Partially known environment (gray box). Gray box provides testers with some but not complete information. User credentials without infrastructure documentation is a classic gray box scenario: it simulates a compromised insider account, a disgruntled employee, or a trusted business partner who has limited legitimate access. The tester starts with one foothold (the credentials) but must discover the rest of the environment independently. This tests whether limited initial access can be escalated to broader compromise.
Ch 119 ยท Penetration Tests
Question 8 of 20
A server room contains a database server with full-disk encryption, MFA-protected login, and a dedicated firewall blocking all unauthorized external network connections. A red team member bypasses the server room's physical lock and gains direct access to the hardware. Why does physical access make the server's software and network security controls largely irrelevant?
โ
A โ Physical access bypasses all software and network controls. An attacker with physical access to a server can: modify BIOS/UEFI boot order to boot from USB, boot a live Linux environment that mounts the drive without OS-level authentication, install a pre-boot keylogger to capture the full-disk encryption passphrase, or physically replace hardware. Even full-disk encryption can be defeated if the attacker can capture the passphrase before decryption. This is why servers live in locked, access-controlled data centers โ physical access is the most fundamental security boundary.
Ch 119 ยท Penetration Tests
Question 9 of 20
Before an authorized penetration test, a researcher spends a week gathering intelligence: reviewing the target company's engineering blog posts and press releases, reading employee LinkedIn profiles, finding technology stack details in public job postings, examining Shodan results for the organization's IP ranges, and reviewing GitHub commits from company email addresses. No packets are sent to the target organization's systems. This entire activity is classified as:
โ
A โ Passive reconnaissance. The defining test: did any traffic reach the target organization's network? No โ LinkedIn, blogs, job postings, Shodan, and GitHub are all third-party public sources. The target's firewall never sees these queries. Passive reconnaissance is nearly undetectable because the target's monitoring tools have no visibility into what a researcher reads on public websites. This is why organizations struggle to defend against it: the information is already publicly available.
Ch 119 ยท Penetration Tests
Question 10 of 20
During a penetration engagement, the passive reconnaissance phase takes 3 days and produces zero entries in the target's network logs. The subsequent active reconnaissance phase takes 1 day and produces 847 entries across the target's firewall logs and IDS alerts. Which statement most accurately compares the value and nature of these two phases?
โ
D โ Each phase produces different intelligence with different detectability tradeoffs. Passive reconnaissance (human/organizational intelligence: employee roles, technology stack hints, OSINT) leaves no trace in target logs โ it is essentially undetectable. Active reconnaissance (technical intelligence: which hosts are live, which ports are open, which services and versions run) is precise and directly enables CVE matching, but every probe appears in the target's logs. Professional engagements use passive first to minimize exposure, then active to get the technical precision needed for exploitation.
Ch 120 ยท Security Awareness
Question 11 of 20
An automated security monitoring system generates an alert at 2:17 AM: an employee account has replaced the Windows hosts file on their workstation with a version that redirects the corporate authentication server's domain name to an external IP address. Which anomalous behavior category applies, and why?
โ
C โ Risky behavior. The three categories require different analytical lenses. Risky behavior: the action itself is inherently dangerous regardless of intent (modifying the hosts file, replacing OS files, exfiltrating data). Unexpected behavior: normal action in wrong context (foreign login). Unintentional: accident (typo, misplaced device). Replacing the hosts file to redirect an authentication server is inherently dangerous โ it creates a credential interception opportunity. The 2 AM timing is suspicious context, but the classification key is the action type: dangerous action = risky behavior.
Ch 120 ยท Security Awareness
Question 12 of 20
A CISO presents to the board: six months ago, 29% of employees clicked simulated phishing links. After targeted training for those who clicked, the rate dropped to 5%. The board questions whether to continue quarterly simulation campaigns or replace them with training videos only. What is the strongest argument for continuing the simulation campaigns?
โ
B โ Simulations measure behavior; videos teach concepts. The phishing click rate is the primary metric from simulated campaigns because it measures what employees actually do under simulated attack conditions โ not what they say they would do, or what they learned in a video. Continued quarterly campaigns serve two purposes: (1) verify that the 5% improvement is sustained over time and (2) identify new susceptibility as new employees join, roles change, and attack techniques evolve. Without ongoing measurement, behavioral regression goes undetected.
Ch 120 ยท Security Awareness
Question 13 of 20
At 11:45 PM on a Sunday, a software engineer's account accesses a financial processing code repository the engineer has never worked on and downloads the complete source code (2.1 GB). The engineer normally accesses only the front-end UI repository and works Monday through Friday, 9 AM to 5 PM. Which anomalous behavior category applies?
โ
C โ Unexpected behavior. Unexpected behavior is characterized by deviations from established normal patterns โ the action itself (accessing a repository) is normal, but the context is entirely wrong on multiple dimensions: wrong time (11:45 PM Sunday vs. weekday business hours), wrong repository (financial processing vs. front-end UI), wrong volume (2.1 GB vs. typical incremental access). Multiple simultaneous deviations from baseline are a strong indicator of credential compromise โ an attacker operating from a different time zone with access to the account. This is distinct from risky behavior, which focuses on the action type rather than the pattern deviation.
Ch 120 ยท Security Awareness
Question 14 of 20
A finance employee intends to wire $50,000 to a vendor but accidentally enters an incorrect IBAN number in the transfer form. The transfer reaches an unrelated account. The source material explicitly uses "typing the wrong domain name" as an example of this same behavior category. What category of anomalous behavior does the accidental IBAN entry represent?
โ
A โ Unintentional behavior. Unintentional behavior = accidental human errors that create security or financial risk despite good user intent. The source material lists "typing the wrong domain name" as the canonical example; an incorrect IBAN in a wire transfer is the financial equivalent โ same pattern, different context. The exam lesson: all three categories (risky, unexpected, unintentional) require security awareness training because even innocent mistakes cause real incidents. Unintentional does not mean harmless.
Ch 120 ยท Security Awareness
Question 15 of 20
A retail chain's security manager proposes implementing security awareness training only for IT staff and store managers: "Cashiers just ring up purchases โ they don't interact with security-relevant systems and don't need security training." Which response best evaluates this proposal?
โ
D โ All employees require minimum awareness training. The minimum awareness level is the security baseline that all employees share, regardless of job function. Attackers specifically target non-technical staff because they are perceived as easier to manipulate. A cashier who enables a social engineer's access to the back office, accepts a skimming device installation, or reveals a colleague's password creates the same breach as a vulnerable server. Role-specific training adds depth on top of this baseline โ it does not replace the baseline for any employee.
Ch 121 ยท User Training
Question 16 of 20
A third-party consulting firm is contracted to perform data analysis on the organization's customer database. The project manager wants to grant the consultant immediate database access to avoid delaying the project start. The consultant has not yet completed any security training. What should happen?
โ
B โ Pre-access training applies to all users, including third parties. The pre-access training requirement is triggered by access level, not employment status. A contractor who will access organizational systems must complete the organization's security training before receiving credentials โ the same as any employee. Read-only access still exposes sensitive data and still requires the user to understand reporting obligations and data handling policies. Professional certifications demonstrate general knowledge but not the organization's specific policies and procedures.
Ch 121 ยท User Training
Question 17 of 20
A USB drive labeled "IT Department โ Annual Review Backup" is left on a break room table. An employee connects it to their laptop to check the contents. Within two seconds, a PowerShell window flashes briefly on screen and closes. What most likely happened and what should the employee have done?
โ
B โ BadUSB attack. BadUSB reprograms a USB device's firmware to masquerade as a different device type โ classically, a keyboard. When connected, the OS trusts it as input hardware (keyboards don't need driver approval) and the device begins typing commands at millisecond speed. The brief PowerShell window that closes instantly is the signature: commands executed and the window was dismissed by the script itself. No visual inspection can detect BadUSB because the malicious logic lives in firmware, not in visible files. The unconditional training rule: never connect unknown USB devices regardless of labeling.
Ch 121 ยท User Training
Question 18 of 20
A network engineer posts on a public developer forum seeking help with a VLAN routing issue. The post includes the firewall model (Cisco Catalyst 9300), PAN-OS version (17.9.4a), the specific error message, and a screenshot showing interface names and IP addressing. No credentials or personal data were included. Which security concern does this behavior represent?
โ
D โ OPSEC (Operational Security) failure. OPSEC is about thinking from the attacker's perspective: what can an adversary learn from this post? Answer: the exact OS version maps to specific CVEs in public vulnerability databases; the VLAN structure reveals network segmentation; the hardware model reveals attack surface. No credentials are needed โ this intelligence alone enables targeted exploitation planning. OPSEC training teaches users to anonymize or generalize technical details before posting publicly, even when seeking legitimate help. The correct post would say "a recent IOS-XE version" not a specific build number.
Ch 121 ยท User Training
Question 19 of 20
A remote employee connects to the company's CRM system from a coffee shop using public Wi-Fi without using VPN, reasoning: "CRM uses HTTPS, so my data is encrypted end-to-end โ VPN is redundant for web applications." From a user training and security policy perspective, is this acceptable?
โ
C โ VPN is required for all corporate system access. HTTPS encrypts the payload in transit but does not protect against session hijacking on the local network segment. On public Wi-Fi, an attacker performing a man-in-the-middle attack can capture session tokens and authentication cookies even when HTTPS is in use, depending on implementation. Beyond the technical risk, VPN routes all traffic through organizational security controls (DLP, web filtering, threat detection) that provide protection beyond what HTTPS alone offers. The policy is unconditional: all corporate system access from outside the office requires VPN, regardless of the perceived sensitivity of the specific task.
Ch 121 ยท User Training
Question 20 of 20
A user receives a phone call: "Hi, this is David from HR. I'm processing W-2 corrections and I need to verify your Social Security Number to ensure your tax documents reach the right address. I see you're listed at [reads the user's correct home address]." The caller's knowledge of the address appears to legitimize the call. Which social engineering technique is this and what should the user do?
โ
A โ Pretexting with social proof. Pretexting = fabricating a plausible scenario to justify an unusual request. Here the pretext is "W-2 correction." The use of the employee's address as "social proof" is a manipulation technique โ addresses are available from data brokers, public records, and prior breaches; an attacker knowing your address does not prove they are from HR. Legitimate HR never asks for SSNs by phone. The defense: refuse, terminate, and independently verify through a known-good contact channel. "Vishing" describes the phone-call delivery mechanism; pretexting is the specific manipulation technique within it.
Part B โ Scenario Questions (unscored โ self-assess)
Ch 118โ119 ยท Scenario
Scenario Question A
A healthcare organization's CISO tells the audit committee: "We completed a thorough internal self-assessment last month and found no critical issues. I recommend we skip the formal external audit this year to reduce costs โ our self-assessment was more comprehensive than any external auditor's review would be." The organization processes PHI for 50,000 patients and is a HIPAA covered entity. Additionally, the organization is considering replacing its annual one-time penetration test with an integrated continuous testing model.
Address: (1) Why is the CISO's recommendation problematic from governance, regulatory, and credibility perspectives? (2) What external audits cannot be waived regardless of self-assessment quality? (3) What are the key differences between a one-time penetration test and integrated continuous testing, and which is more appropriate for this healthcare organization?
Address: (1) Why is the CISO's recommendation problematic from governance, regulatory, and credibility perspectives? (2) What external audits cannot be waived regardless of self-assessment quality? (3) What are the key differences between a one-time penetration test and integrated continuous testing, and which is more appropriate for this healthcare organization?
1. Problems with skipping the external audit:
Governance: The CISO does not have authority to waive external audit requirements โ this decision exceeds the CISO's operational role. The audit committee governs the audit function; regulatory compliance is not a discretionary budget item.
Regulatory: HIPAA requires covered entities to demonstrate PHI protection and the HHS Office for Civil Rights has audit authority. A self-assessment cannot satisfy this because internal staff lack the independence required for credible external verification. The regulation defines what is required; the organization cannot choose to opt out based on internal assessment quality.
Credibility: Self-assessments have inherent conflict of interest โ the evaluating department grades its own work. External auditors' credibility comes precisely from their independence: no financial stake in the outcome, professional reputation at risk if findings are inaccurate. Regulators, patients, and business partners cannot rely on an organization's self-reported compliance.
2. Non-waivable external audits for this organization:
โข HIPAA: HHS OCR audit authority over covered entities โ PHI handling, Security Rule controls, Breach Notification compliance
โข Any business associate agreements requiring external assessment
โข If the organization accepts payment cards: PCI DSS QSA assessment above transaction thresholds
3. One-time vs. integrated penetration testing:
One-time test: Point-in-time snapshot; produces a list of vulnerabilities at a specific moment; findings may be remediated but retesting is not built in; the organization may be re-exposed between annual engagements as the environment changes.
Integrated (continuous) testing: Ongoing red/blue cycle โ red team finds vulnerabilities, blue team remediates, red team retests; self-reinforcing improvement loop; provides ongoing security posture visibility rather than periodic snapshots; converts penetration testing from an annual event into a continuous security operation.
For a healthcare organization: Integrated testing is better suited if resources permit, because the threat environment and system configurations evolve constantly. PHI environments change with new applications, patches, and staff access changes that annual tests miss. The continuous feedback loop ensures that each change is tested rather than waiting for the next annual engagement window.
Governance: The CISO does not have authority to waive external audit requirements โ this decision exceeds the CISO's operational role. The audit committee governs the audit function; regulatory compliance is not a discretionary budget item.
Regulatory: HIPAA requires covered entities to demonstrate PHI protection and the HHS Office for Civil Rights has audit authority. A self-assessment cannot satisfy this because internal staff lack the independence required for credible external verification. The regulation defines what is required; the organization cannot choose to opt out based on internal assessment quality.
Credibility: Self-assessments have inherent conflict of interest โ the evaluating department grades its own work. External auditors' credibility comes precisely from their independence: no financial stake in the outcome, professional reputation at risk if findings are inaccurate. Regulators, patients, and business partners cannot rely on an organization's self-reported compliance.
2. Non-waivable external audits for this organization:
โข HIPAA: HHS OCR audit authority over covered entities โ PHI handling, Security Rule controls, Breach Notification compliance
โข Any business associate agreements requiring external assessment
โข If the organization accepts payment cards: PCI DSS QSA assessment above transaction thresholds
3. One-time vs. integrated penetration testing:
One-time test: Point-in-time snapshot; produces a list of vulnerabilities at a specific moment; findings may be remediated but retesting is not built in; the organization may be re-exposed between annual engagements as the environment changes.
Integrated (continuous) testing: Ongoing red/blue cycle โ red team finds vulnerabilities, blue team remediates, red team retests; self-reinforcing improvement loop; provides ongoing security posture visibility rather than periodic snapshots; converts penetration testing from an annual event into a continuous security operation.
For a healthcare organization: Integrated testing is better suited if resources permit, because the threat environment and system configurations evolve constantly. PHI environments change with new applications, patches, and staff access changes that annual tests miss. The continuous feedback loop ensures that each change is tested rather than waiting for the next annual engagement window.
Ch 120โ121 ยท Scenario
Scenario Question B
A penetration tester's engagement report documents three findings from the physical and social engineering phases: (1) Three USB drives planted in the parking lot were connected to employee workstations within 2 hours of being placed. (2) Two employees provided badge access to a social engineer claiming to be a printer repair technician โ no verification was requested. (3) A simulated phishing campaign sent to all 400 employees produced a 41% click rate, with finance employees clicking at 67% and IT staff at 8%.
Address: (1) For each finding, identify the relevant user training coverage area and classify the employee behavior by anomalous behavior category where applicable. (2) What minimum program components should be immediately implemented? (3) What specific metrics should be tracked at 3-month and 6-month intervals to measure program effectiveness?
Address: (1) For each finding, identify the relevant user training coverage area and classify the employee behavior by anomalous behavior category where applicable. (2) What minimum program components should be immediately implemented? (3) What specific metrics should be tracked at 3-month and 6-month intervals to measure program effectiveness?
1. Analysis of each finding:
Finding 1 (USB drives connected):
Training area: Removable media and situational awareness
Behavior category: Unintentional (employees didn't intend to create a security incident โ they were curious or helpful) with elements of risky behavior (connecting unknown USB drives is an inherently dangerous action regardless of intent)
Root cause: No training on USB threat awareness; no policy prohibiting unknown device connection
Finding 2 (Badge tailgating):
Training area: Situational awareness (physical security) and social engineering recognition
Behavior category: Unintentional (employees were trying to be helpful) with risky behavior elements (granting physical access without verification is an inherently dangerous action)
Root cause: No training on tailgating procedures; no clear policy on visitor verification; employees not empowered to challenge unfamiliar individuals
Finding 3 (41% phishing click rate):
Training area: Security awareness (phishing recognition) and job-function training (finance-specific BEC training needed)
Behavior category: Unintentional for those who didn't recognize the phishing attempt
Finance 67% vs. IT 8% gap: Finance employees face BEC and wire transfer fraud specifically โ their role requires targeted job-function training on top of the baseline
2. Minimum program components to implement immediately:
โข Minimum awareness baseline for ALL employees: phishing recognition (domain checking, urgency indicators), USB/removable media policy (never connect unknown devices), physical security (visitor verification, tailgating prevention), how to report incidents
โข Job-function training for finance: wire transfer fraud, CEO impersonation (BEC), invoice manipulation โ the 67% click rate is an urgent gap
โข Phishing simulation program: quarterly campaigns with immediate just-in-time training for those who click; track click rate as primary metric
โข Documented pre-access training requirement: all new employees and third parties complete training before access
โข Automated behavioral monitoring: flag unusual download volumes, external transfers, off-hours access
3. Metrics at 3 and 6 months:
At 3 months:
โข Overall phishing click rate (target: below 20%, down from 41%)
โข Finance department click rate specifically (target: below 25%, down from 67%)
โข Training completion rate (target: 95%+ all employees)
โข USB incident reports (any unknown USB devices found and properly reported vs. connected)
At 6 months:
โข Overall click rate (target: below 10%)
โข Finance click rate (target: below 15%)
โข MFA adoption rate (if not already mandated, track enrollment progress)
โข Password manager adoption rate
โข Password sharing incidents reported
โข Physical security: number of visitor verification failures in follow-up physical tests
Finding 1 (USB drives connected):
Training area: Removable media and situational awareness
Behavior category: Unintentional (employees didn't intend to create a security incident โ they were curious or helpful) with elements of risky behavior (connecting unknown USB drives is an inherently dangerous action regardless of intent)
Root cause: No training on USB threat awareness; no policy prohibiting unknown device connection
Finding 2 (Badge tailgating):
Training area: Situational awareness (physical security) and social engineering recognition
Behavior category: Unintentional (employees were trying to be helpful) with risky behavior elements (granting physical access without verification is an inherently dangerous action)
Root cause: No training on tailgating procedures; no clear policy on visitor verification; employees not empowered to challenge unfamiliar individuals
Finding 3 (41% phishing click rate):
Training area: Security awareness (phishing recognition) and job-function training (finance-specific BEC training needed)
Behavior category: Unintentional for those who didn't recognize the phishing attempt
Finance 67% vs. IT 8% gap: Finance employees face BEC and wire transfer fraud specifically โ their role requires targeted job-function training on top of the baseline
2. Minimum program components to implement immediately:
โข Minimum awareness baseline for ALL employees: phishing recognition (domain checking, urgency indicators), USB/removable media policy (never connect unknown devices), physical security (visitor verification, tailgating prevention), how to report incidents
โข Job-function training for finance: wire transfer fraud, CEO impersonation (BEC), invoice manipulation โ the 67% click rate is an urgent gap
โข Phishing simulation program: quarterly campaigns with immediate just-in-time training for those who click; track click rate as primary metric
โข Documented pre-access training requirement: all new employees and third parties complete training before access
โข Automated behavioral monitoring: flag unusual download volumes, external transfers, off-hours access
3. Metrics at 3 and 6 months:
At 3 months:
โข Overall phishing click rate (target: below 20%, down from 41%)
โข Finance department click rate specifically (target: below 25%, down from 67%)
โข Training completion rate (target: 95%+ all employees)
โข USB incident reports (any unknown USB devices found and properly reported vs. connected)
At 6 months:
โข Overall click rate (target: below 10%)
โข Finance click rate (target: below 15%)
โข MFA adoption rate (if not already mandated, track enrollment progress)
โข Password manager adoption rate
โข Password sharing incidents reported
โข Physical security: number of visitor verification failures in follow-up physical tests