Cybersecurity-Audit-Certificate無料試験問題と解答PDF最新問題2025年02月 [Q60-Q79]

Share

Cybersecurity-Audit-Certificate無料試験問題と解答PDF最新問題2025年02月

最新Cybersecurity-Audit-Certificate試験問題集で最近更新された136問題

質問 # 60
In cloud computing, which type of hosting is MOST appropriate for a large organization that wants greater control over the environment?

  • A. Hybrid hosting
  • B. Public hosting
  • C. Private hosting
  • D. Shared hosting

正解:C

解説:
Explanation
In cloud computing, the type of hosting that is MOST appropriate for a large organization that wants greater control over the environment is private hosting. Private hosting is a type of cloud service model where the cloud infrastructure is dedicated to a single organization and hosted either on-premise or off-premise by a third-party provider. Private hosting offers more control over the security, performance, customization, and compliance of the cloud environment than other types of hosting.


質問 # 61
At which layer in the open systems interconnection (OSI) model does SSH operate?

  • A. Network
  • B. Presentation
  • C. Application
  • D. Session

正解:C

解説:
SSH, or Secure Shell, is a network protocol that operates at the Application layer of the OSI model. This is the topmost layer, which allows users to interact with the network through applications. SSH provides a secure channel over an unsecured network in a client-server architecture, enabling users to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.


質問 # 62
Which of the following BEST characterizes security mechanisms for mobile devices?

  • A. Configurable and reliable across device types
  • B. Easy to control through mobile device management
  • C. Comparatively weak relative to workstations
  • D. Inadequate for organizational use

正解:B

解説:
The BEST characteristic that describes security mechanisms for mobile devices is easy to control through mobile device management. This is because mobile device management is a technique that allows organizations to centrally manage and secure mobile devices, such as smartphones, tablets, laptops, etc., that are used by their employees or customers. Mobile device management helps to enforce security policies, configure settings, install applications, monitor usage, wipe data, etc., on mobile devices remotely and efficiently. The other options are not characteristics that describe security mechanisms for mobile devices, but rather different aspects or factors that affect security mechanisms for mobile devices, such as weakness (B), inadequacy C, or reliability (D).


質問 # 63
Which of the following is an attack attribute of an advanced persistent threat (APT) that is designed to remove data from systems and networks?

  • A. Infiltration attack vector
  • B. Adversarial threat event
  • C. Kill chain modeling
  • D. Exfiltration attack vector

正解:D

解説:
Explanation
An example of an attack attribute of an advanced persistent threat (APT) that is designed to remove data from systems and networks is an exfiltration attack vector. An exfiltration attack vector is a method or channel that an APT uses to transfer data from a compromised system or network to an external location. Examples of exfiltration attack vectors include email, FTP, DNS, HTTP, or covert channels.


質問 # 64
Which of the following is a feature of an intrusion detection system (IDS)?

  • A. Automated response
  • B. Intrusion prevention
  • C. Back doors into applications
  • D. Interface with firewalls

正解:A

解説:
Explanation
A feature of an intrusion detection system (IDS) is automated response. This is because an IDS is a system that monitors network or system activities for malicious or anomalous behavior, and alerts or reports on any detected incidents. An IDS can also perform automated response actions, such as blocking traffic, terminating sessions, or sending notifications, to contain or mitigate the incidents. The other options are not features of an IDS, but rather different concepts or techniques that are related to intrusion detection or prevention, such as intrusion prevention (A), interface with firewalls C, or back doors into applications (D).


質問 # 65
Which of the following costs are typically covered by cybersecurity insurance?

  • A. Threat intelligence feed
  • B. Forensic investigation
  • C. Reputational loss
  • D. SIEM implementation

正解:B

解説:
Cybersecurity insurance typically covers direct and immediate losses due to data breaches and information security breaches. This often includes legal costs, credit monitoring costs, litigation costs (such as breach of privacy), and costs of regulatory investigations. Forensic investigation is a critical component of the response to a cyber incident, and the costs associated with it are generally covered under a cybersecurity insurance policy.


質問 # 66
Why are security frameworks an important part of a cybersecurity strategy?

  • A. They contain the necessary policies and standards.
  • B. They provide protection to the organization.
  • C. They are required for regulatory compliance.
  • D. They serve to integrate and guide activities.

正解:D

解説:
Security frameworks are crucial in a cybersecurity strategy because they provide a structured approach to managing and mitigating risks. They help in integrating various cybersecurity activities and guiding them towards achieving the strategic objectives of the organization. By establishing a common language and systematic methodology, they ensure that all parts of the organization's cybersecurity program are aligned and working cohesively.


質問 # 67
Availability can be protected through the use of:

  • A. redundancy, backups, and business continuity management
  • B. user awareness training and related end-user training.
  • C. access controls. We permissions, and encryption.
  • D. logging, digital signatures, and write protection.

正解:A

解説:
Availability can be protected through the use of redundancy, backups, and business continuity management. This is because these measures help to ensure that systems, data, and services are accessible and functional at all times, even in the event of a disruption or disaster. The other options are not directly related to protecting availability, but rather focus on enhancing confidentiality (A), integrity C, or awareness (D).


質問 # 68
Which of the following is EASIEST for a malicious attacker to detect?

  • A. Use of insufficient cryptography
  • B. Insecure storage of sensitive data
  • C. Ability to tamper with mobile code
  • D. Susceptibility to reverse engineering

正解:D

解説:
Explanation
The EASIEST thing for a malicious attacker to detect is the susceptibility to reverse engineering. Reverse engineering is the process of analyzing the code or functionality of an application to understand its structure, logic, or design. Reverse engineering can be used by attackers to discover vulnerabilities, bypass security mechanisms, or modify the application's behavior. Mobile applications are often susceptible to reverse engineering because they are distributed in binary form and can be easily decompiled or disassembled.


質問 # 69
Which of the following is a limitation of intrusion detection systems (IDS)?

  • A. Application-level vulnerabilities
  • B. Weak passwords for the administration console
  • C. Lack of Interface with system tools
  • D. Limited evidence on intrusive activity

正解:A

解説:
A limitation of intrusion detection systems (IDS) is that they cannot detect application-level vulnerabilities. An IDS is a tool that monitors network traffic or system activity and alerts on any suspicious or malicious events. However, an IDS cannot analyze the logic or functionality of applications and identify vulnerabilities such as SQL injection, cross-site scripting, or broken authentication.


質問 # 70
Which of the following is EASIEST for a malicious attacker to detect?

  • A. Use of insufficient cryptography
  • B. Insecure storage of sensitive data
  • C. Ability to tamper with mobile code
  • D. Susceptibility to reverse engineering

正解:D

解説:
The EASIEST thing for a malicious attacker to detect is the susceptibility to reverse engineering. Reverse engineering is the process of analyzing the code or functionality of an application to understand its structure, logic, or design. Reverse engineering can be used by attackers to discover vulnerabilities, bypass security mechanisms, or modify the application's behavior. Mobile applications are often susceptible to reverse engineering because they are distributed in binary form and can be easily decompiled or disassembled.


質問 # 71
he MOST significant limitation of vulnerability scanning is the fact that modern scanners only detect:

  • A. unknown vulnerabilities.
  • B. zero-day vulnerabilities.
  • C. common vulnerabilities.
  • D. known vulnerabilities.

正解:D

解説:
Explanation
The MOST significant limitation of vulnerability scanning is the fact that modern scanners only detect known vulnerabilities. This is because vulnerability scanners rely on databases or repositories of known vulnerabilities, such as CVE (Common Vulnerabilities and Exposures), to compare and identify the weaknesses or flaws in systems or applications. Vulnerability scanners cannot detect unknown vulnerabilities, such as zero-day vulnerabilities, that have not been reported or disclosed yet, and may be exploited by attackers before they are patched or fixed. The other options are not the most significant limitation of vulnerability scanning, because they either involve detecting common (A), unknown (B), or zero-day (D) vulnerabilities, which are not the capabilities or limitations of modern scanners.


質問 # 72
Within the NIST core cybersecurity framework, which function is associated with using organizational understanding to minimize risk to systems, assets, and data?

  • A. Detect
  • B. Respond
  • C. Identify
  • D. Recover

正解:C

解説:
Explanation
Within the NIST core cybersecurity framework, the identify function is associated with using organizational understanding to minimize risk to systems, assets, and data. This is because the identify function helps organizations to develop an organizational understanding of their cybersecurity risk management posture, as well as the threats, vulnerabilities, and impacts that could affect their business objectives. The other functions are not directly related to using organizational understanding, but rather focus on detecting (A), recovering C, or responding (D) to cybersecurity events.


質問 # 73
An information security procedure indicates a requirement to sandbox emails. What does this requirement mean?

  • A. isolate the emails and test for malicious content
  • B. Ensure the emails are encrypted and provide nonrepudiation.
  • C. Provide a backup of emails in the event of a disaster
  • D. Guarantee rapid email delivery through firewalls.

正解:A

解説:
Explanation
An information security procedure that indicates a requirement to sandbox emails means that the emails need to be isolated and tested for malicious content. This is because sandboxing is a technique that creates a virtual or isolated environment, where suspicious or untrusted emails can be executed or analyzed without affecting the rest of the system or network. Sandboxing helps to detect and prevent malware, phishing, or spam attacks that may be embedded in emails, and protect the users and the organization from potential harm. The other options are not what sandboxing emails means, but rather different concepts or techniques that are related to information security, such as encryption and nonrepudiation (A), backup and recovery (B), or firewall and delivery (D).


質問 # 74
What would be an IS auditor's BEST response to an IT managers statement that the risk associated with the use of mobile devices in an organizational setting is the same as for any other device?

  • A. The risk associated with mobile devices cannot be mitigated with similar controls for workstations.
  • B. The ability to wipe mobile devices and disable connectivity adequately mitigates additional
  • C. Replication of privileged access and the greater likelihood of physical loss increases risk levels.
  • D. The risk associated with mobile devices is less than that of other devices and systems.

正解:C

解説:
The BEST response to an IT manager's statement that the risk associated with the use of mobile devices in an organizational setting is the same as for any other device is that replication of privileged access and the greater likelihood of physical loss increases risk levels. Mobile devices pose unique risks to an organization due to their portability, connectivity, and functionality. Mobile devices may store or access sensitive data or systems that require privileged access, which can be compromised if the device is lost, stolen, or hacked. Mobile devices also have a higher chance of being misplaced or taken by unauthorized parties than other devices.


質問 # 75
The GREATEST advantage of using a common vulnerability scoring system is that it helps with:

  • A. risk quantification
  • B. risk elimination.
  • C. risk prioritization.
  • D. risk aggregation.

正解:C

解説:
The GREATEST advantage of using a common vulnerability scoring system is that it helps with risk prioritization. This is because a common vulnerability scoring system provides a standardized and consistent way of measuring and comparing the severity of vulnerabilities, based on their impact and exploitability. This allows organizations to prioritize the remediation of the most critical vulnerabilities and allocate resources accordingly. The other options are not as advantageous as using a common vulnerability scoring system, because they either involve aggregating (A), eliminating C, or quantifying (D) risk, which are not directly related to the scoring system.


質問 # 76
Which of the following is the BEST indication of mature third-party vendor risk management for an organization?

  • A. The organization maintains vendor security assessment checklists.
  • B. The third party maintains annual assessments of control effectiveness.
  • C. The organization's security program follows the thud party's security program.
  • D. The third party's security program Mows the organization s security program.

正解:A

解説:
Explanation
The BEST indication of mature third-party vendor risk management for an organization is that the organization maintains vendor security assessment checklists. This is because vendor security assessment checklists help the organization to evaluate and monitor the security posture and performance of their third-party vendors, based on predefined criteria and standards. Vendor security assessment checklists also help the organization to identify and mitigate any gaps or issues in the vendor's security controls or processes.
The other options are not as indicative of mature third-party vendor risk management for an organization, because they either involve following or mimicking the security program of either party without considering their own needs or risks (A, D), or relying on the vendor's self-assessment without independent verification or validation C.


質問 # 77
Which of the following devices is at GREATEST risk from activity monitoring and data retrieval?

  • A. Printing devices
  • B. Desktop workstation
  • C. Mobile devices
  • D. Cloud storage devices

正解:C

解説:
Explanation
The device that is at GREATEST risk from activity monitoring and data retrieval is mobile devices. This is because mobile devices are devices that are portable, wireless, and connected to the Internet or other networks, such as smartphones, tablets, laptops, etc. Mobile devices are at greatest risk from activity monitoring and data retrieval, because they can be easily lost, stolen, or compromised by attackers who can access or extract the data stored or transmitted on the devices. Mobile devices can also be subject to activity monitoring and data retrieval by third-party applications or services that may collect or share the user's personal or sensitive information without their consent or knowledge. The other options are not devices that are at greatest risk from activity monitoring and data retrieval, but rather different types of devices that may have different levels of risk or protection from activity monitoring and data retrieval, such as cloud storage devices (B), desktop workstations C, or printing devices (D).


質問 # 78
Which of the following is MOST critical to guiding and managing security activities throughout an organization to ensure objectives are met?

  • A. Adopting industry security standards and frameworks
  • B. Conducting annual security awareness training for all employees
  • C. Establishing metrics to measure and monitor security performance
  • D. Allocating a significant amount of budget to security investments

正解:C

解説:
Explanation
The MOST critical thing to guiding and managing security activities throughout an organization to ensure objectives are met is establishing metrics to measure and monitor security performance. This is because metrics provide quantifiable and objective data that can be used to evaluate the effectiveness and efficiency of security activities, as well as identify gaps and areas for improvement. Metrics also enable communication and reporting of security performance to stakeholders, such as senior management, board members, auditors, regulators, customers, etc. The other options are not as critical as establishing metrics, because they either involve spending money without knowing the return on investment (A), adopting standards without customizing them to fit the organization's context and needs (B), or conducting training without assessing its impact on behavior change (D).


質問 # 79
......


ISACA Cybersecurity-Audit-Certificate 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Cybersecurity Governance: This part of the exam covers knowledge of cybersecurity frameworks, policies, and risk management.
トピック 2
  • Cybersecurity Technology Topics: This section of the exam covers the comprehension of cybersecurity tools, technologies, and their applications.
トピック 3
  • Cybersecurity Operations: This section of the exam covers hands-on skills for defending against and responding to cyberattacks.
トピック 4
  • Cybersecurity and Audit’s Role: In this part of the exam, the topics covered the intersection of cybersecurity and auditing practices.

 

ISACA Cybersecurity-Audit-Certificateリアル2025年最新のブレーン問題集で模擬試験問題集:https://jp.fast2test.com/Cybersecurity-Audit-Certificate-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어