Certification Study Guide - CC by Kevin Henry
Kevin Henry
Study Guide
I am excited that you are on the journey to get your CC™ (Certified in Cybersecurity)
certification. This study guide is meant to complement the CC™ (Certified in Cybersecurity)
video courses on Pluralsight.
Here are a few tips to help you get the most out of these resources:
1. Print this out before you start the video courses.
2. Follow along with the courses, and complete the self-assessment questions for each
course to test your understanding.
3. Keep this document after you finish the course as a part of the materials you will use
to study for the exam.
The CC certification is based on an exam outline that covers five domains of essential
knowledge. It is important to review all five of the Pluralsight courses in the order they are
listed in your journey to achieve this certification. Follow along with the courses in this path,
and then register for the exam.
Reach out on LinkedIn to let me know how you are doing along the way.
Kevin Henry
CC™ (Certified in Cybersecurity)
Kevin Henry
Table of Contents
Security Principles for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test your Understanding
Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts for CCSM
Checklist of Exam Objectives: Areas to Study
Exam Essentials: What You Need to Know
Important Terminology
Self-Assessment Questions: Test your Understanding
● Availability
Procedures
● Step-by-step actions
● Mandated to accomplish a task in compliance with the intent of policy
Baselines
Implementation-specific minimum acceptable requirements for controls or configuration
Standards
Mandated requirements for hardware or software; or the use of external standards such as
ISO standards as a template for internal processes
Compliance
Having a record of activity to prove compliance
Ethics
● It’s important to develop and communicate an organizational ethics policy.
● Be familiar with the four main principles (canons) of the ISC2 Code of Ethics.
● Know their order of importance.
Important Terminology
Asset — An entity with value to its owner
Attack — Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or
destroy information system resources or the information itself (CNSSI 4009)
Availability — The measure of the criticality of an entity and the value of the entity to
supporting a business process
Due Care — The actions taken by a reasonable, prudent person to protect others from
unreasonable harm
Encryption — The process of rendering sensitive data unreadable through substitution and
transposition using a mathematical function (algorithm)
Residual Risk — Portion of risk remaining after security measures have been applied (CNSSI
4009)
Risk Acceptance — The level of risk within the limits set by the risk owner
Threat — Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets,
Tokenization — The replacement of sensitive data with a non-sensitive token value that can
be linked back to the sensitive data by authorized personnel
2. The organization is conducting a risk assessment that determines the level of risk to a
business process. What must be determined to calculate this level of risk?
a. Risk treatment
b. Risk monitoring
c. The value of the asset
d. Frequency of vulnerabilities
d. Guideline
10. The step-by-step list of actions an administrator should follow when setting up a new
user account is known as a:
a. Procedure
b. Standard
c. Functional policy
d. Baseline
11. An organization has determined that the cost of mitigating a risk is higher than the
value of the asset being protected. How was this determined?
a. Risk assessment
b. Cost/benefit analysis (CBA)
c. Control selection
d. Threat modeling
b. Threat
c. Defense in depth
d. Asset
13. A risk owner may accept a risk that is above the normal risk acceptance level. What is
this known as?
a. Risk tolerance
b. Risk mitigation
c. Risk avoidance
d. Total risk
14. A Certified in Cybersecurity certification holder does not report a serious problem with
another employee’s actions to management because the other employee is a friend.
Which principle of the (ISC)2 code of ethics does this violate?
a. Provide diligent and competent service to principals
b. Do no harm
c. Protect society and the common good
d. Advance and protect the profession
Monitoring
Log management, types of firewalls, host and network-based IDS and IPS, egress monitoring,
anti-virus
Configuration Management
Change control, baselines, patch management
Media Protection
Number of uses, age, environmental protection
Incident Management
The process, lessons learned to improve response
BCP/DRP
The process, types of tests, terminology – BIA, RPO, SDO, RTO, MTD
Personnel Security
Awareness, safety
Important Terminology
Business Impact Analysis (BIA) — The determination of the impact of a disruption to the
business mission (delivery of products and services) over the duration (time) of the disruption
Cold Site — A building that can be converted into an IT operations center; must have power,
HVAC, and network communications to be considered a viable cold site
Hot Site — A fully equipped site for recovery of IT operations; may be a commercially-owned
site or a mirrored site owned by the organization
Maximum Tolerable Downtime (MTD) — The longest time that a critical product or service
(business process) could be unavailable before the business is likely to suffer irreparable
harm (also Maximum Allowable Downtime (MAD) or Maximum Tolerable Period of
Disruption (MTPD))
Maximum Tolerable Outage (MTO) — The longest time that a business can continue to
operate in a disrupted state before the business would suffer irreparable harm
Recovery Point Objective (RPO) — The data recovery point that indicates the maximum
amount of data that would be lost following a disruption
Recovery Time Objective (RTO) — The desired scheduled time for the recovery of a business
operation; the most critical business functions have the shortest RTO
Service Delivery Objective (SDO) — The level of service that must be reached by the RTO;
the SDO is usually a percentage of normal operational capability
Warm Site — A partially equipped site for recovery of IT operations; would require additional
hardware to bring it into operational status
4. The business continuity team has been asked to provide input into the BIA
calculations. From which perspective should the BIA be conducted?
a. The user perspective
b. The business perspective
c. The IT perspective
d. The regulatory perspective
7. The business continuity plan for recovery of critical business processes following a
serious incident is based on:
a. Recovery Point Objective (RPO)
b. Maximum Tolerable Outage (MTO)
c. Recovery Time Objective (RTO)
d. Allowable Interruption Window (AIW)
8. What is a risk associated with using tape for the backups of critical data?
a. Lost data
b. Time required to restore data
c. Length of time between backups
d. Tapes have a higher cost
9. What is the advantage of reviewing the lessons learned from an incident a few days
after the incident instead of only reviewing immediately?
a. Better analysis without the emotion of the moment
b. Fewer people are involved in the discussion
c. More data can be remembered
d. Incident documentation is available
10. The priority for recovery of critical business processes is determined by:
a. Business Impact Analysis (BIA)
b. Cost of recovery
c. Maximum Tolerable Period of Disruption (MTPD)
d. Recovery Point Objective (RPO)
12. During a serious incident that requires the use of a Business Continuity Plan, the most
critical business operations are recovered first. When the organization returns to
normal operations, which services should have first priority?
a. The most critical business operations
b. All services should be recovered simultaneously
c. The least critical business processes
d. Customer-facing systems
13. Which of the following is NOT normally part of recovery resource requirements?
a. Data
b. Equipment
c. Supply chain
d. Security
14. The security manager is invited to a test of the business continuity plan. All the key
team members will meet in a boardroom and describe their role in the event of a
crisis. Which type of test is this likely to be?
a. Desktop
b. Simulation
c. Walkthrough
d. Parallel
Single Sign On has benefits and disadvantages. Know how to implement and manage the
risk of single sign on.
Most access control implementations are based on discretionary access control. This is where
the asset owner makes the decision on who gets access and what level of access they get.
Mandatory Access Control (MAC) requires compliance with policy as well as the owner’s
consent. In MAC, the owner’s decision enforces need-to-know.
RBAC (Role Based Access Control) is based on personnel with similar or identical access
requirements; in this way, it may violate the principle of least privilege.
Important Terminology
Accounting or Auditing (as part of identity and access management) — The tracking and
recording of all activity on a system; establishes a link between activities and the unique
identifier of the entity that executed the activity
Discretionary Access Control (DAC) — The majority of systems in the world are based on
DAC. In DAC the owner of the asset determines what level of access is granted, and to whom
the access is granted. The system just enforces the access decision made by the owner.
Federated Identity Management (FIM) — ‘Single sign on for the web’; use of an identity
provider to review the login of a subject (client, relaying party) and provide proof of
authentication (security assertion) to a relying party (merchant).
Identity Management Lifecycle — The need to actively manage identities throughout the
identity lifecycle, from provision to maintenance to de-provisioning
Mandatory Access Control (MAC) — Access that is mandated by policy and provides a more
stringent level of access than discretionary access control. MAC enforces separation of duties
and requires labeling of assets and users, and it requires consent of asset owners and
compliance with policy before access is granted.
Multi-factor Authentication (MFA) — The use of more than one factor to authenticate an
identity. The factors are based on: what you know; what you have; and what you are.
Standards often require the use of two different factors in order to be considered MFA.
Role Based Access Control (RBAC) — Access permissions based on a defined job role; a job
role may include entities (persons or processes) with identical or similar access requirements
Rule Based Access Control — Access permissions based on explicit rules that may permit or
deny access
Privileged Access Accounts — A higher risk to the organization since the higher levels of
access can be misused. Requires compensating controls: more supervision, monitoring of
actions, removal of access when no longer required, etc.
Public Key Infrastructure (PKI) — The deployment of Public Key Cryptography (asymmetric
algorithms) using digital certificates to authenticate users and devices to enable secure
communications
2. A recent audit found many UserIDs on the system that were not being used. The
auditor stated that this was an unacceptable risk. Why is this a risk?
a. Because UserIDs may be used by someone else if they are not in regular use
b. Because this is a violation of least privilege
c. Because there is no way to track misuse of such UserIDs
d. Because each UserID has a licensing cost that is wasted
5. Which control can be used to prevent the hijacking of an existing remote logon
session?
a. Periodic authentication
b. Multi-factor Authentication
c. Strong password policies
d. Continuous authentication
d. Symmetric encryption
7. What term is used to indicate the correct level of access to be enforced associated
with a building?
a. Clearance
b. Object
c. Classification
d. Mandatory
8. An offensive email was sent, but the user claims that they did not send it. Which
security principle is in question here?
a. Non-repudiation
b. Authentication
c. Integrity
d. Confidentiality
10. What can be used to substitute sensitive data with a non-sensitive value in an e-
commerce credit card transaction?
a. Masking
b. Tokenization
c. Obfuscation
d. Transposition
11. A user account was used to send an email when the user left their workstation
unattended and logged in. What control should be used to address this risk?
a. Session timeout
b. Policy
c. MFA
d. Non-repudiation
12. Which type of access control uses geographic location to determine access
permissions?
a. Attribute
b. Mandatory
c. Discretionary
d. Role Based
14. A merchant does not want to manage user accounts for their internet-based
customers and decides to use a solution based on OpenID. What is this an example
of?
a. Single Sign On
b. Kerberos
c. Active Directory
d. XML
10. B — Tokenization is used to substitute a credit card number with a token value. The
other answers may hide a credit card number from view but not substitute it.
11. B — This is a violation of policy, and policy needs to be the primary control: it must
ensure that a user does not leave a workstation logged in and unattended, and that staff
know that sending an email from another person’s account is a strict violation of
policy. A (session timeout) is a compensating control that may help if the workstation is
left logged in, but only after a few minutes have passed. MFA would not apply to a
session that is already logged in.
12. A — Location is an attribute. This access may be based on the concepts of MAC, DAC,
and perhaps even on RBAC. But this is an example of ABAC.
13. C — Separation or segregation of duties is designed to catch fraud or prevent errors.
Collusion is where people work together to bypass separation of duties. Logging may
detect fraud but not prevent it. Least privilege is a good answer since limiting access
may prevent unauthorized activity, but it is not the best answer.
14. A — This is an example of Federated Identity Management (FIM), which is a type of
single sign on for the internet. Kerberos is an example of Single Sign On but usually
for within an organization, not for internet customers. Active Directory is a commonly
used access control method but not specific to this question. XML defines the
structure of communications, often between organizations, but it is not applicable
with the question presented.
15. A — DAC allows the delegation of authority. MAC does not permit delegation. RBAC
and rule-based may be based on either DAC or MAC.
● Applications
Network Components
● Firewalls
● IDS and IPS
● DMZ and Extranet
Wireless Networks
● IEEE 802.11
● Cellular
● Satellite
Important Terminology
Botnet — Short for Robotically Controlled Network; a network of devices that is controlled
remotely, often through applications called Zombies and via a Command and Control (C2)
server
Demilitarized Zone (DMZ) — A subnet that is used to support external communications and
is isolated from other networks. Often used to host web servers.
Extranet — A subnet used to communicate with semi-trusted external parties. Isolated from
internal networks, and often requires higher levels of authentication than services located in
a DMZ.
Firewall — A device that acts as a gateway and regulates traffic between two networks
IPSec — Short for Internet Protocol Security; a suite of protocols used to protect IP traffic
Local Area Network (LAN) — A network of devices connected [usually] within a local, limited
area
MODEM — Modulates and demodulates electrical signals; transforms digital data into analog
and vice versa
Network Access Control (NAC) — A device that acts as a gateway controlling access to a
network.
Router — A piece of electronic equipment that connects computer networks to each other,
and sends information between networks (Cambridge dictionary)
Side Channel Attack — An attack against the operation of an integrated circuit (chip) that is
processing cryptographic functions; instead of attacking the data or the key, a side-channel
attack measures the emanations, power consumption, and execution timing of a chip,
thereby disclosing data about the cryptographic functions; this data may be used to
determine factors such as key length.
SPAM — Unwanted or unsolicited email; spam can clog up networks and servers, and often
contains malicious code intended to compromise the systems of the recipient
Switch — A piece of equipment on the network that receives electronic data and sends it to
the right place
Transport Layer Security (TLS) — The replacement for Secure Socket Layer (SSL) to protect
traffic at the transport layer
Trojan — Malicious code that may appear to be beneficial or harmless but contains a
damaging payload; a user is tricked into accepting the trojan without being aware of the
resulting damage
Virtual Local Area Network (VLAN) — A logical network as compared to a physical network;
may be configured as a series of ports on a physical switch or as ports located on different
switches
Virus — A type of malicious code that attaches itself to a victim’s system and then executes
its payload. Often used to damage systems and spread to other systems
Wireless Local Area Network (WLAN) — A network that connects devices over a wireless
LAN
Worm — A type of malicious code that can spread on its own without requiring a host to
support it and can spread rapidly through networks by taking advantage of vulnerable
systems
2. Which layer of the OSI stack is responsible for secure communications between two
adjacent devices?
a. Data link layer
b. Application layer
c. Network layer
d. Transport layer
5. What type of attack would send malicious traffic over port 53?
a. Mail relay
b. DNS tunneling
c. IP spoofing
d. Wannacry
8. Which layer of the OSI stack relies on data provided by the application at the source?
a. Intermediate Network
b. Destination Transport
c. Destination Application
d. Source Physical
11. Which of the following is a type of amplification attack, one that amplifies the size of
the attack?
a. DNS reflection
b. Ping of Death
c. Man-in-the-Middle
d. ARP Poisoning
10. B — Zombies are often used to control infected machines. Email and SPAM may be
used to distribute infections but not to control the infected machines. DNS poisoning
will send traffic to the wrong destination website.
11. A — A DNS reflection attack is often called a DNS Amplification attack. It allows the
attacker to increase the size of the attack to cause a Denial of Service. The Ping of
Death uses a very large ICMP packet to disable systems, but it does not amplify its
attack size. The Man-in-the-Middle intercepts traffic either actively (altering traffic) or
passively (monitoring traffic). ARP poisoning alters traffic routing but does not do
amplification.
12. C — A satellite signal needs line-of-sight between the satellite and the ground-based
dish. This signal can be interrupted by obstructions such as buildings, snow, or heavy
rain. Ethernet is used for wired LAN connections, and WLAN (IEEE 802.11) and
IEEE 802.15 (Wireless Personal Area Networks such as Bluetooth) do not require
line-of-sight.
13. A — Optical fiber is the hardest to intercept; not impossible, but the hardest of the
transmission media offered in the answers. Wireless is easy to intercept, and it is
easier to intercept traffic on a coaxial cable than on fiber.
14. A — An advantage of a Software as a Service (SaaS) as compared to a locally managed
application is the centralization of management. This is better for access control,
compliance, patching and support since those functions are managed together with
the Cloud Service Provider instead of local staff who may not be present in remote
offices. Since the SaaS requires internet access, it may not be as fast to respond as a
local application. There is no guarantee that either SaaS or a locally managed
application is more secure than the other. SaaS is almost certain to have higher
operating costs than a local application, but a local application often has higher
capital costs.
15. C — A firewall protects one network from another by examining and blocking
undesirable traffic. It should monitor both incoming and outgoing (egress) traffic.
DNS is concerned with routing of internet traffic to the correct location. A LAN is a
local area network and is not concerned with traffic between networks. Encryption
protects traffic from alteration or disclosure but may actually make the job of the
firewall more difficult by hiding the traffic so that the firewall cannot examine it
properly.
Security Awareness
One of the most effective of all controls
Policy
● The foundation of a security program is policy.
● There should be individual policies that address key areas such as BYOD, Wireless,
Remote Access, acceptable use, etc.
Change Management
● Change is a time of risk for an organization.
● Change should be carefully managed to prevent errors.
● Change management should be a formal, documented process.
Important Terminology
Asset — An entity with value to its owner
Attack — Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or
destroy information system resources or the information itself (CNSSI 4009)
Availability — The measure of the criticality of an entity and the value of the entity to
supporting a business process
Chain of Custody — A documented record of all actions related to evidence throughout the
evidence lifecycle
Due Care — The actions taken by a reasonable, prudent person to protect others from
unreasonable harm
Encryption — The process of rendering sensitive data unreadable through substitution and
transposition using a mathematical function (algorithm)
Residual Risk — Portion of risk remaining after security measures have been applied (CNSSI
4009)
Risk Acceptance — The level of risk within the limits set by the risk owner
Threat — Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets,
individuals, other organizations, or the Nation through an information system via
unauthorized access, destruction, disclosure, or modification of information, and/or denial of
service (CNSSI 4009)
2. The organization is conducting a risk assessment. Which process uses the results of a
risk assessment?
a. Risk avoidance
b. Risk transference
c. Risk treatment
d. Residual risk
a. Formal approval
b. IT scheduling
c. Vendor recommendations
d. Business requirements
5. A new employee that will work in the office has been granted access to systems and
networks including the internet in order to perform their job duties. Which policy
should be explained to the employee before they are granted access?
a. Bring Your Own Device (BYOD)
b. Remote access
c. Change control
d. Acceptable Use Policy (AUP)
10. An employee approaches the security team with a complaint about a fellow
employee or manager. The employee provides evidence they have captured by
monitoring the person they are complaining about. What should the security
manager do in this case?
a. Begin an investigation of the employee being reported on
b. Ignore the complaint since it did not come through authorized channels
11. An organization has stated that the maximum number of transactions that they could
afford to lose in the event of a system failure is three hours’ worth of activity. What
does this determination represent?
a. The volume of the backups
b. The frequency of the backups
c. The type of backup media used
d. The number of generations of backups
12. The organization has set three levels of data classification. What is the benefit for an
employee that has access to a piece of data that is classified?
a. The classification indicates proper data handling
b. The classification only applies to data owners not to users
c. The data must be encrypted
d. The classification cannot be changed at a later time
13. A researcher can determine cryptographic key length based on the execution time of
the chip used for encryption. What type of attack does this represent?
a. A covert timing attack
b. A brute force attack
c. Network sniffing
d. Social engineering
14. An auditor accepts an assignment that they are not competent to accomplish. Which
principle of the (ISC)2 code of ethics does this violate?
a. Provide diligent and competent service to principals
b. Do no harm
c. Protect society and the common good
d. Advance and protect the profession