- (Exam Topic 4)
Which of the following is considered an administrative control?

1. A. Keystroke logging
2. B. Access control process
3. C. Door locks
4. D. Biometric authentication

Correct Answer: B
A process is an administrative control; sometimes, the process includes elements of other types of controls (in this case, the access control mechanism might be a technical control, or it might be a physical control), but the process itself is administrative. Keystroke logging is a technical control (or an attack, if done for malicious purposes, and not for auditing); door locks are a physical control; and biometric authentication is a technological control.

- (Exam Topic 2)
Which if the following is NOT one of the three components of a federated identity system transaction?

1. A. Relying party
2. B. Identity provider
3. C. User
4. D. Proxy relay

Correct Answer: D

- (Exam Topic 1)
Which term relates to the application of scientific methods and practices to evidence?

1. A. Forensics
2. B. Methodical
3. C. Theoretical
4. D. Measured

Correct Answer: A
Forensics is the application of scientific and methodical processes to identify, collect, preserve, analyze, and summarize/report digital information and evidence.

- (Exam Topic 4)
Which crucial aspect of cloud computing can be most threatened by insecure APIs?

1. A. Automation
2. B. Resource pooling
3. C. Elasticity
4. D. Redundancy

Correct Answer: A
Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment. Resource pooling and elasticity could both be impacted by insecure APIs, as both require automation and orchestration to operate properly, but automation is the better answer here. Redundancy would not be directly impacted by insecure APIs.

- (Exam Topic 3)
Many different common threats exist against web-exposed services and applications. One attack involves attempting to leverage input fields to execute queries in a nested fashion that is unintended by the developers.
What type of attack is this?

1. A. Injection
2. B. Missing function-level access control
3. C. Cross-site scripting
4. D. Cross-site request forgery

Correct Answer: A
An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it can potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.