- (Exam Topic 4)
Which of the following concepts is NOT one of the core components to an encryption system architecture?

1. A. Software
2. B. Network
3. C. Keys
4. D. Data

Correct Answer: B
The network utilized is not one of the key components of an encryption system architecture. In fact, a network is not even required for encryption systems or the processing and protection of data. The data, software used for the encryption engine itself, and the keys used to implement the encryption are all core components of an encryption system architecture.

- (Exam Topic 4)
Which type of testing uses the same strategies and toolsets that hackers would use?

1. A. Static
2. B. Malicious
3. C. Penetration
4. D. Dynamic

Correct Answer: C
Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discovery potential vulnerabilities. Although the term malicious captures much of the intent of penetration testing from the perspective of an attacker, it is not the best answer. Static and dynamic are two types of system testing--where static is done offline and with knowledge of the system, and dynamic is done on a live system without any previous knowledge is associated--but neither describes the type of testing being asked for in the question.

- (Exam Topic 1)
Which United States law is focused on data related to health records and privacy?

1. A. Safe Harbor
2. B. SOX
3. C. GLBA
4. D. HIPAA

Correct Answer: D
The Health Insurance Portability and Accountability Act (HIPAA) requires the U.S. Federal Department of Health and Human Services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers, and insurance companies. It is focused on the security controls and
confidentiality of medical records, rather than the specific technologies used, so long as they meet the requirements of the regulations.

- (Exam Topic 3)
Which of the following threat types involves the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing?

1. A. Cross-site scripting
2. B. Missing function-level access control
3. C. Injection
4. D. Cross-site forgery

Correct Answer: C
An injection attack is where a malicious actor will send commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it could potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

- (Exam Topic 2)
Which of the following is a commonly used tool for maintaining system configurations?

1. A. Maestro
2. B. Orchestrator
3. C. Puppet
4. D. Conductor

Correct Answer: C
Puppet is a commonly used tool for maintaining system configurations based on policies, and done so from a centralized authority.