Ransomware is a specific category of malicious software designed to block access to a computer system or data, typically by encrypting files, until a sum of money (a ransom) is paid. The malware's primary function is to hold the victim's data hostage, demanding payment for the decryption key to restore access. This directly matches the scenario described in the question, where data is held hostage in exchange for a ransom payment.

A. Trojan: A Trojan is a delivery mechanism that disguises malware as legitimate software; it does not inherently hold data for ransom.

B. Virus: A virus is self-replicating code that attaches to other programs to spread. Its primary purpose is propagation, not extortion.

D. DoS: A Denial-of-Service (DoS) is an attack type, not malware, that makes a service unavailable. It does not involve encrypting data for a ransom.

1. National Institute of Standards and Technology (NIST). (n.d.). Glossary: Ransomware. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary/term/ransomware.

Reference Point: The glossary defines ransomware as "A type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it."

2. University of California

Berkeley. (n.d.). What is Ransomware? Information Security Office. Retrieved from https://security.berkeley.edu/education-awareness/what-ransomware.

Reference Point: The "What is Ransomware?" section states

"Ransomware is a type of malware that encrypts your files

holding them hostage until you pay a ransom to the attacker."

3. Kharraz

A.

Robertson

W.

Balzarotti

D.

Bilge

L.

& Kirda

E. (2015). Cutting the Gordian Knot: A Look at Ransomware Attacks. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware

and Vulnerability Assessment (DIMVA) (pp. 3-22). Springer. https://doi.org/10.1007/978-3-319-20550-21

Reference Point: Page 3

Section 1 (Introduction)

Paragraph 1: "Ransomware is a particularly nasty type of malware that prevents victims from using their computer or accessing their personal files until a ransom is paid."

Due care is the legal and ethical principle that describes the standard of conduct expected of a reasonable person under specific circumstances. In information security, it means taking the necessary, ongoing actions to protect assets and mitigate risks. This standard requires individuals and organizations to act prudently and responsibly to avoid causing harm or loss, which directly aligns with the "reasonable person" test mentioned in the question.

A. Separation of duties is a security control that divides a critical task among multiple individuals to prevent fraud or error, not a standard of conduct.

B. Due diligence refers to the preparatory investigation and research conducted before taking an action to identify potential risks and liabilities.

D. Least privilege is an access control principle that ensures users are only granted the minimum level of access necessary to perform their job functions.

1. Cornell Law School

Legal Information Institute (LII). "Due Care." The LII

a reputable academic source

defines due care as: "The degree of care that a reasonable person would exercise under the same or similar circumstances." This provides the foundational legal definition.

Source: https://www.law.cornell.edu/wex/duecare

2. NIST Special Publication 800-161 Revision 1

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This official publication distinguishes between the two key concepts.

Section 2.3.2

"Due Diligence and Due Care

" states: "Due care is the prudent and responsible execution of the duties and responsibilities associated with a given role or position." This directly supports the concept of ongoing

reasonable action.

3. (ISC)². Official (ISC)² Guide to the CISSP CBK. 6th Edition. CRC Press

2022. This is an official vendor document for a foundational cybersecurity certification whose concepts are shared with the CC.

Chapter 3

"Security Governance Principles

" defines due care as "the standard of care that a reasonable person is expected to exercise in all activities that could potentially harm others." It explicitly contrasts this with due diligence

which is defined as the "process of investigation."

Political affiliation is a protected characteristic under various state and local laws, and for federal employees, it is explicitly prohibited as a basis for personnel actions. Using it as a factor in hiring decisions constitutes illegal discrimination as it is not considered a Bona Fide Occupational Qualification (BFOQ) for the vast majority of roles. While the other attributes listed—such as criminal records, credit history, references, education, and employment history—can be legitimate components of a background check, their use is heavily regulated to ensure they are job-related and applied non-discriminatorily. Political affiliation, however, is fundamentally a non-job-related attribute that should never be a basis for an employment decision.

A. Criminal Records, credit history, references: Criminal and credit histories can be legally used in hiring decisions when relevant to the job, as guided by the EEOC and the Fair Credit Reporting Act (FCRA).

B. Credit history, employment history, references: These are all standard, permissible components of a background check used to verify a candidate's qualifications and reliability, provided they are applied consistently and are job-related.

D. Employment history, references, criminal records: Verifying employment history and references are standard practices. Criminal records can be a valid consideration for roles requiring a high degree of trust or security, subject to legal constraints.

1. U.S. Equal Employment Opportunity Commission (EEOC). "Prohibited Employment Policies/Practices." The EEOC outlines federally protected classes. While Title VII does not explicitly list political affiliation for private employers

the EEOC's principles focus on job-relatedness. Furthermore

the Civil Service Reform Act of 1978 explicitly prohibits discrimination based on political affiliation in federal employment

establishing the legal principle. Many state and local laws extend this protection to the private sector. (See Prohibited Personnel Practices

5 U.S.C. § 2302(b)(1)(E)).

2. U.S. Equal Employment Opportunity Commission (EEOC). "Background Checks: What Employers Need to Know." This guidance document clarifies the legal parameters for using criminal records and credit history in employment decisions. It confirms that such information can be used if employers "comply with the federal nondiscrimination laws" and consider the nature of the job

the nature of the offense

and the time that has passed. This confirms these are not attributes that can never be used.

3. Cornell Law School Legal Information Institute (LII). "Bona Fide Occupational Qualification (BFOQ)." University-supported legal resources define BFOQ

explaining that characteristics like race or color can never be BFOQs. Similarly

political affiliation is not considered a legitimate BFOQ for non-political positions

making discrimination on this basis impermissible.

The question asks for the components of an incident response plan, which are best represented by the phases of the incident response lifecycle. The correct sequence is established by the National Institute of Standards and Technology (NIST). The lifecycle begins with Preparation, where the organization establishes its incident response capabilities. This is followed by Detection and Analysis to identify and validate an incident. The next phase, Containment, Eradication, and Recovery, focuses on limiting the incident's impact, removing the threat, and restoring systems to normal operation. The final phase is Post-Incident Activity, which involves analyzing the incident and the response to improve future security and incident handling efforts. Option A accurately reflects this established four-phase model.

B. This option incorrectly places Recovery before Containment and Eradication. An incident must be contained and the threat eradicated before systems can be safely recovered.

C. This option incorrectly places Recovery after Post-Incident Activity. System recovery is a critical step to restore business operations and must occur before the final lessons-learned phase.

D. This option incorrectly places Containment last among the active response phases. Containment is the immediate priority after detection to prevent further damage.

1. National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide. Special Publication (SP) 800-61 Rev. 2. Section 2.3

"Incident Response Life Cycle

" page 7. The document states

"The life cycle has four phases: 1. Preparation; 2. Detection and Analysis; 3. Containment

Eradication

and Recovery; 4. Post-Incident Activity." Figure 2-1 visually depicts this exact flow.

2. Tøndel

I. A.

Line

M. B.

& Gjøsæter

T. (2008). A Comparative Study of Incident Response Methodologies. In Proceedings of the 4th International Conference on Information-Warfare and Information-Security (ICIW 2008). Section 3.1

"The NIST Methodology

" page 370. This paper reviews various methodologies and describes the NIST model with the phases: Preparation

Detection & Analysis

Containment

Eradication & Recovery

and Post-Incident Activity.

3. Carnegie Mellon University

Software Engineering Institute. (2016). Defining the Process for Incident Response. CERT Division. Retrieved from course materials related to incident management. The CERT model

which heavily influenced the NIST framework

outlines a similar process: Prepare -> Protect -> Detect -> Triage -> Respond. The "Respond" phase encompasses containment

eradication

and recovery

aligning with the NIST structure.

Procedures are formal documents that provide detailed, step-by-step instructions on how to perform a specific task or process. They are designed to ensure that actions are carried out consistently and correctly, in alignment with established policies and standards. For example, a procedure would outline the exact sequence of actions a system administrator must take to create a new user account, ensuring compliance with the organization's access control policy.

A. Policies are high-level documents that state management's intent and objectives; they define what is required, not the specific steps on how to do it.

B. Regulations are mandatory rules or laws imposed by an external governing body, which an organization must follow, but they are not internal step-by-step guides.

C. Standards establish mandatory, specific requirements for technologies, configurations, or methods to ensure consistency, but they are not detailed procedural instructions.

1. National Institute of Standards and Technology (NIST). (2017). An Introduction to Information Security (NIST Special Publication 800-12 Rev. 1). U.S. Department of Commerce. In Section 2.3.1

"Policy

Standards

and Practices

" it states

"Procedures are detailed

step-by-step instructions that are created to ensure that personnel can perform a given action." (p. 10).

2. National Institute of Standards and Technology (NIST). (n.d.). Glossary. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary. The glossary defines a procedure as: "A set of steps that can be followed to accomplish a task."

3. University of California

Berkeley. (n.d.). Information Security Policy Program. Information Security Office. The document outlines the policy framework

defining Procedures as: "Step-by-step instructions to assist staff in implementing the various policies

standards

and guidelines."

An on-path attack, also known as a man-in-the-middle (MITM) attack, is a form of active eavesdropping where an attacker positions themselves in the communication path between two parties. By spoofing the IP address of a legitimate server, the attacker can intercept traffic intended for that server, and then inspect, modify, or redirect it without the knowledge of the communicating parties. The scenario described—intercepting and redirecting traffic via IP spoofing—is a textbook example of an on-path attack methodology.

B. Advanced persistent threat (APT): An APT refers to a prolonged and targeted cyberattack campaign, not the specific network interception technique described.

C. Trojan: A Trojan is a type of malware that misleads users of its true intent by disguising itself as legitimate software; it does not describe a network traffic interception method.

D. Spyware: Spyware is a category of malware designed to secretly gather information from a user's device, which is different from actively intercepting and redirecting network traffic.

---

1. National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Glossary.

On-Path Attacker: "An adversary that can read

write

and delete messages between two parties without either party knowing that the adversary is on the path."

IP Address Spoofing: "Faking the sending IP address in a packet to fool the recipient into accepting it as coming from a trusted source."

Source: NIST CSRC Glossary

s.v. "on-path attacker

" "IP address spoofing." Retrieved from https://csrc.nist.gov/glossary

2. Internet Engineering Task Force (IETF) RFC 4949.

Man-in-the-middle attack: "A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or both of the entities involved in a communication association." (Note: On-path attack is the modern term for MITM).

Source: Shirey

R. (2007). Internet Security Glossary

Version 2. IETF. RFC 4949

Section 2

Page 189. https://doi.org/10.17487/RFC4949

3. MIT OpenCourseWare

6.858 Computer Systems Security.

Lecture notes describe Man-in-the-Middle (MITM) attacks where an adversary can "impersonate server to client (and client to server)" and "intercept and modify traffic." Techniques like ARP spoofing and DNS spoofing are cited as methods to achieve this position.

Source: Kaashoek

M. F.

& Zeldovich

N. (2014). 6.858 Computer Systems Security

Lecture 11: Network Security. MIT OpenCourseWare. Retrieved from https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/resources/mit6858f14lec11/

The primary objective of physical access controls is to enforce the principle of least privilege in the physical domain. These controls are designed to manage and restrict entry to facilities, rooms, and specific areas to safeguard an organization's most critical assets. This includes protecting personnel, preventing unauthorized access to sensitive information stored on servers or in documents, and securing physical resources like equipment and infrastructure from theft, damage, or tampering. By limiting access to only authorized individuals, these controls form a foundational layer of a defense-in-depth security strategy, directly supporting the confidentiality, integrity, and availability of organizational assets.

A. Physical controls are meant to complement, not replace, technical security controls as part of a layered, defense-in-depth security posture.

B. This contradicts the security principle of least privilege, which dictates that access should be restricted based on job requirements, not granted universally.

D. Allowing public access to sensitive areas would introduce unacceptable risks, directly undermining the fundamental purpose of security controls.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5). U.S. Department of Commerce. The purpose of the Physical and Environmental Protection (PE) control family is to "limit physical access to systems

equipment

and the respective operating environments to authorized individuals." (p. 199

PE Family Introduction).

2. International Organization for Standardization. (2022). Information security

cybersecurity and privacy protection — Information security controls (ISO/IEC 27002:2022). The objective for control 7.2 "Physical entry" is to "ensure that only authorized personnel are allowed to enter secured areas." (Annex A

Control 7.2).

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM

18(7)

387–408. This foundational paper on computer security design principles implicitly supports physical controls through the principle of "Complete Mediation

" where every access must be checked. Physical controls are the first layer of mediation for physical assets. (Section A.3

p. 5). https://doi.org/10.1145/361011.361062

Infrastructure-as-a-Service (IaaS) provides the highest level of flexibility and customization among cloud service models. In an IaaS model, the cloud provider manages the core physical infrastructure (servers, networking, storage), but the customer retains control over the operating systems, middleware, runtime, data, and applications. This extensive control allows organizations to build and configure their environments precisely to their specifications, similar to on-premises infrastructure but without the capital expenditure and physical maintenance overhead. This model is ideal for organizations with complex or unique IT requirements that cannot be met by the more abstracted PaaS or SaaS models.

B. Platform-as-a-Service (PaaS): PaaS abstracts the underlying infrastructure, including the operating system and middleware, offering less control and customization than IaaS.

C. On-premises: While offering complete control, on-premises is a traditional deployment model, not a cloud service, and thus does not answer the question as posed.

D. Software-as-a-Service (SaaS): SaaS provides the least flexibility, as the vendor manages the entire stack, including the application. Customization is typically limited to user-level configurations.

---

1. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (NIST Special Publication 800-145). National Institute of Standards and Technology. Page 2

Section "Service Models". The document specifies that with IaaS

the consumer "has control over operating systems

storage

and deployed applications

" which is the broadest scope of control among the three service models.

2. Amazon Web Services. (n.d.). What is IaaS? AWS Documentation. Retrieved from https://aws.amazon.com/what-is/iaas/. The documentation states

"IaaS provides you with the highest level of flexibility and management control over your IT resources."

3. Microsoft Azure. (n.d.). What is infrastructure as a service (IaaS)? Azure Documentation. Retrieved from https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-iaas/. The documentation notes

"Of the three cloud service models

IaaS offers the most control for the business over its hardware."

4. Armbrust

M.

Fox

A.

Griffith

R.

Joseph

A. D.

Katz

R.

Konwinski

A.

... & Zaharia

M. (2009). A view of cloud computing. Communications of the ACM

53(4)

50-58. (Also available as Technical Report No. UCB/EECS-2009-28). Section 3.1 discusses how IaaS providers like Amazon EC2 offer low-level virtualized resources

which inherently provides more flexibility for users to build their own systems compared to higher-level PaaS offerings. DOI: https://doi.org/10.1145/1721654.1721672

The primary purpose of encryption is to provide confidentiality. It is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a key. This transformation ensures that only authorized parties, who possess the correct decryption key, can access and understand the original information. Therefore, its fundamental goal is to protect data from being read or accessed by unauthorized individuals or systems.

B. Encryption makes data unreadable and thus inherently difficult to analyze without prior decryption.

C. While encryption is a critical component of secure data storage, "secure storage" is a broader concept that also includes physical security and access controls. Encryption's specific role is confidentiality.

D. Encryption adds computational overhead to data operations, which generally decreases, rather than increases, processing efficiency.

1. National Institute of Standards and Technology (NIST). (2020). Recommendation for Key Management

Part 1: General (NIST SP 800-57 Part 1 Rev. 5). Section 2.1.1

"Cryptographic Mechanisms

" states

"Encryption provides the service of confidentiality by transforming data into an unreadable form." (Page 7).

2. Rivest

R. L. (2006). Lecture 1: Introduction; security mindset; threats

attacks

and assets; policies and mechanisms. MIT OpenCourseWare

6.857 Computer and Network Security. The lecture notes introduce cryptography as a primary mechanism for achieving confidentiality

defined as preventing the unauthorized release of information.

3. Pfleeger

C. P.

Pfleeger

S. L.

& Margulies

J. (2015). Security in Computing (5th ed.). Pearson Education. Chapter 2

"Toolbox: Authentication

Access Control

and Cryptography

" explains that cryptography "transforms a message so that it is unintelligible... The goal is that an outsider

seeing the encrypted data

cannot determine the original data." (Page 49).

An Advanced Persistent Threat (APT) is a sophisticated, long-term cyberattack in which an intruder establishes an undetected presence on a network to steal sensitive data over a prolonged period. The "Advanced" aspect refers to the use of highly sophisticated techniques and tools to breach defenses. The "Persistent" aspect signifies that the external command and control system is continuously monitoring and extracting data from a specific target. These campaigns are characterized by their stealth, long duration (months or years), and clear objectives, matching the description in the question precisely.

B. Ping of death: This is a specific type of denial-of-service (DoS) attack, not a long-term, sophisticated campaign. It is a singular event designed to crash a system.

C. Rootkit: A rootkit is a type of malicious software used to gain and maintain privileged access while hiding its presence. It is a tool an APT might use, not the threat campaign itself.

D. Side-channel: This refers to a type of attack that exploits information from the physical implementation of a system (e.g., power consumption), not the overall long-term threat actor or campaign.

1. National Institute of Standards and Technology (NIST). (2011). Special Publication 800-39

Managing Information Security Risk: Organization

Mission

and Information System View. Page C-1

Appendix C. "An adversary that possesses sophisticated levels of expertise and significant resources... pursues its objectives repeatedly over an extended period of time."

2. Chen

P.

Desmet

L.

& Huygens

C. (2014). A Study on Advanced Persistent Threats. In IFIP International Conference on Communications and Multimedia Security (pp. 63-72). Springer

Berlin

Heidelberg. DOI: https://doi.org/10.1007/978-3-662-44885-45. (Abstract and Section 2 define APTs by their advanced

persistent

and targeted nature over long periods).

3. Carnegie Mellon University Software Engineering Institute (SEI). (2017). Common Sense Guide to Mitigating Insider Threats

5th Edition. Page 10. "Advanced Persistent Threat (APT): A targeted

persistent

and skilled adversary who seeks to compromise a specific organization."