CISSP CBK Flashcards 2016


A

The act of obtaining information of a higher level of sensitivity by combining information from a lower level of sensitivity is called? A. Aggregation B. Data mining C. Inference D. Polyinstantiation

C

After signing out a laptop computer from the company loaner pool, you discovered there is a memorandum stored in the loaner laptop written to a competitor containing sensitive information about a new product your company is about to release. Based on the (ISC)2 Code of Ethics, what is the first action you should take? A. Delete the memorandum from the laptop to ensure no one else will see it. B. Contact the author of the memorandum to let him/her know the memorandum was on the laptop. C. Immediately inform your company's management of your findings and its potential ramifications. D. Inform the security awareness trainers that data disclosure prevention in a mobile computing environment needs to be added to their classes.

D

All of the following methods ensure the stored data are unreadable except...? A. writing random data over the old file. B. physical alteration of media. C. degaussing the disk or tape. D. removing the volume header information.

B

All of the following are hashing algorithms except...? A. SHA B. IDEA C. HAVAL D. MD2

B

An access control system that grants users only those rights necessary for them to perform their work is operating on which security principle? A. Discretionary Access B. Least Privilege C. Mandatory Access D. Separation of Duties

B

A CISSP may face an ethical conflict between their company's policies and the (ISC)2 Code of Ethics. According to the (ISC)2 Code of Ethics, in which order of priority should ethical conflicts be resolved? A. Duty to principals, profession, public safety, and individuals. B. Duty to public safety, principals, individuals, and profession. C. Duty to profession, public safety, individuals, and principals. D. Duty to public safety, profession, individuals, and principals.

C

A memory address location specified in a program instruction that contains the address of the final memory location is known as: A. Implied addressing. B. Indexed addressing. C. Indirect addressing. D. Register addressing.

A

A person in possession of a sample of ciphertext and the corresponding plaintext is capable of what type of attack? A. Known-plaintext B. Ciphertext only C. Chosen-plaintext D. Plaintext

C

A processing methodology that executes two or more tasks on a single processor is known as: A. Scalar. B. Multiprocessing. C. Multitasking. D. Multiprogramming.

B

A risk is the likelihood of a threat source taking advantage of a vulnerability in an information system. The risk left over after implementing safeguards is known as: A. Leftover risks. B. Residual risks. C. Remaining risks. D. Exposures

A

A security planning process must define how security will be managed, who will be responsible, and...? A. what practices are reasonable and prudent for the enterprise. B. who will work in the security department. C. what impact security will have on the intrinsic value of data. D. how security measures will be tested for effectiveness.

C

A security policy provides a way to...? A. establish a cost model for security activities. B. allow management to define system recovery requirements. C. identify and clarify security goals and objectives. D. enable management to define system access rules.

C

A system security engineer is evaluating methods to store user passwords in an information system. What is the best method to store user passwords while meeting the confidentiality security objective? A. Password-protected file B. File restricted to one individual C. One-way encrypted file D. Two-way encrypted file

A

A type of cryptographic attack based on the probability of two different messages using the same hash function producing the same message digest is? A. Birthday attack B. Statistic attack C. Differential cryptanalysis attack D. Known ciphertext attack

C

The accounting branch of a large organization requires an application to process expense vouchers. Each voucher must be input by one of many accounting clerks, verified by the clerk's applicable supervisor, then reconciled by an auditor before the reimbursement check is produced. Which access control technique should be built into the application to best serve these requirements? A. Mandatory Access Control (MAC) B. Password Security C. Role-based Access Control (RBAC) D. Terminal Access Controller Access System (TACACS)

C

The concept that all accesses must be mediated, protected from unauthorized modification, and verifiable as correct is implemented through what? A. A security model. B. A reference monitor. C. A security kernel. D. A trusted computing base.

A

The goal of cryptanalysis is to...? A. forge coded signals that will be accepted as authentic. B. ensure that the key has no repeating segments. C. reduce the system overhead for cryptographic functions. D. determine the number of encryption permutations required.

C

The likelihood of a threat source taking advantage of a vulnerability is called? A. Vulnerability B. Threat C. Risk D. Exposure

B

The practice of embedding a message in a document, image, video or sound recording so that its very existence is hidden is called? A. Anonymity. B. Steganography. C. Shielding. D. Data diddling.

A

The three primary methods for authenticating users to a system or network are...? A. passwords, tokens, and biometrics. B. authorization, identification, and tokens. C. passwords, encryption, and identification. D. identification, encryption, and authorization.

C

Under what circumstance might a certification authority (CA) revoke a certificate? A. The certificate owner has not utilized the certificate for an extended period. B. The certificate owner's public key has been compromised. C. The certificate owner's private key has been compromised. D. The certificate owner has upgraded his/her web browser.

D

What characteristic of Digital Encryption Standard (DES) used in Electronic Code Book (ECB) mode makes it unsuitable for long messages? A. Block fragmentation causes message cipher instability. B. Weak keys will produce symmetrical message holes. C. Each message block produces a single cipher text block. D. Repeated message blocks produce repeated cipher text blocks.

D

What determines the assignment of data classifications in a mandatory access control (MAC) philosophy? A. The analysis of the users in conjunction with the audit department B. The assessment by the information security department C. The user's evaluation of a particular information element D. The organization's published security policy for data classification

D

What is a set of step-by-step instructions used to satisfy control requirements called? A. Policy B. Standard C. Guideline D. Procedure

B

What is the advantage of the Rivest, Shamir, Adleman (RSA) public key system over the Digital Signature Algorithm (DSA)? A. It uses the secure hash algorithm to condense a message before signing. B. It can be used for encryption. C. It cannot be compromised through substitution. D. It uses the function of escrowed encryption.

C

What is the difference between quantitative and qualitative risk analysis? A. Qualitative analysis uses mathematical formulas while quantitative analysis does not. B. Purely qualitative analysis is not possible, while purely quantitative is possible. C. Quantitative analysis provides formal cost/benefit information while qualitative analysis does not. D. There is no difference between qualitative and quantitative analysis.

C

What is the inverse of confidentiality, integrity, and availability (C.I.A.) triad in risk management? A. misuse, exposure, destruction B. authorization, non-repudiation, integrity C. disclosure, alteration, destruction D. confidentiality, integrity, availability

B

What is the trusted registry that guarantees the authenticity of client and server public keys? A. Public key notary. B. Certification authority. C. Key distribution center. D. Key revocation certificate

A

What principle recommends division of responsibilities so that one person cannot commit an undetected fraud? A. Separation of duties B. Mutual exclusion C. Need to know D. Least privilege

D

What type of control is not utilized to achieve management directives to protect company assets? A. Administrative controls B. Technical controls C. Physical controls D. Financial controls

B

In what type of cryptanalytic attack does an adversary have the least amount of information to work with? A. Known-plaintext B. Ciphertext-only C. Plaintext-only D. Chosen-ciphertext

B

When a security administrator wants to conduct regular tests of the strength of user passwords, what is the best setup for this test? A. A networked laptop with a rainbow table that has direct access to the live password database. B. A standalone workstation with a rainbow table and a copied password database. C. A networked workstation with a rainbow table and a copied password database. D. This is not possible, because the password database is encrypted.

C

When an employee transfers within an organization ... A. The employee must undergo a new security review. B. The old system IDs must be disabled. C. All access permission should be reviewed. D. The employee must turn in all access devices

A

When downloading software from the Internet, why do vendors publish MD5 hash values when they provide software to customers? A. Recipients can verify the software's integrity after downloading. B. Recipients can confirm the authenticity of the site from which they are downloading the patch. C. Recipients can request future updates to the software by using the assigned hash value. D. Recipients need the hash value to successfully activate the new software.

B

When engaging an external contractor for a software development project, source code escrow can be used to protect against...? A. system data loss. B. vendor bankruptcy. C. copyright violation. D. legal liability.

D

When securing Internet connections, which of the following should be used to protect internal routing and labeling schemes? A. Virtual Private Networks (VPN) B. Layer 2 Tunneling Protocol (L2TP) C. Domain Name Systems (DNS) D. Network Address Translation (NAT)

A

When there is a "separation of duties", parts of tasks are assigned to different people so that: A. Collusion is required to perform an unauthorized act. B. Better planning is required to break into systems. C. Defense-in-depth is achieved by creating multiple layers an attacker must circumvent. D. The weakest link, people, are not easily flipped.

C

When verifying key control objectives of a system design, the security specialist should ensure that the...? A. final system design has security administrator approval. B. auditing procedures have been defined. C. vulnerability assessment has been completed. D. impact assessment has been approved.

A

Which answer is not true for the Diffie-Hellman algorithm? A. Security stems from the difficulty of calculating the product of two large prime numbers. B. It was the first public key exchange algorithm. C. It is vulnerable to man-in-the-middle attacks. D. It is used for distribution of a shared key, not for message encryption and decryption

A

Which answer lists the proper steps required to develop a disaster recovery and business continuity plan (DRP/BCP)? A. Project initiation, business impact analysis, strategy development, plan development, testing, maintenance. B. Strategy development, project initiation, business impact analysis, plan development, testing, maintenance. C. Business impact analysis, project initiation, strategy development, plan development, testing, maintenance. D. Project initiation, plan development, business impact analysis, strategy development, testing, maintenance.

C

Which choice below is an accurate statement about standards? A. Standards are the high-level statements made by senior management in support of information systems security. B. Standards are the first element created in an effective security policy program. C. Standards are used to describe how policies will be implemented within an organization. D. Standards are senior management's directives to create a computer security program.

A

Which e-mail standard relies on "Web of Trust"? A. Pretty Good Privacy (PGP) B. Privacy Enhanced Mail (PEM) C. MIME Object Security Services (MOSS) D. Secure Multipurpose Internet Mail Extensions (S/MIME)

C

Which shows the flags used in a TCP 3-way handshake? A. Syn ->: Syn-Fin <-: Ack -> B. Ack ->: Syn-Ack <-: Syn -> C. Syn ->: Syn-Ack <-: Ack -> D. Syn ->: Ack <-: Ack ->

C

Which of the following can be identified when exceptions occur using operations security detective controls? A. Unauthorized people seeing printed confidential reports. B. Unauthorized people destroying confidential reports. C. Authorized operations people performing unauthorized functions. D. Authorized operations people not responding to important console messages.

B

Which of the following is not a characteristic of a good stream cipher? A. Long periods of no repeating patterns. B. Statistically predictable. C. Keystream is not linearly related to the key. D. Statistically unbiased keystream.

B

Which of the following describes the activities that assure protection mechanisms are maintained and operational? A. Due care B. Due diligence C. Due care but not due diligence D. Due care and due diligence

D

Which of the following describes the first step in establishing an encrypted session using a Data Encryption Standard (DES) key? A. Key clustering B. Key compression C. Key signing D. Key exchange

D

Which of the following describes the step prior to an encrypted session using Data Encryption Standard (DES)? A. Key clustering B. Key compression C. Key signing D. Key exchange

D

Which of the following entities is ultimately responsible for information security within an organization? A. IT Security Officer B. Project Managers C. Department Directors D. Senior Management

C

Which of the following evidence collection methods is most likely to be accepted in a court case? A. Provide a full system backup inventory. B. Create a file-level archive of all files. C. Provide a mirror image of the hard drive. D. Copy all files accessed at the time of the incident.

C

Which of the following features does a digital signature provide? A. It provides the ability to encrypt an individual's confidential data. B. It ensures an individual's privacy. C. It identifies the source and verifies the integrity of data. D. It provides a framework for law and procedures.

A

Which of the following is a high-level language? A. BASIC. B. Machine. C. Assembly. D. BIOS

D

Which of the following is not a component of the "chain of evidence"? A. Location evidence obtained. B. Time evidence obtained. C. Who discovered the evidence. D. Identification of person who left the evidence.

C

Which of the following is not a generally accepted benefit of security awareness, training and education? A. A security awareness program can help operators understand the value of the information. B. A security education program can help system administrators recognize unauthorized intrusion attempts. C. A security awareness and training program will help prevent natural disasters from occurring. D. A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

D

Which of the following is not a symmetric key algorithm? A. RC4. B. Blowfish. C. DES. D. RSA.

B

Which of the following is not true regarding security policy? A. It is a general statement B. It is promulgated by senior IT security staff C. It describes the role of security in the organization D. It is broad

D

Which of the following is not true with respect to qualitative risk analysis? A. It uses scenarios. B. It is based on judgment, intuition and experience. C. May include the Delphi technique D. Results in concrete probability percentages.

A

Which of the following is the least important information to record when logging a security violation? A. User's name B. User id. C. Type of violation D. Date and time of the violation

A

Which of the following is the most effective method for reducing security risks associated with building entrances? A. Minimize the number of entrances B. Use solid metal doors and frames C. Brightly illuminate the entrances D. Install tamperproof hinges and glass

B

Which of the following is the primary goal of a security awareness program? A. It provides a vehicle for communicating security procedures. B. It provides a clear understanding of potential risk and exposure. C. It provides a forum for disclosing exposure and risk analysis. D. It provides a forum to communicate user responsibilities.

A

Which of the following is true about information that is designated with the highest level of confidentiality in a private sector organization? A. It is limited to named individuals and creates an audit trail. B. It is restricted to those in the department of origin for the information. C. It is available to anyone in the organization whose work relates to the subject and requires authorization for each access. D. It is classified only by the information security officer and restricted to those who have made formal requests for access.

B

Before powering off a computer system, a computer crime investigator should record contents of the monitor and...? A. save the contents of the spooler queue. B. dump the memory contents to a disk. C. backup the hard drive. D. collect the owner's boot up disks

B

If risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets" the risk has all of the following elements except? A. An impact of assets based on threats and vulnerabilities. B. Controls addressing the threats. C. Threats to and vulnerabilities of processes and/or assets. D. Probabilities of the threats.

B

In IPsec, what is the standard format that helps to establish and manage the security association (SA) between two internetworking entities? A. Internet Security Association and Key Management Protocol (ISAKMP) B. Internet Key Exchange (IKE) C. Diffie-Hellman Key Exchange D. Authentication Header (AH)

B

In a typical information security program, what is the primary responsibility of the information (data) owner? A. Ensure the validity and accuracy of data. B. Determine the information sensitivity or classification level. C. Monitor and audit system users. D. Ensure availability of data.

A

In a typical information security program, who would be responsible for providing reports to the corporate executives and senior management on the effectiveness of the instituted program controls? A. Auditors B. Information systems security manager (ISSM) C. Information systems security officer (ISSO) D. Information systems security professionals

D

In business continuity planning, which of the following is an advantage of a "hot site" over a "cold site"? A. Air Conditioning B. Cost C. Short period to become operational D. A & C

A

In the Common Criteria Evaluation and Validation Scheme (CCEVS), requirements for future products are defined by: A. Protection Profile. B. Target of Evaluation. C. Evaluation Assurance Level 3. D. Evaluation Assurance Level 7.

B

In what situation would TEMPEST risks and technologies be of most interest? A. Where high availability is vital B. Where the consequences of disclosure are very high C. Where countermeasures are easy to implement D. Where data base integrity is crucial

D

It is important that information about an ongoing computer crime investigation be...? A. destroyed as soon after trial as possible. B. reviewed by upper management before being released. C. replicated to a backup system to ensure availability. D. limited to as few people as possible.

C

Job rotation...? A. makes it more difficult to detect fraudulent activities. B. is the same as separation of duties. C. requires that more than one person fulfill the tasks of one position within the company, thereby providing both backup and redundancy. D. does not make it harder for an employee to commit fraudulent activities without others finding out, especially since it aids in obscuring who did what.

D

Methods of handling risk include all of the following except: A. Transferring risk B. Reducing risk C. Accepting risk D. Selling risk

D

Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms, intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is not a component that achieves this type of security? A. Technical control mechanisms B. Administrative control mechanisms C. Physical control mechanisms D. Integrity control mechanisms

A

Pretty Good Privacy (PGP) provides...? A. confidentiality, integrity, and authenticity. B. integrity, availability, and authentication. C. availability, authentication, and non-repudiation. D. authorization, non-repudiation, and confidentiality.

B

Prior to installation of an intrusion prevention system (IPS), a network engineer would place a packet sniffer on the network. What is the purpose of using a packet sniffer? A. It tracks network connections. B. It monitors network traffic. C. It scans network segments for cabling faults. D. It detects illegal packets on the network.

C

A reference monitor requires which of the following conditions? A. Policy, mechanism and assurance B. Isolation, layering and abstraction C. Isolation, completeness and verifiability D. Confidentiality, availability and integrity

D

Risk analysis allows you to do all of the following except: A. Quantify the impact of potential risks B. Create an economic balance between the impact of a risk and the cost of a countermeasure C. Provide a cost/benefit comparison D. Prevent risk

A

Security management practice focuses on the continual protection of: A. Company assets B. Classified information C. Security-related hardware and software D. Company data

D

Security of an automated information system is most effective and economical if the system is...? A. optimized prior to addition of security. B. customized to meet the specific security threat. C. subjected to intense security testing. D. designed originally to meet the information protection needs.

B

Separation of duties should be...? A. enforced in all organizational areas. B. cost justified for the potential for loss. C. enforced in the program testing phase of application development. D. determined by the availability of trained staff.

D

Which of the following mechanisms is used to achieve non-repudiation of a message delivery? A. Sender encrypts the message with the recipient's public key and signs it with their own private key. B. Sender computes a digest of the message and sends it to a Trusted Third Party (TTP) who signs it and stores it for later reference. C. Sender sends the message to a TTP who signs it together with a time stamp and sends it on to the recipient. D. Sender gets a digitally signed acknowledgment from the recipient containing a copy or digest of the message.

C

Which of the following refers to a series of characters used to verify a user's identity? A. Token serial number B. User ID C. Password D. Security ticket

D

Which of the following transaction processing properties ensures once a transaction completes successfully (commits), the updates survive even if there is a system failure? A. Atomicity. B. Consistency. C. Isolation. D. Durability

D

Which of the following virus types changes its characteristics as it spreads? A. Boot sector B. Parasitic C. Stealth D. Polymorphic

C

Which of the following is an example of a simple substitution algorithm? A. Rivest, Shamir, Adleman (RSA) B. Data Encryption Standard (DES) C. Caesar cipher D. Blowfish

B

Which one of the following hardware devices can be re-programmed? 1 Read Only Memory (ROM). 2 Programmable Read Only Memory (PROM). 3 Erasable Programmable Read Only Memory (EPROM). 4 Electrically Erasable Programmable Read Only Memory (EEPROM). A. 1 and 3. B. 3 and 4. C. 1 and 4. D. 2 and 3.

D

Which one of the following cannot be identified by a business impact analysis (BIA)? A. Analyzing the threats associated with each functional area. B. Determining risks associated with threats. C. Identifying major functional areas of information. D. Determining team members associated with disaster planning.

B

Which statement below is an incorrect description of a security control? A. Detective controls discover attacks and trigger preventive or corrective controls B. Corrective controls reduce the likelihood of a deliberate attack C. Corrective controls reduce the effect of an attack D. Controls are the countermeasures for vulnerabilities

A

Which statement below most accurately reflects the goal of risk mitigation? A. Defining the acceptable level of risk the organization can tolerate, then reducing risk to that level. B. Analyzing and removing all vulnerabilities and threats to security within the organization. C. Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party such as an insurance carrier. D. Analyzing the effects of a business disruption and preparing the company's response.

C

An information security program should include the following elements: A. Disaster recovery and business continuity planning, and definition of access control requirements and human resources policies. B. Business impact, threat and vulnerability analysis, delivery of an information security awareness program, and physical security of key installations. C. Security policy implementation, assignment of roles and responsibilities, and information asset classification. D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.

D

An instance of being exposed to losses is called? A. Vulnerability B. Threat C. Risk D. Exposure

B

As an information systems security manager (ISSM), how would you explain the purpose for a system security policy? A. A definition of the particular settings that have been determined to provide optimum security B. A brief, high-level statement defining what is and is not permitted during the operation of the system C. A definition of those items that must be excluded on the system D. A listing of tools and applications that will be used to protect the system

B

As an information systems security professional, what is the highest amount you would recommend a corporation invest annually in a countermeasure for protecting assets valued at $1 million from a potential threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 10%? A. $100,000. B. $20,000. C. $200,000. D. $40,000.

A

Company X is planning to implement a rule-based access control mechanism for controlling access to its information assets. What type of access control is this usually related to? A. Discretionary Access Control B. Task-initiated Access Control C. Subject-dependent Access Control D. Token-oriented Access Control

A

Computer security is generally considered to be the responsibility of...? A. everyone in the organization. B. corporate management. C. the corporate security staff. D. everyone with computer access.

B

Configuration management provides assurance that changes...? A. to application software cannot bypass system security features. B. do not adversely affect implementation of the security policy. C. to the operating system are always subjected to independent validation and verification. D. in technical documentation maintain an accurate description of the Trusted Computer Base.

C

Copyright provides what form of protection? A. Protects an author's right to distribute his/her works. B. Protects information that provides a competitive advantage. C. Protects the right of an author to prevent unauthorized use of his/her works. D. Protects the right of an author to prevent viewing of his/her works.

A

During a disaster or emergency, how does a closed-circuit television (CCTV) help management and security to minimize loss? A. It helps the management to direct resources to the hardest hit area. B. It records instances of looting and other criminal activities. C. It documents shortcomings of plans and procedures. D. It captures the exposure of assets to physical risk.

B

For what reason would a network administrator leverage promiscuous mode on a network interface? A. To screen out all network errors that affect network statistical information. B. To monitor the network to gain a complete statistical picture of activity. C. To monitor only unauthorized activity and use. D. To capture only unauthorized internal/external use.

D

From a legal perspective, which rule must be addressed when investigating a computer crime? A. Search and seizure B. Data protection C. Engagement D. Evidence
