CISSP TEST
Which of the following is permitted by an adequate separation of duties in a mainframe computer environment?
a. Computer users may reconcile control totals.
b. Computer users may access the system files.
c. Programmers may change production data.
d. Programmers may initiate transactions.
Answer: a
Which one of the following would NOT be considered a media control task?
a. Decompressing the storage medium.
b. Storing on-site backups in a protected area.
c. Maintaining a control log noting all media entries, removals, and returns.
d. Erasing volumes at the end of their retention period.
Answer: a (Reference: Rita Summers, "Secure Computing: Threats and Safeguards"; McGraw-Hill; 1997; pg 585.) Decompression definitely is part of media management, but it isn't a control.
In what way can violation clipping levels assist in violation tracking and analysis?
a. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
b. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
c. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to usercodes with a privileged status.
d. Clipping levels enable a security administrator to view all reductions in security levels which have been made to usercodes which have incurred violations.
Answer: a
Discussion: Answer a - correct, the clipping level establishes a normal error rate that can be ignored for violation analysis purposes.
Which of the following is the LEAST important information to record when logging a security violation?
a. User's name
b. Userid
c. Type of violation
d. Date and time of the violation
Answer: a
OK, an easy one for you today. Just remember that the user's name generally isn't known from direct evidence, but inferred from the userid.
What documents the intention of two entities to work together toward a common goal?
a. Mutual agreement
b. SLA (service level agreement)
c. MOU (memo of understanding)
d. ISA
Answer: a
Reference: "(ISC)2 Official Study Guide" - Applying Security Operations Concepts
Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?
a. Limiting the local access of operations personnel
b. Job rotation of operations personnel
c. Management monitoring of audit logs
d. Enforcing regular password changes
Answer: a.
Some privacy laws are partly based on the principle that information obtained about a user for some purpose
a. cannot be used for another purpose.
b. must be copied and provided to the user.
c. may only be used with the user's permission.
d. may be reviewed by the user's manager.
Answer: a.
A is the correct answer, even though that principle has not always been followed. A is one of the principles from the original EU privacy directive, and therefore has been modelled in a significant number of privacy laws around the world (because of the "jurisdiction transfer" restriction). B is a slight variation on one of the privacy directive principles, and is less common in that form. C and D probably don't exist in anybody's privacy laws.
Which of the following is a rule-based control mechanism?
a. Discretionary Access Control
b. Task-based Access Control
c. Subject-based Access Control
d. Token-based Access Control
Answer: a.
Reference: Handbook of Info. Sys. Sec.; Ruthberg & Tipton; pg 517.
Discussion: Answer a - some access control systems contain rules that are used to determine whether or not an individual can achieve the access requested. This is particularly true for discretionary access control. Remember your ACL (Access Control List)? A list of rules, right? For those wanting to answer b, c, or d, remember that if you don't know what it is, that doesn't mean it's the right answer. As far as I know, none of those are actual access control systems (unless some marketing department is out there messing with things again).
What is the purpose of a ticket-oriented security mechanism?
a. Permits the subject's access to objects
b. Assigns access modes to objects
c. Grants subject's discretionary control
d. Assures user access accountability
Answer: a.
Reference: Handbook of Information Security Management; Ruthberg & Tipton; pg 538-539.
You could say that this is an example of all the answers being correct. However, the answer that most completely answers the question asked is the most correct, and therefore the answer that will get you that point. Answer a may seem a bit broad: after all, that's the purpose of any access control mechanism, and doesn't differentiate a ticket-oriented system from any other. But that's the most correct. Since no other answer (that you're given) distinguishes a ticket-oriented system from any other, "ticket-oriented" is irrelevant.
In an on-line computer application system, erroneous or invalid transactions that are detected by the computer program should be
a. dropped from processing.
b. written to a report and reviewed.
c. terminated and the process aborted.
d. written to a computer log.
Answer: b.
Dropping a transaction from processing, and not doing anything with it, *can* create all kinds of problems for the business. Terminating and aborting the process is a good way to open yourself to some kind of denial of service attack. Writing to a report is good, but writing to a report and then reviewing it is better.
Which of the following is commonly used for retrofitting security to a Database Management System?
a. Trusted back-end
b. Audit trail
c. Trusted front-end
d. Controller
Answer: c.
OK, slapping a trusted front-end on a database is not the best idea in the entire world. Yes, if you have security problems in the database itself, some front-end interface is not going to solve all the problems that will remain behind the curtain. The thing is, you answer the question that has been asked, from the answers that have been provided. And, in this case, putting a trusted front-end on the system *is* what most people, companies, and enterprises do to protect a weak database.
What role does biometrics have in logical access control?
a. Identification
b. Authorization
c. Authentication
d. Confirmation
Answer: c.
Reference: Computer Security Basics; Russell & Gangemi; pg 57-58.
OK, I know that there is going to be discussion on this one. Authorization and confirmation are out, of course, but there are instances where biometrics are going to be used for identification (sometimes paired with authentication). The principle to keep in mind here is: don't fight the exam. The point is not to prove that you can come up with a counterexample, the point is what are most security professionals going to say. And most security professionals are going to agree that the most important and significant role biometrics plays is in authentication. After all, biometrics is the "something you are" that is the third pillar of authentication besides something you know and something you have.
The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called
a. keystroke capturing
b. access validation testing
c. brute force testing
d. accountability testing
Answer: c.
Reference: Intrusion Detection; Terry Escamilla; pg 44-47.
OK, maybe you think that brute force testing is not penetration testing, but rather cryptology. That's a classic case of "fighting the question." It isn't going to get you any points. It also doesn't demonstrate that you know what using various inputs to gain access is called: brute force testing. Besides, none of the other answers fit at all. Keystroke capturing captures the information being entered, so no guessing is involved: user IDs and passwords are known. "Access validation testing" doesn't exist. "Accountability testing" doesn't exist.
Which of the following is NOT an element of a security planning mission statement?
a. Objectives statement
b. Background statement
c. Scope statement
d. Confidentiality statement
Answer: d
Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, page 73.
This is the type of question that ensures you do not just memorize a bunch of security buzzwords. You have to understand the concepts behind them. What is a "security planning mission statement"? Well, it's more simply known as a policy. What does a policy contain? Among other things, the background of your enterprise, your objectives, and the scope of what you are trying to protect. What you are going to do about confidentiality (unless you are an unusual company and either don't care about confidentiality, or it's really, really important) generally is in your subordinate standards or procedures. Don't get hung up on whether the question has exactly the wording you have studied. That way lies failure. Make sure you understand the fundamentals behind the words.
What determines the assignment of data classifications in a mandatory access control philosophy?
a. The analysis of the users in conjunction with the audit department.
b. The assessment by the information security department.
c. The steward's evaluation of the particular information element.
d. The requirement of the organization's published security policy.
Answer: d.
Reference: Computer Security Basics; Russell & Gangemi; pg 72-74.
While analysis by users, the audit department, the infosec office, and possibly a steward have places or responsibilities for access control, determination is at the direction of policy.
From an operations security standpoint, which one of the following dial-in access configurations is best?
a. Force the port to log out when the modem loses carrier.
b. Disable the port when the modem disconnects.
c. Reset the modem when the phone line disconnects.
d. Force a modem reset when the DTR line transitions.
Answer: a
Discussion:
a - correct, this is a control measure that will force the user to reauthenticate, and prevent someone from simply taking over a free line they come across.
b - wrong, this allows for a good way to do a DOS on the dialup facility.
c - wrong, once the phone line is disconnected it can't be reset, and simply resetting the modem may leave a live session behind it.
d - wrong, this is a normal occurrence (DTR - data terminal ready).
(Reference: Fites and Kratz, Information Systems Security: A Practitioner's Reference, International Thomson Computer Press, 1996)
The PRIMARY difference between the TCSEC and ITSEC data classifications is:
a. ITSEC classifications are based on integrity
b. TCSEC classifications are based on government requirements
c. ITSEC classifications are based on international requirements
d. TCSEC classifications are based on mandatory requirements
Answer: a
I've never seen a reference for this question, although I assume there must be one, somewhere. This is the type of question that proves that, no, you can't just get the right book and have all the answers. You have to understand that, although TCSEC is based on government requirements, and ITSEC is based on international input, and TCSEC does talk (at some levels) about mandatory (as opposed to discretionary) requirements, the addition of integrity is a fundamental change over TCSEC (which was only concerned with confidentiality). You have to understand the concepts, and the implications.
Which of the following actions should management take when classified information must be made available to different user populations?
a. Increase security controls on the information.
b. Raise the classification label to the next highest level.
c. Disburse the information to multiple local area network servers.
d. Require specific approval each time the information is accessed.
Answer: a
This is a case of read the question carefully, and read all the answers carefully. Note that increasing security controls doesn't necessarily mean just making the controls more stringent. It can also refer to increasing aspects like granularity, which is probably what is wanted here. Raising classification to a higher level doesn't help with disparate populations. Distributing files to other servers probably won't help with this problem at all. Requiring specific approval might work, but would be very time consuming.
Penetration testing is security testing in which
a. hackers with no knowledge of the system are hired to attempt to break into a system to demonstrate protection flaws.
b. penetrators attempt to circumvent the security features of the system to identify where weaknesses exist, so that they may be strengthened.
c. foreign agents use sophisticated tools such as "password grabbers" and "dictionary attacks" to overcome the identification and authentication mechanisms of a system for future intrusions.
d. physical penetration is perpetrated in order to perform manual activities only possible with physical access to the system.
Answer: b.
Which of the following defines a denial of service attack?
a. An action that prevents a system from functioning in accordance with its intended purpose.
b. An action that allows unauthorized users to access some of the computing services available.
c. An action that allows a hacker to compromise system information.
d. An action that allows authorized users to access some of the computing services available.
Answer: a.
Reference: Information Systems Security: A Practitioner's Reference; Fites & Kratz; Thomson Computer Press; 1996; pg 437-438.
Discussion:
Answer a - in denial of service, a user or attacker might try to "crash" the system or hang it up so no one can use it. But, at times, simply preventing part of the system from working is enough.
Answer b - Usually denial of service attacks make the system virtually unusable. On occasion, an attacker may attempt to bring down one part of a system in order to enable access to another part, but that's a specialized, rather than the general, situation.
Answer c - denial of service could involve data corruption/destruction but usually does not compromise the confidentiality of information.
Answer d - Usually denial of service means denial of use, i.e., the system itself is not usable. See above.
Which one of the following is the key element when performing a penetration test?
a. The tester should have the same access constraints as a normal user.
b. The tester should have access to the system source code.
c. The tester should have access to network diagrams.
d. The tester should have access to vendor manuals and system documentation.
Answer: a.
(Reference: Network Security (Voice & Data Comm.), Simmons; ISBN 0-07-057634-3, pg 371)
Discussion: Answer a - to be effective, the tester must not have privileges, otherwise the test may be invalid. The purpose is to emulate an actual hacker (internal or external). OK, I get it that some of you may feel that this is only one type of a penetration test. You are correct, and answer a is only partially right. The thing is, answers b and c are pretty limited in the types of pen tests they would support, and answer d, while it may or may not be relevant for some types of pen tests, is more restricted than a. A is the answer that is most broadly correct in the most situations. (This is sort of a "which answer stinks the least" question. Remember: you must answer the question asked from the answers provided. Fighting with a question because it isn't 100% correct gets you no points. Security, as a profession, very seldom gives you a 100% cut and dried situation.)
Which of the following procedures could BEST be utilized to validate the continued need for privileged user access to system resources?
a. Periodic review and recertification of privileged usercodes.
b. Periodic review of audit logs.
c. Revoke processes which can grant access to sensitive files.
d. Periodic review of data classifications by management.
Answer: a.
OK, this is one case where sticking to the "management answer" heuristic will get you into trouble. The correct, and pretty complete, answer is that periodic review and recertification of privileged usercodes will verify the continued need for privileged access. Remember, the best answer is one that completely (or as completely as possible) answers the question. Option "a" does. Review of audit logs may not indicate privileged access and doesn't validate the need for such access. Revoking processes which can grant access to sensitive information may (probably will) be disruptive to ongoing operations. Answer "d" looks like the management answer, but remember: review of data classifications does not address the privileges assigned to individual users, so it actually doesn't really answer the question.
An Access Control List (ACL) represents a set of subjects by using which of the following constructs?
a. Group
b. Capability
c. Key
d. Domain
Answer: a.
Reference: Fites & Kratz, pg 149.
You can easily drop the key and domain answers here. You might be a bit confused by the group and capability options. Again, this is an example of "if you don't know it, it isn't necessarily the right answer." ACLs almost always have options for groups, even if that isn't always the primary use. Capability? Well, that's kind of related. It's an older term for what might now be described as an authorization that is digitally signed.
Why are user IDs critical in the review of audit trails?
a. they show which files were altered.
b. they establish individual accountability.
c. they cannot be easily altered.
d. they trigger corrective controls.
Answer: b
(Reference: Fites and Kratz, Information Systems Security: A Practitioner's Reference, International Thomson Computer Press, 1996, pg 127.)
Discussion:
Answer a - wrong, the identification of a specific user does not in itself show the activities conducted under the user's name.
Answer b - correct.
Answer c - wrong, audit trail information should be secured so it cannot be altered.
Answer d - wrong, user IDs by themselves do not trigger corrective controls - the activity conducted may trigger corrective action.
Which one of the following is NOT a goal of the change control management process?
a. Ensure changes are authorized.
b. Ensure coherence of changes.
c. Ensure changes are documented.
d. Ensure correctness of changes.
Answer: b
Reference: Fites and Kratz, Information Systems Security: A Practitioner's Reference, International Thomson Computer Press, 1996, pg 321.
Change control management should ensure that all changes are authorized, documented, and correct. What the heck are "coherent" changes? OK, you could argue that changes should be coherent with policies, other parts of the system, or some other factor, but you know that changes are supposed to be authorized, documented, and correct, so why try and make something you don't know fit? Which brings up a point that trips up a lot of people in a lot of ways: just because you don't know it, doesn't make it the right answer. I don't know why this is so important, but it is. Maybe most of us lack self-confidence, and automatically assume that if we don't understand it, it must be something important that we've missed. However, if you really are a security professional, most of the time that's wrong. Which brings up another important point: most of the time, the right answer is going to jump out at you. Very often, your first response is the right one. Don't "overthink" yourself into a wrong answer.
Which type of access control allows users to specify who can access their files?
a. Mandatory
b. Discretionary
c. Relational
d. Administrative
Answer: b.
(Reference: Gasser, Morrie, Building a Secure Computer System, New York: Van Nostrand Reinhold, 1988, pg 55)
Discussion:
Answer a - Mandatory access control bases access on the preset labels of the sensitivity of objects and the clearance of subjects.
Answer b - The user (or creator) of an object grants authorization to support discretionary access control.
Answer c - Relational is not a type of access control.
Answer d - Administrative is not a type of access control.
Remember: just because you don't know it doesn't make it the right answer.
Which of the following is NOT an effective deterrent against a database inference attack?
a. Partitioning
b. Small query sets
c. Noise and perturbation
d. Cell suppression
Answer: b.
OK, over the years I have found that a lot of people get this one wrong. First off, let's get rid of a and d. Database inference attacks are an old and established threat against database systems, and are not subject to many defences. Partitioning and cell suppression may not help much, but they do help. Now we are left with small query sets (b) and noise and perturbation (c). Lots of people choose noise and perturbation, because, well, noise. We don't want to introduce errors into our databases, do we? That has to be the worst (and therefore, in the wording of this question, right) answer. The thing is that small query sets are, specifically, one of the tools that you do use to mount inference attacks. So small query sets are, specifically, NOT an effective deterrent against a database inference attack. And what about noise and perturbation? Well, if you are really, seriously, concerned about inference attacks, introducing small sources of noise and perturbation (very carefully) *is* a very effective protection.
Remote access using a one-time password scheme is most closely associated with which of the following?
a. Something you are
b. Something you have
c. Something you calculate
d. Something you know
Answer: b.
Reference: Handbook of Info. Sec. Mgmt; Krause & Tipton; 1998; pg 682-683.
You have to read, but you also have to think about, the question. This is one of the few cases where your first reaction might be wrong, since you probably triggered on the word "password" in the question. But remember that a "one-time" password is not the same as a static password. The one-time password generator in this case might be a token. Or, in some cases, it might be a list of one-time passwords that are crossed off or discarded after use. In either case, something you have.
Answer a - Something you are is biometrics.
Answer b - Something you have, which in this case would be the token generating the password or a list.
Answer c - Something you calculate is not one of the 3 authentication factors.
Answer d - Something you know is a static password, not a one-time password.
What type of attack is eavesdropping?
a. Active
b. Passive
c. Aggressive
d. Masquerading
Answer: b.
Reference: Information Systems Security; Fites & Kratz; pg 439.
Discussion:
Answer a - in active attacks data is altered.
Answer b - eavesdropping is a method of attack in which data is not altered and, therefore, is a passive attack.
Answer c - not a formally defined type of attack.
Answer d - the pretense by an entity to be a different entity.
Prior to implementation, a complete description of an operational security issue should specify threat, vulnerability, and
a. safeguard.
b. asset.
c. exposure.
d. control.
Answer: b.
(Reference: Fitzgerald, Jerry, Internal Controls for Computerized Systems, 1978, pg 7)
This isn't really a type of question as such; it's just one that a surprising number of people get wrong. We tend to concentrate on "problems" and forget what it is that we are trying to protect. Don't get that (or any other kind of) tunnel vision. Which, I suppose, is as good a segue as any to another point. Remember that the CISSP is a general, and even international, certification. When presented with a question, don't pick an answer that is specifically suited to your job or company: pick the answer that is most suited to security in general.
Which of the following has the objective to control and manage data from a central location?
a. Databases
b. Data dictionaries
c. Data access methods
d. Data storage
Answer: b.
Does anybody (except me) even remember what a data dictionary is? However, do recall that the exam has the whole field of security and related computer, information, and communications technologies to draw upon. (To balance things out, remember that *you* only have to get 70%.)
Who is ultimately responsible to ensure that information is categorized and that specific protective measures are taken?
a. Security Officer
b. Senior Management
c. Data Owner
d. Custodian
Answer: b.
Reference: Commonsense Computer Security; Martin Smith; 1993; pg 63.
This is possibly as close to a "trick" question that you'll get on the exam. If you are just skimming the question, and the answers, the fact that the data owner is generally responsible for assigning data classification is going to jump out at you. Again, read the whole question. The key word here is "ultimately." "Ultimately," senior management is responsible for everything. The security officer may play some role in data classification, but unless you work in a MAC (Mandatory Access Control) environment won't be the one making individual decisions. And the custodian just acts on behalf of the owner.
The concept of "Least Privilege" involves
a. individual accountability.
b. access authentication.
c. authorization levels.
d. audit mechanisms.
Answer: c
(Reference: Helsing, Swanson, and Todd, Management Guide to the Protection of Information Resources, NIST Special Publication 500-170, 1989, pg. 6)
Which of the following is a key element during the initial security planning process?
a. Establish system review time frames
b. Implement a security awareness program
c. Defining reporting relationships
d. Institute a change management program
Answer: c
Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, pg 75.
Right, a few initial notes. You will notice a reference. Every exam question is (or was) backed up by at least two references from source security literature. Note that CISSP study guides are not source security literature. A key word in this question is "initial." Establishing system review time frames, security awareness programs, and change management programs are all important, but they come later in security planning. Note also one rather important point. All of these answers are "correct" in a way. If you are confronted with four "right" answers, and one of them is the "management" answer, that one is probably the one that will get you the point. Defining reporting relationships is both something you want to establish early in planning, and it's also the "management" answer. (One person I helped coach through the exam said that this one tip applied to about 10% of the total exam.)
The act of validating a user with a unique identifier is called
a. identification
b. authorization
c. authentication
d. registration
Answer: c.
(Reference: Gasser, Morrie, Building a Secure Computer System, New York: Van Nostrand Reinhold, 1988, pg 23)
The key word here is "validating."
Answer a - identification is the process of telling the system the alleged identity of a subject.
Answer b - authorization is the process of granting rights to a subject.
Answer c - authentication is the process of validating a subject.
Answer d - registration of a subject does not, necessarily, validate an identity claimed.
What step can a company take to reduce the risk of its employees violating software copyright laws?
a. Remove copy programs from personal computers.
b. Install application licensing meters to prevent an excess of users for each license.
c. Establish a company policy prohibiting the unauthorized duplicating of software.
d. Prohibit the use of software on multiple computers.
Answer: c.
This is another question that lots and lots of people get wrong. But, by this time, you should get it right because it illustrates points already made.
Answer a - wrong - Well, it's possible, and might work, but it's not really practical, is it? Copying is a basic function of computers: users have a need to copy files. Besides, even if you took it off, people could put it back.
Answer b - wrong - A meter notes and possibly alerts you to the use of software beyond the number of licensed copies. It may or may not prevent copying. It would help, but it is not a complete solution.
Answer c - correct - The policy doesn't prevent copying, but does reduce the liability risk if employees are caught making illegal copies. (And that's the real risk in violating copyright, yes?) And it means you can fire them if they do. (If there's no policy against it, what did they do that was wrong?)
Answer d - wrong - It's kind of impractical because more than one user may need to use the program. I mean, really ... Oh, and remember that earlier point about the management answer being the right one?
What is the BEST method of storing user passwords for a system?
a. Password-protected file.
b. File restricted to one individual.
c. One-way encrypted file.
d. Two-way encrypted file.
Answer: c.
Reference: Computer Security Basics; Russell & Gangemi; pg 65-66.
Answer a - A password protected file could leave the passwords in the file in clear text so that anyone with the password could see all users' passwords, making it impossible to hold users accountable for what happens under their ID.
Answer b - The file restricted to one individual has the same problem as a.
Answer c - One-way encryption means that the password file is never decrypted, therefore, only the user knows the password (and hackers that use a dictionary attack, but nobody's perfect).
Answer d - What is "two-way encryption"? As I keep telling you, just because you don't understand it doesn't mean it's the right answer!
When a database error has been detected requiring a backing out process, a mechanism that permits starting the process at designated places in the process is called a
a. restarter.
b. reboot.
c. checkpoint.
d. journal.
Answer: c.
Reference: Hutt, Bosworth, & Hoyt; Computer Security Handbook; 3rd Edition; John Wiley & Sons; 1995; pg G-5.
Discussion:
Answer a - wrong - restart begins the whole process again instead of at a designated point.
Answer b - wrong - reboot is a method of restarting the entire computer system instead of a specific application.
Answer c - correct - checkpoints facilitate restarts.
Answer d - wrong - a journal is a log of activities which is internal to automated systems.
What is the PRIMARY use of a password?
a. Allow access to files.
b. Identify the user.
c. Authenticate the user.
d. Segregate various users' accesses.
Answer: c.
Reference: Info Systems Security; Fites & Kratz; pg 4; 1.2.4.
Some of the easier questions you'll face allow you to quickly eliminate a couple of the options. In this case, while file access and other types of access are going to be related to a login process, they clearly aren't primary. That leaves you with two fairly similar options: identifying and authenticating the user. At this point you should be a little careful, and remember that identification is the function of the username. The password is used for authentication.
When verifying the key control objectives of a system design, the security specialist should ensure that the
a. Final system design has security administrator approval
b. Auditing procedures have been defined
c. Vulnerability assessment has been completed
d. Impact assessment has been approved
Answer: c.
Reference: HISM, edited by Ruthberg & Tipton; Auerbach; 1993, pg 309.
Discussion:
Answer a is a fabricated distractor. (The security admin probably doesn't do design approval.)
Answer b is a necessary step in the security administration process, but isn't a primary part of system control design.
Answer c - correct - a key step in the System Design process.
Answer d is possibly important, particularly in risk assessment or business continuity planning, but, again, isn't vital to system control design.
Which of the following security principles are supported by role-based access control? a. Discretionary access control, confidentiality, and non-repudiation b. Mandatory access control, auditing, and integrity c. Least privilege, separation of duties, and discretionary access control d. Least privilege, mandatory access control, and data sensitivity
Answer: c. Reference: Handbook of Info. Sec. Mgmt.; edited by Krause & Tipton; Auerbach; 1998; pg 606-607, 622. This one takes a bit of thinking, because so many parts of the answers do relate to role-based access control. You have to read the answers fully, and see which ones have points that aren't supported. Answer a - non-repudiation is not supported by role-based access control. Answer b - auditing is not supported by role-based access control. Answer c - all are conceivable. Answer d - data sensitivity is not supported by role-based access control.
System Development Controls are based on a a. detailed set of business objectives. b. a logical design for security testing. c. an auditor designated review process. d. a standard methodology for project performance.
Answer: d. (Reference: Caelli, Longley, and Shain; Information Security Handbook; Stockton Press; 1991; pg 244)
What type of attack often tries all possible solutions? a. Trojan horse b. Trap door c. Clone d. Brute force
Answer: d. Reference: Handbook of Info. Sec. Mgmt.; Auerbach; Tipton & Krause; 1998; pg 406. Discussion: Answer a - a trojan horse is hidden code in a program so that the computer will execute unexpected functions. Answer b - a trap door allows system access without going through the authentication process. Answer c - to clone is to replicate a program, code, or operating instruction for authorized or unauthorized use. Answer d - an exhaustive attack often tries all possible solutions.
At what stage of the applications development process should the security department become involved? a. Prior to the implementation b. Prior to systems testing c. During unit testing d. During requirements development
Answer: d. Reference: Secure Computing (Threats & Safeguards); R. Summers; McGraw-Hill; 1997; pg 250. Discussion: This is an example of choosing the best answer from among those provided. "Requirements" is probably not the phase to start thinking about security: you should probably start right at the initiation and concept phase. But that isn't one of the options we are given. So, choose the earliest possible phase from the options you are given: Answer a - incorrect - prior to implementation is 7 steps down in the software development life cycle. At this point, security safeguards would be expensive to retrofit. Answer b - incorrect - prior to system test is vague, and several steps (5) must precede it. Answer c - incorrect - unit test is where you would want to test the security of the system; the security dept. should have been involved much earlier. Answer d - correct - the security dept. should be involved at the beginning of the project. It is much easier than adding it later.
Which of the following techniques MOST clearly indicates whether specific risk reduction controls should be implemented? a. Threat and vulnerability analysis. b. Risk evaluation. c. ALE calculation. d. Countermeasure cost/benefit analysis.
Answer: d. Reference: Computer Security Handbook (3rd edition); Hutt, Bosworth, Hoyt; pg 3.3. A fairly simple question: it should be fairly obvious. Again, the principle here is to choose the answer that most broadly answers the question. All the answers are important parts of security and risk assessment, but: Answer a - this analysis does not address whether specific countermeasures should be implemented. Answer b - risk evaluation studies existing risks but doesn't address whether specific countermeasures should be implemented. Answer c - ALE is the calculation of loss expectancy but does not address whether specific countermeasures should be implemented. Answer d - correct - in a countermeasure cost/benefit analysis, the annualized cost of safeguards is compared with the expected cost of loss. Oh, one more point: if you saw this question on an exam these days, it should be reworded slightly. Acronyms in questions are now supposed to be spelled out in full.
In data processing systems, the value analysis should be performed in terms of which three properties? a. Profit, loss, ROI b. Intentional, accidental, natural disaster c. Assets, personnel, services provided d. Availability, integrity, confidentiality
Answer: d. Reference: Information Systems Security; Fites & Kratz; Thompson Press; 1996; pg 54. OK, in a sense this is kind of a trick question, for a couple of reasons. But it does have a point. The point is, choose the answer with the greatest breadth and application that does answer the question. Answer a - incorrect - it's right, but applies only to business management. Answer b - incorrect - it's right, but applies directly to threat analysis. Answer c - incorrect - it's right, but considered mostly in business impact analysis. (There is a myth that says that if you see the CIA triad [confidentiality, integrity, availability] as an answer on any question on the CISSP exam, that is the correct answer. In fact, a friend, knowing of the myth, once specifically wrote a question so that CIA was wrong ...
Which of the following results would NOT routinely be expected from a penetration test? a. Specifics on how the testing team obtained the information that allowed them to infiltrate a protected system. b. A description of the company's vulnerabilities c. A risk analysis showing the extent to which a company is at risk within each exposure d. Evidence of destruction of any data obtained but not delivered
Answer: c.