IT462 - Midterm Chapter Review Questions

4. What type of federal government computing system requires that all individuals accessing the system have a need to know all of the information processed by that system? A. Dedicated B. System high C. Compartmented D. Multilevel

A. In a dedicated system, all users must have a valid security clearance for the highest level of information processed by the system, they must have access approval for all information processed by the system, and they must have a valid need to know of all information processed by the system.

18. Which of the following is not specifically or directly related to managing the security function of an organization? A. Worker job satisfaction B. Metrics C. Information security strategies D. Budget

A. Managing the security function often includes assessment of budget, metrics, resources, and information security strategies, and assessing the completeness and effectiveness of the security program.

17. What are the two common data classification schemes? A. Military and private sector B. Personal and government C. Private sector and unrestricted sector D. Classified and unclassified

A. Military (or government) and private sector (or commercial business) are the two common data classification schemes.

15. What is the primary objective of data classification schemes? A. To control access to objects for authorized subjects B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity C. To establish a transaction trail for auditing accountability D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

B. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

12. Which of the following is the most important and distinctive concept in relation to layered security? A. Multiple B. Series C. Parallel D. Filter

B. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.

12. Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using? A. Split knowledge B. M of N Control C. Work function D. Zero-knowledge proof

B. M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.

14. What is it called when email itself is used as an attack mechanism? A. Masquerading B. Mail-bombing C. Spoofing D. Smurf attack

B. Mail-bombing is the use of email as an attack mechanism. Flooding a system with messages causes a denial of service.

13. Grace is performing a penetration test against a client's network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs? A. nmap B. Metasploit C. Nessus D. Snort

B. Metasploit is an automated exploit tool that allows attackers to easily execute common attack techniques.

2. What technology provides an organization with the best control over BYOD equipment? A. Application whitelisting B. Mobile device management C. Encrypted removable storage D. Geotagging

B. Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Not all mobile devices support removable storage, and even fewer support encrypted removable storage. Geotagging is used to mark photos and social network posts, not for BYOD management. Application whitelisting may be an element of BYOD management but is only part of a full MDM solution.

13. Which of the following is not true regarding firewalls? A. They are able to log traffic information. B. They are able to block viruses. C. They are able to issue alarms based on suspected attacks. D. They are unable to prevent internal attacks.

B. Most firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms and even basic IDS functions. Firewalls are unable to block viruses or malicious code transmitted through otherwise authorized communication channels, prevent unauthorized but accidental or intended disclosure of information by users, prevent attacks by malicious users already behind the firewall, or protect data after it has passed out of or into the private network.

18. Which of the following is the lowest military data classification for classified data? A. Sensitive B. Secret C. Proprietary D. Private

B. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.

8. What is the output value of the mathematical function 16 mod 3? A. 0 B. 1 C. 3 D. 5

B. Option B is correct because 16 divided by 3 equals 5, with a remainder value of 1.

12. What is the best definition of a security model? A. A security model states policies an organization must follow. B. A security model provides a framework to implement a security policy. C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards. D. A security model is the process of formal acceptance of a certified configuration.

B. Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.

1. Which of the following best describes an implicit deny principle? A. All actions that are not expressly denied are allowed. B. All actions that are not expressly allowed are denied. C. All actions must be expressly denied. D. None of the above.

B. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.

1. In the RSA public key cryptosystem, which one of the following numbers will always be largest? A. e B. n C. p D. q

B. The number n is generated as the product of the two large prime numbers, p and q. Therefore, n must always be greater than both p and q. Furthermore, it is an algorithm constraint that e must be chosen such that e is smaller than n. Therefore, in RSA cryptography, n is always the largest of the four variables shown in the options to this question.

1. Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. A stand-alone system D. The internet

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

4. If a 2,048-bit plaintext message were encrypted with the El Gamal public key cryptosystem, how long would the resulting ciphertext message be? A. 1,024 bits B. 2,048 bits C. 4,096 bits D. 8,192 bits

C. The major disadvantage of the El Gamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plaintext message would yield a 4,096-bit ciphertext message when El Gamal is used for the encryption process.

15. What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption? A. Birthday attack B. Chosen ciphertext attack C. Meet-in-the-middle attack D. Man-in-the-middle attack

C. The meet-in-the-middle attack demonstrated that it took relatively the same amount of computation power to defeat 2DES as it does to defeat standard DES. This led to the adoption of Triple DES (3DES) as a standard for government communication.

3. Which of the following is a primary purpose of an exit interview? A. To return the exiting employee's personal belongings B. To review the nondisclosure agreement C. To evaluate the exiting employee's performance D. To cancel the exiting employee's network access accounts

B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.

14. Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on? A. It contains diffusion. B. It contains confusion. C. It is a one-way function. D. It complies with Kerckhoffs's principle.

C. A one-way function is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.

15. What would an organization do to identify weaknesses? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review

C. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.

7. If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can _____________________ the data, objects, and resources. A. Control B. Audit C. Access D. Repudiate

C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.

5. What is a security risk of an embedded system that is not commonly found in a standard PC? A. Software flaws B. Access to the internet C. Control of a mechanism in the physical world D. Power loss

C. Because an embedded system is in control of a mechanism in the physical world, a security breach could cause harm to people and property. This typically is not true of a standard PC. Power loss, internet access, and software flaws are security risks of both embedded systems and standard PCs.

10. Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message? A. Stream cipher B. Caesar cipher C. Block cipher D. ROT3 cipher

C. Block ciphers operate on message "chunks" rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.

20. What form of infrastructure mode wireless networking deployment supports large physical environments through the use of a single SSID but numerous access points? A. Stand-alone B. Wired extension C. Enterprise extension D. Bridge

C. Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.

11. What type of access control model is used on a firewall? A. MAC model B. DAC model C. Rule-based access control model D. RBAC model

C. Firewalls use a rule-based access control model with rules expressed in an access control list. A Mandatory Access Control (MAC) model uses labels. A Discretionary Access Control (DAC) model allows users to assign permissions. A Role Based Access Control (RBAC) model organizes users in groups.

4. Which of the following is not considered a violation of confidentiality? A. Stealing passwords B. Eavesdropping C. Hardware destruction D. Social engineering

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

3. ___________________ is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic. A. UDP B. IDEA C. IPsec D. SDLC

C. IPsec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.

20. Data classifications are used to focus security controls over all but which of the following? A. Storage B. Processing C. Layering D. Transfer

C. Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.

13. The most commonly overlooked aspect of mobile phone eavesdropping is related to which of the following? A. Storage device encryption B. Screen locks C. Overhearing conversations D. Wireless networking

C. The most commonly overlooked aspect of mobile phone eavesdropping is related to people in the vicinity overhearing conversations (at least one side of them). Organizations frequently consider and address issues of wireless networking, storage device encryption, and screen locks.

15. Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level? A. (star) Security Property B. No write up property C. No read up property D. No read down property

C. The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher-security-level object.

15. How many keys are required to fully implement a symmetric algorithm with 10 participants? A. 10 B. 20 C. 45 D. 100

C. The number of keys required for a symmetric algorithm is dictated by the formula (n*(n-1))/2, which in this case, where n = 10, is 45.

13. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.

C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

16. What security control is directly focused on preventing collusion? A. Principle of least privilege B. Job descriptions C. Separation of duties D. Qualitative risk analysis

C. The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.

11. Which one of the following would administrators use to connect to a remote server securely for administration? A. Telnet B. Secure File Transfer Protocol (SFTP) C. Secure Copy (SCP) D. Secure Shell (SSH)

D. SSH is a secure method of connecting to remote servers over a network because it encrypts data transmitted over a network. In contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting sensitive data over a network but not for administration purposes.

17. An organization is implementing a preselected baseline of security controls, but finds that some of the controls aren't relevant to their needs. What should they do? A. Implement all the controls anyway. B. Identify another baseline. C. Re-create a baseline. D. Tailor the baseline to their needs.

D. Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.

13. Which security models are built on a state machine model? A. Bell-LaPadula and Take-Grant B. Biba and Clark-Wilson C. Clark-Wilson and Bell-LaPadula D. Bell-LaPadula and Biba

D. The Bell-LaPadula and Biba models are built on the state machine model.

13. Which of the following best describes a characteristic of the MAC model? A. Employs explicit-deny philosophy B. Permissive C. Rule-based D. Prohibitive

D. The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.

19. Which one of the following encryption algorithms is now considered insecure? A. El Gamal B. RSA C. Elliptic Curve Cryptography D. Merkle-Hellman Knapsack

D. The Merkle-Hellman Knapsack algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.

1. What is layer 4 of the OSI model? A. Presentation B. Network C. Data Link D. Transport

D. The Transport layer is layer 4. The Presentation layer is layer 6, the Data Link layer is layer 2, and the Network layer is layer 3.

13. Which of the following is typically not an element that must be discussed with end users in regard to email retention policies? A. Privacy B. Auditor review C. Length of retainer D. Backup method

D. The backup method is not an important factor to discuss with end users regarding email retention.

4. Who, or what, grants permissions to users in a DAC model? A. Administrators B. Access control list C. Assigned labels D. The data custodian

D. The data custodian (or owner) grants permissions to users in a Discretionary Access Control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The Mandatory Access Control (MAC) model uses labels.

9. Which of the following would generally not be considered an asset in a risk analysis? A. A development process B. An IT infrastructure C. A proprietary system resource D. Users' personal files

D. The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

14. What is the primary goal of change management? A. Maintaining documentation B. Keeping users informed of changes C. Allowing rollback of failed changes D. Preventing security compromises

D. The prevention of security compromises is the primary goal of change management.

19. Which security principle mandates that only a minimum number of operating system processes should run in supervisory mode? A. Abstraction B. Layering C. Data hiding D. Least privilege

D. The principle of least privilege states that only processes that absolutely need kernel-level access should run in supervisory mode. The remaining processes should run in user mode to reduce the number of potential security vulnerabilities.

9. All but which of the following items requires awareness for all individuals affected? A. Restricting personal email B. Recording phone conversations C. Gathering information about surfing habits D. The backup mechanism used to retain email messages

D. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

16. Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack? A. Rainbow tables B. Hierarchical screening C. TKIP D. Random enhancement

A. Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password cracking attacks.

6. Which of the following describes a community cloud? A. A cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange B. A cloud service within a corporate network and isolated from the internet C. A cloud service that is accessible to the general public typically over an internet connection D. A cloud service that is partially hosted within an organization for private use and that uses external services to offer resources to outsiders

A. A community cloud is a cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange. A private cloud is a cloud service within a corporate network and isolated from the internet. A public cloud is a cloud service that is accessible to the general public typically over an internet connection. A hybrid cloud is a cloud service that is partially hosted within an organization for private use and that uses external services to offer resources to outsiders.

7. Which of the following VPN protocols do not offer native data encryption? (Choose all that apply.) A. L2F B. L2TP C. IPsec D. PPTP

A, B, D. L2F, L2TP, and PPTP all lack native data encryption. Only IPsec includes native data encryption.

16. You are the IT security manager for a retail merchant organization that is just going online with an e-commerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that while the new code functions well, it might not be secure. You begin to review the code, the systems design, and the services architecture to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? (Choose as many as apply) A. Input validation B. Defensive coding C. Allowing script input D. Escaping metacharacters

A, B, and D. A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all scriptlike input.

10. What is a security perimeter? (Choose all that apply.) A. The boundary of the physically secure area surrounding your system B. The imaginary boundary that separates the TCB from the rest of the system C. The network where your firewall resides D. Any connections to your computer system

A, B. Although the most correct answer in the context of this chapter is Option B, Option A is also a correct answer in the context of physical security.

5. Which of the following models is also known as an identity-based access control model? A. DAC B. RBAC C. Rule-based access control D. MAC

A. A Discretionary Access Control (DAC) model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The Role Based Access Control (RBAC) model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The Mandatory Access Control (MAC) model uses assigned labels to identify access.

1. Which one of the following identifies the primary purpose of information classification processes? A. Define the requirements for protecting sensitive data. B. Define the requirements for backing up data. C. Define the requirements for storing data. D. Define the requirements for transmitting data.

A. A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing all data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit but not necessarily all data in transit.

3. You have three applications running on a single-core single-processor system that supports multitasking. One of those applications is a word processing program that is managing two threads simultaneously. The other two applications are using only one thread of execution. How many application threads are running on the processor at any given time? A. One B. Two C. Three D. Four

A. A single-processor system can operate on only one thread at a time. There would be a total of four application threads (ignoring any threads created by the operating system), but the operating system would be responsible for deciding which single thread is running on the processor at any given time.

11. When a safeguard or a countermeasure is not present or is not sufficient, what remains? A. Vulnerability B. Exposure C. Risk D. Penetration

A. A vulnerability is the absence or weakness of a safeguard or countermeasure.

2. What is system accreditation? A. Formal acceptance of a stated system configuration B. A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards C. Acceptance of test results that prove the computer system enforces the security policy D. The process to specify secure communication between machines

A. Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy, and accreditation does not entail secure communication specification.

5. What is an access object? A. A resource a user or process wants to access B. A user or process that wants to access a resource C. A list of valid access rules D. The sequence of valid access types

A. An object is a resource a user or process wants to access. Option A describes an access object.

Refer to the following scenario when answering questions 19 and 20: An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks. 20. Management wants to ensure that the consultant has the correct priorities while doing her research. Of the following, what should be provided to the consultant to meet this need? A. Asset valuation B. Threat modeling results C. Vulnerability analysis reports D. Audit trails

A. Asset valuation identifies the actual value of assets so that they can be prioritized. For example, it will identify the value of the company's reputation from the loss of customer data compared with the value of the secret data stolen by the malicious employee. None of the other answers is focused on high-value assets. Threat modeling results will identify potential threats. Vulnerability analysis identifies weaknesses. Audit trails are useful to re-create events leading up to an incident.

3. What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem? A. 56 bits B. 128 bits C. 192 bits D. 256 bits

A. DES uses a 56-bit key. This is considered one of the major weaknesses of this cryptosystem.

10. What type of electrical component serves as the primary building block for dynamic RAM chips? A. Capacitor B. Resistor C. Flip-flop D. Transistor

A. Dynamic RAM chips are built from a large number of capacitors, each of which holds a single electrical charge. These capacitors must be continually refreshed by the CPU in order to retain their contents. The data stored in the chip is lost when power is removed.

18. What security concept encourages administrators to install firewalls, malware scanners, and an IDS on every host? A. Endpoint security B. Network access control (NAC) C. VLAN D. RADIUS

A. Endpoint security is the security concept that encourages administrators to install firewalls, malware scanners, and an IDS on every host.

8. Which networking technology is based on the IEEE 802.3 standard? A. Ethernet B. Token Ring C. FDDI D. HDLC

A. Ethernet is based on the IEEE 802.3 standard.

20. Which security principle takes the concept of process isolation and implements it using physical controls? A. Hardware segmentation B. Data hiding C. Layering D. Abstraction

A. Hardware segmentation achieves the same objectives as process isolation but takes them to a higher level by implementing them with physical controls in hardware.

19. Which of the following administrator actions might have prevented this incident? A. Mark the tapes before sending them to the warehouse. B. Purge the tapes before backing up data to them. C. Degauss the tapes before backing up data to them. D. Add the tapes to an asset management database.

A. If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unstaffed warehouse. Purging or degaussing the tapes before using them will erase previously held data but won't help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn't prevent this incident.

15. Users of a banking application may try to withdraw funds that don't exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it? A. Misuse case testing B. SQL injection testing C. Fuzzing D. Code review

A. Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.

1. Which one of the following tools is used primarily to perform network discovery scans? A. Nmap B. Nessus C. Metasploit D. lsof

A. Nmap is a network discovery scanning tool that reports the open ports on a remote system.

2. John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message? A. Nonrepudiation B. Confidentiality C. Availability D. Integrity

A. Nonrepudiation prevents the sender of a message from later denying that they sent it.

6. Which one of the following cannot be achieved by a secret key cryptosystem? A. Nonrepudiation B. Confidentiality C. Authentication D. Key distribution

A. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message.

14. Which security model addresses data confidentiality? A. Bell-LaPadula B. Biba C. Clark-Wilson D. Brewer and Nash

A. Only the Bell-LaPadula model addresses data confidentiality. The Biba and Clark-Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.

20. What authentication protocol offers no encryption or protection for logon credentials? A. PAP B. CHAP C. SSL D. RADIUS

A. Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It simply provides a means to transport the logon credentials from the client to the authentication server.

13. Which of the following is not considered an example of data hiding? A. Preventing an authorized reader of an object from deleting that object B. Keeping a database from being accessed by unauthorized visitors C. Restricting a subject at a lower classification level from accessing data at a higher classification level D. Preventing an application from accessing hardware directly

A. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.

16. Your organization has a large database of customer data. To comply with the EU GDPR, administrators plan to use pseudonymization. Which of the following best describes pseudonymization? A. The process of replacing some data with another identifier B. The process of removing all personal data C. The process of encrypting data D. The process of storing data

A. Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. This makes it more difficult to identify an individual from the data. Removing personal data without using an identifier is closer to anonymization. Encrypting data is a logical alternative to pseudonymization because it makes it difficult to view the data. Data should be stored in such a way that it is protected against any type of loss, but this is unrelated to pseudonymization.

5. Who is the intended audience for a security assessment report? A. Management B. Security auditor C. Security professional D. Customers

A. Security assessment reports should be addressed to the organization's management. For this reason, they should be written in plain English and avoid technical jargon.

11. What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography? A. One B. Two C. Three D. Four

A. Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction.

15. Within the context of the EU GDPR, what is a data processor? A. The entity that processes personal data on behalf of the data controller B. The entity that controls processing of data C. The computing system that processes data D. The network that processes data

A. The European Union (EU) Global Data Protection Regulation (GDPR) defines a data processor as "a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller." The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU GDPR, the data processor is not a computing system or network.

5. Which one of the following is not a possible key length for the Advanced Encryption Standard Rijndael cipher? A. 56 bits B. 128 bits C. 192 bits D. 256 bits

A. The Rijndael cipher allows users to select a key length of 128, 192, or 256 bits, depending on the specific security requirements of the application.

8. Which of the following statements is true related to the RBAC model? A. A RBAC model allows users membership in multiple groups. B. A RBAC model allows users membership in a single group. C. A RBAC model is nonhierarchical. D. A RBAC model uses labels.

A. The Role Based Access Control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The Mandatory Access Control (MAC) model uses assigned labels to identify access.

6. John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this particular message be? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits

A. The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of the input message. In fact, this fixed-length output is a requirement of any secure hashing algorithm.

13. Which one of the following data roles is most likely to assign permissions to grant users access to data? A. Administrator B. Custodian C. Owner D. User

A. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

5. Acme Widgets currently uses a 1,024-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If it wants to maintain the same cryptographic strength, what ECC key length should it use? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits

A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 1,024-bit RSA key is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.

2. When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.

A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

15. How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap

A. The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS].

10. Which of the following represents accidental or intentional exploitations of vulnerabilities? A. Threat events B. Risks C. Threat agents D. Breaches

A. Threat events are accidental or intentional exploitations of vulnerabilities.

2. Vulnerabilities and risks are evaluated based on their threats against which of the following? A. One or more of the CIA Triad principles B. Data usefulness C. Due care D. Extent of liability

A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.

8. What encryption technique does WPA use to protect wireless communications? A. TKIP B. DES C. 3DES D. AES

A. Wi-Fi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.

16. Which of the following is not a technology specifically associated with 802.11 wireless networking? A. WAP B. WPA C. WEP D. 802.11i

A. Wireless Application Protocol (WAP) is a technology associated with cell phones accessing the internet rather than 802.11 wireless networking.

9. What block size is used by the 3DES encryption algorithm? A. 32 bits B. 64 bits C. 128 bits D. 256 bits

B. 3DES simply repeats the use of the DES algorithm three times. Therefore, it has the same block length as DES: 64 bits.

9. What is a TCP wrapper? A. An encapsulation protocol used by switches B. An application that can serve as a basic firewall by restricting access based on user IDs or system IDs C. A security protocol used to protect TCP/IP traffic over WAN links D. A mechanism to tunnel TCP/IP through non-IP networks

B. A TCP wrapper is an application that can serve as a basic firewall by restricting access based on user IDs or system IDs.

16. Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data? A. ISDN B. PVC C. VPN D. SVC

B. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data.

15. A ______________ is an intelligent hub because it knows the addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist. A. Repeater B. Switch C. Bridge D. Router

B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port.

12. When you're designing a security system for internet-delivered email, which of the following is least important? A. Nonrepudiation B. Availability C. Message integrity D. Access restriction

B. Although availability is a key aspect of security in general, it is the least important aspect of security systems for internet-delivered email.

18. What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects? A. Separation of duties B. Access control matrix C. Biba D. Clark-Wilson

B. An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list.

3. Which OSI model layer manages communications in simplex, half-duplex, and full-duplex modes? A. Application B. Session C. Transport D. Physical

B. Layer 5, Session, manages simplex (one-direction), half-duplex (two-way, but only one direction can send data at a time), and full-duplex (two-way, in which data can be sent in both directions simultaneously) communications.

1. What is system certification? A. Formal acceptance of a stated system configuration B. A technical evaluation of each part of a computer system to assess its compliance with security standards C. A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards D. A manufacturer's certificate stating that all components were installed and configured correctly

B. A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.

19. What function does ARP perform? A. It is a routing protocol. B. It resolves IP addresses into MAC addresses. C. It resolves physical addresses into logical addresses. D. It manages multiplex streaming.

B. Address Resolution Protocol (ARP) resolves IP addresses (logical addresses) into MAC addresses (physical addresses).

3. A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table? A. Access control list B. Access control matrix C. Federation D. Creeping privilege

B. An access control matrix includes multiple objects, and it lists subjects' access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.

16. Which of the following can help mitigate the success of an online brute-force attack? A. Rainbow table B. Account lockout C. Salting passwords D. Encryption of password

B. An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the stored password but isn't effective against a brute-force attack without an account lockout.

12. Which of the following is not a valid definition for risk? A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure

B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

3. Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects? A. Identification B. Availability C. Encryption D. Layering

B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.

14. What type of memory device is usually used to contain a computer's motherboard BIOS? A. PROM B. EEPROM C. ROM D. EPROM

B. BIOS and device firmware are often stored on EEPROM chips to facilitate future firmware updates.

18. What is the major disadvantage of using certificate revocation lists? A. Key management B. Latency C. Record keeping D. Vulnerability to brute-force attacks

B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.

17. In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse? A. Encrypting communications B. Changing default passwords C. Using transmission logs D. Taping and archiving all conversations

B. Changing default passwords on PBX systems provides the most effective increase in security.

2. When determining the classification of data, which one of the following is the most important consideration? A. Processing system B. Value C. Storage media D. Accessibility

B. Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.

17. During what type of penetration test does the tester always have access to system configuration information? A. Black box penetration test B. White box penetration test C. Gray box penetration test D. Red box penetration test

B. During a white box penetration test, the testers have access to detailed configuration information about the system being tested.

2. What is encapsulation? A. Changing the source and destination addresses of a packet B. Adding a header and footer to data as it moves down the OSI stack C. Verifying a person's identity D. Protecting evidence until it has been properly collected

B. Encapsulation is adding a header and footer to data as it moves down the OSI stack.

10. What is both a benefit and a potentially harmful implication of multilayer protocols? A. Throughput B. Encapsulation C. Hash integrity checking D. Logical addressing

B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols.

1. ___________________ is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints. A. ISDN B. Frame Relay C. SMDS D. ATM

B. Frame Relay is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints. The Frame Relay network is a shared medium across which virtual circuits are created to provide point-to-point communications. All virtual circuits are independent of and invisible to each other.

20. What does IPsec define? A. All possible security classifications for a specific configuration B. A framework for setting up a secure communication channel C. The valid transition states in the Biba model D. TCSEC security categories

B. IPsec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.

20. How many encryption keys are required to fully implement an asymmetric algorithm with 10 participants? A. 10 B. 20 C. 45 D. 100

B. In an asymmetric algorithm, each participant requires two keys: a public key and a private key.

12. In which of the following security modes can you be assured that all users have access permissions for all information processed by the system but will not necessarily need to know of all that information? A. Dedicated B. System high C. Compartmented D. Multilevel

B. In system high mode, all users have appropriate clearances and access permissions for all information processed by the system but need to know only some of the information processed by that system.

15. Why is spam so difficult to stop? A. Filters are ineffective at blocking inbound messages. B. The source address is usually spoofed. C. It is an attack requiring little expertise. D. Spam can cause denial-of-service attacks.

B. It is often difficult to stop spam because the source of the messages is usually spoofed.

20. Of the following choices, what policy was not followed regarding the backup media? A. Media destruction B. Record retention C. Configuration management D. Versioning

B. Personnel did not follow the record retention policy. The scenario states that administrators purge onsite email older than six months to comply with the organization's security policy, but offsite backups included backups for the last 20 years. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning is applied to applications, not backup tapes.

13. What cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmermann's Pretty Good Privacy secure email system? A. ROT13 B. IDEA C. ECC D. El Gamal

B. Pretty Good Privacy uses a "web of trust" system of digital signature verification. The encryption technology is based on the IDEA private key cryptosystem.

6. What is a field-powered technology that can be used for inventory management without requiring direct physical contact? A. IPX B. RFID C. SSID D. SDN

B. Radio-frequency identification (RFID) is a tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field. RFID can be triggered/powered and read from a considerable distance away (often hundreds of meters).

10. Richard wants to digitally sign a message he's sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key

B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard's public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.

18. What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key? A. Vernam cipher B. Running key cipher C. Skipjack cipher D. Twofish cipher

B. Running key (or "book") ciphers often use a passage from a commonly available book as the encryption key.

14. How is single loss expectancy (SLE) calculated? A. Threat + vulnerability B. Asset value ($) * exposure factor C. Annualized rate of occurrence * vulnerability D. Annualized rate of occurrence * asset value * exposure factor

B. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

16. Which of the following is typically not a characteristic considered when classifying data? A. Value B. Size of object C. Useful lifetime D. National security implications

B. Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.

12. ______________ firewalls are known as third-generation firewalls. A. Application-level gateway B. Stateful inspection C. Circuit-level gateway D. Static packet-filtering

B. Stateful inspection firewalls are known as third-generation firewalls.

6. What is needed to allow an external client to initiate a communication session with an internal system if the network uses a NAT proxy? A. IPsec tunnel B. Static mode NAT C. Static private IP address D. Reverse DNS

B. Static mode NAT is needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy.

9. Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key

B. Sue would have encrypted the message using Richard's public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.

4. Which of the following IP addresses is not a private IP address as defined by RFC 1918? A. 10.0.0.18 B. 169.254.1.119 C. 172.31.8.204 D. 192.168.6.43

B. The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918. The addresses in RFC 1918 are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.

2. Which cryptographic algorithm forms the basis of the El Gamal cryptosystem? A. RSA B. Diffie-Hellman C. 3DES D. IDEA

B. The El Gamal cryptosystem extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.

8. What port is typically used to accept administrative connections using the SSH utility? A. 20 B. 22 C. 25 D. 80

B. The SSH protocol uses port 22 to accept administrative connections to a server.

19. Which AES finalist makes use of prewhitening and postwhitening techniques? A. Rijndael B. Twofish C. Blowfish D. Skipjack

B. The Twofish algorithm, developed by Bruce Schneier, uses prewhitening and postwhitening.

7. For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated? A. System accreditation B. Site accreditation C. Application accreditation D. Type accreditation

B. The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.

20. What information security management task ensures that the organization's data protection requirements are met effectively? A. Account management B. Backup verification C. Log review D. Key performance indicators

B. The backup verification process ensures that backups are running properly and thus meeting the organization's data protection objectives.

19. Which commercial business/private sector data classification is used to control information about individuals within an organization? A. Confidential B. Private C. Sensitive D. Proprietary

B. The commercial business/private sector data classification of private is used to protect information about individuals.

17. Which of the following links would be protected by WPA encryption? A. Firewall to firewall B. Router to firewall C. Client to wireless access point D. Wireless access point to router

C. The Wi-Fi Protected Access protocol encrypts traffic passing between a mobile client and the wireless access point. It does not provide end-to-end encryption.

9. What is the most effective means of reducing the risk of losing the data on a mobile device, such as a notebook computer? A. Defining a strong logon password B. Minimizing sensitive data stored on the mobile device C. Using a cable lock D. Encrypting the hard drive

B. The risk of a lost or stolen notebook is the data loss, not the loss of the system itself. Thus, keeping minimal sensitive data on the system is the only way to reduce the risk. Hard drive encryption, cable locks, and strong passwords, although good ideas, are preventive tools, not means of reducing risk. They don't keep intentional and malicious data compromise from occurring; instead, they encourage honest people to stay honest.

7. Alan ran an nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server's purpose and the identity of the server's operator? A. SSH B. Web browser C. telnet D. ping

B. The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site's purpose.

16. What is the implied meaning of the simple property of Biba? A. Write down B. Read up C. No write up D. No read down

B. The simple property of Biba is no read down, but it implies that it is acceptable to read up.

19. While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information

B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.

6. Beth would like to run an nmap scan against all of the systems on her organization's private network. These include systems in the 10.0.0.0 private address space. She would like to scan this entire private address space because she is not certain what subnets are used. What network address should Beth specify as the target of her scan? A. 10.0.0.0/0 B. 10.0.0.0/8 C. 10.0.0.0/16 D. 10.0.0.0/24

B. The use of an 8-bit subnet mask means that the first octet of the IP address represents the network address. In this case, that means 10.0.0.0/8 will scan any IP address beginning with 10.

5. If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security? A. Asset identification B. Third-party governance C. Exit interview D. Qualitative analysis

B. Third-party governance is the application of security oversight on third parties that your organization relies on.

Refer to the following scenario when answering questions 19 and 20: An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks. 19. What would the consultant use to identify potential attackers? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review and audit

B. Threat modeling helps identify, understand, and categorize potential threats. Asset valuation identifies the value of assets, and vulnerability analysis identifies weaknesses that can be exploited by threats. An access review and audit ensures that account management practices support the security policy.

4. What type of cipher relies on changing the location of characters within a message to achieve confidentiality? A. Stream cipher B. Transposition cipher C. Block cipher D. Substitution cipher

B. Transposition ciphers use a variety of techniques to reorder the characters within a message.

4. Which of the following is the least resistant to EMI? A. Thinnet B. UTP C. STP D. Fiber

B. UTP is the least resistant to EMI because it is unshielded. Thinnet (10Base2) is a type of coaxial cable that is shielded against EMI. STP is a shielded form of twisted pair that resists EMI. Fiber is not affected by terrestrial EMI.

18. What port is typically open on a system that runs an unencrypted HTTP server? A. 22 B. 80 C. 143 D. 443

B. Unencrypted HTTP communications take place over TCP port 80 by default.

16. What type of interface testing would identify flaws in a program's command-line interface? A. Application programming interface testing B. User interface testing C. Physical interface testing D. Security interface testing

B. User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.

17. Which of the following would provide the best protection against rainbow table attacks? A. Hashing passwords with MD5 B. Salt and pepper with hashing C. Account lockout D. Implement RBAC

B. Using both a salt and pepper when hashing passwords provides strong protection against rainbow table attacks. MD5 is no longer considered secure, so it isn't a good choice for hashing passwords. Account lockout helps thwart online password brute-force attacks, but a rainbow table attack is an offline attack. Role Based Access Control (RBAC) is an access control model and unrelated to password attacks.

9. What technology allows for phone conversations to occur over an existing TCP/IP network and internet connection? A. IPsec B. VoIP C. SSH D. TLS

B. Voice over IP (VoIP) allows for phone conversations to occur over an existing TCP/IP network and internet connection.

11. A significant benefit of a security control is when it goes unnoticed by users. What is this called? A. Invisibility B. Transparency C. Diversion D. Hiding in plain sight

B. When transparency is a characteristic of a service, security control, or access mechanism, it is unseen by users.

12. Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication? A. X.500 B. X.509 C. X.900 D. X.905

B. X.509 governs digital certificates and the public-key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.

4. When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee's network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

B. You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.

7. If you are the victim of a bluejacking attack, what was compromised? A. Your firewall B. Your switch C. Your cell phone D. Your web cookies

C. A bluejacking attack is a wireless attack on Bluetooth, and the most common device compromised in a bluejacking attack is a cell phone.

19. Which of the following is not a denial-of-service attack? A. Exploiting a flaw in a program to consume 100 percent of the CPU B. Sending malformed packets to a system, causing it to freeze C. Performing a brute-force attack against a known user account when account lockout is not present D. Sending thousands of emails to a single address

C. A brute-force attack is not considered a DoS.

3. What is a closed system? A. A system designed around final, or closed, standards B. A system that includes industry standards C. A proprietary system that uses unpublished protocols D. Any machine that does not run Windows

C. A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.

4. Which best describes a confined or constrained process? A. A process that can run only for a limited time B. A process that can run only during certain times of the day C. A process that can access only certain memory locations D. A process that controls access to an object

C. A constrained process is one that can access only certain memory locations. Options A, B, and D do not describe a constrained process.

10. Which one of the following is based on Blowfish and helps protect against rainbow table attacks? A. 3DES B. AES C. Bcrypt D. SCP

C. Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.

12. What type of access controls rely on the use of labels? A. DAC B. Nondiscretionary C. MAC D. RBAC

C. Mandatory Access Control (MAC) models rely on the use of labels for subjects and objects. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control model deployed on a firewall. Role Based Access Control (RBAC) models define a subject's access based on job-related roles.

1. Many PC operating systems provide functionality that enables them to support the simultaneous execution of multiple applications on single-processor systems. What term is used to describe this capability? A. Multiprogramming B. Multithreading C. Multitasking D. Multiprocessing

C. Multitasking is processing more than one task at the same time. In most cases, multitasking is simulated by the operating system even when not supported by the processor.

14. Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform? A. Code review B. Application vulnerability review C. Mutation fuzzing D. Generational fuzzing

C. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.

11. What ensures that the subject of an activity or event cannot deny that the event occurred? A. CIA Triad B. Abstraction C. Nonrepudiation D. Hash totals

C. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.

17. Which wireless frequency access method offers the greatest throughput with the least interference? A. FHSS B. DSSS C. OFDM D. OSPF

C. Orthogonal Frequency-Division Multiplexing (OFDM) offers high throughput with the least interference. OSPF is a routing protocol, not a wireless frequency access method.

12. Badin Industries runs a web application that processes ecommerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application? A. Only if the application changes B. At least monthly C. At least annually D. There is no rescanning requirement.

C. PCI DSS requires that Badin rescan the application at least annually and after any change in the application.

8. Which of the following is the most secure method of deleting data on a DVD? A. Formatting B. Deleting C. Destruction D. Degaussing

C. Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux, so degaussing a DVD doesn't destroy data.

8. _______________ refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. A. Seclusion B. Concealment C. Privacy D. Criticality

C. Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality.

18. What security principle helps prevent users from accessing memory spaces assigned to applications being run by other users? A. Separation of privilege B. Layering C. Process isolation D. Least privilege

C. Process isolation provides separate memory spaces to each process running on a system. This prevents processes from overwriting each other's data and ensures that a process can't read data from another process.

5. Which would an administrator do to classified media before reusing it in a less secure environment? A. Erasing B. Clearing C. Purging D. Overwriting

C. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

15. What type of memory is directly available to the CPU and is often part of the CPU? A. RAM B. ROM C. Register memory D. Virtual memory

C. Registers are small memory locations that are located directly on the CPU chip itself. The data stored within them is directly available to the CPU and can be accessed extremely quickly.

11. Which one of the following storage devices is most likely to require encryption technology in order to maintain data security in a networked environment? A. Hard disk B. Backup tape C. Removable drives D. RAM

C. Removable drives are easily taken out of their authorized physical location, and it is often not possible to apply operating system access controls to them. Therefore, encryption is often the only security measure short of physical security that can be afforded to them. Backup tapes are most often well controlled through physical security measures. Hard disks and RAM chips are often secured through operating system access controls.

3. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key

C. Richard must encrypt the message using Sue's public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard's private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard's freely available public key. Richard could not encrypt the message using Sue's private key because he does not have access to it. If he did, any user could decrypt it using Sue's freely available public key.

8. Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

C. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

7. Which of the following statements is not true? A. IT security can provide protection only against logical or technical attacks. B. The process by which the goals of risk management are achieved is known as risk analysis. C. Risks to an IT infrastructure are all computer based. D. An asset is anything used in a business process or task.

C. Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. A company that fails to properly evaluate and respond to all forms of risk remains vulnerable.

6. Which of the following statements correctly identifies a problem with sanitization methods? A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data. B. Even fully incinerated media can offer extractable data. C. Personnel can perform sanitization steps improperly. D. Stored data is physically etched into the media.

C. Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.

8. Which one of the following types of memory might retain information after being removed from a computer and, therefore, represent a security risk? A. Static RAM B. Dynamic RAM C. Secondary memory D. Real memory

C. Secondary memory is a term used to describe magnetic, optical, or flash media. These devices will retain their contents after being removed from the computer and may later be read by another user.

4. Which one of the following is not normally included in a security assessment? A. Vulnerability scan B. Risk assessment C. Mitigation of vulnerabilities D. Threat assessment

C. Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.

18. Which of the following can be used to bypass even the best physical and logical security mechanisms to gain access to a system? A. Dictionary attacks B. Denial of service C. Social engineering D. Port scanning

C. Social engineering can often be used to bypass even the most effective physical and logical controls. Whatever activity the attacker convinces the victim to perform, it is usually directed toward opening a back door that the attacker can use to gain access to the network.

11. By examining the source and destination addresses, the application usage, the source of origin, and the relationship between current packets with the previous packets of the same session, ______________ firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. A. Static packet-filtering B. Application-level gateway C. Stateful inspection D. Circuit-level gateway

C. Stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.

8. How many major categories do the TCSEC criteria define? A. Two B. Three C. Four D. Five

C. TCSEC defines four major categories: Category A is verified protection, Category B is mandatory protection, Category C is discretionary protection, and Category D is minimal protection.

16. What block size is used by the Advanced Encryption Standard? A. 32 bits B. 64 bits C. 128 bits D. Variable

C. The Advanced Encryption Standard uses a 128-bit block size, even though the Rijndael algorithm it is based on allows a variable block size.

17. What kind of attack makes the Caesar cipher virtually unusable? A. Meet-in-the-middle attack B. Escrow attack C. Frequency analysis attack D. Transposition attack

C. The Caesar cipher and other simple substitution ciphers are vulnerable to frequency analysis attacks that analyze the rate at which specific letters appear in the ciphertext.

11. Which one of the following algorithms is not supported by the Digital Signature Standard? A. Digital Signature Algorithm B. RSA C. El Gamal DSA D. Elliptic Curve DSA

C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.

19. Which one of the following is the final step of the Fagan inspection process? A. Inspection B. Rework C. Follow-up D. None of the above

C. The Fagan inspection process concludes with the follow-up phase.

9. What is a trusted computing base (TCB)? A. Hosts on your network that support secure transmissions B. The operating system kernel and device drivers C. The combination of hardware, software, and controls that work together to enforce a security policy D. The software and controls that certify a security policy

C. The TCB is the combination of hardware, software, and controls that work together to enforce a security policy.

10. What type of network discovery scan only follows the first two steps of the TCP handshake? A. TCP connect scan B. Xmas scan C. TCP SYN scan D. TCP ACK scan

C. The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.

7. Which one of the following technologies is considered flawed and should no longer be used? A. SHA-3 B. PGP C. WEP D. TLS

C. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.

2. What is the intent of least privilege? A. Enforce the most restrictive rights required by users to run system processes. B. Enforce the least restrictive rights required by users to run system processes. C. Enforce the most restrictive rights required by users to complete assigned tasks. D. Enforce the least restrictive rights required by users to complete assigned tasks.

C. The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don't execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.

11. What part of the TCB concept validates access to every resource prior to granting the requested access? A. TCB partition B. Trusted library C. Reference monitor D. Security kernel

C. The reference monitor validates access to every resource prior to granting the requested access. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Options A and B are not valid TCB concept components.

14. Which of the following best defines "rules of behavior" established by a data owner? A. Ensuring that users are granted access to only what they need B. Determining who has access to a system C. Identifying appropriate use and protection of data D. Applying security controls to a system

C. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures that users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

3. Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system? A. Sensitivity of the information stored on the system B. Difficulty of performing the test C. Desire to experiment with new testing tools D. Desirability of the system to attackers

C. The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.

20. Which of the following is not part of the access control relationship of the Clark-Wilson model? A. Object B. Interface C. Programming language D. Subject

C. The three parts of the Clark-Wilson model's access control relationship (aka access triple) are subject, object, and program (or interface).

19. What security model has a feature that in theory has one name or label, but when implemented into a solution, takes on the name or label of the security kernel? A. Graham-Denning model B. Deployment modes C. Trusted computing base D. Chinese Wall

C. The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation.

14. Which of the following is not a routing protocol? A. OSPF B. BGP C. RPC D. RIP

C. There are numerous dynamic routing protocols, including RIP, OSPF, and BGP, but RPC is not a routing protocol.

1. How many possible keys exist in a 4-bit key space? A. 4 B. 8 C. 16 D. 128

C. To determine the number of keys in a key space, raise 2 to the power of the number of bits in the key space. In this example, 2^4 = 16.

17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination

C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.

14. What TCP/IP communications port is used by Transport Layer Security traffic? A. 80 B. 220 C. 443 D. 559

C. Transport Layer Security uses TCP port 443 for encrypted client-server communications.

5. Which of the following is not true? A. Violations of confidentiality include human error. B. Violations of confidentiality include management oversight. C. Violations of confidentiality are limited to direct intentional attacks. D. Violations of confidentiality can occur when a transmission is not properly encrypted.

C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.

18. What type of attack uses email and attempts to trick high-level executives? A. Phishing B. Spear phishing C. Whaling D. Vishing

C. Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

9. Which one of the following tests provides the most accurate and detailed information about the security state of a server? A. Unauthenticated scan B. Port scan C. Half-open scan D. Authenticated scan

D. Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

7. A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this? A. DAC model B. An access control list (ACL) C. Rule-based access control model D. RBAC model

D. A Role Based Access Control (RBAC) model can group users into roles based on the organization's hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

5. Which of the following is not an example of network segmentation? A. Intranet B. DMZ C. Extranet D. VPN

D. A VPN is a secure tunnel used to establish connections across a potentially insecure intermediary network. Intranet, extranet, and DMZ are examples of network segmentation.

17. What form of attack abuses a program's lack of length limitation on the data it receives before storing the input in memory, which can lead to arbitrary code execution? A. ARP poisoning B. XSS C. Domain hijacking D. Buffer overflow

D. A buffer overflow attack occurs when an attacker submits data to a process that is larger than the input variable is able to contain. Unless the program is properly coded to handle excess input, the extra data is dropped into the system's execution stack and may execute as a fully privileged operation.

6. What is a security control? A. A security component that stores attributes that describe an object B. A document that lists all data classification types C. A list of valid access rules D. A mechanism that limits access to an object

D. A control limits access to an object to protect it from misuse by unauthorized users.

20. You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? A. Exposure factor B. Single loss expectancy (SLE) C. Asset value D. Annualized rate of occurrence

D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

12. Which one of the following tasks would a custodian most likely perform? A. Access the data B. Classify the data C. Assign permissions to the data D. Back up data

D. A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

6. A central authority determines which files a user can access. Which of the following best describes this? A. An access control list (ACL) B. An access control matrix C. Discretionary Access Control model D. Nondiscretionary access control model

D. A nondiscretionary access control model uses a central authority to determine which objects (such as files) users (and other subjects) can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model. An access control matrix includes multiple objects, and it lists the subject's access to each of the objects.

6. A portion of the __________________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. A. Hybrid assessment B. Risk aversion process C. Countermeasure selection D. Documentation review

D. A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.

9. Which of the following is the best choice for a role within an organization using a RBAC model? A. Web server B. Application C. Database D. Programmer

D. A programmer is a valid role in a Role Based Access Control (RBAC) model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.

10. Which of the following best describes a rule-based access control model? A. It uses local rules applied to users individually. B. It uses global rules applied to users individually. C. It uses local rules applied to all users equally. D. It uses global rules applied to all users equally.

D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.

2. Tunnel connections can be established over all except for which of the following? A. WAN links B. LAN pathways C. Dial-up connections D. Stand-alone systems

D. A stand-alone system has no need for tunneling because no communications between systems are occurring and no intermediary network is present.

7. What is the concept of a computer implemented as part of a larger system that is typically designed around a limited set of specific functions (such as management, monitoring, and control) in relation to the larger product of which it's a component? A. IoT B. Application appliance C. SoC D. Embedded system

D. An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it's a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller.

5. Which of the following cannot be linked over a VPN? A. Two distant internet-connected LANs B. Two systems on the same LAN C. A system connected to the internet and a LAN connected to the internet D. Two systems without an intermediary network connection

D. An intermediary network connection is required for a VPN link to be established.

7. When correctly implemented, what is the only cryptosystem known to be unbreakable? A. Transposition cipher B. Substitution cipher C. Advanced Encryption Standard D. One-time pad

D. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks.

18. Of the following choices, what would have prevented this loss without sacrificing security? A. Mark the media kept offsite. B. Don't store data offsite. C. Destroy the backups offsite. D. Use a secure offsite storage facility.

D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won't protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite, or offsite backups are destroyed, security is sacrificed by risking availability.

4. What is the most important aspect of marking media? A. Date labeling B. Content description C. Electronic labeling D. Classification

D. Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn't as important as marking the classification. Electronic labels or marks can be used, but they are applied to the files, not the media, and when they are used, it is still important to mark the media.

14. Which of the following is not a valid access control model? A. Discretionary Access Control model B. Nondiscretionary access control model C. Mandatory Access Control model D. Compliance-based access control model

D. Compliance-based access control model is not a valid type of access control model. The other answers list valid access control models.

3. Which of the following answers would not be included as sensitive data? A. Personally identifiable information (PII) B. Protected health information (PHI) C. Proprietary data D. Data posted on a website

D. Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.

9. Which of the following does not erase data? A. Clearing B. Purging C. Overwriting D. Remanence

D. Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.

17. When a trusted subject violates the star property of Bell-LaPadula in order to write an object into a lower level, what valid operation could be taking place? A. Perturbation B. Polyinstantiation C. Aggregation D. Declassification

D. Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.

6. STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE? A. Spoofing B. Elevation of privilege C. Repudiation D. Disclosure

D. Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

8. At which OSI model layer does the IPsec protocol function? A. Data Link B. Transport C. Session D. Network

D. IPsec operates at the Network layer (layer 3).

10. Which of the following is not a benefit of NAT? A. Hiding the internal IP addressing scheme B. Sharing a few public internet addresses with a large number of internal clients C. Using the private IP addresses from RFC 1918 on an internal network D. Filtering network traffic to prevent brute-force attacks

D. NAT does not protect against or prevent brute-force attacks.

2. Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the greatest cause for alarm? A. 80/open B. 22/filtered C. 443/open D. 1433/open

D. Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network.

13. Which one of the following Data Encryption Standard (DES) operating modes can be used for large messages with the assurance that an error early in the encryption/decryption process won't spoil results throughout the communication? A. Cipher Block Chaining (CBC) B. Electronic Code Book (ECB) C. Cipher Feedback (CFB) D. Output feedback (OFB)

D. Output feedback (OFB) mode prevents early errors from interfering with future encryption/decryption. Cipher Block Chaining and Cipher Feedback modes will carry errors throughout the entire encryption/decryption process. Electronic Code Book (ECB) operation is not suitable for large amounts of data.

10. What element of data categorization management can override all other forms of access control? A. Classification B. Physical access C. Custodian responsibilities D. Taking ownership

D. Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.

7. Which of the following choices is the most reliable method of destroying data on a solid state drive (SSD)? A. Erasing B. Degaussing C. Deleting D. Purging

D. Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn't destroy data.

1. Which of the following is the weakest element in any security solution? A. Software products B. Internet connections C. Security policies D. Humans

D. Regardless of the specifics of a security solution, humans are the weakest element.

11. Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task? A. Port scanner B. Network vulnerability scanner C. Network discovery scanner D. Web vulnerability scanner

D. SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.

