CISSP - Legal
1. What is not one of the three things that are needed to commit a computer crime? A. Means B. Skill C. Motive D. Opportunity
1. Answer: B. Although skill may be useful to those attempting to commit a computer crime, means, motive, and opportunity are required. Ready-to-use programs can be downloaded from the Internet that allow any layman to launch an attack.
10. Which of the following is not one of the three required actions that must be performed during a possible network intrusion? A. Authenticate B. Document C. Acquire D. Analyze
10. Answer: B. Although documentation is required, it is considered only a subsection of all three required actions that must be performed during an investigation: Acquisition: Evidence must be acquired in a forensically sound manner. Authentication: Any information or data that is recovered must be authenticated. Analysis: The evidence must be analyzed in a manner that is considered legal and that follows rules of procedure.
11. What is the most important aspect of incident response? A. A well-documented and approved response plan B. Honeypots C. Evidence handling D. Verification that no systems will be powered down until they are fully examined
11. Answer: A. Although evidence handling and system verification are important parts of incident response, the most important aspect of incident response is a well-documented and approved response plan. Before an actual incident, an organization should know who will be involved, what steps should be performed, and how the individuals should respond based on the type of threat or attack. Honeypots are used before incident response as a means of detecting or containing malicious users.
12. A coworker is thinking about becoming CISSP certified and has questions about ethics and RFC 1087. Which of the following is not specified in RFC 1087? A. Access to the Internet is a right that no individual should be denied. B. Negligence in conduct when performing activities on the Internet is unacceptable. C. It is unethical to disrupt the intended use of the Internet. D. The well-being of the Internet is the responsibility of all its users.
12. Answer: A. Access to the Internet is not a right, but a privilege, and should be treated as such. You can read the complete RFC at www.faqs.org/rfcs/rfc1087.html.
13. Louie is studying for his CISSP exam and comes to you with a question: What is the correct order of the items that make up the evidence life cycle? How will you answer him? A. Collection, storage, analysis, presentation, and return to victim B. Seizure, storage, analysis, presentation, and return to victim C. Seizure, storage, validation, presentation, and return to victim D. Collection, analysis, storage, presentation, and return to victim
13. Answer: D. Any type of evidence that is obtained from a possible crime must be handled under the strictest guidelines. The evidence life cycle is composed of the following five stages: collection and identification; analysis; storage and preservation; presentation; and return to the victim.
14. During a computer intrusion, an attacker typically attempts to cover his tracks. Which commonly known principle states that trace evidence will always remain? A. Locard's principle B. Picard's principle C. Kruse's theory D. Gauntlett's theory
14. Answer: A. Locard's exchange principle states that whenever two objects come into contact, a transfer of material will occur. The resulting trace evidence can be used to associate objects, individuals, or locations to a crime (see http://suite101.com/article/lockards-exchange-principle-a47558). Simply stated, no matter how hard someone tries to cover his or her tracks, some trace evidence always remains. The complexity of modern computers makes it almost impossible for suspects to erase all evidence of their activities. Although suspects can make recovery harder by deleting files and caches, some trace evidence always remains. During an investigation, slack space, cache, the registry, browser history, and the page files are just a few of the items that can be examined.
15. A local law firm, Dewey and Cheatem, has asked you to examine some potential computer evidence. Even though you have yet to examine the evidence, you are concerned. You were told that the evidence was misplaced, but it has been found on a table in the law firm's storage room. What potential rule has been broken? A. Due process B. Chain of custody C. Habeas corpus D. Evidence objection
15. Answer: B. Chain of custody has been broken. The chain of custody is a critical component because the evidence it protects can be used in criminal court to convict persons of crimes or in civil court to punish them through monetary means. Therefore, evidence must always be handled in a careful manner to avoid allegations of tampering or misconduct. Someone must always have physical custody of the piece of evidence. Due process deals with the function of the legal process, habeas corpus deals with unlawful detention, and evidence objection is simply a distracter.
16. You are placed in charge of your company's new incident response team. Place the five steps of incident response in their proper order. A. Identify, analyze, mitigate, investigate, and train B. Train, identify, analyze, mitigate, and investigate C. Identify, coordinate, mitigate, investigate, and educate D. Educate, identify, coordinate, mitigate, and investigate
16. Answer: C. Five general steps outline the handling of an incident. The process starts at the point where the intrusion is detected: Identify the problem. Coordinate the response. Mitigate the damage. Investigate the root cause or culprit. Educate team members about avoiding future problems.
17. Your boss has asked you to get a copy of SATAN to install on a networked computer. What is SATAN? A. An incident response tool B. A network vulnerability scanner C. The first automated penetration testing tool D. A network sniffer
17. Answer: B. Although SATAN (Security Administrator's Tool for Analyzing Networks) was not the first vulnerability scanner, it was big news upon its release. It was developed by Dan Farmer and Wietse Venema in 1995 to help administrators find network vulnerabilities before attackers could do so.
18. When a team is investigating a possible network intrusion, which of the following would be the best way for team members to communicate? A. Email B. VoIP phones C. Instant Messenger D. Cell phone
18. Answer: D. Any type of communication method that uses the company's network may have been compromised. Therefore, during a possible network intrusion, the best form of communication is out-of-band communications. This includes cell phones, telephones, and pagers.
19. Darla, your network support technician, comes to you with a question: What is Tripwire used for? A. Tripwire is a host-based IDS. B. Tripwire is a signature-based IDS. C. Tripwire is a network-based IDS. D. Tripwire is a file integrity monitoring tool.
19. Answer: D. Tripwire is one of the most well-known tools available for detecting unauthorized alterations to OS system files and software. It functions by creating a known-state database of checksums for each file and executable. Then it periodically checks the known checksum against a newly generated one. Unlike an IDS, Tripwire can detect any change to any file. It is very useful during an incident response operation.
2. The IAB (Internet Architecture Board) considers which of the following acts unethical? A. Disrupting the intended use of the Internet B. Rerouting Internet traffic C. Writing articles about security exploits D. Developing security patches
2. Answer: A. The IAB (Internet Activities Board) considers the following acts unethical: gaining unauthorized access; disrupting the intended use of the Internet; wasting resources; destroying the integrity of computer-based information; being negligent when conducting Internet-based experiments; and compromising privacy.
20. What is the name of the software that prevents users from seeing all items or directories on a computer, changes process output, and is most commonly found on a compromised UNIX/Linux computer? A. Hidden file attributes B. File obscurity C. NTFS DataStreams D. Root kit
20. Answer: D. Root kits are software-based items that prevent users from seeing all items or directories on a computer. They are found in both UNIX/Linux and Windows environments. NTFS DataStreams are possible only in a Windows environment, hidden file attributes do not change program behavior, and file obscurity is a distracter.
21. Ted's nighttime job at Stop-n-Shop gives him time to reprogram the cash register. Now each time he scans an item that costs 99 cents, the register shows the cost as 49 cents. Ted then pockets the remaining 50 cents. He figures that he will have stolen enough for a used car by the time summer is over. What type of hacking attack has Ted performed? A. Privilege escalation B. Data diddling C. Tuple attack D. Salami
21. Answer: B. Data diddling is the process of altering data or dollar amounts before or after they are entered into an application. This type of hacking attack can be prevented by using good accounting controls, auditing, or increased supervision. Privilege escalation is the process of making oneself administrator or root on a computer. There is no such thing as a tuple attack. A salami attack involves skimming small amounts of money or funds from an account with the hope that it will go unnoticed.
22. You have just found out that a company that wants you to consult for it has had its phone system hacked, and more than $5,000 worth of illegal phone calls have been made. What is the name for individuals who perform this type of activity? A. Phreakers B. Script kiddies C. Hackers D. Crackers
22. Answer: A. Hackers, crackers, and script kiddies are individuals who commit computer crimes. Phreaking predates hacking and is a classification of attack that deals specifically with phone fraud. One famous phreaker was John Draper, also known as Cap'n Crunch. The website http://en.wikipedia.org/wiki/Phreaking has a ton of interesting information.
23. Which of the following is not one of the primary categories of evidence that can be presented in a court of law? A. Direct B. Indirect C. Real D. Demonstrative
23. Answer: B. The four types of evidence that can be presented in a court of law are direct, real, documentary, and demonstrative.
24. Chain of custody includes which of the following? A. Who, what, where, when, and how B. Who, when, why, how, motive, and where C. What, why, and how D. What, when, and where
24. Answer: A. The chain of custody provides accountability and protection for the evidence to ensure that it has not been tampered with. The following five items are required for proper chain of custody: who discovered it; what the evidence is; where it is being stored and where it was found; when it was discovered, seized, or analyzed; and how it has been collected, stored, or transported.
25. What is criminal activity that is directly targeted against network devices called? A. Computer crime B. Civil violations C. Criminal violations D. Illegal penetration testing
25. Answer: A. Computer crime can be broadly defined as any criminal offense or activity that involves computers. It could be that the computer has been used to commit a crime or that the computer has been the target of a crime.
26. The 1996 U.S. Kennedy-Kassebaum Act is also known by what other name? A. HIPAA B. The 1996 Federal Privacy Act C. GASSP D. The 1996 U.S. National Information Infrastructure Protection Act
26. Answer: A. The 1996 U.S. Kennedy-Kassebaum Act is also known as the Health Insurance Portability and Accountability Act (HIPAA). The Federal Privacy Act deals with the handling of personal information. GASSP (Generally Accepted Systems Security Principles) is not a law but an accepted group of security principles. The U.S. National Information Infrastructure Protection Act deals with the protection of confidentiality, integrity, and availability of data and networked systems.
27. Fred is concerned that he may be called into civil court. Which of the following penalties can be levied against an individual found guilty in a civil case? A. Imprisonment B. Fines C. Imprisonment and fines D. Community service
27. Answer: B. The only penalty that can be awarded in a civil case is a fine.
28. According to CERT, one of the key elements of establishing that a computer user has no right to privacy on a corporate computer includes which of the following? A. Passwords B. Notification of privacy policy at the time of employment C. Login banners D. Verbal warnings
28. Answer: C. CERT (Computer Emergency Response Team) recommends that corporations implement login banners that are displayed each time a computer user boots his or her computer. To read more about this, check out the CERT article at www.cert.org/advisories/CA-1992-19.html.
29. Which type of evidence is preferred in trials because it provides the most reliability and may include documents or contracts? A. Direct evidence B. Collaborative evidence C. Secondary evidence D. Best evidence
29. Answer: D. Best evidence is considered the most reliable in a court case. It includes documents, contracts, and legal papers. An example of direct evidence is evidence provided by a witness. Collaborative evidence supports a point or helps prove a theory. Secondary evidence includes copies of original documents or oral evidence provided by a witness.
3. What category of attack is characterized by the removal of small amounts of money over long periods of time? A. Slicing attack B. Skimming attack C. Bologna attack D. Salami attack
3. Answer: D. A salami attack is characterized by the removal of very small amounts of money over a long period of time. This may be only fractions of a cent, but the idea is that the amount is so small that it goes unnoticed.
30. Which of the following is considered a commercial application of steganography? A. Hashing B. Data diddling C. Digital watermarks D. XOR encryption
30. Answer: C. The commercial application of steganography lies mainly in the use of digital watermarks. Digital watermarks act as a type of digital fingerprint and can verify proof of source. Individuals who own data or create original art want to protect their intellectual property. In cases of intellectual property theft, digital watermarks can be used to show proof of ownership.
31. Which type of evidence is based on information gathered from a witness's five senses? A. Direct evidence B. Collaborative evidence C. Secondary evidence D. Best evidence
31. Answer: A. An example of direct evidence is evidence provided by a witness. It could be something he saw, something he heard, or something he knows. Collaborative evidence supports a point or helps prove a theory. Secondary evidence includes copies of documents or oral evidence provided by a witness. Best evidence is considered the most reliable in a court case. It includes original documents, contracts, and legal papers.
32. Enticement is best described by which of the following statements? A. It is not legal. B. It is legal. C. It is neither legal nor ethical. D. It is legal with a court order or warrant.
32. Answer: B. Enticement is considered legal because it may lure someone into leaving some type of evidence after he or she has committed a crime. Entrapment is considered illegal and unethical because it may encourage someone to commit a crime that was not intended.
33. Keyboard monitoring is an example of which of the following? A. Enticement B. Physical surveillance C. Entrapment D. Computer surveillance
33. Answer: D. Keyboard monitoring is a type of computer surveillance. Before an organization decides to attempt this type of surveillance, it is critical that employees be informed that their computer activity may be monitored. Login banners are a good way to accomplish this legal notification.
34. Fred has been asked to help examine a seized computer hard drive. He comes to you with a question. On most common disk systems, storage space is allocated in units called what? A. Bytes B. Bits C. Clusters D. Nibbles
34. Answer: C. The smallest unit of storage on a hard disk is known as a cluster or a logical unit of storage. Cluster size, as defined by Microsoft, is based on the drive's total capacity. As drive capacity increases, so does the cluster size. The other answers are incorrect because bits, bytes, and nibbles are all examples of binary notation.
35. Mike has recently discovered that the material he wrote for a new book is being used by a competitor as a course manual. What law has the competitor potentially broken? A. Trademark B. Copyright C. Trade secret D. Patent
35. Answer: B. A copyright is a protective measure that covers any published or unpublished literature, artistic work, or scientific work. This allows the creator of a work to enjoy protection of that work for a period of time. Usually, this includes the stipulation that the owner of the copyright is the only person who can legally profit from the work, unless the owner gives express permission that a third party can use the work during that period. For example, the creator of a piece of software owns the copyright. Often, the creator can profit from this software by selling licenses to others as a means to allow them to legally use the software too. Essentially, this means that if you can see it, hear it, and/or touch it, it may be protected.
36. You are placed in charge of a forensic investigation. Now that you have seized the suspect's computer, what should your next step be? A. Create a logical copy B. Create cryptographic checksums of all files and folders C. Create a physical copy D. Examine the hard drive
36. Answer: C. You need to create a physical copy. Programs that create a physical copy not only copy all the files and folders but literally duplicate all the information, down to the track, sector, and cluster of the original. Creating a logical copy consists of duplicating files and folders. This is the same process that occurs when you use any number of standard backup programs, such as Microsoft Backup or Norton Ghost. Files and folders are duplicated, but the information is not restored in the same location as the original, nor are the free space and slack space copied.
37. Entrapment is best described by which of the following statements? A. It is not legal. B. It is legal. C. It is neither legal nor ethical. D. It is legal with a court order or warrant.
37. Answer: C. Entrapment is considered illegal and unethical in that it may encourage someone to commit a crime that was not intended (such as with honeypots). In contrast, enticement is considered legal because it may lure someone into leaving some type of evidence after the crime was committed.
38. Which of the following best describes file slack? A. File slack is the free space remaining in a used cluster. B. File slack is the free space remaining on a hard drive. C. File slack is the free space remaining in a used byte. D. File slack is the space remaining when a file is erased.
38. Answer: A. When a computer writes files to the drive and the file size does not come out to be an even multiple of the cluster size, extra space must be used in the next cluster to hold the file. This cluster is only partially used. The remaining space in that cluster is called file slack. The file slack can hold information that can be important during an incident response investigation or forensic analysis.
39. You recently received a company-issued laptop that formerly belonged to another individual. While setting up your Documents folder, you notice remaining proprietary information from the former user. What does the ISC2 Code of Ethics direct you to do? A. Leave the information, but make sure that it is backed up along with your data. B. Contact the individual about the information you found. C. Delete the information, and verify that it has been permanently removed. D. Inform your manager of your findings, and seek guidance.
39. Answer: D. The ISC2 Code of Ethics dictates that CISSP certified individuals should discourage unsafe and insecure practices. In this situation, inform management of your findings. If you are unauthorized to view such information, you should not back it up or keep a copy. Contacting the individual will not increase the likelihood that the problem will not happen in the future. Deleting the information only ignores the fact that there may be a security lapse or problem. You can view the complete Code of Ethics at https://www.isc2.org/cgi-bin/content.cgi?category=12#code.
4. You are assigned to a team that is investigating a computer crime. You are asked to make sure that the original data remains unchanged. Which of the following programs can be used to create a cryptographic checksum to verify the data's integrity? A. PKZip B. MD5sum C. DES D. PGP
4. Answer: B. MD5sum can be used to verify data, to compare files, and to detect file corruption and tampering. Extremely fast and lightweight, it produces a 128-bit checksum.
40. Which of the following is not required of evidence for it to be admissible in court? A. Reliable B. Sufficient C. Validated D. Relevant
40. Answer: C. For evidence to be admissible in court, it must meet three challenges: it must be reliable, it must be sufficient, and it must be relevant.
41. Senior management and directors are expected to protect the company from network attacks or security breaches. What is this type of behavior called? A. Due care B. In good faith C. Risk negligence D. Due prudence
41. Answer: A. Due care is considered what a reasonable person or corporation would exercise under a given set of circumstances. Corporations that fail to practice due care in protecting the organization's network or information assets may open the organization to some legal liability.
42. Jack has decided to try his hand at phone hacking. He has built a box that simulates the sound of coins being dropped into a payphone. What is the device called? A. A blue box B. A black box C. A red box D. A white box
42. Answer: C. A red box is a device that simulates the sound of coins being dropped in a payphone. Blue boxes simulate telephone tones, black boxes manipulate telephone line voltages, and white boxes turn a normal touch-tone keypad into a portable unit.
43. Because of your recent good work in building the incident response team, you are asked to work with the newly created mobile sales force. Your success in this venture will certainly move you up the corporate ladder. You are asked to propose the best way to secure the data on the laptops that each salesperson will carry. Which of the following will you recommend? A. Issue each salesperson a laptop locking cable. B. Use file encryption on the hard drives. C. Require each salesperson to VPN into the network remotely. D. Enforce the use of WEP for all wireless communication.
43. Answer: B. Using strong encryption on the hard drives is the best way to secure the data. Although locking cables may prevent the laptops from being removed from a hotel room or another location, they would not prevent someone from accessing the data. Neither would the use of WEP or the use of a VPN protect the data if someone could successfully gain physical access.
44. Financial institutions are most affected by which of the following laws? A. Federal Privacy Act of 1974 B. Gramm-Leach-Bliley Act of 1999 C. HIPAA D. Interpol FRA
44. Answer: B. The Gramm-Leach-Bliley Act of 1999 requires financial institutions to develop privacy policies. The Federal Privacy Act of 1974 places limits on what type of information the federal government can collect and disseminate about U.S. citizens. HIPAA (Health Insurance Portability and Accountability Act) is focused on the medical and health-care industry. There is no such thing as the Interpol FRA.
45. Employee monitoring through the use of CCTV is an example of which of the following? A. Enticement B. Physical surveillance C. Entrapment D. Computer surveillance
45. Answer: B. Physical surveillance can be hidden cameras, closed-circuit TVs, security cameras, hardware keyloggers, or security guards. The goal of physical surveillance is to capture evidence about a suspect's behavior or activities.
46. Your consulting company is poised to gain a large defense contract. Your director wants you to learn more about your company's responsibility for security if the contract is approved. Which government entity is responsible for managing government systems that contain sensitive or classified information? A. The FBI B. The NSA C. U.S. marshals D. NIST
46. Answer: B. The National Security Agency (NSA) is responsible for all systems that maintain classified or sensitive information.
47. Your director is so pleased about your prior findings that now she wants you to investigate who is responsible for managing government systems that do not contain sensitive or classified information. What will you tell her? A. The FBI B. The NSA C. The Secret Service D. NIST
47. Answer: D. Although the National Security Agency is responsible for all systems that maintain classified or sensitive information, nonsensitive information systems are managed by NIST (the National Institute of Standards and Technology).
48. Your director also wants you to investigate who is responsible for investigating computer crimes within the U.S. Specifically, she wants to know which federal agencies are responsible for tracking and prosecuting individuals who deal in stolen passwords. What do you tell her? A. The FBI B. The NSA C. The Secret Service and the NSA D. The FBI and the Secret Service
48. Answer: D. The FBI and the Secret Service are responsible for the tracking and apprehension of individuals dealing in stolen passwords. You can find more information at www.cybercrime.gov/reporting.htm.
49. What did the 1987 Computer Security Act do? A. It made it illegal for the government to eavesdrop on electronic communications without a warrant or court order. B. It required the U.S. government to conduct security-related training and identify federal systems that maintain sensitive information. C. It strengthened the penalties that an individual faces if caught eavesdropping on electronic communications without legal consent. D. It placed minimum requirements on private businesses for the practice of due diligence by requiring them to provide security-related training to all employees.
49. Answer: B. The 1987 Computer Security Act required federal government agencies to conduct security-related training, identify sensitive systems, and develop plans to secure sensitive data that is stored on such systems. You can read more about this act at www.epic.org/crypto/csa/csa.html.
5. Paul is concerned about the proper disposal of old hard drives that contain proprietary information. Which of the following techniques ensures that the data cannot be recovered? A. Formatting B. FDISK C. Drive wiping D. Data parsing
5. Answer: C. Drive-wiping programs work by overwriting all addressable locations on the disk. Some programs even make several passes to further decrease the possibility of data recovery. What they provide for the individual who wants to dispose of unused drives is a verifiably clean medium. However, in the hands of a criminal, these programs offer the chance to destroy evidence. All other answers are incorrect because they do not adequately erase the data.
50. You are asked to authenticate a hard drive that was seized during an investigation. Your superiors want to make sure that subsequent copies are exact duplicates and that no changes occur to the data stored on the seized drive. Which of the following would be the best method of validating the data's integrity? A. MD5 B. SHA C. NTLM D. PGP
50. Answer: B. SHA-1 (SHA) creates a message digest that is 160 bits long, which is considered more robust than the 128-bit message digest created by MD5. NTLM and PGP are not hashing algorithms.
51. Which of the following is a computer-targeted crime? A. DDoS B. Sharing child porn C. Browsing corporate secrets D. Hacktivism
51. Answer: A. Computer-targeted crimes are ones that could not have been committed without the presence of a computer. DDoS differs from a regular DoS attack by using multiple zombie machines to attack your network. Answers B, C, and D are all crimes in which the computer is incidental to the crime (the crime can take place without the computer); they are called computer-assisted crimes. Hacktivism refers to hacking for a social cause or agenda (protesting).
52. When updating data contained in remote databases housed in your subsidiary locations in Europe, what additional international requirements might you have to abide by? A. Safe Harbor B. European Commission's Directive on Data Protection C. Export Regulations Administration (EAR) D. Wassenaar Arrangement
52. Answer: A. The European Commission's Directive prevents the transfer of any personal data to non-European communities that do not comply with European standards for protecting privacy. The Safe Harbor agreement was created by the U.S. Department of Commerce working with the European Union. It establishes certification for companies that want to exchange data. EAR defines screening regulations for the U.S. The Wassenaar Arrangement regulates arms and dual-use goods but not data.
53. Microsoft Corporation (microsoft.com) was permitted to force Mike Rowe to release the domain name he had set up to market his software products (MikeRoweSoft.com). On what grounds was Mike Rowe guilty? A. Copyright violation B. Trade secret violation C. Trademark violation D. Patent infringement
53. Answer: C. Mike Rowe was guilty of a trademark violation because of the possibility of confusion from hearing the name Microsoft versus MikeRoweSoft. A trademark is a name or symbol. Copyright protects original works. A trade secret is a proprietary intellectual property that gives a company its competitive advantage. A patent protects a process.
54. When a company chooses to monitor its employees' email, what action must it take? A. Spell out this policy in its Security Policy. B. Remind the employees in a warning banner. C. Provide periodic refresher training. D. All of the above.
54. Answer: D. The company must be transparent about all policies that remove, or could invade, an employee's expected right to privacy. Furthermore, all employees of the company must be subjected to the same monitoring if monitoring is to be deployed. Simply identifying this as a policy is not enough. Neither are warning banners or training sufficient when done separately. All these items are required.
55. Corporations must be able to prove in a court of law that they took reasonable care to protect their employees and their data from crime. What term describes this? A. Prudent person B. Due diligence C. Safety net D. Due care
55. Answer: D. A company must show that it took due care. A prudent person is someone who supplies due care. Due diligence refers to performing proper research so that due care can be supplied. Safety net is a distracter.
56. In a court of law, a case revolves around whether a particular license was signed by a particular person. Which evidence would be the best evidence to provide the court in this case? A. A clear copy of a dated licensing agreement B. A witness who saw the license being signed C. A certificate awarded after the license was signed D. The tattered original document, lacking a date
56. Answer: D. The best evidence is an original document. All other answers are secondary evidence and are therefore incorrect.
57. A forensic copy of a suspect's server needs to be created as a what? A. Bit stream copy B. Complete backup C. Archive copy D. Data dump
57. Answer: A. Forensic copies are bit stream copies that include files, slack space, and unallocated clusters.
58. Many crimes that are known to have occurred are not reported to officials. This lack of reporting results in criminals not being prosecuted and keeps improved defensive measures from being developed. Which statement describes the most probable reason for a company's failure to report a crime? A. Expected loss of revenue as soon as the computer is removed for the investigation B. Embarrassment and financial impact C. The belief that someone made a mistake that is unlikely to be repeated D. The desire to quietly study the activity without alerting the criminal
58. Answer: B. There are many reasons why companies do not report security breaches. By far the most common reason is embarrassment or financial impact. Although laws have since changed to require most incidents to be reported, this was not always the case in the past, and some companies preferred to hide this information.
59. Which of the following is not one of the reasons that prosecuting international crime is difficult? A. Lack of universal cooperation B. Low priority C. Ease of extradition D. Outdated laws and technology
59. Answer: C. With computer crime being a global problem, you might think countries would work together to extradite computer criminals. But extradition is not easy. Answers A, B, and D are incorrect because lack of universal cooperation, low priority, and outdated laws and technology are all reasons why criminals are not brought to justice.
6. Clement recently discovered that his grandmother's secret chocolate-chip cookie recipe was stolen and is being used by Mike to sell the exact same cookies at half the price. What intellectual property law has Mike broken? A. Trademark B. Copyright C. Trade secret D. Patent
6. Answer: C. Organizations rely on proprietary information for their survival. This may include formulas, inventions, recipes, strategies, or processes. If this information is improperly disclosed, it could endanger the organization's financial capability to continue as a going concern. In other words, it could potentially cause a bankruptcy. If this information has been illegally acquired, the organization can seek protection and remedies under trade-secret laws.
60. Which of the following best describes the steps an organization takes to implement best security practices? A. Certification B. Due care C. Accreditation D. Due diligence
60. Answer: B. The steps an organization takes to implement best security practices are known as due care. Certification is the technical evaluation that validates a system, process, or procedure. Accreditation is management's formal acceptance of the certified system and its residual risk. Due diligence is the prudent, ongoing management and review that verifies due care is being exercised.
61. What kind of oral or written evidence comes from an eyewitness account? A. Secondary evidence B. Real evidence C. Direct evidence D. Demonstrative evidence
61. Answer: C. Direct evidence is evidence that is provided by oral or written statement. The witness provides this information by means of an eyewitness account. Secondary evidence is a copy or approved duplicate of evidence. Real evidence is evidence that speaks for itself. Demonstrative evidence is evidence that is provided by experts and can be considered opinions.
62. What kind of evidence can be a tangible object, tool, or property that was gathered from the crime scene? A. Secondary evidence B. Real evidence C. Direct evidence D. Demonstrative evidence
62. Answer: B. Real evidence can be a tangible object, tool, or property that was gathered from the crime scene. Secondary evidence is a copy or approved duplicate of evidence. Direct evidence is provided by oral or written statement; the witness provides this information by means of an eyewitness account. Demonstrative evidence is provided by experts and can be considered opinions.
63. How can the term "relevant" best be described? A. An item that has substance or that can be treated as fact B. Reasonably proven C. Tends to prove or disprove facts that are important and material to the case D. Luring someone into creating additional evidence
63. Answer: C. "Relevant" can best be described as something that tends to prove or disprove facts that are important and material to the case. "Material" can best be described as having substance or capable of being treated as fact. "Reliable" can best be described as reasonably proven. "Enticement" can best be described as luring someone into creating additional evidence to help prosecute a crime.
64. Which of the following is not one of the commonly approved reasons that allow law enforcement to seize evidence? A. Suspicion B. Search warrant C. Writ D. Extenuating circumstances
64. Answer: A. Evidence typically can be seized for any of the following reasons: a subpoena, a search warrant, a writ of possession, consent of the owner, or extenuating circumstances. Mere suspicion is not a valid reason.
65. During the incident-handling process, it is critical to detect that a security breach has occurred. With this is mind, which of the following best describes an event? A. A violation of security policy or law B. A noticeable occurrence C. A false negative trigger or event on an IDS D. A negative event on an IDS
65. Answer: B. An event can best be described as a noticeable occurrence. An incident is an event that has been shown to violate security policy and/or law. Neither a negative nor a false negative on an IDS sets off an alarm; a false negative is an attack that went undetected, so it cannot be what tells you a breach occurred.
66. You are asked to set up and configure an IDS. Which of the following is the worst state an IDS can operate in? A. Positive B. False positive C. Negative D. False negative
66. Answer: D. The worst state an IDS can be in is a false negative, because this means an attack took place but the IDS did not detect it. A (true) positive means an attack took place and was detected. A false positive means no attack occurred but an alarm was triggered. A (true) negative means no attack occurred and none was reported.
67. The following statement can be found in which of the following ethical standards? "Act honorably, honestly, justly, responsibly, and legally." A. RFC 1087 B. ISC2 Code of Ethics C. The Computer Game Fallacy D. Generally Accepted Information Security Principles (GAISP)
67. Answer: B. The ISC2 Code of Ethics lays out four items, one of which is to act honorably, honestly, justly, responsibly, and legally. This statement is not found in RFC 1087, Computer Game Fallacy, or GAISP.
68. The following statement can be found in which of the following ethical standards? "Wastes resources." A. RFC 1087 B. ISC2 Code of Ethics C. The Computer Game Fallacy D. Generally Accepted Information Security Principles (GAISP)
68. Answer: A. RFC 1087 characterizes as unethical and unacceptable any activity that purposely (a) seeks to gain unauthorized access to the resources of the Internet, (b) disrupts the intended use of the Internet, (c) wastes resources (people, capacity, computers) through such actions, (d) destroys the integrity of computer-based information, or (e) compromises the privacy of users. These statements are not found in the ISC2 Code of Ethics, the Computer Game Fallacy, or GAISP.
69. The following statement can be found in which of the following ethical standards? "Systems that are not protected are fair game to attack." A. RFC 1087 B. ISC2 Code of Ethics C. The Computer Game Fallacy D. Generally Accepted Information Security Principles (GAISP)
69. Answer: C. The Computer Game Fallacy is the belief that any computer system that is not protected is fair game. This statement is not found in RFC 1087, ISC2 Code of Ethics, or GAISP.
7. Which of the following is not one of the three categories of common law? A. Criminal B. Civil C. Environmental D. Administrative
7. Answer: C. The three categories of common law are criminal, civil, and administrative. Although there may be environmental laws, they would fall under the category of administrative law.
70. The following statement can be found in which of the following ethical standards? "Promote broad awareness of information security." A. RFC 1087 B. ISC2 Code of Ethics C. The Computer Game Fallacy D. Generally Accepted Information Security Principles (GAISP)
70. Answer: D. GAISP seeks to promote good security practices. This statement is not found in the Computer Game Fallacy, RFC 1087, or ISC2 Code of Ethics.
71. Which of the following best describes a logic bomb? A. A program or portion of a program that remains inactive until a specific action occurs B. The action of removing fractions of a cent from each transaction C. A program or portion of a program that can round down a monetary value D. A security-breaking program that is disguised as something benign
71. Answer: A. A logic bomb is a program, or portion of one, that remains inactive until a specific condition is met. The most common trigger is a date or time. Answer B describes a salami attack. Answer C describes a rounding-down attack. Answer D describes a Trojan horse.
72. What is another name for tort law? A. Criminal law B. Civil law C. Administrative D. Regulatory
72. Answer: B. Tort law is civil law. This type of law addresses wrongs against a person or property through financial restitution from the perpetrator. Criminal law uses imprisonment and fines to punish the offender. Administrative and regulatory law both address the regulatory standards that companies must adhere to.
73. You are asked to help in a forensic investigation. Which of the following should you do first? A. Copy the hard drive. B. Copy the USB thumb drive. C. Copy the contents of RAM memory. D. Clear the printer buffer.
73. Answer: C. During a forensic investigation, the analyst should always work from most volatile to least volatile. As such, the contents of memory should be captured first, because they are lost when the system is powered down. The hard drive and thumb drive should be copied later. The printer buffer should not be cleared, because it may itself contain evidence.
74. As a forensic specialist, you are asked which of the following actions would most help with the admissibility of computer evidence. A. Back up all computer files on the hard drive. B. Create a bit-level mirror image of the hard drive. C. Use the copy command to duplicate the hard drive. D. Reboot the hard drive with a write blocker before using a backup tool to logically copy all files.
74. Answer: B. A bit-level copy of the hard drive is the best possible answer. A bit-level copy captures all files along with drive slack, file slack, and unallocated space. A logical copy, a backup, or the copy command copies only allocated files and therefore does not produce an exact duplicate. A write blocker is good practice, but it does not make a logical copy complete.
75. What is the primary reason for the importance of the chain of custody? A. It is used to account for everyone who had access to the evidence. B. It is used to prevent challenges from the defense. C. It is used to verify the admissibility and accuracy of the information contained within. D. It is used to verify the accuracy of the duplication process.
75. Answer: A. The chain of custody is used to account for everyone who had access to the information or data. Chain of custody is important because it verifies that the information remains in an unchanged state. Its primary purpose is not to prevent challenges from the defense, verify admissibility, or verify the accuracy of the duplication process.
76. Who is responsible for PCI-DSS standards? A. ISO B. EU C. U.S. Government D. Major credit-card companies
76. Answer: D. The major credit-card companies, such as MasterCard, Visa, and American Express, are responsible for the PCI-DSS standards, which they maintain through the international PCI council. The standard is not U.S.-specific or European-specific, and it is not overseen by ISO. More than 70 companies currently participate on the board.
77. Which of the following protects the expression of ideas? A. Patent B. Copyright C. Trademark D. Tradedress
77. Answer: B. Copyright covers the expression of ideas and not the ideas themselves; therefore, answers A, C, and D are incorrect.
78. Which of the following legal systems covers two or more legal systems? A. Religious law B. Civil law C. Mixed law D. Dual law
78. Answer: C. A mixed law system is composed of two or more legal systems, for example civil law alongside religious or common law. Answers A, B, and D are incorrect.
79. Which of the following is the primary reason for chain of custody? A. To prevent the defense from challenging B. To demonstrate it was properly controlled and handled C. To verify whether the copy that was used is admissible D. To verify changes to data
79. Answer: B. For evidence to be admissible in court, it must be shown that it was properly controlled and handled at every step from collection to presentation. The chain of custody records who had the evidence, when, and what was done to it, so that its integrity can be demonstrated.
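The distinction between a bit-stream image and a logical copy (questions 57 and 74), and the hash verification behind a chain-of-custody record (questions 75 and 79), are easier to see on a concrete volume. The following is an added example, not part of the study guide: it builds a constructed toy volume in a temporary directory, images it two ways, and shows that residual data in file slack and an unallocated cluster survives only in the bit-stream copy. The cluster layout, file name, examiner name, and custody-record format are assumptions for illustration.

```python
"""Bit-stream vs logical copy of a constructed toy volume, with hash
verification and a minimal chain-of-custody log. Added example; the
volume layout, names and record format are assumptions, not from the page."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CLUSTER = 512  # assumed cluster size of the toy volume


def _put(buf, offset, data):
    """Overwrite bytes in place without changing the buffer length."""
    buf[offset:offset + len(data)] = data


def build_toy_volume(path):
    """Constructed sample: 4 clusters. Cluster 0 holds a directory entry
    saying file.txt occupies cluster 1 with length 100. Cluster 1 holds the
    file content followed by residual data in the file slack. Cluster 2 is
    an unallocated cluster holding the remains of a deleted file."""
    vol = bytearray(CLUSTER * 4)
    _put(vol, 0, b"file.txt cluster=1 length=100")
    _put(vol, CLUSTER, b"A" * 100)                           # allocated content
    _put(vol, CLUSTER + 100, b"SLACK: old password=hunter2")  # file slack
    _put(vol, 2 * CLUSTER, b"DELETED: memo to co-conspirator")  # unallocated
    with open(path, "wb") as f:
        f.write(vol)


def sha256_file(path, block_size=4096):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def bitstream_image(src, dst, block_size=4096):
    """Copy every byte of src to dst, hashing as it is read. Returns the
    acquisition hash, which is later compared against the stored image."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(block_size), b""):
            h.update(block)
            fout.write(block)
    return h.hexdigest()


def logical_copy(src, dst):
    """What a file-level backup or copy command captures: only the 100
    allocated bytes named by the directory entry, nothing in slack or
    unallocated clusters."""
    with open(src, "rb") as fin:
        fin.seek(CLUSTER)
        data = fin.read(100)
    with open(dst, "wb") as fout:
        fout.write(data)


def contains(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()


def custody_entry(log, action, who, path):
    """Append one chain-of-custody record: who did what to which artefact,
    when, and the artefact's hash at that moment."""
    log.append({"when": datetime.now(timezone.utc).isoformat(), "who": who,
                "action": action, "artefact": os.path.basename(path),
                "sha256": sha256_file(path)})


def demo():
    """Run the whole acquisition in a temporary directory and report results."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.img")
        image = os.path.join(d, "evidence.dd")
        logical = os.path.join(d, "logical.bin")
        build_toy_volume(src)
        custody = []
        custody_entry(custody, "received original media", "examiner A", src)
        acq_hash = bitstream_image(src, image)
        custody_entry(custody, "bit-stream image created", "examiner A", image)
        logical_copy(src, logical)
        return {
            "image_matches_source": acq_hash == sha256_file(src) == sha256_file(image),
            "slack_in_bitstream": contains(image, b"hunter2"),
            "deleted_in_bitstream": contains(image, b"DELETED"),
            "slack_in_logical": contains(logical, b"hunter2"),
            "deleted_in_logical": contains(logical, b"DELETED"),
            "custody": custody,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two custody records carry the same SHA-256, which is what lets an examiner show that the image presented in court is byte-for-byte the media that was seized; the logical copy, by contrast, contains neither the slack data nor the deleted memo.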
8. You are part of a study group that is preparing for the CISSP exam. Each group member must present a certain body of knowledge each week. You are asked to discuss the six categories of computer crimes as they are identified by ISC2. Which of the following is not one of those types of attacks? A. Grudge attacks B. Financial attacks C. Malicious attacks D. Fun attacks
8. Answer: C. The CISSP CBK identifies six types of computer crimes: grudge attacks, financial attacks, fun attacks, business attacks, military attacks, and terrorist attacks.
9. Brad overhears someone say that Bryce is planning to attack John's computer network. What type of evidence would a court consider this testimony? A. Best evidence B. Hearsay C. Conclusive D. Admissible
9. Answer: B. Hearsay evidence is defined as information that is not based on personal firsthand knowledge but was obtained through third parties. As such, it may not be admissible in court. Best evidence is recorded, written, or photographed. Conclusive evidence is irrefutable. Admissible evidence is any evidence that can be allowed in court.