CISSP | Test Questions | Domain 7 | Security Operations

Developing safe software is crucial to prevent loss of life, property damage, or liability. Which of the following practices is least useful to ensuring a safe software product? a. Use high coupling between critical functions and data from noncritical ones. b. Use low data coupling between critical units. c. Implement a fail-safe recovery system. d. Specify and test for unsafe conditions.

a. "Critical" may be defined as pertaining to safety, efficiency, and reliability. Each application system needs a clear definition of what "critical" means to it. Software hazards analysis and fault tree analysis can be performed to trace system-level hazards (for example, unsafe conditions) through design or coding structures back to software requirements that could cause the hazards. Functions and features of software that participate in avoiding unsafe conditions are termed critical. Critical functions and data should be separated from noncritical ones with low coupling, not with high coupling. Avoiding unsafe conditions or ensuring safe conditions is achieved by separating the critical units from noncritical units, by low data coupling between critical units, and by fail-safe recovery from unsafe conditions when they occur, and by testing for unsafe conditions. Data coupling is the sharing or passing of simple data between system modules via parameter lists. A low data coupling is preferred at interfaces as it is less error prone, ensuring a safety product.

For large software development projects, which of the following models provides greater satisfactory results on software reliability? a. Fault count model b. Mean-time-between-failures model c. Simple ratio model d. Simple regression model

a. A fault (defect) is an incorrect step, process, or data definition in a computer program, and it is an indication of reliability. Fault count models give more satisfactory results than the mean-time-between-failures (MTBF) model because the latter is used for hardware reliability. Simple ratio and simple regression models handle few variables and are used for small projects.

There is a possibility that incompatible functions may be performed by the same individual either in the IT department or in the user department. One compensating control for this situation is the use of: a. Log b. Hash totals c. Batch totals d. Check-digit control

a. A log, preferably a computer log, records the actions or inactions of an individual during his access to a computer system or a data file. If any abnormal activities occur, the log can be used to trace them. The purpose of a compensating control is balancing weak controls with strong controls. The other three choices are examples of application system-based specific controls not tied to an individual action, as a log is.

Which of the following is an example of improper separation of duties? a. Computer security is embedded into computer operations. b. Security administrators are separate from security auditors. c. Mission-critical functions and support functions are separate from each other. d. Quality assurance is separate from network security.

a. A natural tension often exists between computer security and computer operations functions. Some organizations embed a computer security program in computer operations to resolve this tension. The typical result of this organizational strategy is a computer security program that lacks independence, has minimal authority, receives little management attention, and has few resources to work with. The other three choices are examples of proper separation of duties.

All the following are examples of normal backup strategies except: a. Ad hoc backup b. Full backup c. Incremental backup d. Differential backup

a. Ad hoc means when needed and irregular. Ad hoc backup is not a well-thought-out strategy because there is no systematic way of backing up required data and programs. Full (normal) backup archives all selected files and marks each as having been backed up. Incremental backup archives only those files created or changed since the last normal backup and marks each file. Differential backup archives only those files that have been created or changed since the last normal backup. It does not mark the files as backed up. The backups mentioned in other three choices have a systematic procedure.

Fail-soft control is an example of which of the following? a. Continuity controls b. Accuracy controls c. Completeness controls d. Consistency controls

a. As a part of the preventive control category, fail-soft is a continuity control. It is the selective termination of affected nonessential processing when a hardware or software failure is detected in a computer system. A computer system continues to function because of its resilience. Accuracy controls are incorrect because they include data editing and validation routines. Completeness controls are incorrect because they look for the presence of all the required values or elements. Consistency controls are incorrect because they ensure repeatability of certain transactions with the same attributes.

Which of the following surveillance techniques is passive in nature? a. Audit logs b. Keyboard monitoring c. Network sniffing d. Online monitoring

a. Audit logs collect data passively on computer journals or files for later review and analysis followed by action. The other three choices are examples of active surveillance techniques where electronic (online) monitoring is done for immediate review and analysis followed by action.

Automatic file restoration requires which of the following? a. Log file and checkpoint information b. Access file and check digit information c. Transaction file and parity bit information d. Backup file and checkpoint information

a. Automatic file restoration requires log file and checkpoint information to recover from a system crash. A backup file is different from a log file in that it can be a simple copy of the original file whereas a log file contains specific and limited information. The other three choices do not have the log file capabilities.

Which of the following is not an effective, active, and preventive technique to protect the integrity of audit information and audit tools? a. Backing up the audit records b. Using a cryptographic-signed hash c. Protecting the key used to generate the hash d. Using the public key to verify the hash

a. Backing up the audit records is a passive and detective action, and hence not effective in protecting integrity. In general, backups provide availability of data, not integrity of data, and they are there when needed. The other three choices, which are active and preventive, use cryptographic mechanisms (for example, keys and hashes), and therefore are effective in protecting the integrity of audit-related information.

In which of the following types of denial-of-service attacks does a host send many requests with a spoofed source address to a service on an intermediate host? a. Reflector attack b. Amplifier attack c. Distributed attack d. SYNflood attack

a. Because the intermediate host unwittingly performs the attack, that host is known as reflector. During a reflector attack, a denial-of-service (DoS) could occur to the host at the spoofed address, the reflector itself, or both hosts. The amplifier attack does not use a single intermediate host, like the reflector attack, but uses a whole network of intermediate hosts. The distributed attack coordinates attacks among several computers. A synchronous (SYN) flood attack is a stealth attack because the attacker spoofs the source address of the SYN packet, thus making it difficult to identify the perpetrator.

Audit trails should be reviewed. Which of the following methods is not the best way to perform a query to generate reports of selected information? a. By a known damage or occurrence b. By a known user identification c. By a known terminal identification d. By a known application system name

a. Damage or the occurrence of an undesirable event cannot be anticipated or predicted in advance, thus making it difficult to make a query. The system design cannot handle unknown events. Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers need to understand what normal activity looks like. An audit trail review is easier if the audit trail function can be queried by user ID, terminal ID, application system name, date and time, or some other set of parameters to run reports of selected information.

The demand for reliable computing is increasing. Reliable computing has which of the following desired elements in computer systems? a. Data integrity and availability b. Data security and privacy c. Confidentiality and modularity d. Portability and feasibility

a. Data integrity and availability are two important elements of reliable computing. Data integrity is the concept of ensuring that data can be maintained in an unimpaired condition and is not subject to unauthorized modification, whether intentional or inadvertent. Products such as backup software, antivirus software, and disk repair utility programs help protect data integrity in personal computers (PCs) and workstations. Availability is the property that a given resource will be usable during a given time period. PCs and servers are becoming an integral part of complex networks with thousands of hardware and software components (for example, hubs, routers, bridges, databases, and directory services) and the complex nature of client/server networks drives the demand for availability. System availability is increased when system downtime or outages are decreased and when fault tolerance hardware and software are used. Data security, privacy, and confidentiality are incorrect because they deal with ensuring that data is disclosed only to authorized individuals and have nothing to do with reliable computing. Modularity deals with the breaking down of a large system into small modules. Portability deals with the ability of application software source code and data to be transported without significant modification to more than one type of computer platform or more than one type of operating system. Portability has nothing to do with reliable computing. Feasibility deals with the degree to which the requirements can be implemented under existing constraints.

Which of the following controls prevents a loss of data integrity in a local-areanetwork (LAN) environment? a. Data mirroring and archiving b. Data correction c. Data vaulting d. Data backup

a. Data mirroring refers to copying data as it is written from one device or machine to another. It prevents data loss. Data archiving is where files are removed from network online storage by copying them to long-term storage media such as optical disks, tapes, or cartridges. It prevents accidental deletion of files. Data correction is incorrect because it is an example of a corrective control where bad data is fixed. Data vaulting is incorrect because it is an example of corrective control. It is a way of storing critical data offsite either electronically or manually. Data backup is incorrect because it is an example of corrective control where a compromised system can be restored.

Regarding media sanitization, degaussing is not effective for which of the following? a. Nonmagnetic media b. Damaged media c. Media with large storage capacity d. Quickly purging diskettes

a. Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. It is not effective for purging nonmagnetic media (i.e., optical media), such as compact discs (CD) and digital versatile discs (DVD). However, degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes.

Which of the following redundant array of independent disks (RAID) technology classifications increases disk overhead? a. RAID-1 b. RAID-2 c. RAID-3 d. RAID-4

a. Disk array technology uses several disks in a single logical subsystem. To reduce or eliminate downtime from disk failure, database servers may employ disk shadowing or data mirroring. A disk shadowing, or RAID-1, subsystem includes two physical disks. User data is written to both disks at once. If one disk fails, all the data is immediately available from the other disk. Disk shadowing incurs some performance overhead (during write operations) and increases the cost of the disk subsystem because two disks are required. RAID levels 2 through 4 are more complicated than RAID-1. Each involves storage of data and error correction code information, rather than a shadow copy. Because the error correction data requires less space than the data, the subsystems have lower disk overhead.

In redundant array of independent disks (RAID) technology, when two drives or disks have a logical joining, it is called: a. Disk concatenation b. Disk striping c. Disk mirroring d. Disk replication

a. Disk concatenation is a logical joining of two series of data or disks. In data concatenation, two or more data elements or data files are often concatenated to provide a unique name or reference. In disk concatenation, several disk address spaces are concatenated to present a single larger address spaces. The other three choices are incorrect. Disk striping has more than one disk and more than one partition, and is same as disk arrays. Disk mirroring occurs when a file server contains two physical disks and one channel, and all information is written to both disks simultaneously. Disk replication occurs when data is written to two different disks to ensure that two valid copies of the data are always available.

What do fault-tolerant hardware control devices include? a. Disk duplexing and mirroring b. Server consolidation c. LAN consolidation d. Disk distribution

a. Disk duplexing means that the disk controller is duplicated. When one disk controller fails, the other one is ready to operate. Disk mirroring means the file server contains duplicate disks, and that all information is written to both disks simultaneously. Server consolidation, local-area network (LAN) consolidation, and disk distribution are meaningless to fault tolerance; although, they may have their own uses.

Indicate the correct sequence of degaussing procedures for magnetic disk files. 1. Write zeros 2. Write a special character 3. Write ones 4. Write nines a. 1, 3, and 2 b. 3, 1, 4, and 2 c. 2, 1, 4, and 3 d. 1, 2, 3, and 4

a. Disk files can be demagnetized by overwriting three times with zeros, ones, and a special character, in that order, so that sensitive information is completely deleted.

Which one of the following types of restores is used when performing system upgrades and reorganizations? a. Full restores b. Individual file restores c. Redirected restores d. Group file restores

a. Full restores are used to recover from catastrophic events or when performing system upgrades and system reorganizations and consolidations. All the data on media is fully restored. Individual file restores, by their name, restore the last version of a file that was written to media because it was deleted by accident or ruined. Redirected restores store files on a different location or system than the one they were copied from during the backup operations. Group file restores handle two or more files at a time.

Who initiates audit trails in computer systems? a. Functional users b. System auditors c. System administrators d. Security administrators

a. Functional users have the utmost responsibility in initiating audit trails in their computer systems for tracing and accountability purposes. Systems and security administrators help in designing and developing these audit trails. System auditors review the adequacy and completeness of audit trails and issue an opinion whether they are effectively working. Auditors do not initiate, design, or develop audit trails due to their independence in attitude and appearance as dictated by their Professional Standards.

What is a common security problem? a. Discarded storage media b. Telephone wiretapping c. Intelligence consultants d. Electronic bugs

a. Here, the keyword is common, and it is relative. Discarded storage media, such as CDs/DVDs, paper documents, and reports, is a major and common problem in every organization. Telephone wiretapping and electronic bugs require expertise. Intelligent consultants gather a company's proprietary data and business information and government trade strategies.

Which of the following is a policy-driven storage media? a. Hierarchical storage management b. Tape management c. Direct access storage device d. Optical disk platters

a. Hierarchical storage management follows a policy-driven strategy in that the data is migrated from one storage medium to another, based on a set of rules, including how frequently the file is accessed. On the other hand, the management of tapes, direct access storage devices, and optical disks is based on schedules, which is an operational strategy.

All the following are examples of denial-of-service attacks except: a. IP address spoofing b. Smurf attack c. SYNflood attack d. Sendmail attack

a. IP address spoofing is falsifying the identity of a computer system on a network. It capitalizes on the packet address the Internet Protocol (IP) uses for transmission. It is not an example of a denial-of-service attack because it does not flood the host computer. Smurf, synchronized flood (SYNflood), and sendmail attacks are examples of denial-of-service attacks. Smurf attacks use a network that accepts broadcast ping packets to flood the target computer with ping reply packets. SYN flood attack is a method of overwhelming a host computer on the Internet by sending the host a high volume of SYN packets requesting a connection, but never responding to the acknowledgment packets returned by the host. Recent attacks against sendmail include remote penetration, local penetration, and remote denial of service.

Which of the following is the best control to prevent a new user from accessing unauthorized file contents when a newly recorded file is shorter than those previously written to a computer tape? a. Degaussing b. Cleaning c. Certifying d. Overflowing

a. If the new file is shorter than the old file, the new user could have open access to the existing file. Degaussing is best used under these conditions and is considered a sound and safe practice. Tape cleaning functions are to clean and then to properly wind and create tension in the computer magnetic tape. Recorded tapes are normally not erased during the cleaning process. Tape certification is performed to detect, count, and locate tape errors and then, if possible, repair the underlying defects so that the tape can be placed back into active status. Overflowing has nothing to do with computer tape contents. Overflowing is a memory or file size issue where contents could be lost due to size limitations.

From a best security practices viewpoint, which of the following falls under the ounceof- prevention category? a. Patch and vulnerability management b. Incident response c. Symmetric cryptography d. Key rollover

a. It has been said that "An ounce of prevention equals a pound of cure." Patch and vulnerability management is the "ounce of prevention" compared to the "pound of cure" in the incident response, in that timely patches to software reduce the chances of computer incidents. Symmetric cryptography uses the same key for both encryption and decryption, whereas asymmetric cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature. Key rollover is the process of generating and using a new key (symmetric or asymmetric key pair) to replace one already in use.

Locking-based attacks result in which of the following? 1. Denial-of-service 2. Degradation-of-service 3. Destruction-of-service 4. Distribution-of-service a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

a. Locking-based attack is used to hold a critical system locked most of the time, releasing it only briefly and occasionally. The result would be a slow running browser without stopping it: degradation-of-service. The degradation-of-service is a mild form of denial-of-service. Destruction of service and distribution of service are not relevant here.

Automated tools help in analyzing audit trail data. Which one of the following tools looks for anomalies in user or system behavior? a. Trend analysis tools b. Audit data reduction tools c. Attack signature detection tools d. Audit data-collection tools

a. Many types of tools have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Trend analysis and variance detection tools look for anomalies in user or system behavior. Audit data reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups. Attack signature detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example is repeated failed log-in attempts. Audit data-collection tools simply gather data for analysis later.

The fraud triangle includes which of the following elements? a. Pressure, opportunity, and rationalization b. Technique, target, and time c. Intent, means, and environment d. Place, ability, and need

a. Pressure includes financial and nonfinancial types, and it could be real or perceived. Opportunity includes real or perceived categories in terms of time and place. Rationalization means the illegal actions are consistent with the perpetrator's personal code of conduct or state of mind.

A dangerous misconception about software quality is that: a. It can be inspected after the system is developed. b. It can be improved by establishing a formal quality assurance function. c. It can be improved by establishing a quality assurance library in the system. d. It is tantamount to testing the software.

a. Quality should be designed at the beginning of the software development and maintenance process. Quality cannot be inspected or tested after the system is developed. Most seem to view final testing as quality testing. At best, this is quality control instead of quality assurance, hopefully preventing shipment of a defective product. Quality in the process needs to be improved, and quality assurance is a positive function. A software product displays quality to the extent that all aspects of the customer's requirements are satisfied. This means that quality is built into the product during its development process rather than inspected at the end. It is too late to inspect the quality when the product is already built. Most assurance is provided when the needs are fully understood, captured, and transformed (designed) into a software product.

Regarding a patch management program, which of the following is not a method of patch remediation? a. Developing a remediation plan b. Installing software patches c. Adjusting configuration settings d. Removing affected software

a. Remediation is the act of correcting vulnerability or eliminating a threat. A remediation plan includes remediation of one or more threats or vulnerabilities facing an organization's systems. The plan typically covers options to remove threats and vulnerabilities and priorities for performing the remediation. Three types of remediation methods include installing a software patch, adjusting a configuration setting, and removing affected software. Removing affected software requires uninstalling a software application. The fact that a remediation plan is developed does not itself provide actual remediation work because actions provide remediation work not just plans on a paper.

Which of the following provides total independence? a. Single-person control b. Dual-person control c. Two physical keys d. Two hardware tokens

a. Single-person control means total independence because there is only one person performing a task or activity. In the other three choices, two individuals or two devices (for example, keys and tokens) work together, which is difficult to bypass unless collusion is involved.

What is an attack in which someone compels system users or administrators into revealing information that can be used to gain access to the system for personal gain called? a. Social engineering b. Electronic trashing c. Electronic piggybacking d. Electronic harassment

a. Social engineering involves getting system users or administrators to divulge information about computer systems, including passwords, or to reveal weaknesses in systems. Personal gain involves stealing data and subverting computer systems. Social engineering involves trickery or coercion. Electronic trashing is incorrect because it involves accessing residual data after a file has been deleted. When a file is deleted, it does not actually delete the data but simply rewrites a header record. The data is still there for a skilled person to retrieve and benefit from. Electronic piggybacking is incorrect because it involves gaining unauthorized access to a computer system via another user's legitimate connection. Electronic harassment is incorrect because it involves sending threatening electronic-mail messages and slandering people on bulletin boards, news groups, and on the Internet. The other three choices do not involve trickery or coercion.

Software flaw remediation is best when it is incorporated into which of the following? a. Configuration management process b. Security assessments c. Continuous monitoring d. Incident response activities

a. Software flaws result in potential vulnerabilities. The configuration management process can track and verify the required or anticipated flaw remediation actions. Flaws discovered during security assessments, continuous monitoring, incident-response activities, or system error handling activities become inputs to the configuration management process. Automated patch management tools should facilitate flaw remediation by promptly installing security-relevant software updates (for example, patches, service packs, and hot fixes).

Which of the following identifies required functionality to protect against or mitigate failure of the application software? a. Software safety analysis b. Software hazard analysis c. Software fault tree analysis d. Software sneak circuit analysis

a. Software needs to be developed using specific software development and software assurance processes to protect against or mitigate failure of the software. A complete software safety standard references other standards that address these mechanisms and includes a software safety policy identifying required functionality to protect against or mitigate failure. Software hazard analysis is incorrect because it is a part of software safety. Hazard analysis is the process of identifying and evaluating the hazards of a system, and then making change recommendations that either eliminate the hazard or reduce its risk to an acceptable level. Software hazard analysis makes recommendations to eliminate or control software hazards and hazards related to interfaces between the software and the system (includes hardware and human components). It includes analyzing the requirements, design, code, user interfaces, and changes. Software hazards may occur if the software is improperly developed (designed), the software dispatches incorrect information, or the software fails to transmit information when it should. Software fault tree analysis is incorrect because its purpose is to demonstrate that the software will not cause a system to reach an unsafe state, and to discover what environmental conditions will allow the system to reach an unsafe state. Software fault tree analysis is often conducted on the program code but can also be applied at other stages of the life cycle process (for example, requirements and design). This analysis is not always applied to all the program code, only to the portion that is safety critical. Software sneak analysis is incorrect because it is based on sneak circuit analysis, which is used to evaluate electrical circuitry—hence the name software sneak circuit analysis. Sneaks are the latest design conditions or design flaws that have inadvertently been incorporated into electrical, software, and integrated systems designs. They are not caused by component failure.

Which of the following factors is an important consideration during application system design and development project? a. Software safety b. Completing the project on schedule c. Spending less than budgeted d. Documenting all critical work

a. Software safety is important compared to the other three choices because lack of safety considerations in a computer-based application system can cause danger or injury to people and damage to equipment and property.

Which of the following determines the system availability rate for a computer-based application system? a. (Available time / scheduled time) x 100 b. [(1 + available time) / (scheduled time)] x 100 c. [(Available time)/(1 - scheduled time)] x 100 d. [(Available time - scheduled time) / (scheduled time)] x 100

a. System availability is expressed as a rate between the number of hours the system is available to the users during a given period and the scheduled hours of operation. Overall hours of operation also include sufficient time for scheduled maintenance activities. Scheduled time is the hours of operation, and available time is the time during which the computer system is available to the users.

In which of the following areas do the objectives of systems auditors and information systems security officers overlap the most? a. Determining the effectiveness of security-related controls b. Evaluating the effectiveness of communicating security policies c. Determining the usefulness of raising security awareness levels d. Assessing the effectiveness of reducing security incidents

a. The auditor's objective is to determine the effectiveness of security-related controls. The auditor reviews documentation and tests security controls. The other three choices are the sole responsibilities of information systems security officers.

The automatic termination and protection of programs when a failure is detected in a computer system are called a: a. Fail-safe b. Fail-soft c. Fail-over d. Fail-open

a. The automatic termination and protection of programs when a failure is detected in a computer system is called fail-safe. The selective termination of affected nonessential processing when a failure is detected in a computer system is called a fail-soft. Fail-over means switching to a backup mechanism. Fail-open means that a program has failed to open due to errors or failures.

The scope of formal technical reviews conducted for software defect removal would not include: a. Configuration management specification b. Requirements specification c. Design specification d. Test specification

a. The formal technical review is a software quality assurance activity that is performed by software developers. The objectives of these reviews are to (i) uncover errors in function and logic, (ii) verify that software under review meets its requirements, (iii) ensure that software represents the predefined standards. Configuration management specifications are a part of project planning documents, not technical documents. The purpose is to establish the processes that the project uses to manage the configuration items and changes to them. Program development, quality, and configuration management plans are subject to review but are not directly germane to the subject of defect removal. The other three choices are incorrect because they are part of technical documents. The subject matter for formal technical reviews includes requirements specifications, detailed design, and code and test specifications. The objectives of reviewing the technical documents are to verify that (i) the work reviewed is traceable to the requirements set forth by the predecessor's tasks, (ii) the work is complete, (iii) the work has been completed to standards, and (iv) the work is correct.

The objective "To provide management with appropriate visibility into the process being used by the software development project and of the products being built" is addressed by which of the following? a. Software quality assurance management b. Software configuration management c. Software requirements management d. Software project management

a. The goals of software quality assurance management include (i) software quality assurance activities are planned, (ii) adherence of software products and activities to the applicable standards, procedures, and requirements is verified objectively, and (iii) noncompliance issues that cannot be resolved are addressed by higher levels of management. The objectives of software configuration management are to establish and maintain the integrity of products of the software project throughout the project's software life cycle. The objectives of software requirements management are to establish a common understanding between the customer and the software project requirements that will be addressed by the software project. The objectives of software project management are to establish reasonable plans for performing the software engineering activities and for managing the software development project.

Which of the following is the foundation of the incident response program? a. Incident response policies b. Incident response procedures c. Incident response standards d. Incident response guidelines

a. The incident response policies are the foundation of the incident response program. They define which events are considered as incidents, establish the organizational structure for the incident response program, define roles and responsibilities, and list the requirements for reporting incidents.

What is the major purpose of conducting a post-incident analysis for a computer security incident? a. To determine how security threats and vulnerabilities were addressed b. To learn how the attack was done c. To re-create the original attack d. To execute the response to an attack

a. The major reason for conducting a post-incident analysis is to determine whether security weaknesses were properly and effectively addressed. Security holes must be plugged to prevent recurrence. The other three choices are minor reasons.

Which of the following updates the applications software and the systems software with patches and new versions? a. Preventive maintenance b. Component maintenance c. Hardware maintenance d. Periodic maintenance

a. The scope of preventive maintenance includes updating applications software and systems software with patches and new versions, replacing failed hardware components, and more. The other three choices are incorrect because they can be a part of corrective maintenance (fixing errors) or remedial maintenance (fixing faults).

Which of the following zero-day attack protection mechanisms is not suitable to computing environments with a large number of users? a. Port knocking b. Access control lists c. Local server-based firewalls d. Hardware-based firewalls

a. The use of port knocking or single packet authorization daemons can provide effective protection against zero-day attacks for a small number of users. However, these techniques are not suitable for computing environments with a large number of users. The other three choices are effective protection mechanisms because they are a part of multiple layer security, providing the first line-of-defense. These include implementing access control lists (one layer), restricting network access via local server firewalling (i.e., IP tables) as another layer, and protecting the entire network with a hardware-based firewall (another layer). All three of these layers provide redundant protection in case a compromise in any one of them is discovered.

A computer security incident handling capability should meet which of the following? a. Users' requirements b. Auditors' requirements c. Security requirements d. Safety requirements

a. There are a number of start-up costs and funding issues to consider when planning an incident handling capability. Because the success of an incident handling capability relies so heavily on the users' perceptions of its worth and whether they use it, it is important that the capability meets users' requirements. Two important funding issues are personnel and education and training.

Which of the following decreases the response time for computer security incidents? a. Electronic mail b. Physical bulletin board c. Terminal and modem d. Electronic bulletin board

a. With computer security incidents, rapid communications is important. The incident team may need to send out security advisories or collect information quickly; thus some convenient form of communication, such as electronic mail (e-mail), is generally highly desirable. With email, the team can easily direct information to various subgroups within the constituency, such as system managers or network managers, and broadcast general alerts to the entire constituency as needed. When connectivity already exists, e-mail has low overhead and is easy to use. Although there are substitutes for e-mail, they tend to increase response time. An electronic bulletin board system (BBS) can work well for distributing information, especially if it provides a convenient user interface that encourages its use. A BBS connected to a network is more convenient to access than one requiring a terminal and modem; however, the latter may be the only alternative for organizations without sufficient network connectivity. In addition, telephones, physical bulletin boards, and flyers can be used, but they increase response time.

Denial-of-service attacks compromise which one of the following properties of information systems? a. Integrity b. Availability c. Confidentiality d. Reliability

b. A denial-of-service (DoS) is an attack in which one user takes up so much of the shared resource that none of the resource is left for other users. It compromises the availability of system resources (for example, disk space, CPU, print paper, and modems), resulting in degradation or loss of service. A DoS attack does not affect integrity because the latter is a property that an object is changed only in a specified and authorized manner. A DoS attack does not affect confidentiality because the latter is a property ensuring that data is disclosed only to authorized subjects or users. A DoS attack does not affect reliability because the latter is a property defined as the probability that a given system is performing its mission adequately for a specified period of time under the expected operating conditions.

Which of the following protects the information confidentiality against a robust keyboard attack? a. Disposal b. Clearing c. Purging d. Destroying

b. A keyboard attack is a data scavenging method using resources available to normal system users with the help of advanced software diagnostic tools. Clearing information is the level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Clearing must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction. Purging is removing obsolete data by erasure, by overwriting of storage, or by resetting registers. Destroying is ensuring that media cannot be reused as originally intended.

Which of the following is not a special privileged user? a. System administrator b. Business end-user c. Security administrator d. Computer operator

b. A special privileged user is defined as an individual who has access to system control, monitoring, or administration functions. A business end-user is a normal system user performing day-to-day and routine tasks required by his job duties, and should not have special privileges as does with the system administrator, security administrator, computer operator, system programmer, system maintainer, network administrator, or desktop administrator. Privileged users have access to a set of access rights on a given system. Privileged access to privileged function should be limited to only few individuals in the IT department and should not be given to or shared with business end-users who are so many.

A computer fraud occurred using an online accounts receivable database application system. Which of the following logs is most useful in detecting which data files were accessed from which terminals? a. Database log b. Access control security log c. Telecommunications log d. Application transaction log

b. Access control security logs are detective controls. Access logs show who accessed what data files, when, and from what terminal, including the nature of the security violation. The other three choices are incorrect because database logs, telecommunication logs, and application transaction logs do not show who accessed what data files, when, and from what terminal, including the nature of the security violation.

Which of the following must be manually keyed into an automated IT resources inventory tool used in patch management to respond quickly and effectively? a. Connected network port b. Physical location c. Software configuration d. Hardware configuration

b. Although most information can be taken automatically from the system data, the physical location of an IT resource must be manually entered. Connected network port numbers can be taken automatically from the system data. Software and hardware configuration information can be taken automatically from the system data.

An audit trail record should include sufficient information to trace a user's actions and events. Which of the following information in the audit trail record helps the most to determine if the user was a masquerader or the actual person specified? a. The user identification associated with the event b. The date and time associated with the event c. The program used to initiate the event d. The command used to initiate the event

b. An audit trail should include sufficient information to establish what events occurred and who (or what) caused them. Date and timestamps can help determine if the user was a masquerader or the actual person specified. With date and time, one can determine whether a specific user worked on that day and at that time. The other three choices are incorrect because the masquerader could be using a fake user identification (ID) number or calling for invalid and inappropriate programs and commands. In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result.

Which of the following is not an example of denial-of-service attacks? a. Flaw-based attacks b. Information attacks c. Flooding attacks d. Distributed attacks

b. An information attack is not relevant here because it is too general. Flaw-based attacks take advantage of a flaw in the target system's software to cause a processing failure, escalate privileges, or to cause it to exhaust system resources. Flooding attacks simply send a system more information than it can handle. A distributed attack is a subset of denial-of-service (DoS) attacks, where the attacker uses multiple computers to launch the attack and flood the system.

All the following are examples of technical controls for ensuring information systems security except: a. User identification and authentication b. Assignment of security responsibility c. Access controls d. Data validation controls

b. Assignment of security responsibility is a part of management controls. Screening of personnel is another example of management controls. The other three choices are part of technical controls.

Audit trail records contain vast amounts of data. Which of the following review methods is best to review all records associated with a particular user or application system? a. Batch-mode analysis b. Real-time audit analysis c. Audit trail review after an event d. Periodic review of audit trail data

b. Audit trail data can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Audit analysis tools can be used in a real-time, or near real-time, fashion. Manual review of audit records in real time is not feasible on large multiuser systems due to the large volume of records generated. However, it might be possible to view all records associated with a particular user or application and view them in real time. Batch-mode analysis is incorrect because it is a traditional method of analyzing audit trails. The audit trail data are reviewed periodically. Audit records are archived during that interval for later analysis. The three incorrect choices do not provide the convenience of displaying or reporting all records associated with a user or application, as do the real-time audit analysis.

Which of the following statements is not true about audit trails from a computer security viewpoint? a. There is interdependency between audit trails and security policy. b. If a user is impersonated, the audit trail establishes events and the identity of the user. c. Audit trails can assist in contingency planning. d. Audit trails can be used to identify breakdowns in logical access controls.

b. Audit trails have several benefits. They are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, audit trails collect events and associate them with the perceived user (i.e., the user ID provided). If a user is impersonated, the audit trail establishes events but not the identity of the user. It is true that there is interdependency between audit trails and security policy. Policy dictates who has authorized access to particular system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails. It is true that audit trails can assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files). It is true that audit trails can be used to identify breakdowns in logical access controls. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity by identifying breakdowns in logical access controls or verifying that access control restrictions are behaving as expected.

What are labels used on internal data structures called? a. Automated marking b. Automated labeling c. Hard-copy labeling d. Output labeling

b. Automated labeling refers to labels used on internal data structures such as records and files within the information system. Automated marking refers to labels used on external media such as hard-copy documents and output from the information system (for example, reports).

From a CleanRoom software engineering viewpoint, software quality is certified in terms of: a. Mean-time between failures (MTBF) b. Mean-time-to-failure (MTTF) c. Mean-time-to-repair (MTTR) d. Mean-time between outages (MTBO)

b. CleanRoom operations are carried out by small independent development and certification (test) teams. In CleanRoom, all testing is based on anticipated customer usage. Test cases are designed to practice the more frequently used functions. Therefore, errors that are likely to cause frequent failures to the users are found first. For measurement, software quality is certified in terms of mean-time-to failure (MTTF). MTTF is most often used with safetycritical systems such as airline traffic control systems because it measures the time taken for a system to fail for the first time. Mean-time between failures (MTBF) is incorrect because it is the average length of time a system is functional. Mean-time-to-repair (MTTR) is incorrect because it is the total corrective maintenance time divided by the total number of corrective maintenance actions during a given period of time. Mean-time-between outages (MTBO) is incorrect because it is the mean time between equipment failures that result in loss of system continuity or unacceptable degradation.

Which of the following is an example of a reactive approach to software security? a. Patch-and-patch b. Penetrate-and-patch c. Patch-and-penetrate d. Penetrate-and-penetrate

b. Crackers and hackers attempt to break into computer systems by finding flaws in software, and then system administrators apply patches sent by vendors to fix the flaws. In this scenario of penetrate-and-patch, patches are applied after penetration has occurred, which is an example of a reactive approach. The scenario of patch-and patch is good because one is always patching, which is a proactive approach. The scenario of patch-and-penetrate is a proactive approach in which organizations apply vendor patches in a timely manner. There is not much damage done when crackers and hackers penetrate (break) into the computer system because all known flaws are fixed. In this scenario, patches are applied before penetration occurs. The scenario of penetrate-and-penetrate is bad because patches are not applied at all or are not effective.

Which of the following is the most malicious Internet-based attack? a. Spoofing attack b. Denial-of-service attack c. Spamming attack d. Locking attack

b. Denial-of-service (DoS) attack is the most malicious Internet-based attack because it floods the target computer with hundreds of incomplete Internet connections per second, effectively preventing any other network connections from being made to the victim network server. The result is a denial-of-service to users, consumption of system resources, or a crash in the target computer. Spoofing attacks use various techniques to subvert IP-based access control by masquerading as another system by using its IP address. Spamming attacks post identical messages to multiple unrelated newsgroups. They are often used in cheap advertising to promote pyramid schemes or simply to annoy people. Locking attack prevents users from accessing and running shared programs such as those found in Microsoft Office product.

Which of the following incident response life-cycle phases is most challenging for many organizations? a. Preparation b. Detection c. Recovery d. Reporting

b. Detection, for many organizations, is the most challenging aspect of the incident response process. Actually detecting and assessing possible incidents is difficult. Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem is not an easy task. The other three phases such as preparation, recovery, and reporting are not that challenging. The scope of preparation and prevention phase covers establishing plans, policies, and procedures. The scope of recovery phase includes containment, restore, and eradication. The scope of reporting phase involves understanding the internal and external reporting requirements in terms of the content and timeliness of the reports.

Which of the following can prevent dumpster diving? a. Installing surveillance equipment b. Using a data destruction process c. Hiring additional staff to watch data destruction d. Sending an e-mail message to all employees

b. Dumpster diving can be avoided by using a high-quality data destruction process on a regular basis. This should include paper shredding and electrical disruption of data on magnetic media such as tape, cartridge, or disk.

Redundant arrays of independent disks (RAID) provide which of the following security services most? a. Data confidentiality b. Data reliability c. Data availability d. Data integrity

b. Forensic investigators are encountering redundant arrays of independent disks (RAID) systems with increasing frequency as businesses elect to utilize systems that provide greater data reliability. RAID provides data confidentiality, data availability, and data integrity security services to a lesser degree than data reliability.

Which of the following data integrity problems can be caused by multiple sources? a. Disk failure b. File corruption c. Power failure d. Memory failure

b. Hardware malfunction, network failures, human error, logical errors, and other disasters are possible threats to ensuring data integrity. Files can be corrupted as a result of some physical (hardware) or network problems. Files can also become corrupted by some flaw in an application program's logic. Users can contribute to this problem due to inexperience, accidents, or missed communications. Therefore, most data integrity problems are caused by file corruption. Disk failure is a hardware malfunction caused by physical wear and tear. Power failure is a hardware malfunction that can be minimized by installing power conditioning equipment and battery backup systems. Memory failure is an example of hardware malfunction due to exposure to strong electromagnetic fields. File corruption has many problem sources to consider.

Which one of the following database backup strategies is executed when a database is running in a local-area-network environment? a. Cold backup b. Hot backup c. Logical backup d. Offline backup

b. Hot backups are taken when the database is running and updates are being written to it. They depend heavily on the ability of log files to stack up transaction instructions without actually writing any data values into database records. While these transactions are stacking up, the database tables are not being updated, and therefore can be backed up with integrity. One major problem is that if the system crashes in the middle of the backup, all the transactions stacking up in the log file are lost. The idea of cold backup is to shut down the database and back it up while no end users are working on the system. This is the best approach where data integrity is concerned, but it does not service the customer (end user) well. Logical backups use software techniques to extract data from the database and write the results to an export file, which is an image file. The logical backup approach is good for incremental backups. Offline backup is another term for cold backup.

A computer security incident was detected. Which of the following is the best reaction strategy for management to adopt? a. Protect and preserve b. Protect and recover c. Trap and prosecute d. Pursue and proceed

b. If a computer site is vulnerable, management may favor the protect-and-recover reaction strategy because it increases defenses available to the victim organization. Also, this strategy brings normalcy to the network's users as quickly as possible. Management can interfere with the intruder's activities, prevent further access, and begin damage assessment. This interference process may include shutting down the computer center, closing of access to the network, and initiating recovery efforts. Protect-and-preserve strategy is a part of a protect-and-recover strategy. Law enforcement authorities and prosecutors favor the trap-and-prosecute strategy. It lets intruders continue their activities until the security administrator can identify the intruder. In the mean time, there could be system damage or data loss. Pursue-and-proceed strategy is not relevant here.

Regarding incident response data, nonperformance of which one of the following items makes the other items less important? a. Quality of data b. Review of data c. Standard format for data d. Actionable data

b. If the incident response data is not reviewed regularly, the effectiveness of detection and analysis of incidents is questionable. It does not matter whether the data is of high quality with standard format for data, or actionable data. Proper and efficient reviews of incident-related data require people with extensive specialized technical knowledge and experience.

When a system preserves a secure state, during and after a failure is called a: a. System failure b. Fail-secure c. Fail-access d. System fault

b. In fail-secure, the system preserves a secure condition during and after an identified failure. System failure and fault are generic and do not preserve a secure condition like failsecure. Fail-access is a meaningless term here.

All the following are tools that help both system intruders and systems administrators except: a. Network discovery tools b. Intrusion detection tools c. Port scanners d. Denial-of-service test tools

b. Intrusion detection tools detect computer attacks in several ways: (i) outside of a network's firewall, (ii) behind a network's firewall, or (iii) within a network to monitor insider attacks. Network discovery tools and port scanners can be used both by intruders and system administrators to find vulnerable hosts and network services. Similarly, denial-of-service test tools can be used to determine how much damage can be done to a computing site.

The return on investment on quality is highest in which of the following software defect prevention activities? a. Code inspection b. Reviews with users c. Design reviews d. Unit test

b. It is possible to quantify the return on investment (ROI) for various quality improvement activities. Studies have shown that quality ROI is highest when software products are reviewed with user customers. This is followed by code inspection by programmers, design reviews with the project team, and unit testing by programmers.

Network availability is increased with which of the following? a. Data redundancy b. Link redundancy c. Software redundancy d. Power redundancy

b. Link redundancy, due to redundant cabling, increases network availability because it provides a parallel path that runs next to the main data path and a routing methodology that can establish an alternative path in case the main path fails. The other three redundancies are good in their own way, but they do not increase network availability. In other words, there are two paths: a main path and an alternative path.

What is a detective control in a computer operations area? a. Policy b. Log c. Procedure d. Standard

b. Logs, whether manual or automated, capture relevant data for further analysis and tracing. Policy, procedure, and standard are directive controls and are part of management controls because they regulate human behavior.

Predictable failure prevention means protecting an information system from harm by considering which of the following? a. Mean-time-to-repair (MTTR) b. Mean-time-to-failure (MTTF) c. Mean-time between failures (MTBF) d. Mean-time between outages (MTBO)

b. MTTF focuses on the potential failure of specific components of the information system that provide security capability. MTTF is the amount of mean-time to the next failure. MTTR is the amount of time it takes to resume normal operation. MTBF is the average length of time the system is functional. MTBO is the mean time between equipment failures that result in a loss of system continuity or unacceptable degradation.

As the information system changes over time, which of the following is required to maintain the baseline configuration? a. Enterprise architecture b. New baselines c. Operating system d. Network topology

b. Maintaining the baseline configuration involves creating new baselines as the information system changes over time. The other three choices deal with information provided by the baseline configuration as a part of standard operating procedure.

Performing automated deployment of patches is difficult for which of the following? a. Homogeneous computing platforms b. Legacy systems c. Standardized desktop systems d. Similarly configured servers

b. Manual patching is useful and necessary for many legacy and specialized systems due to their nature. Automated patching tools allow an administrator to update hundreds or even thousands of systems from a single console. Deployment is fairly simple when there are homogeneous computing platforms, with standardized desktop systems, and similarly configured servers.

Which of the following is not allowed when an information system cannot be sanitized due to a system failure? a. Periodic maintenance b. Remote maintenance c. Preventive maintenance d. Detective maintenance

b. Media sanitization (scrubbing) means removing information from media such that information recovery is not possible. Specifically, it removes all labels, markings, and activity logs. An organization approves, controls, and monitors remotely executed maintenance and diagnostic activities. If the information system cannot be sanitized due to a system failure, remote maintenance is not allowed because it is a high-risk situation. The other three types of maintenance are low risk situations.

Media sanitization ensures which of the following? a. Data integrity b. Data confidentiality c. Data availability d. Data accountability

b. Media sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance, in proportion to the confidentiality of the data, that the data may not be retrieved and reconstructed. The other three choices are not relevant here.

Which of the following items is not related to the other items? a. Keystroke monitoring b. Penetration testing c. Audit trails d. Telephone wiretap

b. Penetration testing is a test in which the evaluators attempt to circumvent the security features of a computer system. It is unrelated to the other three choices. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. It is considered as a special case of audit trails. Some consider the keystroke monitoring as a special case of unauthorized telephone wiretap and others are not.

In software configuration management, changes to software should be subjected to which of the following types of testing prior to software release and distribution? a. Black-box testing b. Regression testing c. White-box testing d. Gray-box testing

b. Regression testing is a method to ensure that changes to one part of the software system do not adversely impact other parts. The other three choices do not have such capabilities. Black-box testing is a functional analysis of a system, and known as generalized testing. Whitebox testing is a structural analysis of a system, and known as detailed testing or logic testing. Gray-box testing assumes some knowledge of the internal structures and implementation details of the assessment object, and known as focused testing.

Regarding media sanitization, what is residual information remaining on storage media after clearing called? a. Residue b. Remanence c. Leftover data d. Leftover information

b. Remanence is residual information remaining on storage media after clearing. Choice (a) is incorrect because residue is data left in storage after information-processing operations are complete but before degaussing or overwriting (clearing) has taken place. Leftover data and leftover information are too general as terms to be of any use here.

Which of the following corrects faults and returns a system to operation in the event a system component fails? a. Preventive maintenance b. Remedial maintenance c. Hardware maintenance d. Software maintenance

b. Remedial maintenance corrects faults and returns the system to operation in the event of hardware or software component fails. Preventive maintenance is incorrect because it is done to keep hardware in good operating condition. Both hardware and software maintenance are included in the remedial maintenance.

Which of the following is not essential to ensure operational assurance of a computer system? a. System audits b. System changes c. Policies and procedures d. System monitoring

b. Security is not perfect when a system is implemented. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare over time, and procedures become outdated. Thinking risk is minimal, users may tend to bypass security measures and procedures. Operational assurance is the process of reviewing an operational system to see that security controls, both automated and manual, are functioning correctly and effectively. To maintain operational assurance, organizations use three basic methods: system audits, policies and procedures, and system monitoring. A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users. In general, the more real time an activity is, the more it falls into the category of monitoring. Policies and procedures are the backbone for both auditing and monitoring. System changes drive new requirements for changes. In response to various events such as user complaints, availability of new features and services, or the discovery of new threats and vulnerabilities, system managers and users modify the system and incorporate new features, new procedures, and software updates. System changes by themselves do not assure that controls are working properly.

Which one of the following is a direct example of social engineering from a computer security viewpoint? a. Computer fraud b. Trickery or coercion techniques c. Computer theft d. Computer sabotage

b. Social engineering is a process of tricking or coercing people into divulging their passwords. Computer fraud involves deliberate misrepresentation, alteration, or disclosure of data to obtain something of value. Computer theft involves stealing of information, equipment, or software for personal gain. Computer sabotage includes planting a Trojan horse, trapdoor, time bomb, virus, or worm to perform intentional harm or damage. The difference in the other three choices is that there is no trickery or coercion involved.

Which of the following is an example of a static quality attribute of a software product? a. Mean-time-between-failure b. Simplicity in functions c. Mean-time-to-repair d. Resource utilization statistics

b. Software quality attributes can be classified as either dynamic or static. Dynamic quality attributes are validated by examining the dynamic behavior of software during its execution. Examples include mean time between failures (MTBF), mean-time-to-repair (MTTR), failure recovery time, and percent of available resources used (i.e., resource utilization statistics). Static quality attributes are validated by inspecting nonexecuting software products and include modularity, simplicity, and completeness. Simplicity looks for straightforward implementation of functions. It is the characteristic of software that ensures definition and implementation of functions in the most direct and understandable manner. Reliability models can be used to predict software reliability (for example, MTBF and MTTR) based on the rate of occurrence of defects and errors. There is a trade-off between complexity and security, meaning that complex systems are difficult to secure whereas simple systems are easy to secure.

Information availability controls do not include which of the following? a. Backup and recovery b. Storage media c. Physical and logical security d. Alternative computer equipment and facilities

b. Storage media has nothing to do with information availability. Data will be stored somewhere on some media. It is not a decision criterion. Management's goal is to gather useful information and to make it available to authorized users. System backup and recovery procedures and alternative computer equipment and facilities help ensure that the recovery is as timely as possible. Both physical and logical access controls become important. System failures and other interruptions are common.

System users seldom consider which of the following? a. Internet security b. Residual data security c. Network security d. Application system security

b. System users seldom consider residual data security as part of their job duties because they think it is the job of computer operations or information security staff. Residual data security means data remanence where corporate spies can scavenge discarded magnetic or paper media to gain access to valuable data. Both system users and system managers usually consider the measures mentioned in the other three choices.

Regarding media sanitization, which of the following is the correct order for fully and physically destroying hand-held devices, such as cell phones? 1. Incinerate 2. Disintegrate 3. Pulverize 4. Shred a. 3, 2, 1, and 4 b. 4, 2, 3, and 1 c. 1, 4, 3, and 2 d. 1, 2, 4, and 3

b. The correct order for fully and physically destroying hand-held devices such as cell phones is shred, disintegrate, pulverize, and incinerate. This is the best recommended practice for both public and private sector organizations. Shredding is a method of sanitizing media and is the act of cutting or tearing into small particles. Here, the shredding step comes first to make the cell phone inoperable quickly. Disintegration is a method of sanitizing media and is the act of separating the equipment into component parts. Disintegration cannot be the first step because some determined attacker can assemble these parts and can make the cell phone work. Pulverization is a method of sanitizing media and is the act of grinding to a powder or dust. Incineration is a method of sanitizing media and is the act of burning completely to ashes done in a licensed incinerator. Note that one does not need to complete all these methods, but can stop after any specific method and after reaching the final goal based on the sensitivity and criticality of data on the device.

In terms of security functionality verification, which of the following is the correct order of information system's transitional states? 1. Startup 2. Restart 3. Shutdown 4. Abort a. 1, 2, 3, and 4 b. 1, 3, 2, and 4 c. 3, 2, 1, and 4 d. 4, 3, 2, and 1

b. The correct order of information system's transitional states is startup, shutdown, restart, and abort. Because the system is in transitional states, which is an unstable condition, if the restart procedures are not performed correctly or facing technical recovery problems, then the system has no choice except to abort.

Which of the following is the correct sequence of events taking place in the incident response life cycle process? a. Prevention, detection, preparation, eradication, and recovery b. Detection, response, reporting, recovery, and remediation c. Preparation, containment, analysis, prevention, and detection d. Containment, eradication, recovery, detection, and reporting

b. The correct sequence of events taking place in the incident response life cycle is detection, response, reporting, recovery, and remediation. Although the correct sequence is started with detection, there are some underlying activities that should be in place prior to detection. These prior activities include preparation and prevention, addressing the plans, policies, procedures, resources, support, metrics, patch management processes, host hardening measures, and properly configuring the network perimeter. Detection involves the use of automated detection capabilities (for example, log analyzers) and manual detection capabilities (for example, user reports) to identify incidents. Response involves security staff offering advice and assistance to system users for the handling and reporting of security incidents (for example, held desk or forensic services). Reporting involves understanding the internal and external reporting requirements in terms of the content and timeliness of the reports. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads to avoid consuming excessive resources and increasing damage caused by the incident. Restore addresses bringing systems to normal operations and hardening systems to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage to the overall system. Remediation involves tracking and documenting security incidents on an ongoing basis.

A computer system is clogged in which of the following attacks? a. Brute force attack b. Denial-of-service attack c. IP spoofing attack d. Web spoofing attack

b. The denial-of-service (DoS) type of attack denies services to users by either clogging the system with a series of irrelevant messages or sending disruptive commands to the system. It does not damage the data. A brute force attack is trying every possible decryption key combination to break into a computer system. An Internet Protocol (IP) spoofing attack means intruders creating packets with spoofed source IP addresses. The intruder then takes over an open-terminal and login-connections. In a Web spoofing attack, the intruder sits between the victim user and the Web, thereby making it a man-in-the-middle attack. The user is duped into supplying the intruder with passwords, credit card information, and other sensitive and useful data.

Contrary to best practices, which of the following parties is usually not notified at all or is notified last when a computer security incident occurs? a. System administrator b. Legal counsel c. Disaster recovery coordinator d. Hardware and software vendors

b. The first part of a response mechanism is notification, whether automatic or manual. Besides technical staff, several others must be notified, depending on the nature and scope of the incident. Unfortunately, legal counsel is not always notified or is notified thinking that involvement is not required.

Which of the following provides an assessment of software design quality? a. Trace system requirements specifications to system requirements in requirements definition documentation. b. Trace design specifications to system requirements and system requirements specifications to design. c. Trace source code to design specifications and design specifications to source code. d. Trace system test cases and test data designs to system requirements.

b. The goal is to identify requirements with no design elements (under-design) and design elements with no requirements (over-design). It is too early to assess software design quality during system requirements definition. It is too late to assess software design quality during coding. The goal is to identify design elements with no source code and source codes with no design elements. It is too late to assess software design quality during testing.

Fault-tolerance systems provide which of the following security services? a. Confidentiality and integrity b. Integrity and availability c. Availability and accountability d. Accountability and confidentiality

b. The goal of fault-tolerance systems is to detect and correct a fault and to maintain the availability of a computer system. Fault-tolerance systems play an important role in maintaining high data and system integrity and in ensuring high-availability of systems. Examples include disk mirroring and server mirroring techniques.

Developing a superior quality or safe software product requires special attention. Which of the following techniques to achieve superior quality are based on mathematical theory? a. Multiversion software b. Proof-of-correctness c. Software fault tree analysis d. Software reliability models

b. The proof-of-correctness (formal verification) involves the use of theoretical and mathematical models to prove the correctness of a program without executing it. Using this method, the program is represented by a theorem and is proved with first-order predicate calculus. The other three choices do not use mathematical theory. Multiversion software is incorrect because its goal is to provide high reliability, especially useful in applications dealing with loss of life, property, and damage. The approach is to develop more than one version of the same program to minimize the detrimental effect on reliability of latent defects. Software fault tree analysis is incorrect because it identifies and analyzes software safety requirements. It is used to determine possible causes of known hazards. This is done by creating a fault tree, whose root is the hazard. The system fault tree is expanded until it contains at its lowest level basic events that cannot be further analyzed. Software reliability models are incorrect because they can predict the future behavior of a software product, based on its past behavior, usually in terms of failure rates.

Magnetic storage media sanitization is important to protect sensitive information. Which of the following is not a general method of purging magnetic storage media? a. Overwriting b. Clearing c. Degaussing d. Destruction

b. The removal of information from a storage medium such as a hard disk or tape is called sanitization. Different kinds of sanitization provide different levels of protection. Clearing information means rendering it unrecoverable by keyboard attack, with the data remaining on the storage media. There are three general methods of purging magnetic storage media: overwriting, degaussing, and destruction. Overwriting means obliterating recorded data by writing different data on the same storage surface. Degaussing means applying a variable, alternating current fields for the purpose of demagnetizing magnetic recording media, usually tapes. Destruction means damaging the contents of magnetic media through shredding, burning, or applying chemicals.

What is the selective termination of affected nonessential processing when a failure is detected in a computer system called? a. Fail-safe b. Fail-soft c. Fail-over d. Fail-under

b. The selective termination of affected nonessential processing when a failure is detected in a computer system is called fail-soft. The automatic termination and protection of programs when a failure is detected in a computer system is called a fail-safe. Fail-over means switching to a backup mechanism. Fail-under is a meaningless phrase.

Regarding a patch management program, which of the following does not always return the system to its previous state? a. Disable b. Uninstall c. Enable d. Install

b. There are many options available to a system administrator in remediation testing. The ability to "undo" or uninstall a patch should be considered; however, even when this option is provided, the uninstall process does not always return the system to its previous state. Disable temporarily disconnects a service. Enable or install is not relevant here.

Which of the following provides network redundancy in a local-area-network (LAN) environment? a. Mirroring b. Shadowing c. Dual backbones d. Journaling

c. A backbone is the high traffic density connectivity portion of any communications network. Backbones are used to connect servers and other service providing machines on the network. The use of dual backbones means that if the primary network goes down, the secondary network will carry the traffic. In packet switched networks, a backbone consists of switches and interswitch trunks. Switched networks can be managed with a network management console. Network component failures can be identified on the console and responded to quickly. Many switching devices are built modularly with hot swappable circuit boards. If a chip fails on a board in the device, it can be replaced relatively quickly just by removing the failed card and sliding in a new one. If switching devices have dual power supplies and battery backups, network uptime can be increased as well. Mirroring, shadowing, and duplexing provide application system redundancy, not network redundancy. Mirroring refers to copying data as it is written from one device or machine to another. Shadowing is where information is written in two places, one shadowing the other, for extra protection. Any changes made will be reflected in both places. Journaling is a chronological description of transactions that have taken place, either locally, centrally, or remotely.

A good computer security incident handling capability is closely linked to which of the following? a. Systems software b. Applications software c. Training and awareness program d. Help desk

c. A good incident handling capability is closely linked to an organization's training and awareness program. It will have educated users about such incidents so users know what to do when they occur. This can increase the likelihood that incidents will be reported early, thus helping to minimize damage. The help desk is a tool to handle incidents. Intruders can use both systems software and applications software to create security incidents.

Which of the following protects the confidentiality of information against a laboratory attack? a. Disposal b. Clearing c. Purging d. Disinfecting

c. A laboratory attack is a data scavenging method through the aid of what could be precise or elaborate and powerful equipment. This attack involves using signal-processing equipment and specially trained personnel. Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack and renders the sanitized data unrecoverable. This is accomplished through the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction, and is not a strong protection. Clearing is the overwriting of classified information such that the media may be reused. Clearing media would not suffice for purging. Disinfecting is a process of removing malware within a file.

Which of the following does not trigger zero-day attacks? a. Malware b. Web browsers c. Zombie programs d. E-mail attachments

c. A zombie is a computer program that is installed on a personal computer to cause it to attack other computers. Attackers organize zombies as botnets to launch denial-of-server (DoS) attacks and distributed DoS attacks, not zero-day attacks. The other three choices trigger zeroday attacks. With zero-day (zero-hour) attacks, attackers try to exploit computer application vulnerabilities that are unknown to system owners and system administrators, undisclosed to software vendors, or for which no security fix is available. Malware writers can exploit zero-day vulnerabilities through several different attack vectors to compromise attacked systems or steal confidential data. Web browsers are a major target because of their widespread distribution and usage. Hackers send e-mail attachments to exploit vulnerabilities in the application opening the attachment and send other exploits to take advantage of weaknesses in common file types.

Computer security incident handling can be considered that portion of contingency planning that responds to malicious technical threats (for example, a virus). Which of the following best describes a secondary benefit of an incident handling capability? a. Containing and repairing damage from incidents b. Preventing future damage c. Using the incident data in enhancing the risk assessment process d. Enhancing the training and awareness program

c. An incident capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Incidents can be logged and analyzed to determine whether there is a recurring problem, which would not be noticed if each incident were viewed only in isolation. Statistics on the numbers and types of incidents in the organization can be used in the risk assessment process as an indication of vulnerabilities and threats. Containing and repairing damage from incidents and preventing future damages are incorrect because they are examples of primary benefits of an incident handling capability. An incident handling capability can provide enormous benefits by responding quickly to suspicious activity and coordinating incident handling with responsible offices and individuals as necessary. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities. Enhancing the training and awareness program is an example of a secondary benefit. Based on incidents reported, training personnel will have a better understanding of users' knowledge of security issues. Training that is based on current threats and controls recommended by incident handling staff provides users with information more specifically directed to their current needs. Using the incident data in enhancing the risk assessment process is the best answer when compared to enhancing the training and awareness program.

Which of the following is the best action to take when an information system media cannot be sanitized? a. Clearing b. Purging c. Destroying d. Disposal

c. An information system media that cannot be sanitized should be destroyed. Destroying is ensuring that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive to do. Sanitization techniques include disposal, clearing, purging, and destruction. Disposal is the act of discarding media by giving up control in a manner short of destruction and is not a strong protection. Clearing is the overwriting of classified information such that that the media may be reused. Purging is the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. Clearing media would not suffice for purging.

Which of the following is the correct sequence of activities involved in media sanitization? 1. Assess the risk to confidentiality. 2. Determine the future plans for the media. 3. Categorize the information to be disposed of. 4. Assess the nature of the medium on which it is recorded. a. 1, 2, 3, and 4 b. 2, 3, 4, and 1 c. 3, 4, 1, and 2 d. 4, 3, 2, and 1

c. An information system user must first categorize the information to be disposed of, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media.

In terms of audit records, which of the following information is most useful? 1. Timestamps 2. Source and destination address 3. Privileged commands 4. Group account users a. 1 only b. 1 and 2 c. 3 and 4 d. 1, 2, 3, and 4

c. Audit records contain minimum information such as timestamps, source and destination addresses, and outcome of the event (i.e., success or failure). But the most useful information is recording of privileged commands and the individual identities of group account users.

Computer fraud is increased when: a. Employees are not trained. b. Documentation is not available. c. Audit trails are not available. d. Employee performance appraisals are not given.

c. Audit trails indicate what actions are taken by the system. Because the system has adequate and clear audit trails deters fraud perpetrators due to fear of getting caught. For example, the fact that employees are trained, documentation is available, and employee performance appraisals are given (preventive measures) does not necessarily mean that employees act with due diligence at all times. Hence, the need for the availability of audit trails (detection measures) is very important because they provide a concrete evidence of actions and inactions.

An inexpensive security measure is which of the following? a. Firewalls b. Intrusion detection c. Audit trails d. Access controls

c. Audit trails provide one of the best and most inexpensive means for tracking possible hacker attacks, not only after attack, but also during the attack. You can learn what the attacker did to enter a computer system, and what he did after entering the system. Audit trails also detect unauthorized but abusive user activity. Firewalls, intrusion detection systems, and access controls are expensive when compared to audit trails.

Regarding a patch management program, which of the following should be done before performing the patch remediation? a. Test on a nonproduction system. b. Check software for proper operation. c. Conduct a full backup of the system. d. Consider all implementation differences.

c. Before performing the remediation, the system administrator may want to conduct a full backup of the system to be patched. This allows for a timely system restoration to its previous state if the patch has an unintended or unexpected impact on the host. The other three choices are part of the patch remediation testing procedures.

Regarding access restrictions associated with changes to information systems, which of the following makes it easy to discover unauthorized changes? a. Physical access controls b. Logical access controls c. Change windows d. Software libraries

c. Change windows mean changes occur only during specified times, and making unauthorized changes outside the window are easy to discover. The other three choices are also examples of access restrictions, but changes are not easy to discover in them.

Which one of the following situations renders backing up program and data files ineffective? a. When catastrophic accidents happen b. When disruption to the network occurs c. When viruses are timed to activate at a later date d. When backups are performed automatically

c. Computer viruses that are timed to activate at a later date can be copied onto the backup media thereby infecting backup copies as well. This makes the backup copy ineffective, unusable, or risky. Backups are useful and effective (i) in the event of a catastrophic accident, (ii) in case of disruption to the network, and (iii) when they are performed automatically. Human error is eliminated.

Software quality is based on user needs. Which of the following software quality factors address the user's need for performance? a. Integrity and survivability b. Verifiability and manageability c. Correctness and interoperability d. Expandability and flexibility

c. Correctness asks, "Does it comply with requirements?" whereas interoperability asks, "Does it interface easily?" Quality factors such as efficiency, correctness, safety, and interoperability are part of the performance need. Integrity and survivability are incorrect because they are a part of functional need. Integrity asks, "How secure is it?" whereas survivability asks, "Can it survive during a failure?" Quality factors such as integrity, reliability, survivability, and usability are part of the functional need. Verifiability and manageability are incorrect because they are a part of the management need. Verifiability asks, "Is performance verification easy?" whereas manageability asks, "Is the software easily managed?" Expandability and flexibility are incorrect because they are a part of the changes needed. Expandability asks, "How easy is it to expand?" whereas flexibility asks, "How easy is it to change?"

What is the residual physical representation of data that has been in some way erased called? a. Clearing b. Purging c. Data remanence d. Destruction

c. Data remanence is the residual physical representation of data that has been in some way erased. After storage media is erased, there may be some physical characteristics that allow the data to be reconstructed, which represents a security threat. Clearing, purging, and destruction are all risks involved in storage media. In clearing and purging, data is removed, but the media can be reused. The need for destruction arises when the media reaches the end of its useful life.

Which of the following makes a computer system more reliable? a. N-version programming b. Structured programming c. Defensive programming d. GOTO-less programming

c. Defensive or robust programming has several attributes that makes a computer system more reliable. The major attribute is expected exception domain (i.e., errors and failures); when discovered, it makes the system reliable. N-version programming is based on design or version diversity, meaning different versions of the software are developed independently with the thinking that these versions are independent in their failure behavior. Structured programming and GOTO-less programming are part of robust programming techniques to make programs more readable and executable.

Regarding media sanitization, degaussing is an acceptable method for which of the following? a. Disposal b. Clearing c. Purging d. Disinfecting

c. Degaussing is demagnetizing magnetic media to remove magnetic memory and to erase the contents of media. Purging is the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. Thus, degaussing and executing the firmware Secure Purge command (for serial advanced technology attachment (SATA) drives only) are acceptable methods for purging. The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction and is not a strong protection. Clearing is the overwriting of classified information such that that the media may be reused. Clearing media would not suffice for purging. Disinfecting is a process of removing malware within a file.

Regarding media sanitization, degaussing is the same as: a. Incinerating b. Melting c. Demagnetizing d. Smelting

c. Degaussing reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. It is also called demagnetizing.

An exception-based security report is an example of which of the following? a. Preventive control b. Detective control c. Corrective control d. Directive control

c. Detecting an exception in a transaction or process is detective in nature, but reporting it is an example of corrective control. Both preventive and directive controls do not either detect or correct an error; they simply stop it if possible.

Sometimes a combination of controls works better than a single category of control, such as preventive, detective, or corrective. Which of the following is an example of a combination of controls? a. Edit and limit checks, digital signatures, and access controls b. Error reversals, automated error correction, and file recovery c. Edit and limit checks, file recovery, and access controls d. Edit and limit checks, reconciliation, and exception reports

c. Edit and limit checks are an example of preventive or detective control, file recovery is an example of corrective control, and access controls are an example of preventive control. A combination of controls is stronger than a single type of control. Edit and limit checks, digital signatures, and access controls are incorrect because they are an example of a preventive control. Preventive controls keep undesirable events from occurring. In a computing environment, preventive controls are accomplished by implementing automated procedures to prohibit unauthorized system access and to force appropriate and consistent action by users. Error reversals, automated error correction, and file recovery are incorrect because they are an example of a corrective control. Corrective controls cause or encourage a desirable event or corrective action to occur after an undesirable event has been detected. This type of control takes effect after the undesirable event has occurred and attempts to reverse the error or correct the mistake. Edit and limit checks, reconciliation, and exception reports are incorrect because they are an example of a detective control. Detective controls identify errors or events that were not prevented and identify undesirable events after they have occurred. Detective controls should identify expected error types, as well as those that are not expected to occur.

Which of the following methods used to safeguard against disclosure of sensitive information is effective? a. Degaussing b. Overwriting c. Encryption d. Destruction

c. Encryption makes the data unreadable without the proper decryption key. Degaussing is a process whereby the magnetic media is erased, i.e., returned to its initial virgin state. Overwriting is a process whereby unclassified data are written to storage locations that previously held sensitive data. The need for destruction arises when the media reaches the end of its useful life.

Which of the following is not a prerequisite for system monitoring? a. System logs and audit trails b. Software patches and fixes c. Exception reports d. Security policies and procedures

c. Exception reports are the result of a system monitoring activity. Deviations from standards or policies will be shown in exception reports. The other three choices are needed before the monitoring process starts.

In general, a fail-over mechanism is an example of which of the following? a. Corrective control b. Preventive control c. Recovery control d. Detective control

c. Fail-over mechanism is a backup concept in that when the primary system fails, the backup system is activated. This helps in recovering the system from a failure or disaster.

Which of the following statements about incident management and response is not true? a. Most incidents require containment. b. Containment strategies vary based on the type of incident. c. All incidents need eradication. d. Eradication is performed during recovery for some incidents.

c. For some incidents, eradication is either unnecessary or is performed during recovery. Most incidents require containment, so it is important to consider it early in the course of handling each incident. Also, it is true that containment strategies vary based on the type of incident.

Which of the following is not an example of the defect prevention method in software development and maintenance processes? a. Documented standards b. CleanRoom processes c. Formal technical reviews d. Documentation standards

c. Formal technical reviews (for example, inspections and walkthroughs) are used for defect detection, not prevention. If properly conducted, formal technical reviews are the most effective way to uncover and correct errors, especially early in the life cycle, where they are relatively easy and inexpensive to correct. Documented standards are incorrect because they are just one example of defect prevention methods. Documented standards should be succinct and possibly placed into a checklist format as a ready application reference. A documented standard also permits audits for adherence and compliance with the approved method. CleanRoom processes are incorrect because they are just one example of defect prevention methods. The CleanRoom process consists of (i) defining a set of software increments that combine to form the required system, (ii) using rigorous methods for specification, development, and certification of each increment, (iii) applying strict statistical quality control during the testing process, and (iv) enforcing a strict separation of the specification and design tasks from testing activities. Documentation standards are incorrect because they are just one example of defect prevention methods. Standard methods can be applied to the development of requirements and design documents.

All the following are needed for a timely and emergency maintenance work to reduce the risk to an organization except: a. Maintenance vendor service-level agreement b. Spare parts inventory c. Help-desk staff d. Commercial courier delivery service agreement

c. Information system components, when not operational, can result in increased risk to organizations because the security functionality intended by that component is not being provided. Examples of security-critical components include firewalls, hardware/software guards, gateways, intrusion detection and prevention systems, audit repositories, and authentication servers. The organizations need to have a maintenance vendor service-level agreement, stock spare parts inventory, and a delivery service agreement with a commercial transportation courier to deliver the required parts on time to reduce the risk of running out of components and parts. Help-desk staff, whether they are internal or external, are not needed for all types of maintenance work, whether it is scheduled or unscheduled, or whether it is normal or emergency. Their job is to help system users on routine matters (problems and issues) and escalate them to the right party when they cannot resolve these matters.

An information system initiates session auditing work at system: a. Restart b. Shutdown c. Startup d. Abort

c. Information system transitional states include startup, restart, shutdown, and abort. It is critical to initiate session audit work at system startup time so that the system captures and logs all the content related to a user system. These audit logs can be locally or remotely reviewed for later evidence.

What does an ineffective local-area-network backup strategy include? a. Backing up servers daily b. Securing the backup workstations c. Scheduling backups during regular work hours d. Using file recovery utility programs

c. It is not a good operating practice to schedule backups during regular work hours because it interrupts the business functions. It is advised to schedule backups during off hours to avoid file contention (when files are open and the backup program is scheduled to run). As the size and complexity of local-area networks (LANs) increase, backups have assumed greater importance with many options available. It is a common practice to back up servers daily, taking additional backups when extensive database changes occur. It is good to secure the backup workstations to prevent interruption of backup processes that can result in the loss of backup data. It is a better practice to use the network operating system's file recovery utility for immediate restoration of accidentally deleted files before resorting to the time consuming process of file recovery from backup tapes.

Portable and removable storage devices should be sanitized to prevent the entry of malicious code to launch: a. Man-in-the-middle attack b. Meet-in-the-middle attack c. Zero-day attack d. Spoofing attack

c. Malicious code is capable of initiating zero-day attacks when portable and removable storage devices are not sanitized. The other three attacks are network-based, not storage device-based. A man-in-the-middle (MitM) attack occurs to take advantage of the store-andforward mechanism used by insecure networks such as the Internet. A meet-in-the-middle attack occurs when one end of the network is encrypted and the other end is decrypted, and the results are matched in the middle. A spoofing attack is an attempt to gain access to a computer system by posing as an authorized user.

Which of the following encourages compliance with IT security policies? a. Use b. Results c. Monitoring d. Reporting

c. Monitoring encourages compliance with IT security policies. Results can be used to hold managers accountable for their information security responsibilities. Use for its own sake does not help here. Reporting comes after monitoring.

In maintenance, which of the following is most risky? a. Local maintenance b. Scheduled maintenance c. Nonlocal maintenance d. Unscheduled maintenance

c. Nonlocal maintenance work is conducted through either an external network (mostly through the Internet) or an internal network. Because of communicating across a network connection, nonlocal maintenance work is most risky. Local maintenance work is performed without communicating across a network connection. For local maintenance, the vendor brings the hardware and software into the IT facility for diagnostic and repair work, which is less risky. Local or nonlocal maintenance work can be either scheduled or unscheduled.

The primary contingency strategy for application systems and data is regular backup and secure offsite storage. From an operations viewpoint, which of the following decisions is least important to address? a. How often is the backup performed? b. How often is the backup stored offsite? c. How often is the backup used? d. How often is the backup transported?

c. Normally, the primary contingency strategy for applications and data is regular backup and secure offsite storage. Important decisions to be addressed include how often the backup is performed, how often it is stored offsite, and how it is transported to storage, to an alternative processing site, or to support the resumption of normal operations. How often the backup is used is not relevant because it is hoped that it may never have to be used.

Which of the following is the most complex phase of incident response process for malware incidents? a. Preparation b. Detection c. Recovery d. Remediation

c. Of all the malware incident-response life-cycle phases, recovery phase is the most complex. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads to avoid consuming excessive resources and increasing damage caused by the incident. Restore addresses bringing systems to normal operations and hardening systems to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage to it. More tools and technologies are relevant to the recovery phase than to any other phase; more technologies mean more complexity. The technologies involved and the speed of malware spreading make it more difficult to recover. The other three phases such as preparation, detection, and remediation are less complex. The scope of preparation and prevention phase covers establishing plans, policies, and procedures. The scope of detection phase covers identifying classes of incidents and defining appropriate actions to take. The scope of remediation phase covers tracking and documenting security incidents on an ongoing basis to help in forensics analysis and in establishing trends.

For media sanitization, overwriting cannot be used for which of the following? 1. Damaged media 2. Nondamaged media 3. Rewriteable media 4. Nonrewriteable media a. 1 only b. 4 only c. 1 or 4 d. 2 or 3

c. Overwriting cannot be used for media that are damaged or not rewriteable. The media type and size may also influence whether overwriting is a suitable sanitization method.

Which of the following is not a recovery action after a computer security incident was contained? a. Rebuilding systems from scratch b. Changing passwords c. Preserving the evidence d. Installing patches

c. Preserving the evidence is a containment strategy, whereas all the other choices are part of recovery actions. Preserving the evidence is a legal matter, not a recovery action, and is a part of the containment strategy. In recovery action, administrators restore systems to normal operation and harden systems to prevent similar incidents, including the actions taken in the other three choices.

Which of the following fault tolerance metrics are most applicable to the proper functioning of redundant array of disks (RAID) systems? 1. Mean time between failures (MTBF) 2. Mean time to data loss (MTTDL) 3. Mean time to recovery (MTTR) 4. Mean time between outages (MTBO) a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

c. Rapid replacement of RAID's failed drives or disks and rebuilding them quickly is important, which is facilitated specifically and mostly through applying MTTDL and MTTR metrics. The MTTDL metric measures the average time before a loss of data occurred in a given disk array. The MTTR metric measures the amount of time it takes to resume normal operation, and includes the time to replace a failed disk and the time to rebuild the disk array. Thus, MTTDL and MTTR metrics prevent data loss and ensure data recovery. MTBF and MTBO metrics are incorrect because they are broad measures of providing system reliability and availability respectively, and are not specifically applicable to RAID systems. The MTBF metric measures the average time interval between system failures and the MTBO metric measures the mean time between equipment failures.

Increasing which one of the following items increases the other three items? a. Reliability b. Availability c. Redundancy d. Serviceability

c. Reliability minimizes the possibility of failure and availability is a measurement of uptime while serviceability is a measure of the amount of time it takes to repair a problem or to restore a system following a failure. Increasing redundancy increases reliability, availability, and serviceability.

Identify the computer-related crime and fraud method that involves obtaining information that may be left in or around a computer system after the execution of a job. a. Data diddling b. Salami technique c. Scavenging d. Piggybacking

c. Scavenging is obtaining information that may be left in or around a computer system after the execution of a job. Data diddling involves changing data before or during input to computers or during output from a computer system. The salami technique is theft of small amounts of assets (primarily money) from a number of sources. Piggybacking can be done physically or electronically. Both methods involve gaining access to a controlled area without authorization.

From a security risk viewpoint, the job duties of which one of the following should be fully separated from the others? a. System administrator b. Security administrator c. Computer operator d. System programmer

c. Separation of duties is a security principle that divides critical functions among different employees in an attempt to ensure that no one employee has enough information or access privileges to perpetrate damaging fraud or conduct other irregularities such as damaging data and/or programs. The computer operator's job duties should be fully and clearly separated from the others. Due to concentration of risks in one job and if the computer operator's job duties are not fully separated from other conflicting job duties (for example, system administrator, security administrator, or system programmer), there is a potential risk that the operator can issue unprivileged commands from his console to the operating system, thus causing damage to the integrity of the system and its data. In other words, the operator has full access to the computer in terms of running the operating system, application systems, special program, and utility programs where the others do not have such full access. It is good to limit the computer operator's access to systems and their documentation, which will help him in understanding the inner working of the systems running on the computer. At the same time it is good to limit the others' access to the computer systems just enough to do their limited job duties.

An example of ill-defined software metrics is which of the following? a. Number of defects per thousand lines of code b. Number of defects over the life of a software product c. Number of customer problems reported to the size of the product d. Number of customer problems reported per user month

c. Software defects relate to source code instructions, and problems encountered by users relate to usage of the product. If the numerator and denominator are mixed up, poor metrics result. An example of an ill-defined metric is the metric relating total customer problems to the size of the product, where size is measured in millions of shipped source instructions. This metric has no meaningful relation. On the other hand, the other three choices are examples of meaningful metrics. To improve customer satisfaction, you need to reduce defects and overall problems.

Regarding a patch management program, which of the following is not an example of a threat? a. Exploit scripts b. Worms c. Software flaws d. Viruses

c. Software flaw vulnerabilities cause a weakness in the security of a system. Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network. Threats usually take the form of exploit scripts, worms, viruses, rootkits, exploits, and Trojan horses.

Which of the following is the most important function of software inventory tools in maintaining a consistent baseline configuration? a. Track operating system version numbers. b. Track installed application systems. c. Scan for unauthorized software. d. Maintain current patch levels.

c. Software inventory tools scan information for unauthorized software to validate against the official list of authorized and unauthorized software programs. The other three choices are standard functions of software inventory tools.

A software product has the least impact on: a. Loss of life b. Loss of property c. Loss of physical attributes d. Loss of quality

c. Software is an intangible item with no physical attributes such as color and size. Although software is not a physical product, software products have a major impact on life, health, property, safety, and quality of life. Failure of software can have a serious economic impact such as loss of sales, revenues, and profits.

All the following can co-exist with computer security incident handling except: a. Help-desk function b. System backup schedules c. System development activity d. Risk management process

c. System development activity is engaged in designing and constructing a new computer application system, whereas incident handling is needed during operation of the same application system. For example, for purposes of efficiency and cost-savings, incident-handling capability is co-operated with a user help desk. Also, backups of system resources need to be used when recovering from an incident. Similarly, the risk analysis process benefits from statistics and logs showing the numbers and types of incidents that have occurred and the types of controls that are effective in preventing such incidents. This information can be used to help select appropriate security controls and practices.

Which of the following is the basis for ensuring software reliability? a. Testing b. Debugging c. Design d. Programming

c. The basis for software reliability is design, not testing, debugging, or programming. For example, using the top-down design and development techniques and employing modular design principles, software can be made more reliable than otherwise. Reliability is the degree of confidence that a system will successfully function in a certain environment during a specified time period. Testing is incorrect because its purpose is to validate that the software meets its stated requirements. Debugging is incorrect because its purpose is to detect, locate, and correct faults in a computer program. Programming is incorrect because its purpose is to convert the design specifications into program instructions that the computer can understand.

Which of the following is the correct sequence of solutions for containing a denial-ofservice incident? 1. Relocate the target computer. 2. Have the Internet service provider implement filtering. 3. Implement filtering based on the characteristics of the attack. 4. Correct the vulnerability that is being exploited. a. 2, 3, 1, and 4 b. 2, 4, 3, and 1 c. 3, 4, 2, and 1 d. 4, 3, 1, and 2

c. The decision-making process for containing a denial-of-service (DoS) incident should be easier if recommended actions are predetermined. The containment strategy should include several solutions in sequence as shown in the correct answer.

Who should measure the effectiveness of security-related controls in an organization? a. Local security specialist b. Business manager c. Systems auditor d. Central security manager

c. The effectiveness of security-related controls should be measured by a person fully independent of the information systems department. The systems auditor located within an internal audit department of an organization is the right party to perform such measurement.

Contrary to best practices, information systems' security training is usually not given to which of the following parties? a. Information systems security staff b. Functional users c. Computer operations staff d. Corporate internal audit staff

c. The information systems' security training program should be specifically tailored to meet the needs of computer operations staff so that they can deal with problems that have security implications. However, the computer operations staff is usually either taken for granted or completely forgotten from training plans. The information systems' security staff is provided with periodic training to keep its knowledge current. Functional users will definitely be given training so that they know how to practice security. Corporate internal audit staff is given training because it needs to review the IT security goals, policies, procedures, standards, and practices.

The process of degaussing involves which of the following? a. Retrieving all stored information b. Storing all recorded information c. Removing all recorded information d. Archiving all recorded information

c. The purpose of degaussing is to remove all recorded information from a computerrecorded magnetic tape. It does this by demagnetizing (removing) the recording media, the tape, or the hard drive. After degaussing is done, the magnetic media is in a fully demagnetized state. However, degaussing cannot retrieve, store, or archive information.

Which of the following is the major consideration when an organization gives its incident response work to an outsourcer? a. Division of responsibilities b. Handling incidents at multiple locations c. Current and future quality of work d. Lack of organization-specific knowledge

c. The quality of the outsourcer's work remains an important consideration. Organizations should consider not only the current quality of work, but also the outsourcer's efforts to ensure the quality of future work, which are the major considerations. Organizations should think about how they could audit or otherwise objectively assess the quality of the outsourcer's work. Lack of organization-specific knowledge will reflect in the current and future quality of work. The other three choices are minor considerations and are a part of the major considerations.

What is the security goal of the media sanitization requiring an overwriting process? a. To replace random data with written data. b. To replace test data with written data. c. To replace written data with random data. d. To replace written data with statistical data.

c. The security goal of the overwriting process is to replace written data with random data. The process may include overwriting not only the logical storage of a file (for example, file allocation table) but also may include all addressable locations.

Verification is an essential activity in ensuring quality software, and it includes tracing. Which of the following tracing techniques is not often used? a. Forward tracing b. Backward tracing c. Cross tracing d. Ad hoc tracing

c. Traceability is the ease in retracing the complete history of a software component from its current status to its requirements specification. Cross tracing should be used more often because it cuts through the functional boundaries, but it is not performed due to its difficulty in execution. The other three choices are often used due to their ease-of-use. Forward tracing is incorrect because it focuses on matching inputs to outputs to demonstrate their completeness. Similarly, backward tracing is incorrect because it focuses on matching outputs to inputs to demonstrate their completeness. Ad hoc tracing is incorrect because it involves spot-checking of reconcilement procedures to ensure output totals agree with input totals, less any rejects or spot checking of accuracy of computer calculations such as interest on deposits, late charges, service charges, and past-due loans. During system development, it is important to verify the backward and forward traceability of the following: (i) user requirements to software requirements, (ii) software requirements to design specifications, (iii) system tests to software requirements, and (iv) acceptance tests to user requirements. Requirements or constraints can also be traced downward and upward due to master-subordinate and predecessor-successor relationships to one another.

Which of the following individuals or items cause the highest economic loss to organizations using computer-based information systems? a. Dishonest employees b. Disgruntled employees c. Errors and omissions d. Outsiders

c. Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Errors can occur during all phases of the system life cycle. Many studies indicate that 65 percent of losses to organizations are the result of errors and omissions followed by dishonest employees (13%), disgruntled employees (6%), and outsiders/hackers (3%).

A fault-tolerant design feature for large distributed systems considers all the following except: a. Using multiple components to duplicate functionality b. Using duplicated systems in separate locations c. Using modular components d. Providing backup power supplies

d. A fault tolerant design should make a system resistant to failure and able to operate continuously. Many ways exist to develop fault tolerance in a system, including using two or more components to duplicate functionality, duplicating systems in separate locations, or using modular components in which failed components can be replaced with new ones. It does not include providing backup power supplies because it is a part of preventive maintenance, which should be used with fault tolerant design. Preventive maintenance measures reduce the likelihood of significant impairment to components.

A security configuration checklist is referred to as which of the following? 1. Lockdown guide 2. Hardening guide 3. Security guide 4. Benchmark guide a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 1, 2, 3, and 4

d. A security configuration checklist is referred to as several names, such as a lockdown guide, hardening guide, security technical implementation guide, or benchmark guide. These guides provide a series of instructions or procedures for configuring an information system's components to meet operational needs and regulatory requirements.

Which of the following is the most important requirement for a software quality program to work effectively? a. Quality metrics b. Process improvement c. Software reengineering d. Commitment from all parties

d. A software quality program should reduce defects, cut service costs, increase customer satisfaction, and increase productivity and revenues. To achieve these goals, commitment by all parties involved is the most important factor. The other three factors such as quality metrics, process improvement, and software reengineering have some merit, but none is sufficient on its own.

Prior to initiating maintenance work by maintenance vendor personnel who do not have the needed security clearances and access authorization to classified information, adequate controls include: 1. Sanitize all volatile information storage components 2. Remove all nonvolatile storage media 3. Physically disconnect the storage media from the system 4. Properly secure the storage media with physical or logical access controls a. 1 only b. 2 only c. 2, 3, and 4 d. 1, 2, 3, and 4

d. All four items are adequate controls to reduce the risk resulting from maintenance vendor personnel's access to classified information. For handling classified information, maintenance personnel should possess security clearance levels equal to the highest level of security required for an information system.

When controlling access to information, an audit log provides which of the following? a. Review of security policy b. Marking files for reporting c. Identification of jobs run d. Accountability for actions

d. An audit log must be kept and protected so that any actions impacting security can be traced. Accountability can be established with the audit log. The audit log also helps in verifying the other three choices indirectly.

What is an audit trail is an example of? a. Recovery control b. Corrective control c. Preventive control d. Detective control

d. Audit trails show an attacker's actions after detection; hence they are an example of detective controls. Recovery controls facilitate the recovery of lost or damaged files. Corrective controls fix a problem or an error. Preventive controls do not detect or correct an error; they simply stop it if possible.

Many errors were discovered during application system file-maintenance work. What is the best control? a. File labels b. Journaling c. Run-to-run control d. Before and after image reporting

d. Before and after image reporting ensures data integrity by reporting data field values both before and after the changes so that functional users can detect data entry and update errors. File labels are incorrect because they verify internal file labels for tapes to ensure that the correct data file is used in the processing. Journaling is incorrect because it captures system transactions on a journal file so that recovery can be made should a system failure occur. Runto- run control is incorrect because it verifies control totals resulting from one process or cycle to the subsequent process or cycle to ensure their accuracy.

Regarding a patch management program, an experienced administrator or security officer should perform which of the following? a. Test file settings. b. Test configuration settings. c. Review patch logs. d. Conduct exploit tests.

d. Conducting an exploit test means performing a penetration test to exploit the vulnerability. Only an experienced administrator or security officer should perform exploit tests because this involves launching actual attacks within a network or on a host. Generally, this type of testing should be performed only on nonproduction equipment and only for certain vulnerabilities. Only qualified staff who are thoroughly aware of the risk and who are fully trained should conduct the tests. Testing file settings, testing configuration settings, and reviewing patch logs are routine tasks a less experienced administrator or security officer can perform.

Which of the following situations provides no security protection? a. Controls that are designed and implemented b. Controls that are developed and implemented c. Controls that are planned and implemented d. Controls that are available, but not implemented

d. Controls that are available in a computer system, but not implemented, provide no protection.

From an operations viewpoint, the first step in contingency planning is to perform a(n): a. Operating systems software backup b. Applications software backup c. Documentation backup d. Hardware backup

d. Hardware backup is the first step in contingency planning. All computer installations must include formal arrangements for alternative processing capability in the event their data center or any portion of the work environment becomes disabled. These plans can take several forms and involve the use of another data center. In addition, hardware manufacturers and software vendors can be helpful in locating an alternative processing site and in some cases provide backup equipment under emergency conditions. The more common plans are service bureaus, reciprocal arrangements, and hot sites. After hardware is backed up, operating systems software is backed up next, followed by applications software backup and documentation.

Regarding a patch management program, which of the following helps system administrators most in terms of monitoring and remediating IT resources? 1. Supported equipment 2. Supported applications software 3. Unsupported hardware 4. Unsupported operating systems a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. Here, supported and unsupported means whether a company management has approved the acquisition, installation, and operation of hardware and software; approved in the former case and not approved in the latter case. System administrators should be taught how to independently monitor and remediate unsupported hardware, operating systems, and applications software because unsupported resources are vulnerable to exploitation. This is because non-compliant employees could have purchased and installed the unsupported hardware and software on their personal computers, which is riskier than the supported ones. A potential risk is that the unsupported systems could be incompatible with the supported systems and may not have the required security controls. A list of supported resources is needed to analyze the inventory and identify those resources that are used within the organization. This allows the system administrators to know which hardware, operating systems, and applications will be checking for new patches, vulnerabilities, and threats. Note that not patching the unsupported systems can negatively impact the patching of the supported systems as they both coexist and operate on the same computer or network.

Which of the following denial-of-service attacks in networks is least common in occurrence? a. Service overloading b. Message flooding c. Connection clogging d. Signal grounding

d. In denial-of-service (DoS) attacks, some users prevent other legitimate users from using the network. Signal grounding, which is located in wiring closets, can be used to disable a network. This can prevent users from transmitting or receiving messages until the problem is fixed. Signal grounding is the least common in occurrence as compared to other choices because it requires physical access. Service overloading occurs when floods of network requests are made to a server daemon on a single computer. It cannot process regular tasks in a timely manner. Message flooding occurs when a user slows down the processing of a system on the network, to prevent the system from processing its normal workload, by "flooding" the machine with network messages addressed to it. The system spends most of its time responding to these messages. Connection clogging occurs when users make connection requests with forged source addresses that specify nonexistent or unreachable hosts that cannot be contacted. Thus, there is no way to trace the connection back; they remain until they time out or reset. The goal is to use up the limit of partially open connections.

When an IT auditor becomes reasonably certain about a case of fraud, what should the auditor do next? a. Say nothing now because it should be kept secret. b. Discuss it with the employee suspected of fraud. c. Report it to law enforcement officials. d. Report it to company management.

d. In fraud situations, the auditor should proceed with caution. When certain about a fraud, he should report it to company management, not to external organizations. The auditor should not talk to the employee suspected of fraud. When the auditor is not certain about fraud, he should talk to the audit management.

Regarding a patch management program, which of the following should not be done to a compromised system? a. Reformatting b. Reinstalling c. Restoring d. Remigrating

d. In most cases a compromised system should be reformatted and reinstalled or restored from a known safe and trusted backup. Remigrating deals with switching between using automated and manual patching tools and methods should not be performed on a compromised system.

Which of the following is not a viable option in the event of an audit processing failure or audit storage capacity being reached? a. Shut down the information system. b. Overwrite the oldest-audit records. c. Stop generating the audit records. d. Continue processing after notification.

d. In the event of an audit processing failure or audit storage capacity being reached, the information system alerts appropriate management officials and takes additional actions such as shutting down the system, overwriting the oldest-audit records, and stopping the generation of audit records. It should not continue processing, either with or without notification because the audit-related data would be lost.

Which of the following security control techniques assists system administrators in protecting physical access of computer systems by intruders? a. Access control lists b. Host-based authentication c. Centralized security administration d. Keystroke monitoring

d. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. It is usually considered a special case of audit trails. Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair any damage they may cause. Access control lists refer to a register of users who have been given permission to use a particular system resource and the types of access they have been permitted. Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Centralized security administration allows control over information because the ability to make changes resides with few individuals, as opposed to many in a decentralized environment. The other three choices do not protect computer systems from intruders, as does the keystroke monitoring.

What is an example of a security policy that can be legally monitored? a. Keystroke monitoring b. Electronic mail monitoring c. Web browser monitoring d. Password monitoring

d. Keystroke monitoring, e-mail monitoring, and Web browser monitoring are controversial and intrusive. These kinds of efforts could waste time and other resources due to their legal problems. On the other hand, examples of effective security policy statements include (i) passwords shall not be shared under any circumstances and (ii) password usage and composition will be monitored.

Which of the following control terms can be used in a broad sense? a. Administrative controls b. Operational controls c. Technical controls d. Management controls

d. Management controls are actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures, and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions. Administrative controls include personnel practices, assignment of responsibilities, and supervision and are part of management controls. Operational controls are the day-to-day procedures and mechanisms used to protect operational systems and applications. Operational controls affect the system and application environment. Technical controls are hardware and software controls used to provide automated protection for the IT system or application. Technical controls operate within the technical system and applications.

In a local-area network environment, which of the following requires the least redundancy planning? a. Cables b. Servers c. Power supplies d. Hubs

d. Many physical problems in local-area networks (LANs) are related to cables because they can be broken or twisted. Servers can be physically damaged due to disk head crash or power irregularities such as over or under voltage conditions. An uninterruptible power supply provides power redundancy and protection to servers and workstations. Servers can be disk duplexed for redundancy. Redundant topologies such as star, mesh, or ring can provide a duplicate path should a main cable link fail. Hubs require physical controls such as lock and key because they are stored in wiring closets; although, they can also benefit from redundancy, which can be expensive. Given the choices, it is preferable to have redundant facilities for cables, servers, and power supplies.

Which of the following is the ultimate form of media sanitization? a. Disposal b. Clearing c. Purging d. Destroying

d. Media destruction is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended, and that information is virtually impossible to recover or prohibitively expensive from that media. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverization, shredding, melting, sanding, and chemical treatment.

An information system can be protected against denial-of-service (DoS) attacks through: 1. Network perimeter devices 2. Increased capacity 3. Increased bandwidth 4. Service redundancy a. 2 only b. 3 only c. 4 only d. 1, 2, 3, and 4

d. Network perimeter devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial-of-service (DoS) attacks. Employing increased capacity and increased bandwidth combined with service redundancy may reduce the susceptibility to some type of DoS attacks. A side-benefit of this is enabling availability of data, which is a good thing.

Which of the following file backup strategies is preferred when a full snapshot of a server is required prior to upgrading it? a. Full backups b. Incremental backups c. Differential backups d. On-demand backups

d. On-demand backups refer to the operations that are done outside of the regular backup schedule. This backup method is most useful when backing up a few files/directories or when taking a full snapshot of a server prior to upgrading it. On-demand backups can act as a backup for regular backup schedules. Full backups are incorrect because they copy all data files and programs. It is a brute force method providing a peace of mind at the expense of valuable time. Incremental backups are incorrect because they are an inefficient method and copy only those files that have changed since the last backup. Differential backups are incorrect because they copy all data files that have changed since the last full backup. Only two files are needed to restore the entire system: the last full backup and the last differential backup.

Organizations that outsource media sanitization work should exercise: a. Due process b. Due law c. Due care d. Due diligence

d. Organizations can outsource media sanitization and destruction if business and security management decide this would be the most reasonable option for maintaining confidentiality while optimizing available resources. When choosing this option, organizations exercise due diligence when entering into a contract with another party engaged in media sanitization. Due diligence requires organizations to develop and implement an effective security program to prevent and detect violation of policies and laws. Due process means each person is given an equal and a fair chance of being represented or heard and that everybody goes through the same process for consideration and approval. It means all are equal in the eyes of the law. Due law covers due process and due care. Due care means reasonable care in promoting the common good and maintaining the minimal and customary practices.

Which of the following detects unauthorized changes to software and information for commercial off-the-shelf integrity mechanisms? 1. Tamper-evident system components 2. Parity checks 3. Cyclical redundancy checks 4. Cryptographic hashes a. 2 only b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. Organizations employ integrity verification mechanisms to look for evidence of tampering, errors, and omissions. Software engineering techniques such as parity checks, cyclical redundancy checks, and cryptographic hashes are applied to the information system. In addition, tamper-evident system components are required to ship from software vendors to operational sites, and during their operation.

Patch management is a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls

d. Patch management is a part of corrective controls, as it fixes software problems and errors. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment. Directive controls are broad-based controls to handle security incidents, and they include management's policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.

The incident response team should work with which of the following when attempting to contain, eradicate, and recover from large-scale incidents? a. Advisory distribution team b. Vulnerability assessment team c. Technology watch team d. Patch management team

d. Patch management staff work is separate from that of the incident response staff. Effective communication channels between the patch management team and the incident response team are likely to improve the success of a patch management program when containing, eradicating, and recovering from large-scale incidents. The activities listed in the other choices are the responsibility of the incident response team.

Which of the following is an example of directive controls? a. Passwords and firewalls b. Key escrow and software escrow c. Intrusion detection systems and antivirus software d. Policies and standards

d. Policies and standards are an example of directive controls. Passwords and firewalls are an example of preventive controls. Key escrow and software escrow are an example of recovery controls. Intrusion detection systems and antivirus software are an example of detective controls.

Which of the following redundant array of independent disks (RAID) data storage systems is used for high-availability systems? a. RAID3 b. RAID4 c. RAID5 d. RAID6

d. RAID6 is used for high-availability systems due to its high tolerance for failure. Each RAID level (i.e., RAID0 to RAID6) provides a different balance between increased data reliability through redundancy and increased input/output performance. For example, in levels from RAID3 to RAID5, a minimum of three disks is required and only one disk provides a fault tolerance mechanism. In the RAID6 level, a minimum of four disks is required and two disks provide fault tolerance mechanisms. In the single disk fault tolerance mechanism, the failure of that single disk will result in reduced performance of the entire system until the failed disk has been replaced and rebuilt. On the other hand, the double parity (two disks) fault tolerance mechanism gives time to rebuild the array without the data being at risk if a single disk fails before the rebuild is complete. Hence, RAID6 is suitable for high-availability systems due to high fault tolerance mechanisms.

Regarding a patch management program, which of the following should be used when comparing the effectiveness of the security programs of multiple systems? 1. Number of patches needed 2. Number of vulnerabilities found 3. Number of vulnerabilities per computer 4. Number of unapplied patches per computer a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. Ratios, not absolute numbers, should be used when comparing the effectiveness of the security programs of multiple systems. Ratios reveal better information than absolute numbers. In addition, ratios allow effective comparison between systems. Number of patches needed and number of vulnerabilities found are incorrect because they deal with absolute numbers.

Which of the following is an example of software reliability metrics? a. Number of defects per million lines of source code with comments b. Number of defects per function point c. Number of defects per million lines of source code without comments d. The probability of failure-free operation in a specified time

d. Software quality can be expressed in two ways: defect rate and reliability. Software quality means conformance to requirements. If the software contains too many functional defects, the basic requirement of providing the desired function is not met. Defect rate is the number of defects per million lines of source code or per function point. Reliability is expressed as number of failures per "n" hours of operation, mean-time-to failure, or the probability of failure-free operation in a specified time. Reliability metrics deal with probabilities and timeframes.

Incident handling is not closely related to which of the following? a. Contingency planning b. System support c. System operations d. Strategic planning

d. Strategic planning involves long-term and major issues such as management of the computer security program and the management of risks within the organization and is not closely related to the incident handling, which is a minor issue. Incident handling is closely related to contingency planning, system support, and system operations. An incident handling capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.

Current operating systems are far more resistant to which of the following types of denial-of-service attacks and have become less of a threat? a. Reflector attack b. Amplified attack c. Distributed attack d. SYNflood attack

d. Synchronized flood (SYNflood) attacks often target an application and daemon, like a Web server, and not the operating system (OS) itself; although the OS may get impacted due to resources used by the attack. It is good to know that current operating systems are far more resistant to SYNflood attacks, and many firewalls now offer protections against such attacks, so they have become less of a threat. Still, SYNfloods can occur if attackers initiate many thousands of transmission control protocol (TCP) connections in a short time. The other three types of attacks are more of a threat. In a reflector attack, a host sends many requests with a spoofed source address to a service on an intermediate host. Like a reflector attack, an amplified attack involves sending requests with a spoofed source address to an intermediate host. However, an amplified attack does not use a single intermediate host; instead, its goal is to use a whole network of intermediate hosts. Distributed attacks coordinate attacks among many computers (i.e., zombies).

TEMPEST is used for which of the following? a. To detect electromagnetic disclosures b. To detect electronic dependencies c. To detect electronic destructions d. To detect electromagnetic emanations

d. TEMPEST is a short name, and not an acronym. It is the study and control of spurious electronic signals emitted by electrical equipment. It is the unclassified name for the studies and investigations of compromising electromagnetic emanations from equipment. It is suggested that TEMPEST shielded equipment is used to prevent compromising emanations.

The IT operations management of RDS Corporation is concerned about how to increase its data storage capacity to meet its increased growth in business systems. Based on a storage management consultant's report, the RDS management is planning to install redundant array of independent disks 6 (RAID6), which is a block-level striping with double distributed parity system to meet this growth. If four disks are arranged in RAID6 where each disk has a storage capacity of 250GB, and if space efficiency is computed as [1-(2/n)] where "n" is the number of disks, how much of this capacity is available for data storage purposes? a. 125GB b. 250GB c. 375GB d. 500GB

d. The RAID6 storage system can provide a total of 500GB of usable space for data storage purposes. Space efficiency represents the fraction of the sum of the disks' capacities that is available for use. Space efficiency = [1-(2/n)] = [1-(2/4)] = 1-0.5= 0.5 Total available space for data storage = 0.5 × 4 × 250 = 500GB

The audit log does not include which of the following? a. Timestamp b. User's identity c. Object's identity d. The results of action taken

d. The audit log includes a timestamp, user's identity, object's identity, and type of action taken, but not the results from the action taken. The person reviewing the audit log needs to verify that the results of the action taken were appropriate.

Regarding the verification of correct operation of security functions, which of the following is the correct order of alternative actions when anomalies are discovered? 1. Report the results. 2. Notify the system administrator. 3. Shut down the system. 4. Restart the system. a. 1, 2, 3, and 4 b. 3, 4, 2, and 1 c. 2, 1, 3, and 4 d. 2, 3, 4, and 1

d. The correct order of alternative actions is notify the system administrator, shut down the system, restart the system, and report the results of security function verification.

Regarding media sanitization, which of the following is the correct sequence of fully and physically destroying magnetic disks, such as hard drives? 1. Incinerate 2. Disintegrate 3. Pulverize 4. Shred a. 4, 1, 2, and 3 b. 3, 4, 2, and 1 c. 1, 4, 3, and 2 d. 2, 4, 3, and 1

d. The correct sequence of fully and physically destroying magnetic disks such as hard drives (for example, advanced technology attachment (ATA) and serial ATA (SATA) hard drives), is disintegrate, shred, pulverize, and incinerate. This is the best recommended practice for both public and private sector organizations. Disintegration is a method of sanitizing media and is the act of separating the equipment into component parts. Here, the disintegration step comes first to make the hard drive inoperable quickly. Shredding is a method of sanitizing media and is the act of cutting or tearing into small particles. Shredding cannot be the first step because it is not practical to do for many companies. Pulverization is a method of sanitizing media and is the act of grinding to a powder or dust. Incineration is a method of sanitizing media and is the act of burning completely to ashes done in a licensed incinerator. Note that one does not need to complete all these methods, but can stop after any specific method and after reaching the final goal based on the sensitivity and criticality of data on the disk.

A successful incident handling capability should serve which of the following? a. Internal users only b. All computer platforms c. All business units d. Both internal and external users

d. The focus of a computer security incident handling capability may be external as well as internal. An incident that affects an organization may also affect its trading partners, contractors, or clients. In addition, an organization's computer security incident handling capability may help other organizations and, therefore, help protect the industry as a whole.

Ping-of-death is an example of which of the following? a. Keyboard attack b. Stream attack c. Piggyback attack d. Buffer overflow attack

d. The ping-of-death is an example of buffer overflow attack, a part of a denial-of-service attack, where large packets are sent to overfill the system buffers, causing the system to reboot or crash. A keyboard attack is a resource starvation attack in that it consumes system resources (for example, CPU utilization and memory), depriving legitimate users. A stream attack sends TCP packets to a series of ports with random sequence numbers and random source IP addresses, resulting in high CPU usage. In a piggybacking attack, an intruder can gain unauthorized access to a system by using a valid user's connection.

Which of the following is not a primary benefit of an incident handling capability? a. Containing the damage b. Repairing the damage c. Preventing the damage d. Preparing for the damage

d. The primary benefits of an incident handling capability are containing and repairing damage from incidents and preventing future damage. Preparing for the damage is a secondary and side benefit.

Indicate the correct sequence in which primary questions must be addressed when an organization is determined to do a security review for fraud. 1. How vulnerable is the organization? 2. How can the organization detect fraud? 3. How would someone go about defrauding the organization? 4. What does the organization have that someone would want to defraud? a. 1, 2, 3, and 4 b. 3, 4, 2, and 1 c. 2, 4, 1, and 3 d. 4, 3, 1, and 2

d. The question is asking for the correct sequence of activities that should take place when reviewing for fraud. The organization should have something of value to others. Detection of fraud is least important; prevention is most important.

The use of a no-trespassing warning banner at a computer system's initial logon screen is an example of which of the following? a. Correction tactic b. Detection tactic c. Compensating tactic d. Deterrence tactic

d. The use of no-trespassing warning banners on initial logon screens is a deterrent tactic to scare system intruders and to provide legal evidence. The other three choices come after the deterrence tactic.

Regarding a patch management program, which of the following benefits confirm that the remediations have been conducted appropriately? 1. Avoiding an unstable website 2. Avoiding an unusable website 3. Avoiding a security incident 4. Avoiding unplanned downtime a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. There are understandable benefits in confirming that the remediations have been conducted appropriately, possibly avoiding a security incident or unplanned downtime. Central system administrators can send remediation information on a disk to local administrators as a safe alternative to an e-mail list if the network or the website is unstable or unusable.

All the following can increase an information system's resilience except: a. A system achieves a secure initial state. b. A system reaches a secure failure state after failure. c. A system's recovery procedures take the system to a known secure state after failure. d. All of a system's identified vulnerabilities are fixed.

d. There are vulnerabilities in a system that cannot be fixed, those that have not yet been fixed, those that are not known, and those that are not practical to fix due to operational constraints. Therefore, a statement that "all of a system's identified vulnerabilities are fixed" is not correct. The other three choices can increase a system's resilience.

An effective relationship between risk level and internal control level is which of the following? a. Low risk and strong controls b. High risk and weak controls c. Medium risk and weak controls d. High risk and strong controls

d. There is a direct relationship between the risk level and the control level. That is, highrisk situations require stronger controls, low-risk situations require weaker controls, and medium-risk situations require medium controls. A control is defined as the policies, practices, and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events would be prevented or detected and corrected. Controls should facilitate accomplishment of an organization's objectives.

A user's session auditing activities are performed in consultation with which of the following? a. Internal legal counsel and internal audit b. Consultants and contractors c. Public affairs or media relations d. External law enforcement authorities and previous court cases

a. An information system should provide the capability to capture/record, log, and view all the content related to a user's session in real time. Session auditing activities are developed, integrated, and used with internal legal counsel and internal audit departments. This is because these auditing activities can have legal and audit implications. Consultants and contractors should not be contacted at all. It is too early to talk to the public affairs or media relations within the organization. External law enforcement authorities should be contacted only after the session auditing work is completed and only after there is a discovery of high-risk incidents.

Audit trails are least useful to which of the following? a. Training b. Deterrence c. Detection d. Prosecution

a. Audit trails are useful in detecting unauthorized and illegal activities. They also act as a deterrent and aid in prosecution of transgressors. They are least useful in training because audit trails are recorded after the fact. They show what was done, when, and by whom.

System reliability controls for hardware include which of the following? a. Mechanisms to decrease mean time to repair and to increase mean time between failures b. Redundant computer hardware c. Backup computer facilities d. Contingency plans

a. Mean time to repair (MTTR) is the amount of time it takes to resume normal operation. It is expressed in minutes or hours taken to repair computer equipment. The smaller the MTTR for hardware, the more reliable it is. Mean time between failures (MTBF) is the average length of time the hardware is functional. MTBF is expressed as the average number of hours or days between failures. The larger the MTBF for hardware, the more reliable it is. Redundant computer hardware and backup computer facilities are incorrect because they are examples of system availability controls. They also address contingencies in case of a computer disaster.

Regarding a patch management program, which of the following is an example of vulnerability? a. Misconfigurations b. Rootkits c. Trojan horses d. Exploits

a. Misconfiguration vulnerabilities cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies such as gaining greater access or permission than is authorized on a computer. Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network. Threats usually take the form of exploit scripts, worms, viruses, rootkits, Trojan horses, and other exploits.

Denial-of-service attacks can be prevented by which of the following? a. Redundancy b. Isolation c. Policies d. Procedures

a. Redundancy in data and/or equipment can be designed so that service cannot be removed or denied. Isolation is just the opposite of redundancy. Policies and procedures are not effective against denial-of-service (DoS) attacks because they are examples of management controls. DoS requires technical controls such as redundancy.

Which of the following go hand-in-hand? a. Zero-day warez and content delivery networks b. Zero-day warez and ad-hoc networks c. Zero-day warez and wireless sensor networks d. Zero-day warez and converged networks

a. Zero-day warez (negative day or zero-day) refers to software, games, music, or movies (media) unlawfully released or obtained on the day of public release. An internal employee of a content delivery company or an external hacker obtains illegal copies on the day of the official release. Content delivery networks distribute such media from the content owner. The other three networks do not distribute such media. Bluetooth mobile devices use ad-hoc networks, wireless sensor networks monitor security of a building perimeter and environmental status in a building (temperature and humidity), and converged networks combine two different networks such as voice and data.

What does an effective backup method for handling large volumes of data in a localarea- network environment include? a. Backing up at the workstation b. Backing up at the file server c. Using faster network connection d. Using RAID technology

b. Backing up at the file server is effective for a local-area network due to its greater storage capacity. Backing up at the workstation lacks storage capacity, and redundant array of independent disks (RAID) technology is mostly used for the mainframe. Using faster network connection increases the speed but not backup.

The major reason for retaining older versions of baseline configuration is to support: a. Roll forward b. Rollback c. Restart d. Restore

b. A rollback is restoring a database from one point in time to an earlier point. A roll forward is restoring the database from a point in time when it is known to be correct to a later time. A restart is the resumption of the execution of a computer system using the data recorded at a checkpoint. A restore is the process of retrieving a dataset migrated to offline storage and restoring it to online storage.

Which of the following responds to security incidents on an emergency basis? a. Tiger team b. White team c. Red team d. Blue team

b. A white team is an internal team that initiates actions to respond to security incidents on an emergency basis. Both the red team and blue team perform penetration testing of a system, and the tiger team is an old name for the red team.

Network reliability is increased most with which of the following? a. Alternative cable b. Alternative network carrier c. Alternative supplies d. Alternative controllers

b. An alternative network carrier as a backup provides the highest reliability. If the primary carrier goes down, the backup can still work. The other three choices do provide some reliability, but not the ultimate reliability as with the alternative network carrier.

Auditing an information system is not reliable under which of the following situations? a. When audit records are stored on hardware-enforced, write-once media b. When the user being audited has privileged access c. When the audit activity is performed on a separate system d. When the audit-related privileges are separated from nonaudit privileges

b. Auditing an information system is not reliable when performed by the system to which the user being audited has privileged access. This is because the privileged user can inhibit the auditing activity or modify the audit records. The other three choices are control enhancements that reduce the risk of audit compromises by the privileged user.

Regarding configuration change management, organizations should analyze new software in which of the following libraries before installation? a. Development library b. Test library c. Quarantine library d. Operational library

b. Organizations should analyze new software in a separate test library before installation in an operational environment. They should look for security impacts due to software flaws, security weaknesses, data incompatibility, or intentional malice in the test library. The development library is used solely for new development work or maintenance work. Some organizations use a quarantine library, as an intermediate library, before moving the software into operational library. The operational library is where the new software resides for day-today use.

Which of the following is not totally possible from a security control viewpoint? a. Detection b. Prevention c. Correction d. Recovery

b. Prevention is totally impossible because of its high cost and technical limitations. Under these conditions, detection becomes more important, which could be cheaper than prevention; although, not all attacks can be detected in time. Both correction and recovery come after prevention or detection.

Smurf is an example of which of the following? a. IP address spoofing attack b. Denial-of-service attack c. Redirect attack d. TCP sequence number attack

b. Smurf attacks use a network that accepts broadcast ping packets to flood the target computer with ping reply packets. The goal of a smurf attack is to deny service. Internet Protocol (IP) address spoofing attack and transmission control protocol (TCP) sequence number attack are examples of session hijacking attacks. The IP address spoofing is falsifying the identity of a computer system. In a redirect attack, a hacker redirects the TCP stream through the hacker's computer. The TCP sequence number attack is a prediction of the sequence number needed to carry out an unauthorized handshake.

Audit trails establish which of the following information security objectives? a. Confidentiality b. Integrity c. Accountability d. Availability

c. Accountability is the existence of a record that permits the identification of an individual who performed some specific activity so that responsibility for that activity can be established through audit trails. Audit trails do not establish the other three choices.

When executed incorrectly, which of the following nonlocal maintenance and diagnostic activities can expose an organization to potential risks? a. Using strong authenticators b. Separating the maintenance sessions from other network sessions c. Performing remote disconnect verification feature d. Using physically separated communications paths

c. An organization should employ remote disconnect verification feature at the termination of nonlocal maintenance and diagnostic sessions. If this feature is unchecked or performed incorrectly, this can increase the potential risk of introducing malicious software or intrusions due to open ports and protocols. The other three choices do not increase risk exposure. Nonlocal maintenance work is conducted through either an external network (mostly through the Internet) or an internal network.

All the following have redundancy built in except: a. Fast Ethernet b. Fiber distributed data interface c. Normal Ethernet d. Synchronous optical network

c. Normal Ethernet does not have a built-in redundancy. Fast Ethernet has built-in redundancy with redundant cabling for file servers and network switches. Fiber distributed data interface (FDDI) offers an optional bypass switch at each node for addressing failures. Synchronous optical network (SONET) is inherently redundant and fault tolerant by design.

Software quality is not measured by: a. Defect levels b. Customer satisfaction c. Time-to-design d. Continuous process improvement

c. Quality is more than just defect levels. It should include customer satisfaction, time-tomarket, and a culture committed to continuous process improvement. Time-to-design is not a complete answer because it is a part of time-to-market, where the latter is defined as the total time required for planning, designing, developing, and delivering a product. It is the total time from concept to delivery. These software quality values lead to quality education, process assessments, and customer satisfaction.

Which of the following is often overlooked in building redundancy? a. Disks b. Processors c. Electrical power d. Controllers

c. Redundant electric power and cooling is an important but often overlooked part of a contingency plan. Network administrators usually plan for backup disks, processors, controllers, and system boards.

Which of the following software quality characteristics is difficult to define and test? a. Functionality b. Reliability c. Usability d. Efficiency

c. Usability is a set of attributes that bear on the effort needed for use, and on the individual assessment of such use, by a stated or implied set of users. In a way, usability means understandability and ease of use. Because of its subjective nature, varying from person to person, it is hard to define and test. Functionality is incorrect because it can easily be defined and tested. It is a set of attributes that bear on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Reliability is incorrect because it can easily be defined and tested. It is the ability of a component to perform its required functions under stated conditions for a specified period of time. Efficiency is incorrect because it can easily be defined and tested. It is the degree to which a component performs its designated functions with minimum consumption of resources.

Which of the following information system component inventory is difficult to monitor? a. Hardware specifications b. Software license information c. Virtual machines d. Network devices

c. Virtual machines can be difficult to monitor because they are not visible to the network when not in use. The other three choices are easy to monitor.

In redundant array of independent disks (RAID) technology, which of the following RAID level does not require a hot spare drive or disk? a. RAID3 b. RAID4 c. RAID5 d. RAID6

d. A hot spare drive is a physical drive resident on the disk array which is active and connected but inactive until an active drive fails. Then the system automatically replaces the failed drive with the spare drive and rebuilds the disk array. A hot spare is a hot standby providing a failover mechanism. The RAID levels from 3 to 5 have only one disk of redundancy and because of this a second failure would cause complete failure of the disk array. On the other hand, the RAID6 level has two disks of redundancy, providing a greater protection against simultaneous failures. Hence, RAID6 level does not need a hot spare drive whereas the RAID 3 to 5 levels need a shot spare drive. The RAID6 level without a spare uses the same number of drives (i.e., 4 + 0 spare) as RAID3 to RAID 5 levels with a hot spare (i.e., 3 + 1 spare) thus protecting data against simultaneous failures. Note that a hot spare can be shared by multiple RAID sets. On the other hand, a cold spare drive or disk is not resident on the disk array and not connected with the system. A cold spare requires a hot swap, which is a physical (manual) replacement of the failed disk with a new disk done by the computer operator.

Effective configuration change controls for hardware, software, and firmware include: 1. Auditing the enforcement actions 2. Preventing the installation of software without a signed certificate 3. Enforcing the two-person rule for changes to systems 4. Limiting the system developer/integrator privileges a. 1 only b. 3 only c. 2 and 4 d. 1, 2, 3, and 4

d. All four items are effective in managing configuration changes to hardware, software, and firmware components of a system.

Which of the following is not a part of implementation of incident response support resources in an organization? a. Help desk b. Assistance group c. Forensics services d. Simulated events

d. An organization incorporates simulated events into incident response training to facilitate effective response by individuals in crisis situations. The other three choices are possible implementations of incident response support resources in an organization.

Regarding incident handling, which of the following deceptive measures is used during incidents to represent a honeypot? a. False data flows b. False status measures c. False state indicators d. False production systems

d. Honeypot is a fake (false) production system and acts as a decoy to study how attackers do their work. The other three choices are also acceptable deceptive measures, but they do not use honeypots. False data flows include made up (fake) data, not real data. System-status measures include active or inactive parameters. System-state indicators include startup, restart, shutdown, and abort.

Which of the following is the most common type of redundancy? a. Cable backup b. Server backup c. Router backup d. Data backup

d. In general, redundancy means having extra, duplicate elements to compensate for any malfunctions or emergencies that could occur during normal, day-to-day operations. The most common type of redundancy is the data backup, although the concept is often applied to cabling, server hardware, and network connectivity devices such as routers and switches.

Countermeasures applied when inappropriate and/or unauthorized modifications have occurred to security functions include: 1. Reversing the change 2. Halting the system 3. Triggering an audit alert 4. Reviewing the records of change a. 1 only b. 2 only c. 3 only d. 1, 2, 3, and 4

d. Safeguards and countermeasures (controls) applied when inappropriate and/or unauthorized modifications have occurred to security functions and mechanisms include reversing the change, halting the system, triggering an audit alert, and reviewing the records of change. These countermeasures would reduce the risk to an information system.

Regarding incident handling, dynamic reconfiguration does not include changes to which of the following? a. Router rules b. Access control lists c. Filter rules d. Software libraries

d. Software libraries are part of access restrictions for change so changes are controlled. Dynamic reconfiguration (i.e., changes on-the-fly) can include changes to router rules, access control lists, intrusion detection and prevention systems (IDPS) parameters, and filter rules for firewalls and gateways.

The IT operations management of KPT Corporation is concerned about the reliability and availability data for its four major, mission-critical information systems that are used by business end-users. The KPT corporate management's goal is to improve the reliability and availability of these four systems in order to increase customer satisfaction both internally and externally. The IT operations management collected the following data on percent reliability. Assume 365 operating days per year and 24 hours per day for all these systems. The IT operations management thinks that system reliability is important in providing quality of service to end-users. System Reliability 1 99.50 2 97.50 3 98.25 4 95.25 Which of the following systems has the highest downtime in a year expressed in hours and rounded up? a. System 1 b. System 2 c. System 3 d. System 4

d. The system 4 has the highest downtime in hours. Theoretically speaking, the higher the reliability of a system, the lower its downtime (including scheduled maintenance), and higher the availability of that system, and vice versa. In fact, this question does not require any calculations to perform because one can find out the correct answer just by looking at the reliability data given in that the lower the reliability, the higher the downtime, and vice versa. Calculations for System 1 are shown below and calculations for other systems follow the System 1 calculations. Downtime = (Total hours) × [(100 - Reliability%)/100] = 8,760 × 0.005 = 44 hours Availability for System 1 = [(Total time - Downtime)/Total time] × 100 = [(8,760 - 44)/8,760] × 100 = 99.50% Check: Availability for System 1 = [Uptime/(Uptime + Downtime)] × 100 = (8,716/8,760) ×

Regarding software installation, "All software is checked against a list approved by the organization" refers to which of the following? a. Blacklisting b. Black-box testing c. White-box testing d. Whitelisting

d. Whitelisting is a method to control the installation of software to ensure that all software is checked against a list approved by the organization. It is a quality control check and is a part of software configuration activity. An example of blacklisting is creating a list of electronicmail senders who have previously sent spam to a user. Black-box testing is a functional analysis of a system, whereas white-box testing is a structural analysis of a system.