CISSP Security Operations


A CCTV system is an example of a preventive control. A. True B. False

(A) A CCTV system can help prevent problems because individuals may see they are being recorded. A CCTV can also be used as a detective control.

Which RAID configuration has a single point of failure? A. RAID 0 B. RAID 1 C. RAID 5 D. RAID 10

(A) A RAID 0 involves data striping only; there is no redundancy. RAID 1 is mirroring. RAID 5 uses interleaved parity, where the parity is written to all drives. RAID 10 is a combination of RAID 0 and RAID 1 and can recover from multiple drive failures.

Which of the following is the best example of a recovery administrative control? A. Disaster recovery plan B. Rebuilding after a disaster C. Supervision D. IDS

(A) A disaster recovery plan is an example of an administrative recovery control. Answer B is an example of a physical recovery control. Answer C is an example of a compensating administrative control. Answer D is an example of a technical detective control.

Dot.Com Investment, Inc., has decided that its policies need to ensure that no one person can act alone to make a financial distribution or disbursement of funds. Which of the following has the company implemented? A. Separation of duties B. Job rotation C. Mandatory vacations D. Job classification

(A) Separation of duties is the principle that one person acting alone should not be able to compromise an organization's security in any way. Job rotation and mandatory vacations are two ways in which this principle can be enforced.

A maintenance hook is found during a parallel test of your new product. The programming team is small, and the programmer is available and can quickly take out the maintenance hook so that testing can continue. What action should you take? A. Permit the code change, and then update the change control documentation as soon as possible. B. Delay the modification until the change control documentation can be submitted, processed, and approved. C. Permit the code change. Because the product has not yet been released to production, change control has not been initiated. D. Prevent any changes, because the maintenance hook will be a feature of the new product.

(A) A maintenance hook is a backdoor into an application that is sometimes used during the development process. These hooks need to be removed before a product is released. A parallel test is performed on a product that is deemed ready to release. This hook needs to be removed as soon as possible, and then the change control documentation needs to be completed to record the change in the software's operation.

A smurf attack uses ICMP and forged ping traffic. A. True B. False

(A) A smurf attack works by sending a spoofed ping to all hosts on a network. The reply is spoofed to the victim, and the victim is flooded with ICMP ping traffic.

A team is performing a penetration test for your company. You have concerns as you review the penetration test company's insurance. A coworker tells you that someone was injured when an automated navigation system failed during what turned out to be a test on a system that was not supposed to be part of the security assessment. What document was not defined and understood that could have prevented this problem? A. Rules of engagement B. Insurance requirements C. Work proposal D. Capability reports

(A) Before a penetration test is performed, several things are of great importance. One is that a signed agreement should be in place before any testing begins. Second, this agreement should very clearly lay out the rules of engagement. The rules of engagement should address what tests are to be performed, what systems are to be tested, and what are acceptable test techniques. Anytime a penetration test is performed, there is always the risk that something can go wrong, but controls can be put in place to mitigate such risks. OSSTMM is a good example of a penetration test methodology. See http://www.isecom.org/research/osstmm.html.

Which of the following best describes configuration management? A. The process of controlling modifications to system hardware or software B. Documented actions for items such as emergency response and backup operations C. Maintaining essential information system services after a major outage D. The process of backing up, copying, and storing critical information

(A) Configuration management is the process of controlling modifications to system hardware or software. Its goal is to maintain control of system processes and to protect against improper modification.

Which type of protection control is used to reduce risks associated with attacks? A. Corrective B. Recovery C. Response D. Deterrent

(A) Corrective controls are a type of protection control used to reduce or eliminate risks associated with attacks.

During a penetration test, you discover a vulnerability on dynamically generated web pages that allows attackers to input malicious script into the page by hiding it within legitimate requests. What is the name of this exploit? A. Cross-site scripting B. SQL injection C. LDAP injection D. Buffer overflow

(A) Cross-site scripting (XSS) occurs when dynamic websites rely on user input; a malicious user can then input malicious script into the page by hiding it within legitimate requests. Commonly exploited input points include search engine boxes, online forums, and blogs. Answers B, C, and D do not describe an XSS attack.

A trusted recovery solution requires proactive work. What are the primary components? A. Failure preparation and system recovery B. Failure preparation and system backup C. Backup, recovery, and repair D. Failure preparation and failure detection

(A) Failure preparation and system recovery are the two main components of trusted recovery. Failure preparation means that adequate backups have been created and are also periodically tested. System recovery is the act of restoration.

The big advantage of IMAP over SMTP is that it lets users read messages without automatically downloading them to their systems. A. True B. False

(A) IMAP lets users read their messages without automatically downloading them to their systems. POP does not offer that ability. POP can create real problems for mobile users because all their mail ends up being downloaded onto a single device - a laptop, desktop, or mobile device.

While SMTP is the protocol of choice for sending email, two other popular protocols can be used to receive email. By default, what port numbers are used for POP3 and IMAP? A. 110, 143 B. 110, 25 C. 443, 111 D. 134, 110

(A) POP3 uses TCP port 110, and IMAP uses TCP port 143.

Which of the following is an example of a directive control? A. Policies B. Data validation C. Job rotation D. Fault-tolerant systems

(A) Policies, standards, guidelines, procedures, and regulations are all examples of directive controls.

Which RAID level indicates just striping across multiple disks at a byte level? A. 0 B. 1 C. 2 D. 3

(A) RAID (redundant array of independent disks) is a technology that employs two or more drives in combination for fault tolerance and performance. Striping improves performance but does not provide fault tolerance. The more common levels of RAID are as follows:
0: Striping
1: Mirroring
2: Hamming code parity
3: Byte-level parity
4: Block-level parity
5: Interleave parity
7: Single virtual disk
10: Striping and mirroring combined

RAID 1 is the most expensive per megabyte. A. True B. False

(A) RAID 1 is the most expensive per byte of data because data is written to two drives, each an exact copy of the other.

Omar has installed a root kit on a networked Linux computer. What is its purpose? A. To serve as a backdoor B. For administrative control C. For penetration testing D. For vulnerability mapping

(A) Root kits are additional programs that may take the place of legitimate programs (such as ls, cat, and pwd in UNIX and Linux). They can give attackers unauthenticated access. After one of these programs has been installed, the attacker can return to the computer later and access it without providing login credentials or without going through any type of authentication process.

Danny has been investigating the purchase of a new operations security software package. One vendor asked him about clipping levels. What are clipping levels used for? A. To reduce the amount of data to be evaluated B. To set password length and maximum age C. To set local and remote login attempts D. To configure SNMP traps

(A) Setting clipping levels refers to determining the trip point at which activity is logged or flagged. For example, a clipping level of three failed remote login attempts may be set before the failed login attempt is recorded as a violation. This also prevents brute-force attacks. This reduces the amount of data to be evaluated and makes it easier to search for true anomalies.

Troy is concerned about an existing connection being taken over. He has been reading about a person or process pretending to be another person or process. What is this called? A. Spoofing B. Sniffing C. Hijacking D. Trojan

(A) Spoofing is the act of one person or process pretending to be another person or process. Sniffing is to passively intercept data. Hijacking is taking over an existing connection. In a hijacking attack, the attacker is waiting for the victim to connect to a service, and then the attacker takes control. A Trojan is a piece of software that appears to be legitimate, but is not, and it contains malicious code.

Alice is concerned about keeping the network free of computer viruses. Without implementing new technical controls, which of the following is one of the most effective means to prevent the spread of viruses? A. Employee training B. Network design C. Advise users to respond to spam, requesting that their addresses no longer be used or solicited D. Egress filtering

(A) The most effective nontechnical control of computer viruses is through employee education. Advising users to respond to spam not only will increase the amount of mail received, but also could increase their risk of infection from computer viruses.

An access-control matrix can be used to associate permissions of a subject to an object. Permissions can be tied to a lattice of control. If the lattice of control for Cindy and Bob is read and read/write, which of the following is true?

Subject   Procedure A   File X       File Y
Cindy     No access     Execute      No access
Bob       No access     Read         No access
Alice     Read          Read/write   No access

A. Bob will be able to read File X. B. Bob has full control of File X. C. Bob cannot access File X. D. Alice has full access on File Y.

(A) Under the rules of the lattice of control, the subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object. A lattice is an upper and lower bound of access. Answers B and C are incorrect, because full control and no access fall outside the bounds of the lattice (read and read/write). Answer D is incorrect, because Alice has no access to File Y.

The authentication control module has just been reset to trigger an alert to the administrator after only three failed login attempts. What is this an example of? A. A physical control B. A clipping level C. An IDS sensor D. A security control

(B) A clipping level is a threshold of activity and as such must be exceeded before an alarm or alert is set. It is designed to separate events from incidents. Someone attempting to log in and failing one time is an event. Someone trying to log in 50 times at midnight and failing is an incident. A clipping level is an example of a technical control, not a physical control. An IDS sensor is used to capture events for an IDS. Capturing failed logins is a security control, but this is not the most complete answer.

Job rotation is performed primarily to prevent burnout in employees. A. True B. False

(B) Although keeping employees happy is always important, job rotation is primarily performed to ensure that more than one person can perform a job and uncover fraudulent activities.

James works for a software development company. He is worried about the reassignment of magnetic media that may contain sensitive information. Which of the following is the best solution for media reassignment? A. Formatting B. Degaussing C. Delete *.* D. Security guidelines

(B) Although setting up guidelines, deleting, and formatting data are good starting points for ensuring the removal of sensitive data, the best solution is degaussing the media.

Organizations should allow mail relaying so that mail can be forwarded to the proper end user. A. True B. False

(B) Although the name may sound like something that the company would want to allow, this is not the case. Mail relaying allows someone from outside the organization to send mail through the company's email system. Spammers use this technique to hide their true address, and the relaying mail server then suffers the blocks that result from appearing to be the source of the spam.

Your organization has set up an email relay agent that does not require authentication. What is the result of this action? A. Your company is more secure against email spam and spoofing. B. Third parties can relay email through your email server. C. Users at home can read their work email. D. Email can be used in the organization's VPN.

(B) An email relay means that third parties can relay email through your email server. This is considered an undesirable situation because malicious individuals may attempt to use your company to forward their spam. Answer A is incorrect because the company is now less secure, not more secure. Answer C is incorrect because this has nothing to do with users reading their work email at home. Answer D is incorrect because a mail relay is not related to a VPN.

Which new method of clearing a hard drive provides the greatest level of assurance that previously stored data is irretrievable? A. Zeroing method B. Gutmann method C. Wiping method D. All of the above provide the same level of assurance

(B) Answers A, B, and C are all techniques for clearing a drive. The correct answer is the Gutmann Method. Neither zeroing (writing all 0s to the drive) nor wiping suggests a number of repeat passes. Although the Gutmann method (35 wipes) is considered excessive with today's technology even by Peter Gutmann ("Data Remanence in Semiconductor Devices"), it would provide greater assurance than a single pass with 0s or a wipe. The Department of Defense discusses different requirements for secure wiping of media in DoD 5220.22.

Modern organizations need the ability to track assets, control change, and manage risk. Which of the following is least likely to have to go through the change-management process? A. An update to the disaster recovery plan B. Antivirus update C. An upgrade of the PBX to a VoIP system D. Production code update

(B) An antivirus update would be the least likely to require a review by change management. Answers A, C, and D are incorrect because changes to the recovery plan, upgrading a PBX, and changes to production code are all items that would normally require change-management review.

Which of the following will system auditing most likely cause? A. Available bandwidth will increase, because all processing is taking place internally. B. Depending on what and how much auditing is being performed, system performance may degrade. C. System performance may actually increase as logged items are processed in parallel with normal activities. D. Available bandwidth will decrease because all logged items are being processed over the network.

(B) Auditing can cause a decrease in system performance because of the amount of system resources being used. Logged items may or may not be logged remotely. If so, additional bandwidth would be used, but system performance would still be affected.

Widget, Inc., is preparing to implement auditing. To meet this goal, Elaine has been asked to review all company security policies and examine the types of normal activity on the network. What has she been asked to do? A. Look for vulnerabilities B. Develop a baseline C. Determine network utilization D. Search for security violations

(B) Before you can determine what inappropriate activity is, you must determine what is appropriate. This process is known as baselining, and it involves the following two tasks:
Analysis of company policy: This helps determine what constitutes a potential security incident or event within your organization.
Examination of current network and system activity: Reviewing audit logs gives you a better understanding of normal usage patterns and what should and should not be happening.

Your consulting firm has been asked to help a medium-sized firm secure its servers and domain controllers. Which of the following is not a requirement for a secure computing room? A. Controlled access B. Dropped ceilings C. Raised floors D. Log files or CCTV to verify who enters or leaves the room

(B) Controlled access, log files, and raised floors are just a few of the items that should be built into a secure computing room. It should not have dropped ceilings or hollow-core doors, because these items make it easier for attackers to bypass operations security.

Data center doors should not have which characteristic? A. Solid-core construction B. Hinges on the outside C. Keypad locks D. Hinges on the inside

(B) Data center doors should not be hinged to the outside, because anyone could remove the hinge pins and gain easy access.

What term describes information that may remain on computer media after it has been erased? A. Shadowing B. Data remanence C. Mirroring D. Ghosting

(B) Data remanence is information that may remain on computer media after it has been erased. Mirroring refers to RAID, ghosting relates to the duplication of drives, and shadowing is a distracter.

Which method of data erasure magnetically scrambles the patterns on a hard drive so that it is unrecoverable? A. Zeroization B. Degaussing C. Shredding D. Drive wiping

(B) Degaussing is a method of magnetically scrambling the patterns on a hard drive so that they are unrecoverable. Degaussing, which can be performed by either AC or DC current, creates a large magnetic field. The result is that the information is practically unrecoverable. Zeroization works by zeroing all data on the drive. The pattern of 1s and 0s used makes it very difficult to recover the data. Shredding is a form of physical destruction. As such, it is impossible to recover the information. High-security information stored on disk drives usually is destroyed using this method. Drive wiping is similar to zeroization in that a pattern of 1s and 0s is written to the drive. These passes of 1s and 0s may be done three times, seven times, or more.

Brad uses Telnet to connect to several open ports on a victim computer and capture the banner information. What is the purpose of his activity? A. Scanning B. Fingerprinting C. Attempting a DoS D. Privilege escalation

(B) Fingerprinting is the act of service and OS identification. Fingerprinting allows an attacker to formulate a plan of system attack. Scanning is the act of identifying open ports. DoS is a denial of service. Privilege escalation requires an active connection or system access.

Which of the following best describes changes to hacking tools over the last few years? A. Hacking tools require less technical skill to use. B. Hacking tools are more advanced and require less skill. C. Hacking tools are more advanced but require that the user understand computer languages and how to compile code. D. Hacking tools are becoming more advanced.

(B) Hacking tools are changing. The last several years have seen a great increase in the number of hacking tools, and the tools themselves have become much more sophisticated and capable. Most of these, such as Metasploit, are easy to use and require very limited technical skills.

Albert's new position includes responsibility for the day-to-day security of the network. The previous employee who held this job configured the network to be default open. Now, Albert has decided that he should go through critical systems, reload the OS, and verify that unneeded programs and services are not installed. What is Albert doing? A. Vulnerability scanning B. Hardening C. Bastioning D. Configuring the devices to the principle of full privilege

(B) Hardening is the process of identifying what a specific machine will be used for and removing or disabling all system components, programs, and services that are not necessary for that function. This vastly increases the system's security.

Your CISSP study group has asked you to research IPL vulnerabilities. What does IPL stand for, and how is it used? A. Internet protocol loss, DoS B. Initial program load, startup C. Internet post lag, web-based vulnerability D. Initial process location, buffer overflows

(B) IPL (initial program load) signifies the start of a system. It is important because an operator may boot the device into a nonnetworked configuration or from a CD, a USB, or even a floppy disk to hijack or bypass normal security measures.

You are asked to work on a contract with a new client. Your company is concerned about security and wants to select a stronger encryption algorithm. What document needs to be modified to define the specifications for this new algorithm? A. Policies B. Standards C. Procedures D. Baselines

(B) In real life, it is likely that several of these documents may need to be modified. Standards are the document that requires immediate action. Policies are tied to basic requirements. Procedures are step-by-step instructions. Baselines define the acceptable risk levels.

Background checks are an important part of operations security. Which of the following groups should be carefully inspected? A. External vendors B. Cleaning crews C. Operators D. Temporary staff

(B) Individuals working on cleaning crews should be carefully inspected, because they typically have access to all areas of an organization's facility.

Which storage technology offers no increase in speed or fault tolerance but does allow someone to make use of older hard drives by combining them into one massive array? A. Redundant array of independent tapes (RAIT) B. Just a bunch of disks (JBOD) C. Massive array of inactive disks (MAID) D. Redundant array of inexpensive disks (RAID 1)

(B) JBOD offers little except the ability to reuse older disks by combining them into one massive drive. JBOD offers no speed improvements and no fault tolerance. Its only advantage is that if one drive dies, you lose only the data on that drive. RAIT can be compared to RAID, but it uses tape drives. MAID is kept inactive until it is used; it can be used for backup or other operations. RAID 1 is disk mirroring and offers fault tolerance.

Which type of operations security control gives the IS department enough time to audit an individual's activities and may deter him or her from performing prohibited acts? A. Terminations B. Mandatory vacations C. Background checks D. Change control management

(B) Mandatory vacations give the IS department enough time to audit an individual's activities and may deter that person from performing prohibited acts. The idea is that the employee will not be allowed to work or access the network while on vacation. Terminations usually are reserved as a last resort. Background checks help validate potential employees. Change control management is used to control hardware and software processes that are used in the production environment.

Jane is researching the distribution and spread of computer viruses. Which of the following is the most common means of transmitting computer viruses? A. Hacker programs B. Email C. Illegal software D. Peer-to-peer networks

(B) Most computer viruses are transmitted through email. According to experts at Panda Software, nearly 80% of computer virus infections come through email venues.

What do you call the activity of looking at responses to active probes to services such as ICMP and TCP to examine subtle changes in how the protocol stack has been implemented? A. OS fingerprinting B. Active OS fingerprinting C. Passive OS fingerprinting D. Scanning

(B) OS fingerprinting involves looking at responses to active probes to services such as ICMP and TCP to examine subtle changes in the ways in which the protocol stack has been implemented. Two types of fingerprinting exist. The most accurate answer is active, because traffic is being injected into the network and directed toward specific hosts. Passive fingerprinting simply listens to traffic, whereas port scanning looks for specific services running on a host.

You are hired by a small software firm to test its security systems and to look for potential ways to bypass authentication controls on Linux servers. You are asked to see whether it is possible to get root access on the Apache web server. What type of testing have you been hired to do? A. Vulnerability B. Penetration C. Scanning D. Mapping

(B) Penetration testing is the process of testing a network's defenses and attempting to bypass its security controls. The goal is to understand the organization's vulnerability to attack. These types of tests are performed with written consent of the network's owner and may be attempted by internal employees or external consultants. One good source for learning more about penetration testing is http://www.isecom.org/research/osstmm.html.

Your company decides to implement BYOD and allow individuals on your team to bring their own devices to work. Which of the following would be a top security concern? A. Connectivity B. Policy C. Antivirus requirement D. Network storage

(B) Policy is the most important item as there needs to be a specific policy that governs personal devices connected to the corporate network. Answers A, C, and D are incorrect because the policy would specify connectivity, antivirus protection, and shared network storage.

Which of the following best defines privileged functions? A. Activities performed by individuals in the security management group B. Activities that require an elevated level of access C. Activities that are performed in a secure setting D. Activities assigned to all security personnel

(B) Privileged functions are activities and duties that require special access or elevated levels of control within a trusted environment. Answer A is incorrect because not all activities performed by the security management group are privileged functions. Answer C is incorrect because privileged activities may not always be performed in a secure setting. Answer D is incorrect because just because someone is in the security management group does not mean he or she will perform privileged functions.

Purging is the term used to describe a system's RAM being cleared. A. True B. False

(B) Purging describes clearing hard drives, CDs, DVDs, and other media so that it is next to impossible to recover the information. Common methods used include drive wiping, degaussing, and physical destruction.

The server crashed overnight and rebooted itself. What is this type of recovery called? A. System cold start B. Emergency system restart C. System reboot D. System hard boot

(B) Rebooting after the system has failed is called an emergency system restart. A system cold start occurs when the computer is powered on (not a reboot). A system reboot occurs when the system is shut down gracefully and allowed to reboot. The phrase "system hard boot" is a distracter.

When discussing operation controls, which control is the best example of providing confidentiality protection? A. Rotation of duties B. Separation of duties C. Dual control D. Quality assurance

(B) Separation of duties requires two separate individuals to perform a task. Consider the last time you were at the grocery store and a cost override was needed at the cash register. Most likely the store manager was required to complete this activity; it could not be performed by the cashier. Answers A, C, and D are good controls, but they do not address confidentiality.

As network defenses become more robust, what attack methodology can best be used to supersede these barriers? A. Session hijacking B. Social engineering C. Web exploits D. Vulnerability tools

(B) Social engineering is an attacker's manipulation of individuals and the natural human tendency to trust. This art of deception is used to obtain information that will allow unauthorized access to networks, systems, or privileged information.

Attackers are always looking for ways to identify systems. One such method is to send a TCP SYN to a targeted port. What would an attacker expect to receive in response to indicate an open port? A. SYN B. SYN ACK C. ACK D. ACK FIN

(B) TCP is a connection-oriented protocol. As such, it attempts to complete a three-step handshake at the beginning of a communication session. The three steps are as follows:
SYN
SYN ACK
ACK

Which of the following best describes a contingency plan? A. The process of controlling modifications to system hardware or software B. Documented actions for items such as emergency response and backup operations C. Maintaining essential information system services after a major outage D. The process of backing up, copying, and storing critical information

(B) The goal of contingency planning is to document the required actions for items such as emergency response or backup operations. Its goal is to mitigate business risks due to a mission-critical functional failure caused by any internal or external means. None of the other items describes a contingency plan.

Which of the following represents an auditing best practice? A. Audit all successful events. B. Write the audit logs to a sequential access device. C. To prevent the loss of data, overwrite existing audit logs if they become full. D. Configure systems to shut down if the audit logs become full.

(B) The primary purpose of auditing is to hold individuals accountable for their actions. Hackers and other wrongdoers often attempt to cover their tracks by removing evidence of their activities from the audit log. This is why it is important to write the audit logs to a sequential access device. This could be a CD-ROM, DVD, tape drive, or even a line printer. This ensures that the evidence will be available for later review. Although auditing all successful events is possible, it would place an increased load on the system. Overwriting existing audit logs as they become full could erase valuable information. Configuring systems to shut down if the audit logs become full would allow the hacker or wrongdoer to stage a DoS attack. Loggable items should be chosen carefully.

In applications where data is regularly active, massive array of inactive disks (MAID) would be a good storage option. A. True B. False

(B) The real advantage of MAID is that it reduces power requirements and increases drive life in applications where the data is not accessed frequently.

Because your boss has been pleased with the progress you have made on the design on the new data center, he has given you additional responsibility for the fire-suppression system. Which of the following fire suppression systems does not leave water standing in a pipe and activates only when a fire is detected? A. Deluge B. Dry pipe C. Controlled D. Post-action

(B) There are four main types of fire suppression systems:
A wet pipe system, which is always full of water.
A dry pipe system, which contains compressed air. When a fire is sensed, the air escapes and the pipes fill with water, which is subsequently discharged into the area.
A deluge system, which uses large pipes and can significantly soak an area with a large volume of water.
A preaction system, which is a combination of a dry pipe and a wet pipe system.
There is no post-action type of fire suppression system.

Which of the following is a valid defense against Van Eck phreaking? A. Secure fax systems B. TEMPEST C. Performing social engineering training D. Securing PBX systems

(B) Van Eck phreaking is the practice of detecting EMI and wireless signals from CRTs and other electronic equipment with the objective of decoding and revealing the information. TEMPEST was the original technology used to try to deter this type of attack.

Clair tries to log in to her account three times. On the third attempt, she receives a message that the account has been suspended. Which of the following best describes what has occurred? A. Clair has been reported for a security violation. B. Clair passed the clipping level. C. Clair attempted to access a privileged control. D. Clair is forgetful.

(B) When Clair attempted to log in to her account three times and failed, she reached the clipping level. This caused her account to be suspended. A clipping level is just one of the operation controls an organization can use. Others include mandatory vacations, rotation of duties, and dual controls.

When a double-blind penetration test is performed, the assessment team members know all the details of the network, and the organization does not know the security assessment is being performed. A. True B. False

(B) When a double-blind assessment is performed, the insiders do not know the time or place of the penetration test. The team performing the assessment has only basic knowledge of the network, such as an IP address range.

What type of attack uses a number of computers with different network addresses to target and exhaust all the available ports of an organization's web servers? A. Spoofing B. Denial of service C. Distributed denial of service D. Mail bombing

(C) A distributed denial of service uses two or more compromised computers to target and disable a victim's availability. Spoofing is the act of pretending to be a person or process. A denial of service originates from one computer. A mail bomb is used to fill up a victim's email account.

The attacker waits until his victim establishes a connection to the organization's FTP server. Then, he executes a program that allows him to take over the established session. What type of attack has taken place? A. Password attack B. Spoofing C. Session hijack D. ARP redirection

(C) A session hijack is the process of taking over an established legitimate session. This type of attack gives an attacker an authenticated connection into a network.

Contingency management does not include which of the following? A. Maintaining continuity of operations B. Establishing actions to be taken after an incident C. Performing verification of IDSs D. Ensuring the availability of critical systems

(C) Although IDSs can help you detect security breaches, they are not part of contingency management. Contingency management includes establishing actions to be taken before, during, and after an incident; verifying documentation and test procedures; and ensuring the availability of critical systems.

Potential employees typically should not have which of the following performed? A. Background checks B. Reference checks C. Credit status checks D. Education claim checks

(C) Background checks, reference checks, and education claim checks are three items that should be verified. Depending on the job, verifying credit status could be considered out of bounds.

Albert is continuing his process of OS hardening. Because he usually does not work with Linux, he comes to you with a question: On Windows machines you find network "services" running. What are such network applications called in Linux? What do you tell him? A. Services B. Applets C. Daemons D. PIDs

(C) Daemons are processes or applications that run on UNIX or Linux computer systems that provide network services. A network application in the Windows world is called a service. An applet is a program designed to be executed from within another application. A PID is a process ID. Even though these concepts might not be covered on the exam, they still are important for you to understand.

You are asked to develop the air-conditioning system for the new data center. Which of the following is the optimum design? A. Negative ventilation B. Ionized ventilation C. Positive ventilation D. Neutral ventilation

(C) Data centers should be positively ventilated by design. This means that the positive pressure acts as an effective means of ensuring that contaminants do not enter the room through small cracks or openings. This design pushes air outward toward doorways and other access points within the room. The idea is to keep harmful contaminants away from sensitive equipment. When more than one server room is used, the most critical should be the most highly pressurized.

Who would you recommend to your company as someone who can perform penetration testing? A. Script kiddie B. Cracker C. Hacker D. Pharmer

(C) Ethical hackers are trained security professionals who can look for weaknesses in your IT structure. Script kiddies are people who play with downloadable free tools. They often can cause more damage than benefit from their testing. A cracker is a malicious hacker. Pharmer is a distracter.

Which of the following best describes grid computing? A. Grid computers have a high level of trust. B. It is a fault-tolerant technology similar to redundant servers that features central control. C. It features a distributed control mechanism. D. It is well suited for applications that require secrecy.

(C) Grid computing is similar to clustering but is not the same. Clustering offers a high level of trust, centralized control, and a fault-tolerant technology. Grid computing does not have centralized control; systems can come and go as they please. They can be added on an as-needed basis and could be systems that are used for other purposes. SETI@home is an example. Because of this, grid computing should not be used for highly sensitive projects, because the information may be exposed.

Which of the following does JBOD not provide? A. Reuse of existing drives B. Large logical drives C. Fault tolerance D. Loss of only the data on a failed drive

(C) JBOD (Just a Bunch of Disks) does not provide redundancy or fault tolerance. It does allow for reuse of existing drives and larger logical drives. If a failure of one drive occurs, only data on that drive is lost.

During orientation training at your new company, you ask if you are allowed to sell your vacation time back to the company. You are informed that not only must you take your vacation, but you also must take it in one block, and that other employees are already trained to rotate in and assume your job during your absence. Why would the company refuse to buy back your vacation? A. To ensure survival. A company is weakened if it relies too heavily on one employee. B. To receive industry certification. When employees have multiple skill sets, a company can be certified under ISO 27001:2005. C. To minimize fraud. Fraudulent activities can more easily be detected when employees are rotated periodically. D. To lower healthcare costs. Health-insurance providers are rewarding companies that encourage preventive healthcare, such as mandatory vacations.

(C) Mandatory vacations and job rotation help identify fraud. ISO 27001:2005 certification is awarded for quality information security management systems and requires more checks than just demonstrated fraud controls.

What is the most important security concern when reviewing the use of USB memory sticks? A. They might not be compatible with all systems. B. They might lose information or become corrupted. C. Memory sticks can copy a large amount of data. D. Memory sticks' contents cannot be backed up.

(C) Memory sticks can copy and hold large amounts of information. This presents a security risk, because someone can easily place one of these devices in his pocket and carry the information out of the company. Although answers A, B, and D are important, they are not the most important security concern.

Which of the following is not one of the three protection control types? A. Corrective B. Recovery C. Response D. Deterrent

(C) No category of protection control type is known as response.

Which RAID level indicates byte-level parity? A. 1 B. 2 C. 3 D. 4

(C) RAID (redundant array of independent disks) is a technology that employs two or more drives in combination for fault tolerance and performance. Byte-level parity reserves one dedicated disk for error correction data. This provides good performance and some level of fault tolerance. Other levels of RAID are as follows: 0, striping; 1, mirroring; 2, Hamming code parity; 3, byte-level parity; 4, block-level parity; 5, interleave parity; 7, single virtual disk; 10, striping and mirroring combined.

Which of the following offers the best approach to making sure that an organization has uninterrupted access to data? A. Electronic vaulting B. Hot-swappable drives C. RAID D. Backup

(C) RAID (redundant array of independent disks) provides fault tolerance against hard drive crashes. Electronic vaulting enables you to restore vital business data from anywhere across your enterprise, anytime you need it. Hot-swappable drives allow you to replace defective drives without rebooting but may not prevent downtime. Backups let you restore lost or damaged data.

Which of the following is the best example of a compensating administrative control? A. Disaster recovery plan B. Warning banner C. Supervision D. IDS

(C) Supervision is the best example of a compensating administrative control. Answer A is an example of an administrative recovery control. Answer B is an example of a technical deterrent. Answer D is an example of a technical detective.

From a security perspective, which of the following is the most important portion of media control labeling? A. The date of creation B. The volume name and version C. The classification D. The individual who created it

(C) The classification of the data is the most important aspect, because it can tell people how the data should be handled. Media control labeling includes the date of creation, the volume name and version, the classification, the individual who created it, and the retention period.

Trusted recovery is defined in Common Criteria. Which is not one of the trusted recovery mechanisms listed in Common Criteria? A. Manual recovery B. Automated recovery C. Automated recovery with due loss D. Automated recovery without undue loss

(C) The concept behind trusted recovery is that a trusted system should be able to recover from a failure. Trusted recovery is defined in Common Criteria. The three specified types are manual recovery, automated recovery, and automated recovery without undue loss.

You are contacted by a rather large ISP. The ISP has accused you of sending its customers large amounts of spam. What is the most likely explanation for this occurrence? A. SMTP has been left enabled. B. POP3 has been left enabled. C. Relaying has been left enabled. D. Your IMAP server has been hacked.

(C) The most likely explanation of this occurrence is that a mail relay has been left enabled. Spammers find open relays by port scanning wide ranges of IP addresses. After spammers find a mail server, they attempt to use it to send mail to a third party. If successful, they use this system to spew their junk email. This widely used technique allows spammers to hide their true IP address and victimize an innocent third party.

You ask your new intern to harden a system that will be used as a web server. Which of the following is the best way to perform this process? A. Install the OS and software, configure IP routing, connect the system to the Internet and download patches and fixes, configure packet filtering, test the system, and phase the system into operation. B. Install the OS and software, configure IP routing, configure packet filtering, connect the system to the Internet and download patches and fixes, test the system, and phase the system into operation. C. Install the OS and software, download patches and fixes, configure IP routing, configure packet filtering, test the system, and connect the system to the Internet. D. Install the OS and software, configure IP routing, configure packet filtering, connect the system to the Internet, and test the system.

(C) This is the proper order: install the OS and software, download patches and fixes, configure IP routing, configure packet filtering, test the system, and connect the system to the Internet. Not until the system is fully hardened and configured should it be connected to the Internet.

Company A is asked to implement a backup plan that can be used to restore data after a disaster or incident that results in a loss of data. Company B is asked to examine what methods of data destruction are acceptable when old hard drives are retired and no longer needed. If you were asked to assist company B, which of the following methods would you recommend as the best choice for data destruction, regardless of whether the data was kept onsite or offsite? A. Manual erase of all files B. Formatting C. Zeroization D. Seven-pass drive wipe

(D) A seven-pass drive wipe is the best choice of all the options shown. Answers A, B, and C would not sufficiently remove sensitive information.

Which form of information gathering is considered very low tech but can enable attackers to gather usernames, passwords, account information, customer information, and more? A. Fingerprinting B. Scavenging C. Port scanning D. Dumpster diving

(D) Although dumpster diving is considered very low-tech, it can be a very successful way to gather information about an organization and its customers. The best defense against dumpster diving is to make sure that all sensitive information is cross-shredded and properly destroyed before being disposed of.

Trusted facility management is a TCSEC assurance requirement for secure systems. As such, which class must support separation of operator and system administrator roles? A. A1 B. A2 C. B1 D. B2

(D) B2 systems must support separate operator and system administrator roles. TCSEC requirements for separation of operator and system administrator roles are closely tied to the concept of least privilege, because TCSEC sets controls on what various individuals can do.

Which type of protection control is used to discourage violations? A. Security B. Recovery C. Response D. Deterrent

(D) Deterrent controls are used to discourage security violations.

Mingo is asked to get a quote for a new security fence and lights to be placed around the perimeter of a remote manufacturing site. He comes to you and asks why the company is spending funds for this project. How should you answer? A. To deter intruders B. To protect the assets and the organization's facility C. To monitor employee ingress and egress on the organization's property D. To protect employee safety and welfare

(D) Employee safety and welfare should always be the driving force of any security measure. Well-lit, secured areas provide an additional level of protection for employees entering and leaving the area. Secondary benefits are protecting company assets and deterring intrusion or hostile acts.

Your organization is concerned about emanation security. Therefore, security management has installed copper mesh in the facility's outer walls and ceiling. What is the primary purpose of this activity? A. To increase the range of the company's wireless system B. To decrease interference from neighboring wireless systems C. To design a white-noise enclosure D. To implement a control zone

(D) Installing copper mesh in the facility's outer walls and ceiling is a control against emanation signal leakage. This is a follow-up to an earlier technology known as TEMPEST. Whereas TEMPEST hardened the device, control zones harden the facility.

Because of an unfilled position in the quality-assurance department, management decides to allow programmers to review and update their own code. One of the programmers is upset because of a poor performance review, and he has altered the payroll program so that should he be fired, the application will print random numbers on all employees' paychecks. Setting aside the operational security issues, which of the following is the most correct match? A. Salami attack B. Incremental attack C. Buffer overflow D. Logic bomb

(D) Logic bomb. Answers A, B, and C are incorrect because only a logic bomb can be described as a modification of code designed to launch at a specific event.

What is the most common cause of loss of intellectual property? A. Virus B. Espionage C. Pirating D. Negligence

(D) Negligence is the number-one cause of data loss.

Which protocol do clients use to download emails to their local computer from server-based inboxes? A. SMTP B. SNMP C. IMAP D. POP3

(D) POP3 (Post Office Protocol Version 3) is a widely used protocol that allows clients to retrieve their emails from server-based inboxes. SMTP is an email transport protocol. SNMP is used for network management. IMAP typically leaves messages on the server.

Black Hat Bob has placed a sniffer on the network and is attempting to perform traffic analysis. Which of the following is not an effective countermeasure against traffic analysis? A. Packet padding B. Noise transmission C. Covert channel analysis D. ARP redirection

(D) Packet padding, noise transmission, and covert channels are considered effective countermeasures against traffic analysis. Attackers use ARP redirection to redirect traffic on switched networks.

What are two current email attacks that a security professional needs to be aware of? A. Phishing and pharming B. Spear phishing and phreaking C. Phishing and Pwn 2 Own D. Spear phishing and whaling

(D) Phishing, spear phishing, and whaling refer to email hacks that seek to get a victim to click a link that leads to loss of information. Spear phishing is when a group or person has been specifically targeted. Whaling is when the person is highly visible and/or important to society. Pharming does not involve email; it involves redirecting traffic to a malicious site. Pwn2Own is a competition at CanSecWest that challenges participants to find weaknesses in popular PC operating systems.

Which RAID level indicates block-level parity? A. 1 B. 2 C. 3 D. 4

(D) RAID (redundant array of independent disks) is a technology that employs two or more drives in combination for fault tolerance and performance. Block-level parity RAID requires a minimum of three drives to implement. Other levels of RAID are as follows: 0, striping; 1, mirroring; 2, Hamming code parity; 3, byte-level parity; 4, block-level parity; 5, interleave parity; 7, single virtual disk; 10, striping and mirroring combined.

Which RAID level combines striping and mirroring? A. 7 B. 8 C. 9 D. 10

(D) RAID (redundant array of independent disks) is a technology that employs two or more drives in combination for fault tolerance and performance. RAID Level 10 combines mirroring and striping. It requires a minimum of four drives to implement but has higher fault tolerance than RAID 0. Other levels of RAID are as follows: 0, striping; 1, mirroring; 2, Hamming code parity; 3, byte-level parity; 4, block-level parity; 5, interleave parity; 7, single virtual disk; 10, striping and mirroring combined.

The TCSEC defines several levels of assurance requirements for secure computer operations. Which of the following is not one of those levels of assurance? A. Trusted recovery B. System integrity C. Trusted facility management D. Confidential operations

(D) The TCSEC (Trusted Computer System Evaluation Criteria), also known as the Orange Book, defines several levels of assurance requirements for secure computer operations. Confidential operations is not a valid level. The valid levels of operational assurance specified in TCSEC are system architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery.

Several coworkers are installing an IDS, and you are asked to make an initial review. One of the installers asks you which of the following is the worst condition for an IDS. What is your response? A. Positive B. Negative C. False positive D. False negative

(D) The worst state for an IDS is a false negative. A false negative means that an event occurred but no alarm was triggered.

Jeff has discovered some strange chalk markings outside the front door of his business. He has also noticed that people with laptops have been hanging around since the markings were made. What has Jeff discovered? A. Graffiti B. War driving C. Vulnerability marking D. War chalking

(D) War chalking is the process of marking the location of a wireless network. It originated from the hobo code of the 1930s and 1940s. Sometime around 2002, it began being applied to wireless networks. Common war chalking symbols include a closed circle to indicate a closed network, two back-to-back half circles to identify an open network, and a circle with a W in it to indicate a network with WEP encryption.
