cissp 2 1

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

1. Who has the primary responsibility of determining the classification level for information? A. The functional manager B. Senior management C. The owner D. The user

1. C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

1. What is the final step in authorizing a system for use in an environment? A. Certification B. Security evaluation and rating C. Accreditation D. Verification

1. C. Certification is a technical review of a product, and accreditation is management's formal approval of the findings of the certification process. This question asked you which step was the final step in authorizing a system before it is used in an environment, and that is what accreditation is all about.

1. Which of the following statements correctly describes biometric methods? A. They are the least expensive and provide the most protection. B. They are the most expensive and provide the least protection. C. They are the least expensive and provide the least protection. D. They are the most expensive and provide the most protection.

1. D. Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.

10. What is the best description of a security kernel from a security point of view? A. Reference monitor B. Resource manager C. Memory mapper D. Security perimeter

10. A. The security kernel is a portion of the operating system's kernel and enforces the rules outlined in the reference monitor. It is the enforcer of the rules and is invoked each time a subject makes a request to access an object.

10. What role does biometrics play in access control? A. Authorization B. Authenticity C. Authentication D. Accountability

10. C. Biometrics is a technology that validates an individual's identity by reading a physical attribute. In some cases, biometrics can be used for identification, but that was not listed as an answer choice.

10. How do you calculate residual risk? A. Threats × risks × asset value B. (Threats × asset value × vulnerability) × risks C. SLE × frequency = ALE D. (Threats × vulnerability × asset value) × controls gap

10. D. The equation is more conceptual than practical. It is hard to assign a number to an individual vulnerability or threat. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented.

11. In secure computing systems, why is there a logical form of separation used between processes? A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources. B. Processes are contained within their own security perimeter so they can only access protection levels above them. C. Processes are contained within their own security perimeter so they can only access protection levels equal to them. D. The separation is hardware and not logical in nature.

11. A. Processes are assigned their own variables, system resources, and memory segments, which make up their domain. This is done so they do not corrupt each other's data or processing activities.

11. What determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model? A. Administrator B. Security policy C. Culture D. Security levels

11. B. The security policy sets the tone for the whole security program. It dictates the level of risk that management and the company are willing to accept. This in turn dictates the type of controls and mechanisms to put in place to ensure this level of risk is not exceeded.

6. A guard is commonly used with a classified system. What is the main purpose of implementing and using a guard? A. To ensure that less trusted systems only receive acknowledgments and not messages B. To ensure proper information flow C. To ensure that less trusted and more trusted systems have open architectures and interoperability D. To allow multilevel and dedicated mode systems to communicate

6. B. The guard accepts requests from the less trusted entity, reviews the request to make sure it is allowed, and then submits the request on behalf of the less trusted system. The goal is to ensure that information does not flow from a high security level to a low security level in an unauthorized manner.

5. Which factor is the most important item when it comes to ensuring security is successful in an organization? A. Senior management support B. Effective controls and implementation methods C. Updated and relevant security policies and procedures D. Security awareness by all employees

5. A. Without senior management's support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.

5. The Information Technology Security Evaluation Criteria was developed for which of the following? A. International use B. U.S. use C. European use D. Global use

5. C. In ITSEC, the I does not stand for international; it stands for information. This set of criteria was developed to be used by European countries to evaluate and rate their products.

6. If a company has a high turnover rate, which access control structure is best? A. Role-based B. Decentralized C. Rule-based D. Discretionary

6. A. It is easier on the administrator if she only has to create one role, assign all of the necessary rights and permissions to that role, and plug a user into that role when needed. Otherwise, she would need to assign and extract permissions and rights on all systems as each individual came and left the company.

4. Who is ultimately responsible for making sure data is classified and protected? A. Data owners B. Users C. Administrators D. Management

4. D. The key to this question is the use of the word "ultimately." Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.

5. Which item is not part of a Kerberos authentication implementation? A. Message authentication code B. Ticket granting service C. Authentication service D. Users, programs, and services

5. A. Message authentication code (MAC) is a cryptographic function and is not a key component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service.

11. Why should the team that will perform and review the risk analysis information be made up of people in different departments? A. To make sure the process is fair and that no one is left out. B. It shouldn't. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable. C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible. D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

11. C. An analysis is only as good as the data that go into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.

12. What type of attack is taking place when a higher-level subject writes data to a storage area and a lower-level subject reads it? A. TOC/TOU B. Covert storage attack C. Covert timing attack D. Buffer overflow

12. B. A covert channel is being used when something is using a resource for communication purposes, and that is not the reason this resource was created. A process can write to some type of shared media or storage place that another process will be able to access. The first process writes to this media, and the second process reads it. This action goes against the security policy of the system.

12. Which best describes a quantitative risk analysis? A. A scenario-based analysis to research different security threats B. A method used to apply severity levels to potential loss, probability of loss, and risks C. A method that assigns monetary values to components in the risk assessment D. A method that is based on gut feelings and opinions

12. C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.

12. Which of the following best describes what role-based access control offers companies in reducing administrative burdens? A. It allows entities closer to the resources to make decisions about who can and cannot access resources. B. It provides a centralized approach for access control, which frees up department managers. C. User membership in roles can be easily revoked and new ones established as job assignments dictate. D. It enforces enterprise-wide security policies, standards, and guidelines.

12. C. An administrator does not need to revoke and reassign permissions to individual users as they change jobs. Instead, the administrator assigns permissions and rights to a role, and users are plugged into those roles.

13. Which of the following is the best description of directories that are used in identity management technology? A. Most are hierarchical and follow the X.500 standard. B. Most have a flat architecture and follow the X.400 standard. C. Most have moved away from LDAP. D. Many use LDA.

13. A. Most enterprises have some type of directory that contains information pertaining to the company's network resources and users. Most directories follow a hierarchical database format, based on the X.500 standard, and a type of protocol, as in Lightweight Directory Access Protocol (LDAP), that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request.

13. What type of rating is used within the Common Criteria framework? A. PP B. EPL C. EAL D. A-D

13. C. The Common Criteria uses a different assurance rating system than the previously used criteria. It has packages of specifications that must be met for a product to obtain the corresponding rating. These ratings and packages are called Evaluation Assurance Levels (EALs). Once a product achieves any type of rating, customers can view this information on an Evaluated Products List (EPL).

13. Why is a truly quantitative risk analysis not possible to achieve? A. It is possible, which is why it is used. B. It assigns severity levels. Thus, it is hard to translate into monetary values. C. It is dealing with purely quantitative elements. D. Quantitative measures must be applied to qualitative elements.

13. D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.

14. Which best describes the *-integrity axiom? A. No write up in the Biba model B. No read down in the Biba model C. No write down in the Bell-LaPadula model D. No read up in the Bell-LaPadula model

14. A. The *-integrity axiom (or star integrity axiom) indicates that a subject of a lower integrity level cannot write to an object of a higher integrity level. This rule is put into place to protect the integrity of the data that resides at the higher level.

14. Which of the following is not part of user provisioning? A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration

14. B. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include electronic mail, access to a database, access to a file server or mainframe, and so on.

14. What is CobiT and where does it fit into the development of information security systems and security programs? A. Lists of standards, procedures, and policies for security program development B. Current version of ISO 17799 C. A framework that was developed to deter organizational internal fraud D. Open standards for control objectives

14. D. The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

15. What are the four domains that make up CobiT? A. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate B. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate C. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate D. Acquire and Implement, Deliver and Support, and Monitor and Evaluate

15. A. CobiT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, Acquire and Implement contains the following subcategories: • Acquire and Maintain Application Software • Acquire and Maintain Technology Infrastructure • Develop and Maintain Procedures • Install and Accredit Systems • Manage Changes

15. What is the technology that allows a user to remember just one password? A. Password generation B. Password dictionaries C. Password rainbow tables D. Password synchronization

15. D. Password synchronization technologies can allow a user to maintain just one password across multiple systems. The product will synchronize the password to other systems and applications, which happens transparently to the user.

15. Which best describes the simple security rule? A. No write up in the Biba model B. No read down in the Biba model C. No write down in the Bell-LaPadula model D. No read up in the Bell-LaPadula model

15. D. The simple security rule is implemented to ensure that any subject at a lower security level cannot view data that resides at a higher level. The reason this type of rule is put into place is to protect the confidentiality of the data that resides at the higher level. This rule is used in the Bell-LaPadula model. Remember that if you see "simple" in a rule, it pertains to reading, while * or "star" pertains to writing.

16. What is the ISO/IEC 27799 standard? A. A standard on how to protect personal health information B. The new version of BS 17799 C. Definitions for the new ISO 27000 series D. The new version of NIST 800-60

16. A. It is referred to as the health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

16. Which of the following was the first mathematical model of a multilevel security policy used to define the concepts of a security state and mode of access, and to outline rules of access? A. Biba B. Bell-LaPadula C. Clark-Wilson D. State machine

16. B. This is a formal definition of the Bell-LaPadula model, which was created and implemented to protect confidential government and military information.

16. Which of the following is not considered an anomaly-based intrusion protection system? A. Statistical anomaly-based B. Protocol anomaly-based C. Temporal anomaly-based D. Traffic anomaly-based

16. C. Behavioral-based system that learns the "normal" activities of an environment. The three types are listed next: • Statistical anomaly-based Creates a profile of "normal" and compares activities to this profile • Protocol anomaly-based Identifies protocols used outside of their common bounds • Traffic anomaly-based Identifies unusual activity in network traffic

17. Which of the following is a true statement pertaining to memory addressing? A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value. B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value. C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value. D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.

17. A. The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are referred to as logical addresses. A relative address is a logical address which incorporates the correct offset value.

17. CobiT was developed from the COSO framework. What are COSO's main objectives and purpose? A. COSO is a risk management approach that pertains to control objectives and IT business processes. B. Prevention of a corporate environment that allows for and promotes financial fraud. C. COSO addresses corporate culture and policy development. D. COSO is risk management system used for the protection of federal systems.

17. B. COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization.

18. Pete is a new security manager at a financial institution that develops its own internal software for specific proprietary functionality. The financial institution has several locations distributed throughout the world and has bought several individual companies over the last ten years, each with its own heterogeneous environment. Since each purchased company had its own unique environment, it has been difficult to develop and deploy internally developed software in an effective manner that meets all the necessary business unit requirements. Which of the following best describes a standard that Pete should ensure the software development team starts to implement so that various business needs can be met? A. ISO/IEC 42010:2007 B. Common Criteria C. ISO/IEC 43010:2007 D. ISO/IEC 15408

18. A. ISO/IEC 42010:2007 is an international standard that outlines specifications for system architecture frameworks and architecture languages. It allows for systems to be developed in a manner that addresses all of the stakeholder's concerns.

18. OCTAVE, NIST 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods? A. NIST 800-30 and OCTAVE are corporate based, while AS/NZS is international. B. NIST 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based. C. AS/NZS is IT based, and OCTAVE and NIST 800-30 are assurance based. D. NIST 800-30 and AS/NZS are corporate based, while OCTAVE is international.

18. B. NIST 800-30 Risk Management Guide for Information Technology Systems is a U.S. federal standard that is focused on IT risks. OCTAVE is a methodology to set up a risk management program within an organizational structure. AS/NZS 4360 takes a much broader approach to risk management. This methodology can be used to understand a company's financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.

19. Which of the following is an incorrect description pertaining to the common components that make up computer systems? i. General registers are commonly used to hold temporary processing data, while special registers are used to hold process characteristic data as in condition bits. ii. A processer sends a memory address and a "read" request down an address bus and a memory address and "write" request down an I/O bus. iii. Process-to-process communication commonly takes place through memory stacks, which are made up of individually addressed buffer locations. iv. A CPU uses a stack return pointer to keep track of the next instruction sets it needs to process. A. i B. i, ii C. ii, iii D. ii, iv

19. D. A processer sends a memory address and a "read" request down an address bus. The system reads data from that memory address and puts the requested data on the data bus. A CPU uses a program counter to keep track of the memory addresses containing the instruction sets it needs to process in sequence. A stack pointer is a component used within memory stack communication processes. An I/O bus is used by a peripheral device.

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server's configuration and employed strict operating system access controls. 19. The fact that the server has been in an unlocked room marked "Room 1" for the last few years means the company was practicing which of the following? A. Logical security B. Risk management C. Risk transference D. Security through obscurity

19. D. Security through obscurity is not implementing true security controls, but rather attempting to hide the fact that an asset is vulnerable in the hope that an attacker will not notice. Security through obscurity is an approach to try and fool a potential attacker, which is a poor way of practicing security. Vulnerabilities should be identified and fixed, not hidden.

2. What feature enables code to be executed without the usual security checks? A. Temporal isolation B. Maintenance hook C. Race conditions D. Process multiplexing

2. B. Maintenance hooks get around the system's or application's security and access control checks by allowing whomever knows the key sequence to access the application and most likely its code. Maintenance hooks should be removed from any code before it gets into production.

2. If different user groups with different security access levels need to access the same information, which of the following actions should management take? A. Decrease the security level on the information to ensure accessibility and usability of the information. B. Require specific written approval each time an individual needs to access the information. C. Increase the security controls on the information. D. Decrease the classification label on the information.

2. C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

2. Which of the following statements correctly describes passwords? A. They are the least expensive and most secure. B. They are the most expensive and least secure. C. They are the least expensive and least secure. D. They are the most expensive and most secure.

2. C. Passwords provide the least amount of protection, but are the cheapest because they do not require extra readers (as with smart cards and memory cards), do not require devices (as do biometrics), and do not require a lot of overhead in processing (as in cryptography). Passwords are the most common type of authentication method used today.

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server's configuration and employed strict operating system access controls. 20. The new reinforced lock and cage serve as which of the following? A. Logical controls B. Physical controls C. Administrative controls D. Compensating controls

20. B. Physical controls are security mechanisms in the physical world, as in locks, fences, doors, computer cages, etc. There are three main control types, which are administrative, technical, and physical.

20. Mark is a security administrator who is responsible for purchasing new computer systems for a co-location facility his company is starting up. The company has several time-sensitive applications that require extensive processing capabilities. The co-location facility is not as large as the main facility, so it can only fit a smaller number of computers, which still must carry the same processing load as the systems in the main building. Which of the following best describes the most important aspects of the products Mark needs to purchase for these purposes? A. Systems must provide symmetric multiprocessing capabilities and virtualized environments. B. Systems must provide asymmetric multiprocessing capabilities and virtualized environments. C. Systems must provide multiprogramming multiprocessing capabilities and virtualized environments. D. Systems must provide multiprogramming multiprocessing capabilities and symmetric multiprocessing environments.

20. B. When systems provide asymmetric multiprocessing, this means multiple CPUs can be used for processing. Asymmetric indicates the capability of assigning specific applications to one CPU so that they do not have to share computing capabilities with other competing processes, which increases performance. Since a smaller number of computers can fit in the new location, virtualization should be deployed to allow for several different systems to share the same physical computer platforms.

20. Which of the following has the correct definition mapping? i. Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password. ii. Dictionary attacks Files of thousands of words are compared to the user's password until a match is found. iii. Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources. iv. Rainbow table An attacker uses a table that contains all possible passwords already in a hash format. A. i, ii B. i, ii, iv C. i, ii, iii, iv D. i, ii, iii

20. C. The list has all the correct terms to definition mappings.

Tom is a new security manager who is responsible for reviewing the current software that the company has developed internally. He finds that some of the software is outdated, which causes performance and functionality issues. During his testing procedures he sees that when one program stops functioning, it negatively affects other programs on the same system. He also finds out that as systems run over a period of a month, they start to perform more slowly, but by rebooting the systems this issue goes away. He also notices that the identification, authentication, and authorization steps built into one software package are carried out by individual and distinct software procedures. 21. Which of the following best describes a characteristic of the software that may be causing issues? A. Cooperative multitasking B. Preemptive multitasking C. Maskable interrupt use D. Nonmaskable interrupt use

21. A. Cooperative multitasking means that a developer of an application has to properly code his software to release system resources when the application is finished using them, or the other software running on the system could be negatively affected. In this type of situation an application could be poorly coded and not release system resources, which would negatively affect other software running on the system. In a preemptive multitasking environment, the operating system would have more control of system resource allocation and provide more protection for these types of situations.

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads "Room 1." This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server's configuration and employed strict operating system access controls. 21. The operating system access controls comprise which of the following? A. Logical controls B. Physical controls C. Administrative controls D. Compensating controls

21. A. Logical (or technical) controls are security mechanisms, as in firewalls, encryption, software permissions, and authentication devices. They are commonly used in tandem with physical and administrative controls to provide a defense-in-depth approach to security.

21. George is responsible for setting and tuning the thresholds for his company's behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly? A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives). B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives). C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives). D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

21. C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain. 22. How much does the firewall save the company in loss expenses? A. $62,000 B. $3,000 C. $65,000 D. $30,000

22. A. $62,000 is the correct answer. The firewall reduced the annualized loss expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The formula for ALE is single loss expectancy × annualized rate of occurrence = ALE. Subtracting the ALE value after the firewall is implemented from the value before it was implemented results in the potential loss savings this type of control provides.

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees. 22. Which of the following changes would be best for Tom's team to implement? A. Move from namespaces to distinguished names. B. Move from meta-directories to virtual directories. C. Move from RADIUS to TACACS+. D. Move from a centralized to a decentralized control model.

22. B. A meta-directory within an IDM physically contains the identity information within an identity store. It allows identity information to be pulled from various locations and be stored in one local system (identity store). The data within the identity store are updated through a replication process, which may take place weekly, daily, or hourly depending upon configuration. Virtual directories use pointers to where the identity data reside on the original system; thus, no replication processes are necessary. Virtual directories usually provide the most up-to-date identity information since they point to the original source of the data.

22. Which of the following best describes why rebooting helps with system performance in the situation described in this scenario? A. Software is not using cache memory properly. B. Software is carrying out too many mode transitions. C. Software is working in ring 0. D. Software is not releasing unused memory.

22. D. When software is poorly written, it could be allocating memory and not properly releasing it. This can affect the performance of the whole system, since all software processes have to share a limited supply of memory. When a system is rebooted, the memory allocation constructs are reset.

23. What security issue is Tom most likely concerned with in this situation? A. Time of check\time of use B. Maintenance hooks C. Input validation errors D. Unauthorized loaded kernel modules

23. A. A time-of-check\time-of-use attack takes place when an attacker is able to change an important parameter while the software is carrying out a sequence of steps. If an attacker could manipulate the authentication steps, she could potentially gain access to resources in an unauthorized manner before being properly identified and authenticated.

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees. 23. Which of the following components should Tom make sure his team puts into place? A. Single sign-on module B. LDAP directory service synchronization C. Web access management D. X.500 database

23. C. Web access management (WAM) is a component of most IDM products that allows for identity management of web-based activities to be integrated and managed centrally.

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain. 23. What is the value of the firewall to the company? A. $62,000 B. $3,000 C. -$62,000 D. -$3,000

23. D. -$3,000 is the correct answer. The firewall saves $62,000, but costs $65,000 per year. 62,000 - 65,000 = -3,000. The firewall actually costs the company more than the original expected loss, and thus the value to the company is a negative number. The formula for this calculation is (ALE before the control is implemented) - (ALE after the control is implemented) - (annual cost of control) = value of control.

3. If a component fails, a system should be designed to do which of the following? A. Change to a protected execution domain B. Change to a problem state C. Change to a more secure state D. Release all data held in volatile memory

3. C. The state machine model dictates that a system should start up securely, carry out secure state transitions, and even fail securely. This means that if the system encounters something it deems unsafe, it should change to a more secure state for self-preservation and protection.

Sarah's team must build a new operating system for her company's internal functionality requirements. The system must be able to process data at different classifications levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. 24. Which of the following is a required characteristic of the system Sarah's team must build? A. Multilevel security B. Dedicated mode capability C. Simple security rule D. Clark-Wilson constructs

24. A. A multilevel security system allows for data at different classification levels to be processed and allows users with different clearance levels to interact with the system securely.

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company's partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees. 24. Tom has been told that he has to reduce staff from the help-desk team. Which of the following technologies can help with the company's help-desk budgetary issues? A. Self-service password support B. RADIUS implementation C. Reduction of authoritative IdM sources D. Implement a role-based access control model

24. A. If help-desk staff is spending too much time with password resetting, then a technology should be implemented to reduce the amount of time paid staff is spending on this task. The more tasks that can be automated through technology, the less of the budget that has to be spent on staff. The following are password management functionalities that are included in most IDM products: • Password Synchronization Reduces the complexity of keeping up with different passwords for different systems. • Self-Service Password Reset Reduces help-desk call volumes by allowing users to reset their own passwords. • Assisted Password Reset Reduces the resolution process for password issues for the help desk. This may include authentication with other types of authentication mechanisms (biometrics, tokens).

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain. 24. Which of the following describes the company's approach to risk management? A. Risk transference B. Risk avoidance C. Risk acceptance D. Risk mitigation

24. D. Risk mitigation involves employing controls in an attempt to reduce the either the likelihood or damage associated with an incident, or both. The four ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A firewall is a countermeasure installed to reduce the risk of a threat.

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place. 25. What is the Single Loss Expectancy (SLE) for the facility suffering from a fire? A. $80,000 B. $480,000 C. $320,000 D. 60%

25. B. $480,000 is the correct answer. The formula for single loss expectancy (SLE) is asset value × exposure factor (EF) = SLE. In this situation the formula would work out as asset value ($800,000) × exposure factor (60%) = $480,000. This means that the company has a potential loss value of $480,000 pertaining to this one asset (facility) and this one threat type (fire).

Sarah's team must build a new operating system for her company's internal functionality requirements. The system must be able to process data at different classifications levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. 25. Which of the following reasons best describes her boss's suggestion on the kernel design of the new system? A. Hardware layer abstraction for portability capability B. Layered functionality structure C. Reduced mode transition requirements D. Central location of all critical operating system processes

25. C. A hybrid microkernel architecture means that all kernel processes work within kernel mode, which reduces the amount of mode transitions. The reduction of mode transitions reduces performance issues because the CPU does not have to change from user mode to kernel mode as many times during its operation.

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks. 25. Which of the following is the best identity management technology that Lenny should consider implementing to accomplish some of the company's needs? A. LDAP directories for authoritative sources B. Digital identity provisioning C. Active Directory D. Federated identity

25. D. Federation identification allows for the company and its partners to share customer authentication information. When a customer authenticates to a partner web site, that authentication information can be passed to the retail company, so when the customer visits the retail company's web site, the user has less amount of user profile information she has to submit and the authentication steps she has to go through during the purchase process could potentially be reduced. If the companies have a set trust model and share the same or similar federated identity management software and settings, this type of structure and functionality is possible.

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks. 26. Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of the following best describes the two items that Lenny needs to be prepared to discuss with this team? A. Service Provisioning Markup Language and the eXtensible Access Control Markup Language B. Standard Generalized Markup Language and the Generalized Markup Language C. Extensible Markup Language and the HyperText Markup Language D. Service Provisioning Markup Language and the Generalized Markup Language

26. A. The Service Provisioning Markup Language (SPML) allows company interfaces to pass service requests, and the receiving company provisions (allows) access to these services. Both the sending and receiving companies need to be following XML standard, which will allow this type of interoperability to take place. When using the eXtensible Access Control Markup Language (XACML), application security policies can be shared with other applications to ensure that both are following the same security rules. The developers need to integrate both of these language types to allow for their partner employees to interact with their inventory systems without having to conduct a second authentication step. The use of the languages can reduce the complexity of inventory control between the different companies.

Sarah's team must build a new operating system for her company's internal functionality requirements. The system must be able to process data at different classifications levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. 26. Which of the following is a characteristic that this new system will need to implement? A. Multiprogramming B. Simple integrity axiom C. Mandatory access control D. Formal verification

26. C. Since the new system must achieve a rating of EAL 6, it must implement mandatory access control capabilities. This is an access control model that allows users with different clearances to be able to interact with a system that processes data of different classification levels in a secure manner. The rating of EAL 6 requires semiformally verified design and testing, whereas EAL 7 requires verified design and testing.

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place. 26. What is the Annualized Rate of Occurrence (ARO)? A. 1 B. 10 C. .1 D. .01

26. C. The annualized rate occurrence (ARO) is the frequency that a threat will most likely occur within a 12-month period. It is a value used in the ALE formula, which is SLE × ARO = ALE.

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company's CEO wants to allow its partners' customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company's partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks. 27. Pertaining to the CEO's security concerns, what should Lenny suggest the company put into place? A. Security event management software, intrusion prevention system, and behavior-based intrusion detection B. Security information and event management software, intrusion detection system, and signature-based protection C. Intrusion prevention system, security event management software, and malware protection D. Intrusion prevention system, security event management software, and war dialing protection

27. A. Security event management software allows for network traffic to be viewed holistically by gathering log data centrally and analyzing them. The intrusion prevention system allows for proactive measures to be put into place to help in stopping malicious traffic from entering the network. Behavior-based intrusion detection can identify new types of attack (zero day) compared to signature-based intrusion detection.

Sarah's team must build a new operating system for her company's internal functionality requirements. The system must be able to process data at different classifications levels and allow users of different clearances to be able to interact with only the data that maps to their profile. She is told that the system must provide data hiding, and her boss suggests that her team implement a hybrid microkernel design. Sarah knows that the resulting system must be able to achieve a rating of EAL 6 once it goes through the Common Criteria evaluation process. 27. Which of the following best describes one of the system requirements outlined in this scenario and how it should be implemented? A. Data hiding should be implemented through memory deallocation. B. Data hiding should be implemented through properly developed interfaces. C. Data hiding should be implemented through a monolithic architecture. D. Data hiding should be implemented through multiprogramming.

27. B. Data hiding means that certain functionality and/or data is "hidden," or not available to specific processes. For processes to be able to interact with other processes and system services, they need to be developed with the necessary interfaces that restrict communication flows between processes. Data hiding is a protection mechanism that segregates trusted and untrusted processes from each other through the use of strict software interface design.

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place. 27. What is the Annualized Loss Expectancy (ALE)? A. $480,000 B. $32,000 C. $48,000 D. .6

27. C. $48,000 is the correct answer. The annualized loss expectancy formula (SLE × ARO = ALE) is used to calculate the loss potential for one asset experiencing one threat in a 12-month period. The resulting ALE value helps to determine the amount that can be reasonably be spent in the protection of that asset. In this situation, the company should not spend over $48,000 on protecting this asset from the threat of fire. ALE values help organizations rank the severity level of the risks they face so they know which ones to deal with first and how much to spend on each.

Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection. 28. Which of the following best describes Steve's confusion? A. Certification must happen first before the evaluation process can begin. B. Accreditation is the acceptance from management, which must take place before the evaluation process. C. Evaluation, certification, and accreditation are carried out by different groups with different purposes. D. Evaluation requirements include certification and accreditation components.

28. C. Evaluation, certification, and accreditation are carried out by different groups with different purposes. Evaluations are carried out by qualified third parties who use specific evaluation criteria (Orange Book, ITSEC, Common Criteria) to assign an assurance rating to a tested product. A certification process is a technical review commonly carried out internally to an organization, and accreditation is management's formal acceptance that is carried out after the certification process. A system can be certified internally by a company and not pass an evaluation testing process because they are completely different things.

Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets as in databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some specious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes. 28. Which of the following is the best remote access technology for this situation? A. RADIUS B. TACAS+ C. Diameter D. Kerberos

28. C. The Diameter protocol extends the RADIUS protocol to allow for various types of authentication to take place with a variety of different technologies (PPP, VoIP, Ethernet, etc.). It has extensive flexibility and allows for the centralized administration of access control.

28. The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series? i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program's requirements. ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework. iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines. iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework. A. i, iii B. i, ii C. ii, iii, iv D. i, ii, iii, iv

28. D. Unfortunately, you will run into questions on the CISSP exam that will be this confusing, so you need to be ready for them. The proper mapping for the ISO/IEC standards are as follows: • ISO/IEC 27001 ISMS requirements • ISO/IEC 27002 Code of practice for information security management • ISO/IEC 27003 Guideline for ISMS implementation • ISO/IEC 27004 Guideline for information security management measurement and metrics framework • ISO/IEC 27005 Guideline for information security risk management • ISO/IEC 27006 Guidance for bodies providing audit and certification of information security management systems

Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection. 29. Which of the following best describes an item the software development team needs to address to ensure that drivers cannot be loaded in an unauthorized manner? A. Improved security kernel processes B. Improved security perimeter processes C. Improved application programming interface processes D. Improved garbage collection processes

29. A. If device drivers can be loaded improperly, then either the access control rules outlined within the reference monitor need to be improved upon or the current rules need to be better enforced through the security kernel processes. Only authorized subjects should be able to install sensitive software components that run within ring 0 of a system.

Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets as in databases, servers, and network-based devices. Also, while the company has had a VoIP telephony solution in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some specious e-mails that the CIO's secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes. 29. What are the two main security concerns Robbie is most likely being asked to identify and mitigate? A. Social engineering and spear-phishing B. War dialing and pharming C. Spear-phishing and war dialing D. Pharming and spear-phishing

29. C. Spear-phishing is a targeted social engineering attack, which is what the CIO's secretary is most likely experiencing. War dialing is a brute force attack against devices that use phone numbers, as in modems. If the modems can be removed, the risk of war dialing attacks decreases.

29. The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time? i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement. ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon. iii. Capability Maturity Model should be integrated because it provides distinct maturity levels. iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement. A. i, iii B. ii, iii, iv C. ii, iii D. ii, iv

29. C. The best process improvement approaches provided in this list are Six Sigma and the Capability Maturity Model. The following outlines the definitions for all items in this question: • TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group • ITIL Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce • Six Sigma Business management strategy that can be used to carry out process improvement • Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon

3. How is a challenge/response protocol utilized with token device implementations? A. This protocol is not used; cryptography is used. B. An authentication service generates a challenge, and the smart token generates a response based on the challenge. C. The token challenges the user for a username and password. D. The token challenges the user's password against a database of stored credentials.

3. B. An asynchronous token device is based on challenge/response mechanisms. The authentication service sends the user a challenge value, which the user enters into the token. The token encrypts or hashes this value, and the user uses this as her one-time password.

3. What should management consider the most when classifying data? A. The type of employees, contractors, and customers who will be accessing the data B. Availability, integrity, and confidentiality C. Assessing the risk level and disabling countermeasures D. The access controls that will be protecting the data

3. B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.

4. Which is the first level of the Orange Book that requires classification labeling of data? A. B3 B. B2 C. B1 D. C2

4. C. These assurance ratings are from the Orange Book. B levels on up require security labels be used, but the question asks which is the first level to require this. B1 comes before B2 and B3, so it is the correct answer.

Tanya is working with the company's internal software development team. Before a user of an application can access files located on the company's centralized server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that have been classified and deemed critical to the company's missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure. 30. Which of the following best describes what is currently in place? A. Capability-based access system B. Synchronous tokens that generate one-time passwords C. RADIUS D. Kerberos

30. A. A capability-based access control system means that the subject (user) has to present something, which outlines what it can access. The item can be a ticket, token, or key. A capability is tied to the subject for access control purposes. A synchronous token is not being used, because the scenario specifically states that a challenge\response mechanism is being used, which indicates an asynchronous token.

Steve has found out that the software product that his team submitted for evaluation did not achieve the actual rating they were hoping for. He was confused about this issue since the software passed the necessary certification and accreditation processes before being deployed. Steve was told that the system allows for unauthorized device drivers to be loaded and that there was a key sequence that could be used to bypass the software access control protection mechanisms. Some feedback Steve received from the product testers is that it should implement address space layout randomization and data execution protection. 30. Which of the following best describes some of the issues that the evaluation testers most likely ran into while testing the submitted product? A. Non-protected ROM sections B. Vulnerabilities that allowed malicious code to execute in protected memory sections C. Lack of a predefined and implemented trusted computing base D. Lack of a predefined and implemented security kernel

30. B. If testers suggested to the team that address space layout randomization and data execution protection should be integrated, this is most likely because the system allows for malicious code to easily execute in memory sections that would be dangerous to the system. These are both memory protection approaches.

30. Todd documents several fraud opportunities that the employees have at the financial institution so that management understands these risks and allocates the funds and resources for his suggested solutions. Which of the following best describes the control Todd should put into place to be able to carry out fraudulent investigation activity? A. Separation of duties B. Rotation of duties C. Mandatory vacations D. Split knowledge !A30. C. Mandatory vacation is an administrative detective control that allows for an organization to investigate an employee's daily business activities to uncover any potential fraud that may be taking place. The employee should be forced to be away from the organization for a two-week period and another person put into that role. The idea is that the person who was rotated into that position may be able to detect suspicious activities.

31. A. Separation of duties is an administrative control that is put into place to ensure that one person cannot carry out a critical task by himself. If a person were able to carry out a critical task alone, this could put the organization at risk. Collusion is when two or more people come together to carry out fraud. So if a task was split between two people, they would have to carry out collusion (working together) to complete that one task and carry out fraud.

31. Which of the following is one of the easiest and best items Tanya can look into for proper data protection? A. Implementation of mandatory access control B. Implementation of access control lists C. Implementation of digital signatures D. Implementation of multilevel security

31. B. Systems that provide mandatory access control (MAC) and multilevel security are very specialized, require extensive administration, are expensive, and reduce user functionality. Implementing these types of systems is not the easiest approach out of the list. Since there is no budget for a PKI, digital signatures cannot be used because they require a PKI. In most environments access control lists (ACLs) are in place and can be modified to provide tighter access control. ACLs are bound to objects and outline what operations specific subjects can carry out on them.

32. Which of the following is the best single sign-on technology for this situation? A. SESAME B. Kerberos C. RADIUS D. TACACS+

32. B. SESAME is a single sign-on technology that is based upon public key cryptography; thus, it requires a PKI. Kerberos is based upon symmetric cryptography; thus, it does not need a PKI. RADIUS and TACACS+ are remote centralized access control protocols.

4. Which access control method is considered user-directed? A. Nondiscretionary B. Mandatory C. Identity-based D. Discretionary

4. D. The DAC model allows users, or data owners, the discretion of letting other users access their resources. DAC is implemented by ACLs, which the data owner can configure.

Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank's personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault. 32. Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide? A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventative protection for Todd's organization. B. Rotation of duties by ensuring that one employee only stays in one position for up to three months of a time. This is an administrative control that provides detective capabilities. C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement. D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.

32. D. Dual control is an administrative preventative control. It ensures that two people must carry out a task at the same time, as in two people having separate keys when opening the vault. It is not a detective control. Notice that the question asks what Todd is not doing. Remember that on the exam you need to choose the best answer. In many situations you will not like the question or the corresponding answers on the CISSP exam, so prepare yourself. The questions can be tricky, which is one reason why the exam itself is so difficult.

33. B. A service oriented architecture will allow Harry's team to create a centralized web portal and offer the various services needed by internal and external entities.

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company's policies are located and none of them know their responsibilities pertaining to classifying data. 33. Which of the following best describes what Sam should address first in this situation? A. Integrate data protection roles and responsibilities within the security awareness training and require everyone to attend it within the next 15 days. B. Review the current classification policies to ensure that they properly address the company's risks. C. Meet with senior management and get permission to enforce data owner tasks for each business unit manager. D. Audit all of the current data protection controls in place to get a firm understanding of what vulnerabilities reside in the environment.

33. B. While each answer is a good thing for Sam to carry out, the first thing that needs to be done is to ensure that the policies properly address data classification and protection requirements for the company. Policies provide direction, and all other documents (standards, procedures, guidelines) and security controls are derived from the policies and support them.

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company's policies are located and none of them know their responsibilities pertaining to classifying data. 34. Sam needs to get senior management to assign the responsibility of protecting specific data sets to the individual business unit managers, thus making them data owners. Which of the following would be the most important in the criteria the managers would follow in the process of actually classifying data once this responsibility has been assigned to them? A. Usefulness of the data B. Age of the data C. Value of the data D. Compliance requirements of the data

34. C. Data is one of the most critical assets to any organization. The value of the asset must be understood so that the organization knows which assets require the most protection. There are many components that go into calculating the value of an asset: cost of replacement, revenue generated from asset, amount adversaries would pay for the asset, cost that went into the development of the asset, productivity costs if asset was absent or destroyed, and liability costs of not properly protecting the asset. So the data owners need to be able to determine the value of the data to the organization for proper classification purposes.

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner. 34. Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented? A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol D. Service Provisioning Markup Language, Security Association Markup Language

34. C. The most appropriate languages and protocols for the purpose laid out in the scenario are Extensible Access Control Markup Language, Security Assertion Markup Language, and Simple Object Access Protocol. Harry's group is not necessarily overseeing account provisioning, so the Service Provisioning Markup Language is not necessary, and there is no language called "Security Association Markup Language."

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company's policies are located and none of them know their responsibilities pertaining to classifying data. 35. From this scenario, what has the company accomplished so far? A. Implementation of administrative controls B. Implementation of operational controls C. Implementation of physical controls D. Implementation of logical controls

35. A. The company has developed a data classification policy, which is an administrative control.

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner. 35. The company's partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company boundaries. Which of the following will deal with this issue? A. Service Provisioning Markup Language B. Simple Object Access Protocol C. Extensible Access Control Markup Language D. Security Assertion Markup Language

35. D. Security Assertion Markup Language allows the exchange of authentication and authorization data to be shared between security domains. It is one of the most used approaches to allow for single sign-on capabilities within a web-based environment.

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation. 36. Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization? A. Dual control B. Redundancy C. Training D. Baselines

36. D. The operations staff needs to know what minimum level of security is required per system within the network. This minimum level of security is referred to as a baseline. Once a baseline is set per system, then the staff has something to compare the system against to know if changes have not taken place properly, which could make the system vulnerable.

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation. 37. Which of the following is the best way to illustrate to her boss the dangers of the current configuration issues? A. Map the configurations to the compliancy requirements. B. Compromise a system to illustrate its vulnerability. C. Audit the systems. D. Carry out a risk assessment.

37. D. Susan needs to illustrate these vulnerabilities (misconfigured systems) in the context of risk to her boss. This means she needs to identify the specific vulnerabilities, associate threats to those vulnerabilities, and calculate their risks. This will allow her boss to understand how critical these issues are and what type of action needs to take place.

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation. 38. Which of the following is one of the most likely solutions that Susan will come up with and present to her boss? A. Development of standards B. Development of training C. Development of monitoring D. Development of testing

38. A. Standards need to be developed that outline proper configuration management processes and approved baseline configuration settings. Once these standards are developed and put into place, then employees can be trained on these issues and how to implement and maintain what is outlined in the standards. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are configurations that do not meet the requirements outlined in the standards. You will find that some CISSP questions seem subjective and their answers hard to pin down. Questions that ask what is "best" or "more likely" are common.

6. When is it acceptable to not take action on an identified risk? A. Never. Good security addresses and reduces all risks. B. When political issues prevent this type of risk from being addressed. C. When the necessary countermeasure is complex. D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

6. D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.

7. The process of mutual authentication involves_______________. A. A user authenticating to a system and the system authenticating to the user B. A user authenticating to two systems at the same time C. A user authenticating to a server and then to a process D. A user authenticating, receiving a ticket, and then authenticating to a service

7. A. Mutual authentication means it is happening in both directions. Instead of just the user having to authenticate to the server, the server also must authenticate to the user.

7. Which is the most valuable technique when determining if a specific security control should be implemented? A. Risk analysis B. Cost/benefit analysis C. ALE results D. Identifying the vulnerabilities and threats causing the risk

7. B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.

7. The trusted computing base (TCB) contains which of the following? A. All trusted processes and software components B. All trusted security policies and implementation mechanisms C. All trusted software and design mechanisms D. All trusted software and hardware components

7. D. The TCB contains and controls all protection mechanisms within the system, whether they are software, hardware, or firmware.

8. What is the imaginary boundary that separates components that maintain security from components that are not security related? A. Reference monitor B. Security kernel C. Security perimeter D. Security policy

8. C. The security perimeter is a boundary between items that are within the TCB and items that are outside the TCB. It is just a mark of delineation between these two groups of items.

8. Which best describes the purpose of the ALE calculation? A. Quantifies the security level of the environment B. Estimates the loss possible for a countermeasure C. Quantifies the cost/benefit result D. Estimates the loss potential of a threat in a span of a year

8. D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.

8. In discretionary access control security, who has delegation authority to grant access to data? A. User B. Security officer C. Security policy D. Owner

8. D. This question may seem a little confusing if you were stuck between user and owner. Only the data owner can decide who can access the resources she owns. She may be a user and she may not. A user is not necessarily the owner of the resource. Only the actual owner of the resource can dictate what subjects can actually access the resource.

9. Which could be considered a single point of failure within a single sign-on implementation? A. Authentication server B. User's workstation C. Logon credentials D. RADIUS

9. A. In a single sign-on technology, all users are authenticating to one source. If that source goes down, authentication requests cannot be processed.

9. Which model deals only with confidentiality? A. Bell-LaPadula B. Clark-Wilson C. Biba D. Reference monitor

9. A. The Bell-LaPadula model was developed for the U.S. government with the main goal of keeping sensitive data unreachable to those who were not authorized to access and view it. This was the first mathematical model of a multilevel security policy used to define the concepts of a security state and mode of access and to outline rules of access. The Biba and Clark-Wilson models do not deal with confidentiality, but with integrity instead.

9. The security functionality defines the expected activities of a security mechanism, and assurance defines which of the following? A. The controls the security mechanism will enforce B. The data classification after the security mechanism has been implemented C. The confidence of the security the mechanism is providing D. The cost/benefit relationship

9. C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.

Voir tous les ensembles d'études

cissp 2 1

Ensembles d'études connexes

Accounting Info Systems WileyPlus CH 12

MAN$&@)

Chapter 7b Champaigns

Chapter 20 Section 3

ch 6

Debate Final 2017-2018 sem 1

AP World History Chapter 5 study guide part 2

Exam 9-12

W3Schools - HTML (HTML Comments, HTML Colors, HTML CSS)

CoursePoint Chapter 1, 3, & 24 Questions

Chapter 45 NCLEX style questions

sec+ domain 3

CFA Level I: Portfolio Management

The Cold War and American Culture

Cell Structure and Function

CRITICAL THINKING FINAL

Small Business Management Chapter 6

Person Chapter 4 (Sentence Fragment and Sentence Combination Errors)

Psyc 360 Intro to Personality Final Exam

Chapter 1, 2, 3 - Exam 1 Review