Information Security and Assurance - C725 - Practice Tests


Which of the following statements regarding cloud computing and grid computing are true? (a) Both cloud computing and grid computing are scalable. (b) Grid computing is suited for storing objects as small as 1 byte. (c) Cloud computing may be more environmentally friendly than grid computing. (d) Cloud computing is made up of thin clients, grid computing, and utility computing. A option d B options a and b C options a, b, and c D all of the options E options a, c, and d F option a G option b H option c

Answer E is correct. Both cloud computing and grid computing are scalable. Cloud computing is made up of thin clients, grid computing, and utility computing. Cloud computing may be more environmentally friendly than grid computing. Grid computing is NOT suited for storing objects as small as 1 byte.

Which of the following concepts represent the three fundamental principles of information security? Each correct answer represents a complete solution. Choose all that apply. A Privacy B Integrity C Confidentiality D Availability

Answers B, C, and D are correct. The three fundamental principles of information security are confidentiality, integrity, and availability. Answer A is incorrect. Privacy, authentication, accountability, authorization, and identification are also concepts related to information security, but they are not its fundamental principles.

switching technologies

Circuit switching: constant traffic; connection oriented; used primarily for voice.
Packet switching: bursty traffic; variable delays; sensitive to data loss.

types of denial of service attacks

Fraggle: spoofed UDP packets are sent to a network's broadcast address.
Ping of Death: uses an oversized ICMP datagram to crash IP devices.
SYN flood: exploits the three-way handshake that initially establishes a communication between two computers.
Buffer overflow: occurs when more data is put into a buffer than it can hold.

What character should always be treated carefully when encountered as user input on a web form? A * B ' C ! D &

Answer B is correct. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

Transparency

is the characteristic of a service, security control, or access mechanism that ensures that it is unseen by users. It is often a desirable feature for security controls. The more transparent a security mechanism is, the less likely a user will be able to circumvent it or even be aware that it exists.

You have been asked to implement a system that detects network intrusion attempts and controls access to the network for the intruders. Which system should you implement? A firewall B VPN C IPS D IDS

Answer C is correct. An intrusion prevention system (IPS) detects network intrusion attempts and controls access to the network for the intruders. An IPS is an improvement over an intrusion detection system (IDS) because an IPS actually prevents intrusion. A firewall is a device that is configured to allow or prevent certain communication based on preconfigured filters. A firewall can protect a computer or network from unwanted intrusion using these filters. However, any communication not specifically defined in the filters is either allowed or denied. Firewalls are not used to detect network intrusion. However, firewalls do prevent unwanted communication based on pre-defined rules. An IDS only detects the intrusion and logs the intrusion or notifies the appropriate personnel. A virtual private network (VPN) is a private network that users can connect to over a public network.

One of the planned international offices will perform highly sensitive tasks for a governmental entity. For this reason, you must ensure that the company selects a location where a low profile can be maintained. On which of the following criteria do you base your facility selection? A construction B accessibility C visibility D surrounding area

Answer C is correct. You are concerned with visibility. The amount of visibility depends on the organization and the processes carried out in the facility. In the case of this office, you need to ensure that the company selects a location where a low profile can be maintained. Accessibility is the ease with which employees and officers can access the facility. Construction determines the building materials used to construct the facility. Surrounding area is the environment in which the facility is located, and is primarily concerned with the local crime rate and the distance to emergency services. None of these factors is relevant to maintaining a low profile.

A company's security policy comes under which of the following controls? A Technical B Physical C Detective D Administrative

Answer D is correct. Administrative controls are management-driven actions that usually reveal themselves in the form of policies, directives, advisories, and procedures. Security policies, awareness training, and incident response planning are all examples of administrative controls. Answer A is incorrect. Technical controls are the hardware or software mechanisms used to manage access and provide protection for resources and systems. Answer B is incorrect. Physical controls are used to prevent, monitor, or detect direct contact with systems or areas within a facility. Answer C is incorrect. Detective controls search for unwanted or unauthorized activities.

Which of the following are DoS attacks? (Choose three.) A Teardrop B Spoofing C Ping of death D Smurf

Answers A, C, and D are correct. Teardrop, smurf, and ping of death are all types of denial-of-service (DoS) attacks. Attackers use spoofing to hide their identity in a variety of attacks, but spoofing is not an attack by itself. Note that this question is an example that can easily be changed to a negative type of question such as "Which of the following is not a DoS attack?"

gateway firewalls

Here are the gateway firewalls:
Static packet-filtering: filters traffic by examining data from a message header.
Application-level gateway: copies packets from one network into another.
Circuit-level gateway: establishes communication sessions between trusted partners.
Stateful inspection: evaluates the state or the context of network traffic.

Permanent Virtual Circuit (PVC)

can be described as a logical circuit that always exists and is waiting for the customer to send data.

The Internet Assigned Numbers Authority (IANA) implemented classful IPv4 addresses

A: 1.0.0.0 - 126.0.0.0. The first octet is the network ID; the last three octets are the host ID. The default subnet mask is 255.0.0.0.
B: 128.0.0.0 - 191.255.0.0. The first two octets are the network ID; the last three octets are the host ID. The default subnet mask is 255.255.0.0.
C: 192.0.0.0 - 223.255.255.0. The first three octets are the network ID; the last octet is the host ID. The default subnet mask is 255.255.255.0.
D: 224.0.0.0 - 239.0.0.0. Multicasting addresses.
E: 240.0.0.0 - 255.0.0.0. Experimental use.

Arrange the steps in the correct sequence in which the IDS (Intrusion Detection System) instructs the TCP (Transmission Control Protocol) to reset all connections.

An active response involves acting appropriately in response to an attack or threat. The goal of an active response is to take the quickest action possible to reduce such an event's potential impact. The correct sequence in which the IDS instructs TCP to reset all connections is: (1) network attack; (2) IDS alert detected; (3) IDS command (reset TCP).

What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks? A Gantt B PERT C Bar D Venn

Answer A is correct. A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.

A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this? A RBAC model B Rule-based access control model C An access control list (ACL) D DAC model

Answer A is correct. A Role Based Access Control (RBAC) model can group users into roles based on the organization's hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

Which of the following is the most secure method of deleting data on a DVD? A Destruction B Degaussing C Formatting D Deleting

Answer A is correct. Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux, so degaussing a DVD doesn't destroy data.

Which of the following access controls modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred? A Corrective B Deterrent C Preventive D Detective

Answer A is correct. A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. This control can be simple, such as terminating malicious activity or rebooting a system. It consists of the following security services: alarm, mantrap, and security policy. Answer D is incorrect because a detective access control is deployed to discover or detect unwanted or unauthorized activity. Answer C is incorrect because a preventive access control is deployed to thwart or stop an unwanted or unauthorized activity from occurring. Answer B is incorrect because a deterrent access control is deployed to discourage violation of security policies.

You have created a cryptographic key on your organization's domain controller. What should you do next? A Initialize the key. B Activate the key. C Terminate the key. D Distribute the key.

Answer A is correct. After creating a cryptographic key, you should initialize the key by setting all of its core attributes. The four phases in the cryptographic key life cycle are as follows: pre-operational, operational, post-operational, and destroyed.

An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks. Management wants to ensure that the consultant has the correct priorities while doing her research. Of the following, what should be provided to the consultant to meet this need? A Asset valuation B Threat modeling results C Vulnerability analysis reports D Audit trails

Answer A is correct. Asset valuation identifies the actual value of assets so that they can be prioritized. For example, it will identify the value of the company's reputation from the loss of customer data compared with the value of the secret data stolen by the malicious employee. None of the other answers is focused on high-value assets. Threat modeling results will identify potential threats. Vulnerability analysis identifies weaknesses. Audit trails are useful to re-create events leading up to an incident.

When correctly implemented, what is the only cryptosystem known to be unbreakable? A One-time pad B Transposition cipher C Substitution cipher D Advanced Encryption Standard

Answer A is correct. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks.

Which Digital Subscriber Line (DSL) implementation offers speeds up to 8 megabits per second (Mbps) and provides faster download speed than upload speed? A ADSL B HDSL C IDSL D SDSL

Answer A is correct. Asymmetrical Digital Subscriber Line (ADSL) offers speeds up to 8 megabits per second (Mbps) and provides faster download speed than upload speed. High-bit-rate DSL (HDSL) offers speeds up to 1.544 Mbps over regular UTP cable. ISDN DSL (IDSL) offers speeds up to 128 kilobits per second (Kbps). Symmetrical DSL (SDSL) offers speeds up to 1.1 Mbps. Data travels in both directions at the same rate. Another type of DSL is Very high bit-rate Digital Subscriber Line (VDSL). VDSL transmits at super-accelerated rates of 52 Mbps downstream and 12 Mbps upstream.

What database security technology involves creating two or more rows with seemingly identical primary keys that contain different data for users with different security clearances? A Polyinstantiation B Views C Aggregation D Cell suppression

Answer A is correct. Database developers use polyinstantiation, the creation of multiple records that seem to have the same primary key, to protect against inference attacks.

Mark has to research different types of computation technologies in order to meet the requirements of his organization. To carry out singular computation tasks, Mark is required to use loosely coupled and geographically dispersed systems. Which of the following will best fit the requirements of his company? A Grid computing B Farm computing C Quantum computing D Parallel computing

Answer A is correct. Grid computing is considered a load-balanced parallel means of massive computation. It is similar to clusters, but it is implemented with loosely coupled systems that may join and leave the grid randomly. Cluster computing is a high-performance computing system. In grid computing, grids tend to be more loosely coupled, heterogeneous, and geographically dispersed. This feature of grid computing distinguishes it from cluster computing. Answer D is incorrect. Parallel computing is a computation system designed to perform numerous calculations simultaneously. But parallel data systems often go far beyond basic multiprocessing capabilities. This implementation is based on the idea that some problems can be solved efficiently if broken into smaller tasks that can be worked on concurrently. Answers C and B are incorrect. Quantum computing and farm computing are not required in the given scenario.

What does IPsec define? A A framework for setting up a secure communication channel B All possible security classifications for a specific configuration C TCSEC security categories D The valid transition states in the Biba model

Answer A is correct. IPsec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.

Which security control system assigns users roles to dictate access to resources? A RBAC B MAC C DAC D UDP

Answer A is correct. In role-based access control (RBAC), users are assigned roles to accomplish specific tasks. For example, a user might be assigned to a role named standard for typical work on a computer, and the same user might be assigned to a role named admin for work that requires administrative privileges. In an RBAC system, roles are granted or denied access to network resources. The roles are used to identify the users who have permissions to a resource. In mandatory access control (MAC), users and resources are assigned to security levels. In a MAC-based security system, users can write documents at or above their assigned security level, and can read documents at or below their assigned security level. The U.S. military uses MAC for access to documents and network resources. In discretionary access control (DAC), users are assigned to groups, and users and groups are granted or denied access to folders and files. Each folder and file in a DAC security system has an access control list (ACL) that is used to determine which users and groups can gain access to a network resource. User Datagram Protocol (UDP) is a protocol that is used on a TCP/IP network to support connectionless communications; it is not a security control system.

Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy? A To detect fraud B To increase employee productivity C To reduce employee stress levels D To rotate job responsibilities

Answer A is correct. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their job, requiring someone else to perform their job responsibilities, and this increases the likelihood of discovering fraud. It does not rotate job responsibilities. While mandatory vacations might help employees reduce their overall stress levels, and in turn increase productivity, these are not the primary reasons for mandatory vacation policies.

What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? A Parallel test B Full-interruption test C Simulation test D Structured walk-through

Answer A is correct. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.

Which operation must you undertake to avoid mishandling of tapes, CDs, DVDs, floppies, and printed material? A labeling B degaussing C zeroization D offsite storage

Answer A is correct. Proper labeling is required to avoid mishandling of the information on storage media, such as tapes and floppy disks. Compact discs and floppy disks are used to store small data sets, while backup tapes are used to store large numbers of data sets. Storage media containing confidential information must be appropriately marked and labeled to ensure appropriate classification. The storage media should also be stored in a protected area. Each medium should be labeled with the following details: classification; date of creation; retention period; volume name and version; name of the person who created the backup. Degaussing is not a media handling technique but a media sanitization technique. Degaussing is the process of reducing or eliminating an unwanted magnetic field of a storage medium by applying strong magnetic forces. Degaussing devices generate powerful opposing magnetic fields that reduce the magnetic flux density of the storage medium to zero. Degaussing is the most preferred method for erasing data from magnetic media, such as floppy disks and magnetic tapes. Zeroization is not a media handling technique but a media sanitization technique. Zeroization implies that a storage medium is repeatedly overwritten with null values, such as multiple ones and zeros, for sanitization. Zeroization is generally used in a software development environment. Data transfer to an offsite location should take place to create a backup copy of the media in case there is a disaster at the primary site. Data transferred to an offsite location acts as a backup copy of the data. The storage media should be labeled appropriately to prevent mishandling.

An organization is implementing a preselected baseline of security controls, but finds that some of the controls aren't relevant to their needs. What should they do? A Tailor the baseline to their needs. B Re-create a baseline. C Identify another baseline. D Implement all the controls anyway.

Answer A is correct. Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.

Which Orange Book level is considered mandatory protections and is based on the Bell-LaPadula security model? A B B D C C D A

Answer A is correct. The Trusted Computer System Evaluation Criteria (TCSEC) classifies systems into four hierarchical divisions of security levels: Level A (verified protection and the highest level of security), Level B (mandatory protection enforced with security labels), Level C (discretionary protection), and Level D (minimal protection). The evaluation criteria are published in a book referred to as the Orange Book. Each level may have numbered sublevels. A higher rating implies a higher degree of trust and assurance. For example, a B2 rating provides more assurance than a C2 rating. A higher rating includes the requirements of a lower rating. For example, a B2 rating includes the features and specifications of a C2 rating.

Level A is verified protection, offering the highest level of security. An A1 rating implies that the security assurance, design, development, implementation, evaluation, and documentation of a computer is performed in a very formal and detailed manner. An infrastructure containing A1-rated systems is the most secure environment and is typically used to store highly confidential and sensitive information. This level implements trusted facility management.

Level B is mandatory protection based on the Bell-LaPadula security model and enforced by the use of security labels. A B1 rating refers to labeled security, where each object has a classification label, and each subject has a security clearance level. To access the contents of the object, the subject should have an equal or higher level of security clearance than the object. A system compares the security clearance level of a subject with the object's classification to allow or deny access to the object. The B1 category offers process isolation, the use of device labels, the use of design specification and verification, and mandatory access controls. B1 systems are used to handle classified information. A B2 rating refers to structured protection. A stringent authentication procedure should be used in B2-rated systems to enable a subject to access objects by using the trusted path without any backdoors. This level is the lowest level to implement trusted facility management; levels B3 and A1 implement it also. Additional requirements of a B2 rating include the separation of operator and administrator duties, sensitivity labels, and covert storage channel analysis. A B2 system is used in environments that contain highly sensitive information. Therefore, a B2 system should be resistant to penetration attempts. A B3 rating refers to security domains. B3 systems should be able to perform a trusted recovery. A system evaluated against a B3 rating should have the role of the security administrator fully defined. A B3 system should provide monitoring and auditing functionality. A B3 system is used in environments that contain highly sensitive information and should be resistant to penetration attempts. Another feature of the B3 rating is covert timing channel analysis. This category specifies trusted recovery controls.

Level C is discretionary protection based on discretionary access of subjects, objects, individuals, and groups. A C1 rating refers to discretionary security protection. To enable the rating process, subjects and objects should be separated from the auditing facility by using a clear identification and authentication process. A C1-rated system is suitable for environments in which users process information at the same sensitivity level. A C1-rated system is appropriate for environments with low security concerns. A C2 rating refers to controlled access protection. The authentication and auditing functionality in systems should be enabled for the rating process to occur. A system with a C2 rating provides resource protection and does not allow object reuse. Object reuse implies that an object should not have remnant data that can be used by a subject later. A C2 system provides granular access control and establishes a level of accountability when subjects access objects. A system with a C2 rating is suitable for a commercial environment.

Level D is a minimal protection rating that is offered to systems that fail to meet the evaluation criteria of higher levels.

Which one of the following data roles is most likely to assign permissions to grant users access to data? A Administrator B Custodian C Owner D User

Answer A is correct. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

Which of the following processes is often intertwined with the configuration documentation to ensure that changes are documented? A Change management B Incident management C Configuration management D Capacity management

Answer A is correct. The change management process ensures that changes are adequately reviewed, approved, and documented to reduce outages from changes. It is often intertwined with the configuration documentation to ensure that changes are documented. Changes often create unexpected side effects that can result in outages. An administrator can make a change to a system in order to resolve a problem, but this may cause a problem in other systems. Answer B is incorrect. Incident management is the process of restoring normal service operation as fast as possible while reducing unfavorable impact on business operations. Answer C is incorrect. Configuration management helps ensure that systems are configured properly throughout their lifetime. Answer D is incorrect. Capacity management ensures that the service provider has, at all times, sufficient capacity so that the current and the future needs of the customer get fulfilled.

Who establishes the rules for appropriate use and protection of the subject's information? A Data owner B Administrator C Program manager D Custodian

Answer A is correct. The data owner is responsible for establishing the rules for appropriate use and protection of the subject's information. They are responsible for assigning data classification. Answer D is incorrect. A custodian protects the security and integrity of data by ensuring that it is properly stored and protected. Answer B is incorrect. An administrator is responsible for granting appropriate access to personnel. Answer C is incorrect. A program manager owns processes that use systems managed by other entities.

Which of the following is the feature of a mutual assistance agreement (MAA) in an event of a disaster? A No monetary cost B Guaranteed availability C Legally enforceable D Immediate access

Answer A is correct. The feature of an MAA in the event of a disaster is that it has no monetary cost, but it also provides no reliable insurance against downtime due to a disaster. If an organization cannot afford to implement any other type of alternate processing, an MAA might provide a degree of valuable protection in the event of a localized disaster. Answers B, C, and D are incorrect. A mutual assistance agreement does not provide guaranteed availability or immediate access, and it is not legally enforceable in the event of a disaster.

All of the following affect the strength of encryption, EXCEPT: A the length of the data being encrypted B the algorithm C the secrecy of the key D the length of the key

Answer A is correct. The length of the data being encrypted does not affect the strength of encryption. The strength of encryption is affected by the algorithm, the secrecy of the key, the length of the key, and the initialization vector.

All of the following are needed for system accountability except for which one? A Identification B Authorization C Auditing D Authentication

Answer B is correct. Authorization is not needed for accountability. However, users must be identified and authenticated and their actions must be logged using some type of auditing to provide accountability.

What is the primary purpose of Kerberos? A Authentication B Accountability C Confidentiality D Integrity

Answer A is correct. The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

Which statement is true of the chief security officer's (CSO's) role in an organization? A The CSO's role should be self-governing and independent of all the other departments in the organization. B The CSO's role should be limited to the IT department. C The CSO's role should include all the other departments for efficient security management. D The CSO should not be the only authority, and the decision-making process should include staff from other departments.

Answer A is correct. The role of the chief security officer (CSO) should be self-governing and independent of all the other departments in the organization. The CSO should report to the chief information officer (CIO), chief technology officer (CTO), or chief executive officer (CEO) only to gain management approval for security implementation and to provide feedback on the security process compliance. In an organization, an Information Technology security function should be led by a Chief Security Officer.

Which of the following best defines "rules of behavior" established by a data owner? A Identifying appropriate use and protection of data B Determining who has access to a system C Ensuring that users are granted access to only what they need D Applying security controls to a system

Answer A is correct. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures that users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

Which processes define the supervisor mode? A processes that are executed in the inner protection rings B processes in the outer protection ring that have more privileges C processes that are executed in the outer protection rings D processes with no protection mechanism

Answer A is correct. The supervisor mode refers to processes that are executed in the inner protection rings. The processes in the inner protection rings are granted more privileges than the processes in the outer protection ring. The processes in the inner ring are executed in the privileged or the supervisor mode, while the processes working in the outer protection rings are executed in the user mode. These processes in the inner ring include the operating system kernel process and input/output (I/O) instructions. Processes are placed in a ring structure according to least privilege. Multiplexed Information and Computing Service (MULTICS) is an example of a ring protection system. All other options are incorrect. Each operating system has a protection mechanism, such as memory segments and protection rings, to ensure that the applications do not adversely affect the critical components of the operating system. The protection rings define the security policy for each application by limiting the operations that can be performed by the application. No application in the operating system functions without a protection mechanism. Operating systems are responsible for memory allocation, input and output tasks, and resource allocation. If an operating system allows sequential use of an object without refreshing it, disclosure of residual data can arise.

Which term is used to describe the area that is covered by a satellite? A footprint B amplitude C frequency D line of sight

Answer A is correct. The term footprint describes the area on Earth covered by a satellite's signal. Because a footprint is large, satellite transmissions can be received, and therefore intercepted, by anyone within it; the link should be encrypted rather than relying on the difficulty of picking up the signal. For a geostationary satellite the footprint is fixed; for satellites in lower orbits it sweeps across the Earth, so a given spot is covered only briefly. Amplitude and frequency are analogue signal terms: amplitude describes the height of the signal, and frequency the number of waves transmitted in a period of time. Line of sight is the requirement that nothing obstruct the path between the receiver and the satellite; buildings, trees, and weather can all block the signal.

An organization has created an access control policy that grants specific privileges to accountants. What type of access control is this? A Role-based access control B Discretionary access control C Mandatory access control D Rule-based access control

Answer A is correct. The type of access control that is mentioned in the given scenario is role-based access control. This access control policy grants specific privileges based on roles, and roles are frequently job based or task based. Answers B, C, and D are incorrect. Discretionary access controls allow owners to control privileges, mandatory access controls use labels to control privileges, and rule-based access controls use rules.

All but which of the following items requires awareness for all individuals affected? A The backup mechanism used to retain email messages B Restricting personal email C Recording phone conversations D Gathering information about surfing habits

Answer A is correct. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

What is the minimum level of static discharge that causes permanent damage to computer electronics? A 17,000 volts B 4,000 volts C 1,000 volts D 2,000 volts

Answer A is correct. In the reference table this exam uses, 17,000 volts is the level of static discharge that causes permanent damage to computer electronics. Answer C is incorrect: 1,000 volts causes scrambling of the monitor display. Answer D is incorrect: 2,000 volts causes an abrupt system shutdown. Answer B is incorrect: 4,000 volts causes a printer jam or component damage. Note that the same table lists 40 volts as enough to destroy sensitive circuits and transistors, so in practice anti-static precautions (wrist straps, grounded mats, controlled humidity) are needed at far lower discharge levels than 17,000 volts.

Which level of fences deter casual trespassers? A 3 to 4 feet high B 6 to 7 feet high C 8 feet high with barbed wire

Answer A is correct. Fences 3 to 4 feet high deter casual trespassers. Answer B is incorrect. Fences 6 to 7 feet high are too hard to climb easily and deter most intruders, except determined ones. Answer C is incorrect. Fences 8 feet or higher topped with three strands of barbed wire deter determined intruders.

You are servicing a Windows computer that is connected to your company's Ethernet network. You need to determine the manufacturer of the computer's NIC. You issue the ipconfig /all command in the command prompt window and record the NIC's MAC address, which is 00-20-AF-D3-03-1B.Which part of the MAC address will help you to determine the NIC's manufacturer? A 20-AF-D3 B 00-20-AF C D3-03-1B D AF-D3-03

Answer B is correct. A media access control (MAC) address is a 48-bit number built into a NIC that connects to an Ethernet network. It is written as six octets, each of which represents 8 bits of the address as a two-digit hexadecimal number. The first three octets, the organizationally unique identifier (OUI), are assigned by the Institute of Electrical and Electronics Engineers (IEEE) to each network interface card (NIC) manufacturer; these three octets identify the manufacturer. In this scenario, the sequence 00-20-AF identifies the NIC's manufacturer as 3Com. Other well-known assignments include Cisco, which holds 00-00-0C, and Hewlett-Packard, which holds 08-00-09. The last three octets uniquely identify each NIC that the manufacturer produces. Originally a MAC address was burned permanently into the NIC, but modern drivers and operating systems let the address be overridden in software, which allows administrators to assign addresses of their choosing. Changing MAC addresses must be done with care, because two cards with the same MAC address on the same network will cause communication problems. The same flexibility has a security consequence: because an attacker can set any address, the OUI identifies the vendor only when the address is still the universally administered one, and controls that trust a MAC address (port security allow-lists, wireless MAC filtering) are easy to bypass.
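The lookup the question describes, done in code, as an added example that is not part of the original practice test. It normalizes the common address notations, splits out the OUI and the NIC-specific part, and also reads the two flag bits of the first octet: the I/G bit (multicast) and the U/L bit (locally administered), the latter being the sign that the address was set in software and its OUI should not be trusted for vendor attribution. The OUI table is a constructed three-entry subset holding only the assignments the answer text names; a real lookup uses the full IEEE registry.

```python
"""Parse a MAC address, split out the OUI and flag the bits that decide
whether a vendor lookup is meaningful.

Added example, not part of the original practice test. OUI_TABLE is a
constructed subset of the IEEE registry containing only the three
assignments named in the answer text.
"""
import re

# Constructed subset of the IEEE OUI registry: first three octets -> vendor.
OUI_TABLE = {
    "00:20:AF": "3Com",
    "00:00:0C": "Cisco",
    "08:00:09": "Hewlett-Packard",
}


def normalize_mac(mac):
    """Accept 00-20-AF-D3-03-1B, 00:20:af:d3:03:1b, 0020.afd3.031b or
    0020AFD3031B and return the upper-case colon-separated form.
    Raises ValueError for anything that is not exactly 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(mac):
    """True if normalize_mac() accepts the string."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def analyze_mac(mac):
    """Return the OUI, the NIC-specific part and the two flag bits of the
    first octet: bit 0 (I/G) marks a group/multicast address, bit 1 (U/L)
    marks a locally administered, i.e. software-assigned, address."""
    norm = normalize_mac(mac)
    octets = norm.split(":")
    first = int(octets[0], 16)
    oui = ":".join(octets[:3])
    locally_administered = bool(first & 0x02)
    if locally_administered:
        # The OUI of an overridden address says nothing about the hardware.
        vendor = "n/a (locally administered, OUI not meaningful)"
    else:
        vendor = OUI_TABLE.get(oui, "unknown (not in local table)")
    return {
        "mac": norm,
        "oui": oui,
        "nic_specific": ":".join(octets[3:]),
        "vendor": vendor,
        "multicast": bool(first & 0x01),
        "locally_administered": locally_administered,
    }


if __name__ == "__main__":
    for sample in ("00-20-AF-D3-03-1B", "02:00:0C:11:22:33", "01:00:5E:00:00:FB"):
        print(analyze_mac(sample))
```

Run against the address in the question it reports 3Com; run against 02:00:0C:11:22:33, which looks like a Cisco prefix with the U/L bit set, it refuses to name a vendor, which is the behaviour you want in an asset inventory or NAC policy.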

Which job is NOT provided by a network protocol analyzer? A provide network activity statistics B detect active viruses or malware on the network C identify the types of traffic on the network D identify the sources and destinations of communications

Answer B is correct. A network protocol analyzer does not detect active viruses or malware on the network; it captures and decodes traffic, so it can show the traffic that malware generates, but identifying malware is the job of antivirus or intrusion detection tools. A protocol analyzer can determine whether passwords are being transmitted over the network in clear text. Because File Transfer Protocol (FTP) is a clear-text protocol, the analyzer can also read the contents of any FTP packet, including an FTP GET request. Wireshark is a widely used free and open-source network protocol analyzer.

Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data? A ISDN B PVC C VPN D SVC

Answer B is correct. A permanent virtual circuit (PVC) is a logical circuit that always exists and is waiting for the customer to send data. A switched virtual circuit (SVC), by contrast, is established on demand for each session and torn down afterward. ISDN is a circuit-switched digital telephony service, and a VPN is a private network implemented over a public one; neither is a virtual circuit in this sense.

What process does a system use to officially permit access to a file or a program? A Validation B Authorization C Identification D Authentication

Answer B is correct. A system uses an authorization process to officially permit access to a file or a program; this is the step at which permissions are granted and access rights to resources are specified. Answer A is incorrect. Validation checks whether the data values a user enters are acceptable. Answer D is incorrect. Authentication is the act of establishing or confirming that something or someone is authentic, that is, that the claims made by or about the subject are true. Answer C is incorrect. Identification is the process by which a subject professes an identity; it is the point at which accountability begins.

What occurs during the reconstitution phase of a recovery? A an organization ensures that its facility is fully restored at the alternate site B an organization transitions back to its original site C an organization implements the recovery strategy D an organization transitions to a temporary alternate site

Answer B is correct. During the reconstitution phase of disaster recovery, an organization transitions back to its original site or to a new site that was constructed to replace the original site. An organization is not considered fully restored until it is operating from its original or replacement location. None of the other options defines what occurs during the reconstitution phase.

Which of the following modes of 3DES takes place in the sequence encrypt-decrypt-encrypt by using two different keys? A DES-EEE2 B DES-EDE2 C DES-EEE3 D DES-EDE3

Answer B is correct. In DES-EDE2, three DES operations take place in the sequence encrypt-decrypt-encrypt using two different keys, for a 112-bit key: C = E_K1(D_K2(E_K1(P))). Answer C is incorrect. In DES-EEE3, three different keys are used in three encryption stages, for a 168-bit key: C = E_K3(E_K2(E_K1(P))). Answer D is incorrect. In DES-EDE3, the encrypt-decrypt-encrypt sequence uses three different keys, for a 168-bit key: C = E_K3(D_K2(E_K1(P))). Answer A is incorrect. In DES-EEE2, two keys are used for three encryptions, for a 112-bit key: C = E_K1(E_K2(E_K1(P))). In all four formulas the innermost operation is applied first. The decrypt stage in the middle is what gives 3DES backward compatibility with single DES: with K1 = K2 = K3, EDE collapses to one DES encryption, so a 3DES implementation can talk to legacy DES hardware. The key-length figures overstate the strength: meet-in-the-middle attacks reduce three-key 3DES to roughly 112 bits of effective security and two-key 3DES to less, and NIST (SP 800-131A) has deprecated 3DES and disallows it for new encryption after 2023; AES should be used instead.
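The four compositions above, built in code, as an added example that is not part of the original practice test. Because the standard library has no DES, the block uses a constructed toy Feistel cipher with the same 64-bit block and 64-bit key size as a stand-in for E and D; it has no security value, and the point is the composition of the stages and the property that EDE with all keys equal reduces to a single encryption, which EEE does not.

```python
"""Triple encryption (EDE2, EDE3, EEE3) built from a toy 64-bit block cipher.

Added example, not part of the original practice test. The Feistel cipher
below is a constructed stand-in for DES (same 64-bit block and 64-bit key
size, no security value). It demonstrates how the E and D stages compose and
why EDE, not EEE, is the construction compatible with single DES.
"""
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 8


def _round_keys(key):
    """Toy key schedule: ROUNDS 32-bit subkeys from a 64-bit key."""
    k = key & MASK64
    subkeys = []
    for i in range(ROUNDS):
        k = ((k << 13) | (k >> 51)) & MASK64          # rotate the key
        subkeys.append((k ^ (0x9E3779B97F4A7C15 * (i + 1))) & MASK32)
    return subkeys


def _f(half, subkey):
    """Toy round function: key mix, rotate, multiply-add (mod 2^32)."""
    x = (half ^ subkey) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32
    return (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32


def _feistel(subkeys, block):
    """Run the Feistel network. Decryption is the same network with the
    subkeys in reverse order, which is what makes D the exact inverse of E."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for sk in subkeys:
        left, right = right, left ^ _f(right, sk)
    return ((right << 32) | left) & MASK64             # undo the final swap


def E(key, block):
    """Single encryption E_K(P)."""
    return _feistel(_round_keys(key), block)


def D(key, block):
    """Single decryption D_K(C)."""
    return _feistel(list(reversed(_round_keys(key))), block)


# Two-key EDE, as in the answer text: C = E_K1(D_K2(E_K1(P))).
def ede2_encrypt(k1, k2, p):
    return E(k1, D(k2, E(k1, p)))


def ede2_decrypt(k1, k2, c):
    return D(k1, E(k2, D(k1, c)))


# Three-key EDE, innermost operation first: C = E_K3(D_K2(E_K1(P))).
def ede3_encrypt(k1, k2, k3, p):
    return E(k3, D(k2, E(k1, p)))


def ede3_decrypt(k1, k2, k3, c):
    return D(k1, E(k2, D(k3, c)))


# Three-key EEE: C = E_K3(E_K2(E_K1(P))).
def eee3_encrypt(k1, k2, k3, p):
    return E(k3, E(k2, E(k1, p)))


def eee3_decrypt(k1, k2, k3, c):
    return D(k1, D(k2, D(k3, c)))


if __name__ == "__main__":
    p = 0x0123456789ABCDEF                                 # constructed block
    k1, k2 = 0x0F1571C947D9E859, 0x133457799BBCDFF1        # constructed keys
    print("EDE2 ciphertext: %016X" % ede2_encrypt(k1, k2, p))
    print("EDE2 with K1 == K2 equals single E:", ede2_encrypt(k1, k1, p) == E(k1, p))
```

Swap the toy E and D for a real DES primitive and the four wrapper functions are exactly the 3DES modes in the question; the decrypt functions show why the middle stage must be inverted in the opposite order on the way back.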

Mark, Sam, and Pete are IT managers. They all report to Jim. Mark's group is responsible to manage firewall administration tasks. Sam's group manages user accounts. Pete's group is responsible to manage the section of customer support. Members from any of the group cannot share or exchange their tasks. What security control is Jim enforcing? A Data remanence B Separation of duties C Principle of least privilege D Job rotation

Answer B is correct. Jim is enforcing separation of duties: firewall administration, user account management, and customer support are each handled by a different group, and no member of one group can take over or share the tasks of another. Separation of duties (SoD), also called segregation of duties (and, in the political realm, separation of powers), is the concept of requiring more than one person to complete a sensitive task so that no single person can both commit and conceal an error or fraud; it reduces the potential damage from the actions of one person. Answer C is incorrect. The principle of least privilege states that an individual should have just enough permissions and rights to fulfill his or her role. Answer D is incorrect. Job rotation is an approach to management development in which an individual is moved through a schedule of assignments designed to give him or her breadth of exposure to the entire operation. Answer A is incorrect. Data remanence refers to data that remains even after efforts have been made to remove or erase it.

Which of the following access controls provides upper and lower bounds of access for every relationship between a subject and an object? A Attribute-based B Lattice-based C Discretionary D Role-based

Answer B is correct. Lattice-based access controls define an upper and a lower bound of access for every relationship between a subject and an object. The bounds usually follow military or corporate security levels, although they can be arbitrary. For example, a subject cleared at one label may be able to read an object at a lower label but not write to it: the write would fall outside its lattice bounds. Answer C is incorrect. DAC (discretionary access control) allows the owner or creator of an object to control and define subject access to that object. Answer D is incorrect. In RBAC (role-based access control), a user accesses resources according to his or her role in the organization. Answer A is incorrect. In ABAC (attribute-based access control), access is granted not on the basis of a fixed set of rights tied to the authenticated user but on the basis of attributes of the user, the resource, and the environment, evaluated against a policy.
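The lattice rules in the answer, as an added example that is not part of the original practice test. Labels are (classification level, set of compartments) pairs; one label dominates another when its level is at least as high and its compartments are a superset. The subject's own label is then the upper bound of what it may read (no read up) and the lower bound of where it may write (no write down), and least upper bound and greatest lower bound are the lattice join and meet. The levels, compartments, objects, and the analyst's clearance are all constructed.

```python
"""Lattice-based access decisions over (level, compartment set) labels.

Added example, not part of the original practice test. Levels, compartments
and the objects below are constructed; the dominance, read-down and write-up
rules are the standard ones for a security lattice.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset

    @classmethod
    def of(cls, level_name, compartments=()):
        return cls(LEVELS[level_name], frozenset(compartments))

    def dominates(self, other):
        """The lattice's partial order: self >= other."""
        return self.level >= other.level and self.compartments >= other.compartments

    def lub(self, other):
        """Least upper bound (join): the lowest label dominating both."""
        return Label(max(self.level, other.level), self.compartments | other.compartments)

    def glb(self, other):
        """Greatest lower bound (meet): the highest label both dominate."""
        return Label(min(self.level, other.level), self.compartments & other.compartments)

    def __str__(self):
        comps = ",".join(sorted(self.compartments)) or "-"
        return "%s/{%s}" % (LEVEL_NAMES[self.level], comps)


def can_read(subject, obj):
    """Simple security property (no read up): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """Star property (no write down): object must dominate subject."""
    return obj.dominates(subject)


def access_bounds(subject, objects):
    """Split a dict of name -> Label into what the subject may read/write."""
    readable = {name for name, lbl in objects.items() if can_read(subject, lbl)}
    writable = {name for name, lbl in objects.items() if can_write(subject, lbl)}
    return readable, writable


# Constructed objects and a subject cleared SECRET for the CRYPTO compartment.
OBJECTS = {
    "org_chart": Label.of("UNCLASSIFIED"),
    "budget": Label.of("CONFIDENTIAL"),
    "key_schedule": Label.of("SECRET", {"CRYPTO"}),
    "reactor_plans": Label.of("SECRET", {"NUCLEAR"}),
    "war_plan": Label.of("TOP SECRET", {"CRYPTO", "NUCLEAR"}),
}
ANALYST = Label.of("SECRET", {"CRYPTO"})

if __name__ == "__main__":
    readable, writable = access_bounds(ANALYST, OBJECTS)
    print("subject:", ANALYST)
    print("may read :", sorted(readable))
    print("may write:", sorted(writable))
```

Note that reactor_plans sits at the same level as the analyst but in a compartment the analyst lacks, so it is neither readable nor writable: a lattice is a partial order, and labels can be incomparable.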

What is the term for providing fault tolerance by copying the contents of one hard drive to another? A RAID B mirroring C clustering D hot swapping

Answer B is correct. Mirroring occurs when you provide fault tolerance by copying the contents of one hard drive to another. Clustering occurs when you combine two or more servers that provide the same service into a cluster. Clustering balances the load between the servers, or ensures that if one server fails another one takes over. Hot swapping is when you can replace a piece of hardware in a computer while the computer is still operating. Redundant Array of Independent Disks (RAID) is a hard drive technology that provides fault tolerance and performance improvement. While some RAID levels implement mirroring, not all of them do.

Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform? A Application vulnerability review B Mutation fuzzing C Generational fuzzing D Code review

Answer B is correct. Mutation fuzzing uses bit flipping and other small edits to slightly modify previously used inputs to a program in an attempt to detect software flaws. Generational (or grammar-based) fuzzing instead builds inputs from scratch using a model of the input format, which reaches deeper into parsers but requires writing that model first.
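A minimal mutation fuzzer of the kind the answer describes, as an added example that is not part of the original practice test. It takes a known-good seed record, applies bit flips, byte edits, insertions, deletions and truncation, and reports any input that makes the target raise something other than its documented error. The target parse_record is a constructed toy parser whose length byte is trusted, so a truncated record indexes past the buffer; an IndexError here stands in for the out-of-bounds read a native parser would suffer.

```python
"""A minimal mutation fuzzer run against a deliberately fragile parser.

Added example, not part of the original practice test. parse_record and the
seed record are constructed; the bug (trusting the length byte) is
intentional so that the fuzzer has something to find.
"""
import random

MAX_PAYLOAD = 64


def xor_bytes(data):
    acc = 0
    for b in data:
        acc ^= b
    return acc


def parse_record(buf):
    """Toy format: 1-byte length, payload, 1-byte XOR checksum.
    Bug: the length byte is trusted, so a short buffer makes buf[1 + n] fail."""
    if len(buf) == 0:
        raise ValueError("empty record")            # documented error path
    n = buf[0]
    if n > MAX_PAYLOAD:
        raise ValueError("payload too long")        # documented error path
    payload = buf[1:1 + n]
    checksum = buf[1 + n]                           # unchecked index (the bug)
    if checksum != xor_bytes(payload):
        raise ValueError("bad checksum")            # documented error path
    return payload


# Mutation operators; each returns a new bytes object, never an empty one.
def bit_flip(data, rng):
    pos = rng.randrange(len(data))
    return data[:pos] + bytes([data[pos] ^ (1 << rng.randrange(8))]) + data[pos + 1:]


def byte_set(data, rng):
    pos = rng.randrange(len(data))
    value = rng.choice([0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)])  # boundary values
    return data[:pos] + bytes([value]) + data[pos + 1:]


def byte_insert(data, rng):
    pos = rng.randrange(len(data) + 1)
    return data[:pos] + bytes([rng.randrange(256)]) + data[pos:]


def byte_delete(data, rng):
    if len(data) <= 1:
        return data
    pos = rng.randrange(len(data))
    return data[:pos] + data[pos + 1:]


def truncate(data, rng):
    if len(data) <= 1:
        return data
    return data[:rng.randrange(1, len(data))]


MUTATORS = [bit_flip, byte_set, byte_insert, byte_delete, truncate]


def mutate(seed, rng, max_ops=3):
    """Apply 1..max_ops randomly chosen operators to a copy of the seed."""
    data = bytes(seed)
    for _ in range(rng.randrange(1, max_ops + 1)):
        data = rng.choice(MUTATORS)(data, rng)
    return data


def fuzz(seed, target, iterations, rng_seed=0):
    """Return {input: exception name} for inputs that raised anything other
    than the ValueError the target documents as its error path."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except ValueError:
            continue                                # handled error, not a bug
        except Exception as exc:                    # anything else is a finding
            crashes.setdefault(candidate, type(exc).__name__)
    return crashes


def reproduces(target, data):
    """True if replaying data still triggers an unexpected exception."""
    try:
        target(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


SEED = bytes([5]) + b"hello" + bytes([xor_bytes(b"hello")])   # valid record

if __name__ == "__main__":
    found = fuzz(SEED, parse_record, 2000)
    for data, name in list(found.items())[:5]:
        print(name, data)
    print("%d crashing inputs" % len(found))
```

The split between "documented error" and "anything else" is the important design choice: a fuzzer that treats every exception as a bug drowns in the parser's own rejections, and one that swallows everything finds nothing. Saving each crashing input and replaying it (reproduces) is what turns a fuzzing run into a regression test.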

Which of the following acts as the interface between a local area network and the Internet using one public IP address? A firewall B NAT C VPN D router

Answer B is correct. Network Address Translation (NAT) acts as the interface between a local area network and the Internet using one public IP address: it rewrites the private source addresses of outbound packets to the public address and maps replies back to the originating host. A VPN is a private network implemented over a public network such as the Internet. A router is a network device that forwards packets between networks; it operates at the Network layer of the OSI model (Layer 3). A firewall may also route and perform NAT, but it is called a firewall because it filters traffic according to policy, for example to create a DMZ. NAT by itself is not a security control: it drops unsolicited inbound packets only as a side effect of having no translation entry for them.
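The translation table behind "one public IP address", as an added example that is not part of the original practice test. Two private hosts open connections from the same source port; the translator allocates a distinct public port to each flow, rewrites replies back to the right host, and has no entry at all for an unsolicited inbound packet, which is the incidental filtering effect mentioned above. Addresses, ports and the port pool are constructed, and a packet is a plain dict of the 5-tuple fields rather than a real header.

```python
"""Port-based NAT (NAPT) table: many private hosts behind one public address.

Added example, not part of the original practice test. Addresses, ports and
packets are constructed; a packet is a dict of 5-tuple fields, not a header.
"""


class Napt:
    def __init__(self, public_ip, port_range=(40000, 40010)):
        self.public_ip = public_ip
        self.free_ports = list(range(*port_range))
        # (proto, src_ip, src_port, dst_ip, dst_port) -> allocated public port
        self.out_map = {}
        # (proto, public_port, remote_ip, remote_port) -> (src_ip, src_port)
        self.in_map = {}

    def outbound(self, pkt):
        """Rewrite a LAN -> Internet packet's source to the public address,
        allocating a public port the first time a flow is seen."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.out_map.get(key)
        if port is None:
            if not self.free_ports:
                return None                          # table exhausted: drop
            port = self.free_ports.pop(0)
            self.out_map[key] = port
            self.in_map[(pkt["proto"], port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Map an Internet -> public-address packet back to the LAN host that
        opened the flow. No matching entry means the packet is dropped (None)."""
        key = (pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"])
        host = self.in_map.get(key)
        if host is None:
            return None
        return dict(pkt, dst=host[0], dport=host[1])


def tcp(src, sport, dst, dport):
    """Build a constructed TCP packet as a dict of 5-tuple fields."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    nat = Napt("203.0.113.7")
    out1 = nat.outbound(tcp("192.168.1.10", 51000, "198.51.100.5", 443))
    out2 = nat.outbound(tcp("192.168.1.11", 51000, "198.51.100.5", 443))
    print("host .10 leaves as", out1["src"], out1["sport"])
    print("host .11 leaves as", out2["src"], out2["sport"])
    reply = nat.inbound(tcp("198.51.100.5", 443, "203.0.113.7", out1["sport"]))
    print("reply delivered to", reply["dst"], reply["dport"])
    print("unsolicited inbound:", nat.inbound(tcp("198.51.100.9", 12345, "203.0.113.7", 40005)))
```

Because in_map is keyed on the remote address and port as well as the public port, only the peer the host actually talked to can reach it back (the behaviour often called symmetric NAT). Real deployments vary, and any NAT can be configured to forward ports inbound, which is why NAT must not be mistaken for a firewall policy.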

Which of the following is the method of hiding data within another media type such as graphic or document? A Spoofing B Steganography C Cryptanalysis D Packet sniffing

Answer B is correct. Steganography is the method of hiding data within another media type such as a graphic or document. Its advantage over cryptography alone is that the message does not attract attention, because an observer does not know a hidden message exists at all. Answer A is incorrect. Spoofing is a technique that makes a transmission appear to come from an authentic source by forging the IP address, email address, caller ID, and so on. In IP spoofing, an attacker modifies packet headers to use someone else's IP address and hide his or her identity. Because forged source addresses cause responses to be sent to the spoofed address rather than to the attacker, blind IP spoofing is impractical for interactive sessions such as web browsing or chat. Answer C is incorrect. Cryptanalysis is the process of analyzing cipher text and finding weaknesses in cryptographic algorithms; such weaknesses can be used to decipher the cipher text without knowing the secret key. Answer D is incorrect. Packet sniffing is the monitoring of data packets as they travel across a network, using software known as a sniffer. Many packet-sniffing programs are freely available, and unauthorized use of them on a network is a threat to its security.

Which access control model ensures integrity through the implementation of integrity-monitoring rules and integrity-preserving rules? A Biba model B Clark-Wilson model C Chinese Wall model D Bell-LaPadula model

Answer B is correct. The Clark-Wilson access control model ensures integrity by implementing integrity-monitoring rules, known as certification rules, and integrity-preserving rules, known as enforcement rules. None of the other models ensures integrity through the use of these types of rules.

The model defines constrained data items (CDIs), the data whose integrity is protected; integrity verification procedures (IVPs), which confirm that all CDIs are in a valid state; and transformation procedures (TPs), the only operations permitted to change a CDI, each certified to take the CDI from one valid state to another (a well-formed transaction). The main emphasis of the model is integrity, and it is best known for its use in commercial applications. It provides integrity of data by preventing unauthorized modifications by unauthorized users and improper modifications by authorized users, maintaining both internal and external consistency.

Subjects never access CDIs directly. Access is expressed as a subject-program-object triple (also called an access triple): the subject may run a particular TP against a particular CDI, and the TP acts as the intermediary. Because objects can only be reached through programs, triples also enforce separation of duties, and the model requires that separate subjects perform the subtasks of a given task. Auditing is required, so that the information flow of each transaction can be tracked.

The Clark-Wilson model does NOT address data confidentiality.
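The triples, TPs and IVP above in working form, as an added example that is not part of the original practice test. The constrained data item is a small double-entry ledger whose integrity invariant is that its postings sum to zero; the only way any subject changes it is through a TP named in an access triple, and the enforcement routine re-runs the IVP after the TP and rolls the change back if the invariant no longer holds. The ledger, subjects, triples and the deliberately ill-formed TP are all constructed.

```python
"""Clark-Wilson enforcement over a small double-entry ledger.

Added example, not part of the original practice test. The ledger (CDI), the
subjects, the triples and the TPs below are constructed; tp_credit_only is
intentionally not well-formed so the IVP has something to reject.
"""
import copy


class IntegrityError(Exception):
    pass


# Constrained data item: a list of (account, signed amount) postings.
LEDGER = [("cash", 1000), ("equity", -1000)]


def ivp_balanced(ledger):
    """Integrity verification procedure: a double-entry ledger sums to zero."""
    return sum(amount for _, amount in ledger) == 0


def tp_transfer(ledger, src, dst, amount):
    """Certified TP: debits src and credits dst by the same amount."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    ledger.append((src, -amount))
    ledger.append((dst, amount))


def tp_credit_only(ledger, dst, amount):
    """Registered but NOT well-formed: credits without a matching debit."""
    ledger.append((dst, amount))


TPS = {"transfer": tp_transfer, "credit_only": tp_credit_only}
CDIS = {"ledger": LEDGER}
IVPS = {"ledger": ivp_balanced}

# Access triples (subject, TP, CDI): the only route from a subject to a CDI.
TRIPLES = {
    ("alice", "transfer", "ledger"),
    ("bob", "credit_only", "ledger"),
}


def run_tp(subject, tp_name, cdi_name, *args):
    """Enforcement rule: check the triple, run the TP on a working copy, run
    the IVP, and commit only if the CDI is still valid. Returns the CDI."""
    if (subject, tp_name, cdi_name) not in TRIPLES:
        raise PermissionError("%s may not run %s on %s" % (subject, tp_name, cdi_name))
    cdi = CDIS[cdi_name]
    working = copy.deepcopy(cdi)
    TPS[tp_name](working, *args)
    if not IVPS[cdi_name](working):
        raise IntegrityError("%s left %s invalid; change rolled back" % (tp_name, cdi_name))
    cdi[:] = working                                # commit in place
    return cdi


def attempt(subject, tp_name, cdi_name, *args):
    """Run a TP and report (committed, outcome) instead of raising."""
    try:
        run_tp(subject, tp_name, cdi_name, *args)
        return True, "committed"
    except (PermissionError, IntegrityError) as exc:
        return False, type(exc).__name__


def balance(ledger, account):
    return sum(amount for acct, amount in ledger if acct == account)


if __name__ == "__main__":
    print(attempt("alice", "transfer", "ledger", "cash", "payables", 250))
    print("cash:", balance(LEDGER, "cash"), "balanced:", ivp_balanced(LEDGER))
    print(attempt("carol", "transfer", "ledger", "cash", "payables", 1))   # no triple
    print(attempt("bob", "credit_only", "ledger", "bob_account", 99))      # IVP fails
```

Two things to notice: the subject is checked against the triple, not against the ledger, so there is no code path by which alice can append to LEDGER directly; and a TP that was wrongly certified (credit_only) is still caught, because the IVP runs on every commit rather than only at start-up.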

Which key size is not used by the Rijndael cipher? A 128 B 300 C 256 D 192

Answer B is correct. The Rijndael cipher does not support a 300-bit key; as standardized in AES it uses a 128-bit, 192-bit, or 256-bit key with a fixed 128-bit block (the original Rijndael proposal also allowed 192- and 256-bit blocks). The number of encryption rounds depends on the key length: 10 rounds for a 128-bit key, 12 for a 192-bit key, and 14 for a 256-bit key. Some references count 9, 11, and 13 because the final round omits the MixColumns step and is not counted as a full round. Each round applies the following layers of transformation to the state: the linear mixing layer (ShiftRows and MixColumns), the nonlinear layer (SubBytes, the S-box substitution), and the key addition layer (AddRoundKey).

Which model allows for the output of one system to be used as the input of another system? A State machine model B Cascade composition model C Take-Grant model D Noninterference model

Answer B is correct. The cascade composition model allows the output of one system to be used as the input of another system. Answer C is incorrect. The Take-Grant model uses a directed graph to show how rights can be passed from one subject to another or from a subject to an object. Answer D is incorrect. The noninterference model is loosely based on the information flow model and is concerned with how the actions of one subject affect the system state or the actions of another subject at a different security level. Answer A is incorrect. The state machine model is based on a finite state machine (FSM); a secure state machine is designed so that whatever action is performed, the system remains in a secure state.

Collecting and identifying digital evidence in a court of law is challenging. Why is it so? A The evidence is mostly corrupted. B The evidence is mostly intangible. C The evidence is mostly tangible. D The evidence is mostly encrypted.

Answer B is correct. The evidence in computer crimes usually comes straight from the computers themselves: data held as electronic voltages represented as binary bits, on hard drives and peripheral devices or in the system's memory. This evidence is intangible in that it is not made up of objects one can hold, see, and manipulate, so demonstrating that a copy is faithful and unaltered (forensic imaging with write blockers, cryptographic hashes, and a documented chain of custody) matters more than for physical evidence. Other types of crime usually involve evidence that is more tangible in nature and easier to handle and control.

What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment? A Time B Monetary C Utility D Importance

Answer B is correct. The quantitative portion of the priority identification should assign asset values in monetary units. Answers C, D, and A are incorrect. These are invalid options.

Servers within your organization were recently attacked causing an excessive outage. You are asked to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need? A Security audit B Vulnerability scanner C Versioning tracker D Security review

Answer B is correct. Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn't directly check systems for vulnerabilities.

A file server has unexpectedly rebooted into single-user mode. You are not sure what caused the reboot. What should you do next? A Reboot the file server. B Recover damaged file system files. C Validate critical configuration and system files. D Identify the cause of the unexpected reboot.

Answer B is correct. You should recover damaged file system files next. None of the other options is correct. When a system crashes, you should perform the following steps in this order: Enter into single-user mode. (The computer may already be in this mode.) Recover damaged file system files. Identify the cause of the unexpected reboot, and repair the system as necessary. Validate critical configuration and system files and system operations. Reboot the system as normal.

Which of the following is the best protection against data loss caused by power failure? A Transformer B Standby generator C UPS D Surge suppressor

Answer C is correct. A UPS is the best protection against data loss caused by power failure. It is an electrical apparatus that provides emergency power to a load when the input power source, typically the utility mains, fails. It differs from a standby generator in that it provides instantaneous or near-instantaneous protection from input power interruptions, using one or more attached batteries and associated electronic circuitry for low-power loads and/or diesel generators and flywheels for high-power installations. Answer D is incorrect. A surge suppressor is an appliance designed to protect electrical devices from voltage spikes; it limits the voltage supplied to a device by blocking or shorting to ground voltages above a safe threshold, but provides no power during an outage. Answer A is incorrect. A transformer transfers electrical energy from one circuit to another through inductively coupled conductors, the transformer's coils: a varying current in the primary winding creates a varying magnetic flux in the core and thus a varying magnetic field through the secondary winding. Answer B is incorrect. A standby generator does not provide instantaneous protection. It is a back-up electrical system that operates automatically: within seconds of a utility outage, an automatic transfer switch senses the power loss, commands the generator to start, and then transfers the electrical load to the generator. Those seconds are enough for unprotected systems to crash, which is why a UPS is used to bridge the gap to the generator.

Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on? A It contains diffusion. B It contains confusion. C It is a one-way function. D It complies with Kerckhoffs's principle.

Answer C is correct. A one-way function is a mathematical operation that is easy to compute for every input but computationally infeasible to invert: given the output, recovering the input is believed to be impractical. Multiplying two large primes is easy, while recovering them from the product is not. RSA relies on the stronger notion of a trapdoor one-way function, where knowledge of a secret (the private key, derived from the factors) makes inversion easy. Confusion and diffusion are properties of cipher design, and Kerckhoffs's principle is the requirement that a system remain secure when everything but the key is public; none of these describes the factoring problem itself.

Which technologies are considered remote-sensing technologies? unmanned aircraft manned aircraft satellites land-based cameras A option c B option d C all of the options D options b, c, and d E options a, b, and c F option a G option b

Answer C is correct. All of the options are considered remote-sensing technologies. Remote sensing is the acquisition of information using photographic, radar, infrared or multi-spectral imagery via remote sensors, including manned and unmanned aircraft, ships, satellites, and remote land-based cameras. The most critical category of information to capture immediately following a disaster is accurate and timely intelligence about the scope, extent, and impact of the event. Remote-sensing technologies provide security surveillance to distant geographic regions as well. Remote sensing systems can provide a highly effective alternative means of gathering intelligence about the event. Remote sensing (RS) intelligence may be integrated into geographic information systems (GIS) to produce map-based products.

Which one of the following tests provides the most accurate and detailed information about the security state of a server? A Port scan B Half-open scan C Authenticated scan D Unauthenticated scan

Answer C is correct. An authenticated scan logs in to the target with valid credentials, so it can read installed package versions and configuration directly rather than inferring them from network responses; this reduces both false positives and false negatives. Port scans, half-open (SYN) scans, and unauthenticated scans only observe what the server exposes on the network.

Which technology requires Trusted Platform Module (TPM) hardware? A NTFS B EFS C BitLocker D IPSec

Answer C is correct. Of the options listed, BitLocker drive encryption is the one that uses Trusted Platform Module (TPM) hardware: by default it requires a TPM, which seals the volume key to the measured boot state so that the disk cannot be decrypted on another machine or after the boot chain has been tampered with. (BitLocker can be configured through Group Policy to run without a TPM using a startup key or password, but this loses the boot-integrity check.) BitLocker encrypts whole volumes, both user and system files, and is enabled or disabled by an administrator for all users of the computer. None of the other options requires a TPM. Encrypting File System (EFS) encrypts individual files and folders on an NTFS volume on a per-user basis, protecting them with keys tied to the user's account; it needs no special hardware. New Technology File System (NTFS) is the journaling file system used by Windows. Internet Protocol Security (IPsec) is a protocol suite that protects communication over a network.

You are designing the user management policies for your organization. What is typically part of these policies? A authentication B information classification C employee termination D acceptable use

Answer C is correct. Employee termination procedures are typically part of a company's user management policies, which also include procedures for dealing with new employees and transferred employees. Classification of information is typically covered by an information policy. A company usually has a minimum of two classifications for information: public and private. Most companies define public information as information that can be revealed to anyone, and proprietary information as information that can only be shared with employees who have signed a non-disclosure agreement. A company's security policy typically contains standard authentication procedures. Acceptable use policies, which indicate the manner in which employees are allowed to use company resources, are part of a company's computer use policy.

Evidence must be legally permissible in a court of law and must provide a foundation for a case. All of the following characteristics of evidence are important, EXCEPT: A reliability B sufficiency C confidentiality D relevancy

Answer C is correct. Evidence should not be confidential to ensure that it is legally permissible in a court of law. Most evidence is not confidential. Evidence must be sufficient, reliable, and relevant to ensure that it is legally permissible in a court of law. To be sufficient, the evidence must convince a reasonable person of its validity. To be reliable, the evidence must be consistent with the facts of the case. To be relevant, the evidence must have a relationship to the findings.

In which of the following modes does the IPSec VPN connection encrypt the original IP packet header and add a new link specific header? A Transport B Static C Tunnel D Dynamic

Answer C is correct. In IPsec tunnel mode, the entire original IP packet, header included, is encapsulated (and with ESP, encrypted) and a new outer IP header is added, addressed to the tunnel endpoints. Answer A is incorrect. In transport mode only the packet payload is protected; the original IP header is kept, so the endpoints' addresses remain visible. Answers B and D are incorrect. Static and dynamic are NAT modes, not IPsec modes: static NAT maps a specific internal client's IP address permanently to a specific public IP address, while dynamic NAT allows multiple internal clients to share a small pool of leased public IP addresses.

Which of the following statements best defines spear phishing? A Replacing a valid source IP address with a false one to hide their identity B Attempting to gain the trust of someone by using deceit C Targeting specific individual or small group of people D Attempting to redirect Web traffic to an imposter site through DNS software flaws, host file alterations, or other techniques

Answer C is correct. In spear phishing, an attacker tailors phishing messages to a specific individual or small group, using details about the targets to make the lure convincing; when the targets are executives or other high-value individuals the attack is called whaling. Answer D is incorrect because redirecting Web traffic to an imposter site through DNS software flaws, hosts file alterations, or other techniques is a pharming attack; it can be countered by monitoring DNS configurations and hosts files. Answer A is incorrect because replacing a valid source IP address with a false one, to hide the attacker's identity or to impersonate a trusted system, is IP spoofing. Answer B is incorrect because attempting to gain someone's trust by deceit, such as false flattery or impersonation, is social engineering in general, of which phishing is one form.

You are considering the sensitivity and criticality of your organization's data. Which of the following statements is NOT true? A Criticality measures the importance of the data. B Once data sensitivity and criticality is documented; the organization should work to create a data classification system. C Data that is sensitive should also be considered critical. D Sensitivity determines how freely the data can be handled.

Answer C is correct. It is not true that sensitive data should automatically be considered critical. Data that is sensitive may not be critical, and critical data may not be sensitive; sensitivity and criticality are independent properties. Sensitivity determines how freely the data can be handled. Criticality measures the importance of the data to the organization's operations. Once data sensitivity and criticality are documented, the organization should work to create a data classification system.

Which one of the following cannot be achieved by a secret key cryptosystem? A Availability B Key distribution C Nonrepudiation D Confidentiality

Answer C is correct. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message. Answers D, A, and B are incorrect. All these can be achieved by a secret key cryptosystem.

Which of the following protocols is used to verify the status of a certificate? A CEP B HTTP C OCSP D OSPF

Answer C is correct. Online Certificate Status Protocol (OCSP) is used to obtain the revocation status of an X.509 digital certificate. It was created as an alternative to certificate revocation lists (CRLs): it gives more timely revocation information and spares clients from downloading whole CRLs, so it generates less network traffic. OCSP was originally described in RFC 2560, which has since been replaced by RFC 6960. In practice, many clients treat an unreachable OCSP responder as a non-fatal error (soft fail), and OCSP stapling, in which the server presents a recent signed response itself, closes that gap and avoids the privacy leak of every client contacting the CA. Answer D is incorrect because OSPF (Open Shortest Path First) is a routing protocol used in large networks. Answer B is incorrect because HTTP (Hypertext Transfer Protocol) defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. Answer A is incorrect because CEP (Certificate Enrollment Protocol) allows Cisco devices to acquire and use digital certificates from Certification Authorities (CAs); it is primarily used when deploying IPsec VPNs with digital certificate authentication on Cisco devices.

Spamming is often possible because hackers are able to locate and take advantage of which of the following? A Bots B Botnets C Open relay agents D E-mail clients

Answer C is correct. Open relay agents (specifically, SMTP servers configured as open relays) are often exploited to distribute spam. They are prime targets because they let a spammer send large volumes of mail by piggybacking on someone else's mail infrastructure, hiding the true origin and borrowing the relay's reputation. Answer D is incorrect. E-mail clients retrieve e-mail from their server-based inboxes using POP3 (Post Office Protocol version 3) or IMAP (Internet Message Access Protocol). Answer B is incorrect. Botnets are collections of compromised machines (bots or zombies) under an attacker's control, deployed across numerous unsuspecting secondary victims. Answer A is incorrect. Bots are autonomous programs on the Internet which interact with systems or users.

Which of the following types of virus alters its appearance to avoid detection? A Encrypted B Multipartite C Polymorphic D Stealth

Answer C is correct. A polymorphic virus alters its appearance to avoid detection, changing its signature each time it infects a new system. Answer B is incorrect. A multipartite virus uses more than one propagation technique (for example, infecting both boot sectors and files) to penetrate systems that defend against only one method. Answer A is incorrect. An encrypted virus uses cryptography to avoid detection; a short segment of code known as the virus decryption routine loads and decrypts the main virus body stored elsewhere on the disk. Answer D is incorrect. A stealth virus tampers with the operating system to hide itself, so that antivirus software sees normal behavior.

What is the primary goal of change management? A Keeping users informed of changes B Maintaining documentation C Preventing security compromises D Allowing rollback of failed changes

Answer C is correct. The prevention of security compromises is the primary goal of change management.

Which of the following access controls is a set of restrictions or filters that determines what can and cannot occur on the system? A Detective B Discretionary C Rule-based D Preventive

Answer C is correct. Rule-based access controls are used in a rule-based system. A set of rules, restrictions, or filters determines what can and cannot occur on the system, such as granting a subject access to an object or granting the ability to perform an action. Answer D is incorrect because a preventive access control prevents unwanted or unauthorized activities from happening. Answer A is incorrect because a detective access control searches for unwanted or unauthorized activities. Answer B is incorrect because a discretionary access control allows the owner or creator of an object to control and define subject access to that object.

Which technology is used to create an encrypted remote terminal connection with a Unix computer? A SCP B FTP C SSH D Telnet

Answer C is correct. Secure Shell (SSH) is used to create an encrypted remote terminal connection with a Unix computer. File Transfer Protocol (FTP) is used to transfer files on a TCP/IP network. FTP transmits data in clear text. Secure Copy (SCP) enables users to transfer files over a secure connection. Telnet is a protocol that enables a user to establish terminal connections with Unix computers. Telnet transmits data in clear text.

Which security principle mandates that only a minimum number of operating system processes should run in supervisory mode? A Layering B Data hiding C Least privilege D Abstraction

Answer C is correct. The principle of least privilege states that only processes that absolutely need kernel-level access should run in supervisory mode. The remaining processes should run in user mode to reduce the number of potential security vulnerabilities.

Which one of the following types of attacks relies on the difference between the timing of two events? A Fraggle B Land C TOCTOU D Smurf

Answer C is correct. The time of check to time of use (TOCTOU) attack relies on the timing of the execution of two events.

An organization is planning the layout of a new building that will house a datacenter. Where is the most appropriate place to locate the datacenter? A Closest to the outside wall where heating, ventilation, and air conditioning systems are located B Closest to the outside wall where power enters the building C In the center of the building D At the back of the building

Answer C is correct. Valuable assets require multiple layers of physical security, and placing a datacenter in the center of the building helps provide these additional layers. Placing valuable assets next to an outside wall (including at the back of the building) eliminates some layers of security.

You are responsible for managing a Windows Server 2012 computer that hosts several virtual computers. You need to install the latest patches for the operating system. Where should you install the patches? A on each Windows Server 2012 virtual computer only B on the host computer only C on both the host computer and all Windows Server 2012 virtual computers D on the physical computer only

Answer C is correct. You should install the patches on both the host computer and all Windows Server 2008 virtual computers. Virtual machines can be compromised just like a physical computer. You should not install the patches on the host computer only, on each Windows Server 2008 virtual computer only, or on the physical computer only. Because virtual machines can be compromised just like a physical computer, you should ensure that the patches are installed on both the host computer and each Windows Server 2008 virtual computer.

You are responsible for managing your company's virtualization environment. Which feature should NOT be allowed on a virtualization host? A implementing a firewall B monitoring the event logs C browsing the Internet D implementing IPsec

Answer C is correct. You should not allow browsing the Internet on a virtualization host. This can present a possible security breach through the introduction of spyware or malware. Anything that affects a virtualization host also affects all virtual computers on the host. You should implement IPsec, implement a firewall, and monitor the event logs of a virtualization host. IPsec helps by encrypting data as it transmits across the network. Firewalls prevent unauthorized access to a physical or virtual computer. Event logs help administrators to detect when security breaches have occurred or are being attempted.

Your company implements a honeypot as intrusion prevention. Management is concerned that this honeypot would be considered entrapment and has asked you to ensure that entrapment does not occur. Which situation should you prevent? A open services on a honeypot B open ports on a honeypot C allowing downloads on a honeypot D allowing Web browsing on a honeypot

Answer C is correct. You should prevent allowing downloads on a honeypot. Allowing downloads on a honeypot is a possible example of entrapment if it is used to make formal trespassing charges. Entrapment occurs when a hacker is tricked into performing an illegal activity. Entrapment is illegal. Open ports and services and allowing Web browsing on a honeypot are not examples of entrapment. They are enticements. Enticement allows the administrator to monitor activity to increase security and perhaps trace the attack. Enticement is legal.

Your organization is working with an international partner on a new and innovative product. All communication regarding this must be encrypted using a public domain symmetric algorithm. Which algorithm should you use? A 3DES B DES C Blowfish D IDEA

Answer C is correct. You should use Blowfish. Blowfish is a symmetric algorithm that is considered public domain. It can be used freely by anyone. Digital Encryption Standard (DES), Triple DES (3DES), and International Data Encryption Algorithm (IDEA) are not considered public domain. Symmetric algorithms include DES, 3DES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Advanced Encryption Standard (AES), SAFER, and Serpent. Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), LUC, Knapsack, and Zero Knowledge Proof.

Which of the following is not a denial-of-service attack? A Sending malformed packets to a system, causing it to freeze B Exploiting a flaw in a program to consume 100 percent of the CPU C Sending thousands of emails to a single address D Performing a brute-force attack against a known user account when account lockout is not present

Answer D is correct. A brute-force attack is not considered a DoS.

As a network administrator of a corporate network, you want to monitor all network traffic on your local network for suspicious activities and receive a notification when a possible attack is in process. What will you do? A Install a DMZ firewall. B Install a host-based IDS. C Enable verbose logging on the firewall. D Install a network-based IDS.

Answer D is correct. A network-based IDS monitors all traffic on your entire network. This would give you coverage for all network traffic. It can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. Answer B is incorrect because a host-based IDS simply monitors attempted attacks on an individual host. Answer C is incorrect because verbose logging on the firewall will only give you clues regarding attacks on the firewall. Answer A is incorrect because a DMZ firewall, although a good suggestion and usually more secure, wouldn't give you any monitoring of the traffic on the LAN.

What is system certification? A Formal acceptance of a certified configuration from a designated authority B A manufacturer's certificate stating that all components were installed and configured correctly C A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards D A technical evaluation of each part of a computer system to assess its compliance with security standards

Answer D is correct. A system certification is a technical evaluation of each part of a computer system to assess its compliance with security standards. Option A describes system accreditation. Options C and B refer to manufacturer standards, not implementation standards.

What is another term for two-factor authentication? A user name/password authentication B smart card authentication C biometric authentication D strong authentication

Answer D is correct. Another term for two-factor authentication is strong authentication. Strong authentication uses two methods to authenticate a user. This type of authentication can be implemented in many ways. Sometimes a user must provide a user name and password, and must also use biometric authentication to verify identity. Other times a user must provide a user name and password, and use a smart card to verify identity. Strong authentication authenticates using something a person knows, has, or is. Any two of these can be included as part of the authentication process. Biometric authentication authenticates a user based on something the person is and conducts a one-to-one search to verify an individual's claim of an identity. This includes fingerprints, iris scans, retinal scans, palm scans, and voice prints. Smart card authentication authenticates a user based on something the user has. The smart card is inserted into or placed within the reading range of a smart card reader. Once the card is read, the user sometimes inputs a personal identification number (PIN). User name/password authentication authenticates a user based on something the user knows. The user name and password must be provided by the user.

When working around electrical equipment, including computers, what type of fire extinguisher should you have on hand? A Class A B Class B C Class D D Class C

Answer D is correct. Electrical equipment is involved in Class C fires; therefore, when working around electrical equipment, including computers, you should keep a Class C fire extinguisher on hand. Answer A is incorrect. Class A fires involve organic solids such as paper and wood; therefore, a Class A extinguisher is used to put out fires involving paper or wood. Answer B is incorrect. Class B fires involve flammable or combustible liquids. Gasoline, grease, and oil fires are included in this class; therefore, a Class B fire extinguisher is used to put out gasoline, grease, and oil fires. Answer C is incorrect. Class D fires involve combustible metals; therefore, a Class D fire extinguisher is used to put out fires involving combustible metals.

Which of the following protocols is an IPSec protocol that provides confidentiality? A CHAP B MD5 C AH D ESP

Answer D is correct. Encapsulating Security Payload (ESP) is an IPSec protocol that provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone or in combination with Authentication Header (AH). It can also be nested with the Layer Two Tunneling Protocol (L2TP). ESP does not sign the entire packet unless it is being tunneled. Usually, only the data payload is protected, not the IP header. Answer C is incorrect. AH provides sender authentication, integrity, and replay protection. Answers B and A are incorrect. These two are not IPSec protocols.

In which attack is an attacker able to position themselves within the pathway between a client and a server? A Spamming B Spoofing C Brute force D Man-in-the-middle

Answer D is correct. In a man-in-the-middle attack, an attacker is able to position themselves within the pathway between a client and a server so that when the client initiates communication with the server, it is done across the attacker's system without either party being aware of the attacker's presence. Answer C is incorrect. A brute force attack attempts every possible valid combination of letters and numbers for a key or password. Answer B is incorrect. In a spoofing attack, a program masquerades as another by falsifying data, thereby gaining unauthorized advantages. Answer A is incorrect. A spamming attack sends significant amounts of spam to a system in order to consume bandwidth, storage space, or processing capacity.

Which one of the following controls provides fault tolerance for storage devices? A Clustering B HA pairs C Load balancing D RAID

Answer D is correct. Redundant arrays of inexpensive disks (RAID) are fault tolerance controls that allow an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and HA pairs are all fault tolerance services designed for servers, not storage.

Which of the following models involves the concept of subject/program binding? A Bell-LaPadula B Biba C Chinese Wall D Clark-Wilson

Answer D is correct. In the Clark-Wilson model, subjects cannot access objects directly. They are accessed through specified programs. This layer of protection enforces integrity. It involves the concept of subject/program binding. It provides a foundation for specifying and analyzing an integrity policy for a computing system. The core of the model is based on the notion of a transaction. Answers C, B, and A are incorrect. These models do not involve the concept of subject/program binding.

Which programs are tools used to obtain user passwords? (a) L0phtCrack (b) John the Ripper (c) Tripwire (d) Crack A option d B options a and b only C options a, b, and c only D options a, b and d only E option a F option b G option c

Answer D is correct. L0phtCrack, John the Ripper, and Crack are tools used to obtain user passwords. Tripwire is NOT used to obtain user passwords.

Which protocol uses encryption to protect transmitted traffic and supports the transmission of multiple protocols? A FTP B HTTPS C HTTP D L2TP over IPSec

Answer D is correct. Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that is used to transmit traffic on virtual private network (VPN) connections. L2TP supports multiple protocols, such as Transmission Control Protocol (TCP), Internet Protocol (IP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA). L2TP is based on two older tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). When L2TP is implemented with Internet Protocol Security (IPSec), it also provides encryption. Hypertext Transfer Protocol (HTTP) transmits information in clear text. Hypertext Transfer Protocol Secure (HTTPS) uses Secure Sockets Layer (SSL) to encrypt HTTP traffic. HTTPS only supports the encryption of HTTP traffic. File Transfer Protocol (FTP) transmits data in clear text.

John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message? A Confidentiality B Availability C Integrity D Nonrepudiation

Answer D is correct. Nonrepudiation prevents the sender of a message from later denying that they sent it.

Which of the following offers facilities for the secure generation of cryptographic keys and limitation of their use, in addition to a hardware pseudo-random number generator? A CDN B SDN C MPLS D TPM

Answer D is correct. The Trusted Platform Module (TPM) offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a hardware pseudo-random number generator. It also includes capabilities such as remote attestation and sealed storage. It provides identity information for authentication purposes in mobile computing. It assures secure startup and integrity and generates values used with whole-disk encryption. Answer B is incorrect. Software-defined networking (SDN) is a unique approach to network operation, design, and management. The concept is based on the theory that the complexities of a traditional network with on-device configuration often force an organization to stick with a single device vendor, such as Cisco, and limit the flexibility of the network to respond to changing physical and business conditions. Answer A is incorrect. A content distribution network (CDN), or content delivery network, is a collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability of the hosted content. Answer C is incorrect. Multiprotocol Label Switching (MPLS) is a high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses. This technique saves significant time over traditional IP-based routing processes, which can be quite complex.

What encryption technique does WPA use to protect wireless communications? A AES B 3DES C DES D TKIP

Answer D is correct. WiFi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.

As a member of your organization's security team, you are examining all aspects of operations security for your network. You must determine the countermeasures that can be used in operations security. You have already examined the resources and information that must be protected. What is the third asset type that must be examined? A network media B personnel C network servers D hardware

Answer D is correct. You should also examine the hardware on which the resources and information reside. Operations security examines the countermeasures used to protect resources, information, and the hardware on which the resources and information reside. None of the other options is correct. Personnel are not assets that must be examined in operations security. Operations security is concerned with protecting resources, information, and the hardware on which the resources and information reside. Management is responsible for personnel. Network media and network servers may be part of the hardware that you examine during operations security. However, neither of those options is the sole asset type that must be examined.

Which safeguards should you employ to protect cell phones owned by an organization? (a) Enable wireless interfaces. (b) Maintain physical control. (c) Enable user authentication. (d) Disable unneeded features. A option c B option b C option a D options b, c, and d E options a, b, and c F option d

Answer D is correct. You should employ many safeguards to protect cell phones owned by an organization. The safeguards include: Maintain physical control. Enable user authentication. Back up data. Minimize data exposure and encrypt data. Disable unneeded features, including wireless interfaces. Deactivate compromised devices. Any handheld devices should have these safeguards in place. Cell phones, satellite cards, handheld computers, and PDAs all use Smart Card Technology, meaning data cards can be stolen. You should not enable wireless interfaces. Wireless interfaces should only be enabled when you need to use them and only for the time they are needed.

As part of your organization's security policy, you must monitor access control violations. Which method(s) should you use? (a) ACLs (b) IDSs (c) backups (d) audit logs A option d B option c C option b D option a E options b, c, and d only F options b and d only G all of the options

Answer F is correct. Intrusion detection systems (IDSs) and audit logs are used to monitor access control violations. Access control lists (ACLs) are a method of access control. They cannot be used to monitor violations. Backups are a method used to compensate for access violations because they allow you to recover your data. Other compensating measures include business continuity planning and insurance.

You must ensure that a complete inventory of your organization's assets is maintained. Which components are necessary in the asset management inventory? (a) firmware versions (b) operating system versions (c) application versions (d) hardware devices installed A point a B point b C point c D point d E points a and b F points c and d G all

Answer G is correct. All of the points are correct. Asset management must include a complete inventory of hardware and software. This includes firmware versions, operating system versions, and application versions. All network hardware and software should be inventoried, including servers, clients, and network devices. Having a comprehensive asset management inventory will ensure that needed security updates will be managed in a controlled manner. Without a comprehensive inventory, security updates may not be deployed to assets that require them, resulting in possible security breaches. Assets are considered the physical and financial assets that are owned by the company. Examples of business assets that could be lost or damaged during a disaster are: revenues lost during the incident; on-going recovery costs; fines and penalties incurred by the event; and competitive advantage, credibility, or goodwill damaged by the incident.

As part of your organization's security policy, you must monitor access control violations. Which method(s) should you use? (a) ACLs (b) IDSs (c) backups (d) audit logs A all of the options B option d C option c D option b E option a F options b, c, and d only G options b and d only

Answer G is correct. Intrusion detection systems (IDSs) and audit logs are used to monitor access control violations. Access control lists (ACLs) are a method of access control. They cannot be used to monitor violations. Backups are a method used to compensate for access violations because they allow you to recover your data. Other compensating measures include business continuity planning and insurance.

During a software development project, you need to ensure that the periodic progress of the project is monitored appropriately. Which technique(s) can be used? (a) Gantt charts (b) Unit testing (c) Delphi technique (d) Program Evaluation Review Technique charts (e) Prototype Evaluation Review Technique charts A options a and b only B option e C option d D option c E option b F option a G options a and d only H options c and e only I options c and d only

Answer G is correct. Periodic progress of a project can be monitored by using Gantt charts and Program Evaluation Review Technique (PERT) charts. Gantt charts are bar charts that represent the progress of tasks and activities over a period of time. Gantt charts depict the timing and the interdependencies between the tasks. Gantt charts are considered a project management tool to represent the scheduling of tasks and activities of a project, the different phases of the project, and their respective progress. Gantt charts serve as an industry standard. A PERT chart is a project management model invented by the United States Department of Defense. PERT is a method used for analyzing the tasks involved in completing a given project and the time required to complete each task. PERT can also be used to determine the minimum time required to complete the total project. Unit testing refers to the process in which the software code is debugged by a developer before it is submitted to the quality assurance team for further testing. The Delphi technique is used to ensure that each member in a group decision-making process provides an honest opinion on the subject matter in question. Group members are asked to provide their opinion on a piece of paper in confidence. All these papers are collected, and a final decision is taken based on the majority. The Delphi technique is generally used either during the risk assessment process or to estimate the cost of a software development project. A prototype is a model or a blueprint of the product and is developed according to the requirements of customers. There is no process known as Prototype Evaluation Review Technique charts. Cost-estimating techniques include the Delphi technique, expert judgment, and function points.

Which of the following statements reflect the 'Code of Ethics Preamble' in the '(ISC)2 Code of Ethics'? Each correct answer represents a complete solution. Choose two. A Provide diligent and competent service to principals. B Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. C Strict adherence to this Code is a condition of certification. D Advance and protect the profession.

Answers B and C are correct. The Code of Ethics Preamble states: Safety of the commonwealth, duty to the principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Strict adherence to this Code is a condition of certification. Answers D and A are incorrect. These come under the Code of Ethics Canons.

Which of the following security models deal only with integrity? Each correct answer represents a complete solution. Choose all that apply. A Bell-LaPadula B Biba C Clark-Wilson D Biba-Wilson

Answers B and C are correct. The following security models deal only with integrity: Biba and Clark-Wilson. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. Although the Biba model works in commercial applications, another model was designed in 1987 specifically for the commercial environment. The Clark-Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark-Wilson model defines each data item and allows modifications through only a small set of programs. Answer A is incorrect. The Bell-LaPadula security model deals only with confidentiality. Answer D is incorrect. There is no such security model as Biba-Wilson.

Which types of fire are extinguished by CO2? Each correct answer represents a complete solution. Choose two. A Metal B Electrical C Common combustible D Liquid

Answers B and D are correct. Liquid and electrical fires are extinguished by CO2. Answer C is incorrect. Common combustibles are extinguished by water or soda acid (a dry powder or liquid chemical). Answer A is incorrect. Metal fires are extinguished by dry powder.

What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.) A Retaliation against a person or organization B Pride of conquering a secure system C Money from the sale of stolen documents D Bragging rights

Answers B and D are correct. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

OSI Model

Application, Presentation, Session, Transport, Network, Data Link, Physical

Click to select the steps that Carrier-Sense Multiple Access (CSMA) technology follows while communicating, and then drag them into the correct order. The host listens to the LAN media to determine whether it is in use. If the LAN media is not being used, the host transmits its communication. The host waits for an acknowledgment. If no acknowledgment is received after a time-out period, the host starts over again.

Here are the steps that Carrier-Sense Multiple Access (CSMA) technology follows while communicating: (1) The host listens to the LAN media to determine whether it is in use. (2) If the LAN media is not being used, the host transmits its communication. (3) The host waits for an acknowledgment. (4) If no acknowledgment is received after a time-out period, the host starts over again.

authentication services

LDAP (Lightweight Directory Access Protocol): A standardized directory access protocol that enables directory queries
Kerberos: A protocol that provides strong authentication through secret-key cryptography
Single Sign-On Initiatives: Provide user access to all applications upon login

types of computer crime

Military and Intelligence attacks: Launched to obtain secret and restricted information from technological research sources
Business attacks: Focus on illegally obtaining an organization's confidential information
Financial attacks: Carried out to unlawfully obtain services
Grudge attacks: Carried out to damage an organization or a person

Email security solutions

S/MIME (Secure Multipurpose Internet Mail Extensions): Offers authentication and confidentiality to email through public key encryption and digital signatures
MOSS (MIME Object Security Services): Provides authentication, confidentiality, integrity, and nonrepudiation for email messages
PGP (Pretty Good Privacy): Uses a variety of encryption algorithms to encrypt files and email messages

TCP/IP architecture into their correct sequence (OSI Model)

The Application layer - Provides access to network resources: HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), Telnet, SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol 3), IMAP4 (Internet Message Access Protocol 4)
The Transport layer - Responsible for preparing data to be transported across the network: TCP (Transmission Control Protocol), UDP (User Datagram Protocol)
The Internet layer - Responsible for logical addressing (such as IP addresses) and routing: RIP (Routing Information Protocol), OSPF (Open Shortest Path First), IGMP (Internet Group Management Protocol), ICMP (Internet Control Message Protocol)
The Network Access layer - Translates logical network addresses into physical machine addresses. Consists of the network card driver and the circuitry on the network card itself. It makes use of only the ARP protocol.

NAT (Network Address Translation)

was developed to allow private networks to use any IP address set without causing collisions or conflicts with public Internet hosts with the same IP addresses. In effect, NAT translates the IP addresses of your internal clients to leased addresses outside your environment.

Which would an administrator do to classified media before reusing it in a less secure environment? A Clearing B Purging C Overwriting D Erasing

Answer B is correct. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

Your company suspects an employee of sending unauthorized emails to competitors. These emails are alleged to contain confidential company data. Which of the following is the most important step for you to take in preserving the chain of custody? A Place spyware on the employee's PC to confirm these activities. B Preserve the email server including all logs. C Make copies of that employee's email. D Seize the employee's PC.

Answer B is correct. To preserve chain of custody, you should immediately create a mirror image of the hard drive on the email server, and then preserve the original hard drive and use the mirrored image for your server. This is the best way to guarantee that all email records are not only preserved, but are not tampered with. Answer D is incorrect. The employee may have already erased offending emails; there may or may not be evidence on that PC. Answer C is incorrect. In this case, the employee may have already deleted the emails you are seeking. Furthermore, copies can present problems at any potential trial. Experts for the other side might argue that the copies were (intentionally or not) altered in the copy process. Answer A is incorrect. Not only might the spyware not catch the employee's offending action, but the presence of spyware could be construed to alter the computer and might make it difficult to establish chain of custody on any evidence gathered.

During a recent incident investigation, you extracted hidden data from the data image that was created. In which step of the incident investigation process were you involved? A identification B examination C collection D preservation

Answer B is correct. You were involved in the examination step of the incident investigation process. This step includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. You were not involved in the identification step of the incident investigation process. This step can include event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis. You were not involved in the preservation step of the incident investigation process. This step can include imaging technologies, chain of custody standards, and time synchronization. You were not involved in the collection step of the incident investigation process. This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. The proper steps in a forensic investigation are as follows: Identification Preservation Collection Examination Analysis Presentation Decision

Which network device provides a transparent firewall solution between an internal network and outside networks? A router B proxy server C NAT router D hub

Answer C is correct. A Network Address Translation (NAT) router provides a transparent firewall solution between an internal network and outside networks. Using NAT, multiple internal computers can share a single Internet interface and IP address. The primary purpose of NAT is to hide internal hosts from the public network. NAT can use static or dynamic translation. Static translation has static mappings for the NAT communication; dynamic translation has a dynamic table that is configured as hosts attempt to use NAT. NAT can cause problems with an IPSec virtual private network (VPN) tunnel because of changes made to the IP header. NAT is only supported with IPSec when running in NAT traversal mode. A proxy server is often mistaken for a NAT server. However, a proxy server is not a transparent solution. A proxy server operates at Layer 4 or higher of the OSI model (the Transport layer or above). NAT operates at the Network layer (Layer 3) of the OSI model. A router is a network device that divides a local area network into smaller subnetworks. Routers operate at the Network layer (Layer 3) of the OSI model. While a firewall can also be a router, it is referred to as a firewall when it functions to create a DMZ. A hub is a network device that connects multiple networks together.

Which type of incident is NOT usually addressed in a contingency plan? A a T1 connection failure B a power outage C a hurricane D a server crash

Answer C is correct. A hurricane is not usually addressed in a contingency plan. All natural disasters are part of the business continuity plan, not the contingency plan. The contingency plan addresses how to deal with small incidents, such as power outages, connection failures, server crashes, and software corruption.

Which of the following is the best choice for a role within an organization using a RBAC model? A Application B Web server C Programmer D Database

Answer C is correct. A programmer is a valid role in a Role Based Access Control (RBAC) model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.

On which of the following principles does the Trusted Computer System Evaluation Criteria (TCSEC) depend? A Assurance, provisioning, and functionality B Assurance, auditing, and availability C Functionality, effectiveness, and assurance D Auditing, activating, and effectiveness

Answer C is correct. TCSEC determines whether a product meets its security goals based on the functionality, effectiveness, and assurance security principles. Answers A, B, and D are incorrect. These are invalid answers.

During a recent security conference, you attended training that explained the difference between active and passive security monitoring. What is a passive measure that can be used to detect hacker attacks? A connection termination B process termination C event logging D firewall reconfiguration

Answer C is correct. Event logging is a passive measure that can be used to detect hacker attacks. Event logging is considered a passive measure because it does not create obstacles to attacks. Administrators can, however, review log files after an attack to determine the source and the means of the attack. The information obtained from log files can be used to implement active prevention measures. Log files can also be used as legal evidence when prosecuting attackers, so log files should be protected and measures should be taken to ensure their integrity. Connection termination, firewall reconfiguration, and process termination are active measures for the prevention of hacker attacks; these methods establish obstacles intended to foreclose, or at least limit, the possibility of attack.

What advanced virus technique modifies the malicious code of a virus on each system it infects? A Encryption B Multipartitism C Polymorphism D Stealth

Answer C is correct. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.

In what type of addressing scheme is the data actually supplied to the CPU as an argument to the instruction? A Indirect addressing B Direct addressing C Immediate addressing D Base+offset addressing

Answer C is correct. In immediate addressing, the CPU does not need to actually retrieve any data from memory. The data is contained in the instruction itself and can be immediately processed. Answer B is incorrect. In direct addressing, the CPU is provided with an actual address of the memory location to access. The address must be located on the same memory page as the instruction being executed. Answer D is incorrect. Base+offset addressing uses a value stored in one of the CPU's registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from that computed memory location. Answer A is incorrect. Indirect addressing uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn't contain the actual value that the CPU is to use as an operand.

Which of the following is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity? A RCO B RTA C RTO D RPO

Answer C is correct. Recovery time objective (RTO) is defined as the maximum acceptable time period needed to bring one or more applications and associated data back from an outage to a correct operational state. It is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity. Answer B is incorrect. The Recovery Time Actual (RTA) is established during an exercise or actual event, or is predetermined based on the recovery methodology that the technology support team develops. This is the time frame the technology support team takes to deliver the recovered infrastructure to the business. Answer A is incorrect. The Recovery Consistency Objective (RCO) is used in business continuity planning in addition to Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to continuous data protection services. Answer D is incorrect. The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. It is generally a definition of what an organization determines is an acceptable loss in a disaster situation.

Management has expressed an interest in implementing deterrents to discourage security violations. Which control is an example of this strategy? A a smart card B an audit log C a router D a fence

Answer D is correct. A fence is an example of a deterrent physical control because it attempts to deter or discourage security breaches. A fence is also considered a compensative control. Routers and smart cards are examples of preventative technical controls because they are used to prevent security breaches. They are also examples of compensative technical controls. Audit logs are detective technical controls and compensative technical controls.

In the wake of the September 11, 2001, terrorist attacks, what industry made drastic changes that directly impact DRP/BCP activities? A Banking B Tourism C Airline D Insurance

Answer D is correct. All the industries listed in the options made changes to their practices after September 11, 2001, but the insurance industry's change toward noncoverage of acts of terrorism most directly impacts the BCP/DRP process.

What is a retrovirus? A a virus which is based on an old virus but has been modified to prevent detection B a virus that modifies other programs and databases C a virus that includes protective code that prevents outside examination of critical elements D a virus that attacks or bypasses anti-virus software

Answer D is correct. A retrovirus attacks or bypasses anti-virus software. Retroviruses even attack the anti-virus program to destroy the virus definitions or to create bypasses for itself. As of the writing of this exam, there is no name for a virus based on an old virus that has been modified to prevent detection. A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications. An armored virus includes protective code that prevents examination of critical elements. The armor attempts to protect the virus from destruction.

Which of the following best describes a rule-based access control model? A It uses local rules applied to all users equally. B It uses global rules applied to users individually. C It uses local rules applied to users individually. D It uses global rules applied to all users equally.

Answer D is correct. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.

What is a trapdoor function? A an attack where messages between two entities are intercepted so that an attacker can masquerade as one of the entities B an attack that repeatedly tries different values to determine the key used C a mechanism built into an algorithm that allows an individual to bypass or subvert the security in some fashion D a mechanism that enables the implementation of the reverse function in a one-way function

Answer D is correct. A trapdoor function is a mechanism that enables the implementation of the reverse function in a one-way function. A backdoor is a mechanism built into an algorithm that allows an individual to bypass or subvert the security in some fashion. A brute force attack is an attack that repeatedly tries different values to determine the key used. A man-in-the-middle attack is an attack where messages between two entities are intercepted so that an attacker can discover the legitimate entities' keys. The end result is that the attacker can read all the messages transmitted between the two legitimate entities.

Which statement best describes an access control list (ACL)? A a list of all subjects that have been granted access to a particular object B a list of all access levels that can be granted to a particular object C a list of all objects to which a subject has been granted access D a list of subjects that have been granted access to a specific object, including the level of access granted

Answer D is correct. An access control list (ACL) is a list of subjects that have been granted access to a specific object, including the level of access granted. An ACL must include the subjects, the objects, and the level of access. Access control allows you to control the behavior, use, and content of any system, for example, an IS system. It is primarily used by the system administrator to control system usage by explicitly enabling or restricting access. The primary purpose of access controls is to mitigate risks and reduce loss potential. An ACL coordinates access to system resources (objects) based on some user or computer entity (subject) identifier. This identifier can be a user name, personal identifier, or even an IP address. An ACL usually either explicitly allows or explicitly denies certain rights or permissions. Typically, the types of access are read, write, execute, append, modify, delete, and create. Access controls can be actual physical controls that control access to physical objects, such as buildings or rooms, or actual system controls that control access to objects within a particular system once physical access has been granted, such as the use of user names and passwords for logging in.

What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem? A 128 bits B 192 bits C 256 bits D 56 bits

Answer D is correct. DES uses a 56-bit key. This is considered one of the major weaknesses of this cryptosystem.

Which of the following does not erase data? A Overwriting B Purging C Clearing D Remanence

Answer D is correct. Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.

What type of electrical component serves as the primary building block for dynamic RAM chips? A Transistor B Flip-flop C Resistor D Capacitor

Answer D is correct. Dynamic RAM chips are built from a large number of capacitors, each of which holds a single electrical charge. These capacitors must be continually refreshed by the CPU in order to retain their contents. The data stored in the chip is lost when power is removed.

You are reviewing the Common Criteria security standards. Which Common Criteria Evaluation Assurance Level (EAL) is the common benchmark for operating systems and products? A EAL 5 B EAL 6 C EAL 7 D EAL 4 E EAL 3

Answer D is correct. EAL 4 is the common benchmark for operating systems and products. Common Criteria has designed the evaluation criteria into seven EALs: EAL 1 - A user wants the system to operate but ignores security threats. EAL 2 - Developers use good design practices but security is not a high priority. EAL 3 - Developers provide moderate levels of security. EAL 4 - Security configuration is based on good commercial development. This level is the common benchmark for commercial systems, including operating systems and products. EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance. EAL 6 - Specialized security engineering provides high levels of assurance. This level is highly resistant to penetration attackers. EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.

Which method is NOT recommended for removing data from a storage media that is used to store confidential information? A zeroization B degaussing C destruction D formatting

Answer D is correct. Formatting is not recommended for removing data from a storage media that is used to store confidential information. Formatting or deleting the data from a storage media, such as a hard drive, does not ensure the actual removal of the data, but instead removes the pointers to the location where the data resides on the storage media. The residual data on the storage media is referred to as data remanence. The main issue with media reuse is remanence. The residual data can be recovered by using data recovery procedures. This can pose a serious security threat if the erased information is confidential in nature. Sanitization is the process of wiping the storage media to ensure that its data cannot be recovered or reused. Sanitization includes several methods, such as zeroization, degaussing, and media destruction. All of these methods can be used to remove data from storage media, depending on the type of media used. Most storage media having a magnetic base can be sanitized. However, CDs and DVDs often cannot be degaussed. If this is the case, the only option is physical destruction of the CD or DVD. Zeroization implies that a storage media is repeatedly overwritten with null values, such as multiple ones and zeros, for sanitization. Zeroization is generally used in a software development environment. Degaussing is the process of reducing or eliminating an unwanted magnetic field of a storage media. Degaussing refers to a method of sanitizing storage media by using magnetic forces. Degaussing devices produce powerful opposing magnetic fields that reduce the magnetic flux density of the storage media to zero. Degaussing is the preferred method for erasing data from magnetic media, such as floppy disks, hard drives, and magnetic tapes. Media destruction implies physically destroying the media to make it unusable. Security of the storage media can be crucial if the data stored is of a confidential nature.
Some storage media, such as CD-ROMs, cannot be sanitized due to the lack of a magnetic base. Therefore, it is recommended that you physically destroy them to prevent disclosure of confidential information. Media viability controls are used to protect the viability of data storage media. Media viability control measures include proper labeling or marking, secure handling and storage, and storage media disposal.

In which of the following attacks does an attacker somehow pick up the information to be encrypted and take a copy of it with the encrypted data? A Man-in-the-middle attack B Replay attack C Ciphertext only attack D Chosen plaintext attack

Answer D is correct. In a chosen plaintext attack, an attacker somehow picks up the information to be encrypted and takes a copy of it with the encrypted data. This is used to find patterns in the cryptographic output that might uncover a vulnerability or reveal a cryptographic key. Answer A is incorrect because in a man-in-the-middle attack, the attacker places himself in the middle of the communications flow between two parties. Answer B is incorrect because in the replay attack, the attacker tries to repeat or delay a cryptographic transmission. Answer C is incorrect because in a ciphertext only attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm.

What would be a valid argument for not immediately removing power from a machine when an incident is discovered? A Too many users are logged in and using the system. B There is no other system that can replace this one if it is turned off. C All of the damage has been done. Turning the machine off would not stop additional damage. D Valuable evidence in memory will be lost.

Answer D is correct. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

You have been asked to work with a team to design your company's business continuity plan. The team has defined the scope of the business continuity plan. What is the next step? A Determine the acceptable downtime. B Identify dependencies between the business areas and critical functions. C Identify critical functions. D Identify the key business areas.

Answer D is correct. The next step in designing the business continuity plan is to identify the key business areas. The steps in designing the business continuity plan are as follows: Identify the plan's scope. Identify key business areas. Identify critical functions. Identify dependencies between business areas and critical functions. Determine acceptable downtime for each critical function. Create a plan to maintain operations.

Your organization has decided to use one-time pads to ensure that certain confidential data is protected. All of the following statements are true regarding this type of cryptosystem, EXCEPT: A The pad must be distributed and stored in a secure manner. B The pad must be as long as the message. C Each one-time pad can be used only once. D The pad must be made up of sequential values.

Answer D is correct. The pad must NOT be made up of sequential values. It should be made up of random values. The following statements regarding one-time pads are true: Each pad can be used only once. The pad must be made up of random values. The pad must be as long as the message. The pad must be distributed and stored in a secure manner.

You are defining and implementing an information security continuous monitoring (ISCM) program for your organization according to NIST SP 800-137. You are currently collecting the security-related information required for metrics, assessments, and reporting. Which step of NIST SP 800-137 are you completing? A Define an ISCM strategy. B Establish an ISCM program. C Analyze the data collected, and report findings. D Implement an ISCM program.

Answer D is correct. You are completing the Implement an ISCM program step of NIST SP 800-137. NIST SP 800-137 guides the development of and provides information about information security continuous monitoring (ISCM) for federal information systems and organizations. It defines the following steps to establish, implement, and maintain ISCM: Define an ISCM strategy. Establish an ISCM program. Implement an ISCM program. Analyze data, and report findings. Respond to findings. Review and update the ISCM strategy and program. Defining an ISCM strategy involves determining your organization's official ISCM strategy. Establishing an ISCM program determines the metrics, monitoring, and assessment frequencies in addition to the ISCM architecture. Analyzing the data collected and reporting findings determines any issues and implements the appropriate response. Responding to the findings involves implementing new controls that address any findings you have. Reviewing and updating the monitoring program involves ensuring that the program is still relevant and allows you to make any necessary changes to the program.

During the recent development of a new application, the customer requested a change. You must implement this change according to the change control process. What is the first step you should implement? A Record the change request. B Acquire management approval. C Submit the change results to the management. D Analyze the change request.

Answer D is correct. You should analyze the change request. The change control procedures ensure that all modifications are authorized, tested, and recorded. Therefore, these procedures serve the primary aim of auditing and review by the management. The necessary steps in a change control process are as follows: Make a formal request. Analyze the request. This step includes developing the implementation strategy, calculating the costs of the implementation, and reviewing the security implication of implementing the change. Record the change request. Submit the change request for approval. This step involves getting approval of the actual change once all the work necessary to complete the change has been analyzed. Make changes. The changes are implemented and the version is updated in this step. Submit results to management. In this step, the change results are reported to management for review. A stringent change management process ensures that all changes related to production systems are implemented and recorded, and enforces separation of duties. For instance, in a software development environment, changes made to production software programs are performed by operational staff rather than the software programmers, who are responsible for coding software applications for clients. Such a process ensures that the changes are implemented in the proper manner and the process is documented. Change management is about the decision to make the change. Configuration management is not the same as change management. Configuration management is about tracking the actual change. It is the discipline of identifying the components of a continually evolving system for the purposes of controlling changes to those components and maintaining integrity and traceability throughout the life cycle.
Configuration management controls the changes that take place in hardware, software, and operating systems by assuring that only the proposed and approved system changes are implemented. In configuration management, a configuration item is a component whose state is to be recorded and against which changes are to be progressed. In configuration management, a software library is a controlled area accessible only to approved users who are restricted to the use of an approved procedure. Configuration control is controlling changes to the configuration items and issuing versions of configuration items from the software library. Configuration management includes configuration control, configuration status accounting, and configuration auditing.

You are responsible for managing the virtual computers on your network. Which guideline is important when managing virtual computers? A Install and update the antivirus program only on the host computer. B Implement a firewall only on the host computer. C Update the operating system and applications only on the host computer. D Isolate the host computer and each virtual computer from each other.

Answer D is correct. You should isolate the host computer and each virtual computer from each other. None of the other statements is correct when managing virtual computers. You should update the operating system and applications on the host computer and all virtual computers. You should implement a firewall on the host computer and all virtual computers. You should install and update the antivirus program on the host computer and all virtual computers.

An organization requires that a research facility be protected by the highest form of access control system. The organization decides to implement biometrics. You have been consulted regarding which biometric system to implement. Management wants to minimize privacy intrusion issues for users. Which biometric method should you suggest based on management's concern? A retinal scan B fingerprint C iris scan D voice print

Answer D is correct. You should suggest a voice print biometric system based on management's concern. A voice print is considered less intrusive than the other options given. Both an iris scan and retinal scan are considered more intrusive because of the nature in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint is more intrusive than a voice print. Most people are reluctant to give their fingerprint because fingerprints can be used for law enforcement. A voice print is very easy to obtain. Its primary purpose is to distinguish a person's manner of speaking and voice patterns. Voice print systems are easy to implement as compared to some other biometric methods. Voice prints are usually reliable and flexible.

Recently, an employee of your organization made illegal copies of your organization's intellectual property. This is a direct violation of your organization's employment policies. You need to create an incident response team to investigate the crime. Who should NOT be a part of an incident response team? a HR department b Public Relations department c senior management d Federal government e Information Technology department A options a and b B option e C option d D option c E options b and d F option a G option b H options c and e

Answer E is correct. The Public Relations department and the federal government should not be part of the incident response team that investigates a crime involving an internal employee. The incident response team should include the following members: Human Resources (HR) department representative, because the representative is aware of the rules that protect and prosecute an employee. HR should always be involved if an employee is suspected of wrongdoing. Senior management representative, because the final action against the suspected employee will be taken by the management. An IT department representative to provide evidence against the suspected employee if required.

Which of the following represents security concerns in cloud computing? access of privileged users location of data segregation of data recovery of data A option b B option c C option d D options a and b E options c and d F all of the options G option a

Answer F is correct. The following are security concerns in cloud computing: Access of privileged users Location of data Segregation of data Recovery of data Other security concerns in cloud computing include the following: Support of investigations Long-term viability Compliance with governmental and industry regulations

Which of the following encryption algorithms are based on block ciphers? Each correct answer represents a complete solution. Choose all that apply. A RC5 B Twofish C Rijndael D RC4

Answers A, B, and C are correct. The following encryption algorithms are based on block ciphers: RC5 Rijndael Twofish In cryptography, a block cipher is a symmetric key cipher that operates on fixed-length groups of bits, termed 'blocks', with an unvarying transformation. When encrypting, a block cipher might take (for example) a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. Answer D is incorrect. Rivest Cipher 4 (RC4) is a stream-based cipher. Stream ciphers treat the data as a stream of bits.

Which of the following statements relate to a stream cipher? Each correct answer represents a complete solution. Choose all that apply. A Its examples are the Caesar cipher and one-time pad. B It encrypts one character per bit at a time. C It provides 80 bits of protection against collision attacks. D It is a symmetric key cipher that operates on blocks of messages.

Answers A and B are correct. A stream cipher is a symmetric key cipher that operates on each character, or bit, of a message. It encrypts one character per bit at a time. The Caesar cipher and the one-time pad are examples of stream ciphers. The one-time pad is a stream cipher because it operates independently on each letter of the plaintext message. Stream ciphers require significant computational resources. Answer D is incorrect because a block cipher is a symmetric key cipher that operates on blocks of messages. Answer C is incorrect because SHA-1 provides 80 bits of protection against collision attacks.

Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose all that apply. A Biba model B Clark-Wilson model C Clark-Biba model D Bell-LaPadula model

Answers A and B are correct. The Biba and Clark-Wilson access control models are used in the commercial sector. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. The Clark-Wilson security model provides a foundation for specifying and analyzing an integrity policy for a computing system. Answer D is incorrect. The Bell-LaPadula access control model is mainly used in military systems. Answer C is incorrect. There is no such access control model as Clark-Biba.

Which of the following techniques are used for sanitization of data media? A Destruction B Data remanence C Overwriting D Degaussing

Answers A, C, and D are correct. Sanitization is the process of removing information from used data media. The following techniques are used for sanitization: overwriting, degaussing, and destruction. Answer B is incorrect. Data remanence refers to the data that remains even after efforts have been made to remove or erase it. This occurs because data is left intact by an insignificant file deletion operation, by storage media reformatting, or through physical properties of the storage medium. Data remanence can make unintentional disclosure of sensitive information possible. So, it is required that the storage media be released into an uncontrolled environment.

Which of the following are the properties of data mining? Each correct answer represents a complete solution. Choose all that apply. A Patterns are automatically discovered. B Only small data sets and databases are focused. C Actionable information is created. D Likely outcomes are predicted.

Answers A, C, and D are correct. The properties of data mining are as follows: patterns are automatically discovered; likely outcomes are predicted; actionable information is created; large data sets and databases are the focus. Answer B is incorrect. Data mining focuses on large data sets and databases.

Which of the following codes are defined under 'Advance and protect the profession' of the Code of Ethics Canons described by the (ISC)2 code of ethics? Each correct answer represents a complete solution. Choose all that apply. A Promote and preserve public trust and confidence in information and systems. B Sponsor for professional advancement those best qualified. C Take care not to injure the reputation of other professionals through malice or indifference. D Maintain your competence.

Answers B, C, and D are correct. The codes defined under 'Advance and protect the profession' of the Code of Ethics Canons described by the (ISC)2 Code of Ethics are as follows: Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession. Take care not to injure the reputation of other professionals through malice or indifference. Maintain your competence; keep your skills and knowledge current. Give generously your time and knowledge in training others.

Mandatory Access Control (MAC)

The MAC model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive, and it uses labels rather than rules. Security labels are the most important entity and are required.

malware types

Backdoor - a developer hook in a system or application that allows developers to circumvent normal authentication Logic bomb - a program that executes when a certain predefined event occurs Spyware - a program that monitors and tracks user activities Trojan horse - a program that infects a system under the guise of another legitimate program

What is the primary objective of data classification schemes? A To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity B To establish a transaction trail for auditing accountability C To manipulate access controls to provide for the most efficient means to grant or restrict functionality D To control access to objects for authorized subjects

The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

security boundary

A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs. A security boundary exists between a high-security area and a low-security one, such as between a LAN and the Internet.

cryptographic attacks

A cryptographic attack is a method for circumventing the security of a cryptographic system by exploiting a weakness in the code, the cryptographic protocol, or the key management scheme. The types of cryptographic attack include the following: Birthday: depends on the higher likelihood of collisions. Weak key: exploits flaws in the password-encryption algorithm. Mathematical: employs mathematical methods to break an algorithm and decrypt messages.

What is needed to allow an external client to initiate a communication session with an internal system if the network uses a NAT proxy? A Reverse DNS B Static private IP address C Static mode NAT D IPsec tunnel

Answer C is correct. Static mode NAT is needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy.

Which of the following IP addresses is not a private IP address as defined by RFC 1918? A 172.31.8.204 B 192.168.6.43 C 10.0.0.18 D 169.254.1.119

Answer D is correct. The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918. The addresses in RFC 1918 are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.

Which security models are built on a state machine model? A Bell-LaPadula and Take-Grant B Biba and Clark-Wilson C Clark-Wilson and Bell-LaPadula D Bell-LaPadula and Biba

Answer D is correct. The Bell-LaPadula and Biba models are built on the state machine model.

What type of attack can detect passwords sent across a network in cleartext? A Sniffing B Side-channel C Spoofing D Spamming

Answer A is correct. A sniffing attack uses a sniffer (also called a packet analyzer or protocol analyzer) to capture data and can be used to read passwords sent across a network in cleartext. Answers C, D, and B are incorrect. A spoofing attack attempts to hide the identity of the attacker. A spamming attack involves sending massive amounts of email. A side-channel attack is a passive, noninvasive attack used against smart cards.

How does a SYN flood attack work? A Disrupts the three-way handshake used by TCP B Sends oversized ping packets to a victim C Exploits a packet processing glitch in Windows systems D Uses an amplification network to flood a victim with packets

Answer A is correct. A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.

You are the security administrator for an organization. Management decides that all communication on the network should be encrypted using the data encryption standard (DES) algorithm. Which statement is true of this algorithm? A A Triple DES (3DES) algorithm uses 48 rounds of computation. B The effective key size of DES is 64 bits. C A DES algorithm uses 32 rounds of computation. D A 56-bit DES encryption is 256 times more secure than a 40-bit DES encryption.

Answer A is correct. A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required. The actual key size of the Data Encryption Standard (DES) is 64 bits. Eight of those bits are used for parity checking. Therefore, the effective key size of DES is 56 bits. The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks. According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption: 2^40 = 1,099,511,627,776 and 2^56 = 72,057,594,037,927,936. Therefore, 72,057,594,037,927,936 divided by 1,099,511,627,776 = 65,536.

Which one of the following tasks would a custodian most likely perform? A Back up data B Access the data C Classify the data D Assign permissions to the data

Answer A is correct. A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

In which of the following are the results of data mining stored? A Data mart B Cache RAM C Data warehouse D Data dictionary

Answer A is correct. A data mart is a highly secure storage system where the results of data mining, metadata, are securely stored. Answer D is incorrect. A data dictionary is used to store critical information about data, including type, sources, usage, relationships, and formats. Answer B is incorrect. A cache RAM takes data from slower devices and temporarily stores it in higher performance devices when its repeated use is expected. Answer C is incorrect. A data warehouse stores a large amount of information from various databases to be used with specialized analysis techniques.

Tunnel connections can be established over all except for which of the following? A Stand-alone systems B Dial-up connections C LAN pathways D WAN links

Answer A is correct. A stand-alone system has no need for tunneling because no communications between systems are occurring and no intermediary network is present.

Which of the following types of attack is only intended to make a computer resource unavailable to its users? A Denial of service attack B Teardrop attack C Replay attack D Land attack

Answer A is correct. A denial of service attack is only intended to make a computer resource unavailable to its users. It is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. Attackers mount denial of service attacks by sending a large number of protocol packets to a network. Answer D is incorrect. In a land attack, the attacker sends a spoofed TCP SYN packet in which the IP address of the target host is filled in both the source and destination fields. On receiving the spoofed packet, the target system becomes confused and goes into a frozen state. Nowadays, antivirus software can easily detect such attacks. Answer C is incorrect. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured packet. Answer B is incorrect. In a teardrop attack, a series of data packets is sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot.

Which of the following devices is a network interconnectivity device that translates different communication protocols and is used to connect dissimilar network technologies? A Gateway B Switch C Repeater D Router

Answer A is correct. A gateway is a network interconnectivity device that translates different communication protocols and is used to connect dissimilar network technologies. It provides greater functionality than a router or bridge because a gateway functions as a translator and a router. It is an application layer device. Answer B is incorrect. A switch is a network connectivity device that brings media segments together in a central location. It reads the destination's MAC address or hardware address from each incoming data packet and forwards the data packet to its destination. Answer D is incorrect. A router is a device that routes data packets between computers in different networks. It is used to connect multiple networks, and it determines the path to be taken by each data packet to its destination computer. Answer C is incorrect. A repeater is a basic LAN connection device. It allows a network cabling system to extend beyond its maximum allowed length and reduces distortion by amplifying or regenerating network signals.

When should you install a software patch on a production server? A after the patch has been tested B before the patch has been tested C when the patch is in beta format D immediately after the patch is released

Answer A is correct. A patch should be installed on a server after the patch has been tested on a non-production server and by the computing community. A security patch is a major, crucial update for the OS or product for which it is intended and consists of a collection of patches released to date since the OS or product was shipped. A security patch is mandatory for all users, addresses a new vulnerability, and should be deployed as soon as possible. Security patches are usually small in size. A patch should not be installed immediately after it is released or when it is in beta format because a patch that is not thoroughly tested might contain bugs that could be detrimental to server operation. A patch should typically not be deployed before it has been tested on a test server; patches should not be tested on production servers. A hot fix is a software fix that is not fully tested and that addresses a specific issue being experienced by certain customers.

Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data? A PVC B ISDN C DSL D VPN

Answer A is correct. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data. Answer B is incorrect. Integrated Services Digital Network (ISDN) is a fully digital telephone network that supports both voice and high-speed data communications. Answer D is incorrect. A virtual private network (VPN) is a secure tunnel used to establish connections across a potentially insecure intermediary network. Answer C is incorrect. Digital subscriber line (DSL) is a technology that exploits the upgraded telephone network to grant consumers speeds from 144 Kbps to 20 Mbps (or more).

You are developing a new software application for a customer. The customer is currently defining the application requirements. Which process is being completed? A prototyping B sampling C abstraction D interpretation

Answer A is correct. A prototype or a blueprint of the product is developed on the basis of customer requirements. Prototyping is the process of putting together a working model, referred to as a prototype, to test various aspects of a software design, to illustrate ideas or features, and to gather feedback in accordance with customer requirements. A prototype enables the development team and the customer to move in the right direction. Prototyping can provide significant time and cost savings because it involves fewer changes later in the development stage. A product is developed in modules. Therefore, prototyping provides scalability. Complex applications can be further subdivided into multiple parts and represented by different prototypes. The software design and development tasks can be assigned to multiple teams. A sample is a generic term that identifies a portion that is representative of a whole. Interpreters are used to execute program code by translating one command at a time. Abstraction is an object-oriented programming (OOP) concept that refers to hiding unnecessary information to highlight important information or properties for analysis. Abstraction involves focusing on conceptual aspects and properties of an application to understand the information flow. Abstraction involves hiding small, redundant pieces of information to provide a broader picture.

Which type of virus is specifically designed to infect programs as they are loaded into memory? A resident B boot sector replication C companion D nonresident

Answer A is correct. A resident virus is specifically designed to infect programs as they are loaded into memory. A companion virus is designed to take advantage of the extension search order of an operating system. A nonresident virus is part of an executable program file on a disk that is designed to infect other programs when the infected program file is started. A boot sector replicating virus is written to the boot sector of a hard disk on a computer and is loaded into memory each time a computer is started.

Which type of network connection is created by tunneling through a public network? A a VPN B a LAN C a MAN D a WAN

Answer A is correct. A virtual private network (VPN) is created by tunneling through a public network, such as the Internet. Tunneling protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), can create a tunnel, which is a secure connection through a public network. A local area network (LAN) connection is typically created by a Physical layer network communication protocol. A metropolitan area network (MAN), which spans the area of a city, is created by dedicated connections. A wide area network (WAN) connection spans a large distance, such as the distance between cities or continents. A WAN connection typically consists of two or more LAN connections and can be created by using either leased lines or dedicated connections.

Your organization has recently implemented an artificial neural network (ANN). The ANN enabled the network to make decisions based on the experience provided to it. Which characteristic of the ANN is described? A adaptability B retention capability C neural integrity D fault tolerance

Answer A is correct. Adaptability is the artificial neural network (ANN) characteristic that is described. Adaptability refers to the ability of an ANN to arrive at decisions based on the learning process that uses the inputs provided. It is important to note that the ability of an ANN to learn is limited to the experience provided to it. An ANN is an adaptive system that changes its structure based on either external or internal information that flows through the network by applying if-then-else rules. ANNs are computer systems that simulate the working of a human brain. A human brain can contain billions of neurons performing complex operations. An ANN can also contain a large number of small computational units that are called upon to perform a required task. A neural network learns by using various algorithms to adjust the weights applied to the data. The equation Z = f[w_n i_n], where Z is the output, w_n are weighting functions, and i_n is a set of inputs, describes a neural network. Fault tolerance refers to the ability to combat threats to design reliability and continuous availability. ANNs do not provide fault tolerance. Retention capability and neural integrity are generic terms and are invalid options.

Which of the following is true for a host-based intrusion detection system (HIDS)? A It monitors a single system. B It monitors an entire network. C It cannot detect malicious code. D It's invisible to attackers and authorized users.

Answer A is correct. An HIDS monitors a single system looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code similar to how anti-malware software can detect malicious code.

Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)? A Detect abnormal activity. B Diagnose system failures. C Rate system performance. D Test a system for vulnerabilities.

Answer A is correct. An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. While IDSs can detect system failures and monitor system performance, they don't include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.

Which of the following can help mitigate the success of an online brute-force attack? A Account lockout B Salting passwords C Encryption of password D Rainbow table

Answer A is correct. An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the stored password but isn't effective against a brute-force attack without an account lockout.

An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following? A Need-to-know B Role Based Access Control C Principle of least permission D Separation of duties

Answer A is correct. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn't control all the elements of a process. Role Based Access Control (RBAC) grants access to resources based on a role.

You have decided to implement a full/incremental backup strategy. A full backup will be performed each Sunday. An incremental backup will be performed the other days of the week. What does an incremental backup do? A It backs up all the new files and files that have changed since the last full or incremental backup and resets the archive bit. B It backs up all the new files and files that have changed since the last full backup without resetting the archive bit. C It backs up all the files in a compressed format. D It backs up all the files.

Answer A is correct. An incremental backup backs up all the new files and files that have changed since the last full or incremental backup and resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other. For example, the second incremental backup contains the changes made since the first incremental backup. A restoration involving incremental backups would require restoring the most recent full backup first, and then restoring in order any incremental backups that occurred since the last full backup. A full backup backs up all the files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and is most appropriate when using offsite archiving. A compressed full backup backs up all the files in compressed format. A differential backup backs up all the new files and files that have changed since the last full backup without resetting the archive bit. When restoring the data, the full backup must be restored first, followed by the most recent differential backup. Differential backups are not dependent on each other. For example, each differential backup contains the changes made since the last full backup. Therefore, differential backups can take a significantly longer time than incremental backups. However, a differential restore requires only two backup files: the full backup and the latest differential backup. A continuous backup system is one that performs backups on a regular basis to ensure that data can be restored to a particular point in time. SQL Server 2000 is an application that provides this feature. If a continuous backup plan is not used, any data changes that occur since the last backup must be recreated after the restore is completed.

Eavesdropping is an example of what kind of attack? A Passive attack B Active attack C DoS attack D Bonk attack

Answer A is correct. Attacks may be passive or active. Eavesdropping is an example of a passive attack. Eavesdropping is simply listening to communication traffic for the purpose of duplicating it. It usually requires physical access to the IT infrastructure to connect a physical recording device to an open port or cable splice or to install a software recording tool onto the system. Answer B is incorrect. An active attack requires the attacker to be able to transmit data to one or both of the parties, or block the data stream in one or both directions. Answer C is incorrect. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple computers throughout the network that it has previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. Answer D is incorrect. A Bonk attack is a variant of the teardrop attack that affects mostly Windows computers by sending corrupt UDP packets to DNS port 53. It is a type of DoS attack. It manipulates the fragment offset field in TCP/IP packets. This field tells a computer how to reconstruct a packet that was fragmented, because it is difficult to transmit big packets.

What type of memory device is usually used to contain a computer's motherboard BIOS? A EEPROM B ROM C EPROM D PROM

Answer A is correct. BIOS and device firmware are often stored on EEPROM chips to facilitate future firmware updates.

You are creating a monitoring solution for your company's network. You define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted. Which type of monitoring are you using? A behavior-based B anomaly-based C misuse-detection-based D signature-based

Answer A is correct. Behavior-based monitoring looks for behavior that is not allowed or may be perceived as malicious and acts accordingly. With this type of monitoring, you do not need to know the signature of the malicious action. In addition, the system may not recognize the actions as being outside the norm. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. Misuse-detection-based monitoring is the same as signature-based monitoring. Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. Anomaly-based monitoring detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous behavior. Sometimes the baseline is established through a manual process. Network-based monitoring is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception.

Which of the following includes the authorization rights of the access control subject? A Capability table B Access control list C Rainbow table D Access control matrix

Answer A is correct. Capability tables are created for each subject, and they identify the objects that the subject can access. They include the authorization rights of the access control subject, such as read, write, execute, and so on. Answer B is incorrect. ACLs (access control lists) are lists of subjects that are authorized to access a specific object. Answer D is incorrect. An access control matrix is a table that includes subjects, objects, and assigned privileges. Answer C is incorrect. A rainbow table provides precomputed values for cryptographic hashes. These are commonly used for cracking passwords stored on a system in hashed form.

Which principle stipulates that multiple changes to a computer system should NOT be made at the same time? A change management B due diligence C due care D acceptable use

Answer A is correct. Change management stipulates that multiple changes to a computer system should NOT be made at the same time. This makes tracking any problems that can occur much simpler. Change management includes the following rules: Distinguish between your system types. Document your change process. Develop your changes based on the current configuration. Always test your changes. Do NOT make more than one change at a time. Document your fallback plan. Assign a person who is responsible for change management. Regularly report on the status of change management.

Your company decides that a new software product must be purchased to help the marketing staff manage their marketing campaigns and the resources used. During which phase of the software acquisition process do you document the software requirements? A Planning phase B Maintaining phase C Monitoring phase D Contracting phase

Answer A is correct. During the planning phase, the software requirements are documented. You should also create an acquisition strategy during this phase and develop the evaluation criteria. During the contracting phase, you should issue the request for proposal (RFP), evaluate the proposals, and complete final contract negotiations with the selected seller. During the monitoring phase, you should ensure that the supplier completes the contract and formally accept the final product. In the maintaining phase, you should maintain the software, including possibly decommissioning the software at some future date.

Which of the following is not a valid access control model? A Compliance-based access control model B Mandatory Access Control model C Nondiscretionary access control model D Discretionary Access Control model

Answer A is correct. A compliance-based access control model is not a valid type of access control model. The other answers list valid access control models.

Which process includes auditing and tracking of changes made to the trusted computing base? A configuration management B media controls C system controls D input and output controls

Answer A is correct. Configuration management identifies, controls, and audits changes made to the trusted computing base. The audited changes include changes made to the hardware, software, and firmware configurations throughout the life cycle of infrastructural assets. Configuration management ensures that changes to the infrastructure take place in a controlled manner by following a process approach. It also ensures that future changes do not violate an organization's security policy and security objectives. The configuration management process involves proper approval and authorization, testing, implementation, and documentation of the changes that have taken place in the infrastructure. All the changes made to the infrastructure are subject to audits and reviews to ensure compliance with the security policy. Configuration management involves information capture and version control. Configuration management reports the status of change processing. Configuration management documents the functional and physical characteristics of each configuration item. The four major aspects of configuration management are configuration identification, configuration control, configuration status accounting, and configuration auditing. Media controls ensure that the confidentiality, integrity, and availability of the data stored on storage media are properly maintained and not compromised. Media controls define appropriate controls for labeling, handling, storage, and disposal of storage media. They have nothing to do with the trusted computing base. You should keep the following media controls in mind: the data media should be logged to provide physical inventory control; all data storage media should be accurately marked; a proper storage environment should be provided for the media. System controls restrict the execution of instructions that can only be executed when an operating system is running in either the supervisor or the privileged mode.
System controls are a part of the operating system architecture. The type of instructions that can be executed at a certain level is defined by the operating system architecture by using the control tables of the operating system. Controlling the input to and output from a system involves programming an application to accept only restricted and specific values as inputs. This prevents errors and misuse through manipulation of the input values. To produce correct output, an application should only accept legitimate values. For example, an accounting package designed to perform calculations should not accept alphabetical characters as input values. Configuration identification involves the use of configuration items (CIs). A CI is a uniquely identifiable subset of the system that represents the smallest portion to be subject to independent configuration control procedures. CIs can vary widely in size, type, and complexity.

Your company implements several databases. You are concerned with the security of the data in the databases. Which statement is correct for database security? A Data control language (DCL) implements security through access control and granular restrictions. B Bind variables provide access control through implementing granular restrictions. C Data manipulation language (DML) implements access control through authorization. D Data identification language implements security on data components.

Answer A is correct. Data control language (DCL) implements security through access control and granular restrictions; its GRANT and REVOKE statements configure which DML statements a user may run and against which objects. None of the other statements is true. Data identification language is not a valid database language. A bind variable is a placeholder in a SQL statement that must be replaced with a valid value or value address for the statement to execute successfully; bind variables keep untrusted input out of the SQL text and so help prevent SQL injection, but they do not implement access control. Data manipulation language (DML) is used to change the values of data within a database.

Which of the following helps monitor the outgoing traffic of the enterprise network? A Egress monitoring B Continuous monitoring C Keystroke monitoring D Traffic analysis E Trend analysis

Answer A is correct. Egress monitoring helps monitor the outgoing traffic of the enterprise network using egress monitors. An egress monitor scans the TCP/IP packets leaving the internal network at a firewall, router, or similar edge device to identify malicious or suspicious activity, such as spoofed source addresses, traffic to unauthorized destinations or ports, and data exfiltration. Packets that do not meet the security policy are not allowed to egress. Answer B is incorrect. Continuous monitoring allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis. Answer C is incorrect. Keystroke monitoring is the act of recording the keystrokes a user performs on a physical keyboard. Answers D and E are incorrect. Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual packet contents; this is sometimes referred to as network flow monitoring.
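The following is an added example, not code from the original page: a minimal egress filter that applies an outbound policy to constructed flow records, which is the decision an egress monitor makes at the edge. The internal address range, the permitted destination ports, and the "key=value" record format are assumptions chosen for illustration.

```python
# Added example (not from the original page): a minimal egress filter that
# applies an outbound policy to constructed flow records. The address range,
# permitted ports and the "key=value" record format are assumptions.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
ALLOWED_DST_PORTS = {80, 443}         # assumed policy: only web traffic leaves

def parse_flow(line):
    """Parse one constructed 'src=... dst=... dport=... proto=...' record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "src": ip_address(fields["src"]),
        "dst": ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
    }

def egress_decision(flow):
    """Return (allowed, reason) for one flow leaving the internal network."""
    if flow["src"] not in INTERNAL:
        # Outbound traffic must carry an internal source address; anything
        # else is spoofed (and would make this network a DoS reflector).
        return False, "spoofed source address"
    if flow["dst"] in INTERNAL:
        return True, "internal destination"
    if flow["dport"] == 53:
        # External resolvers bypass internal DNS logging and filtering and
        # are a common exfiltration channel.
        return False, "DNS must use the internal resolver"
    if flow["dport"] not in ALLOWED_DST_PORTS:
        return False, f"destination port {flow['dport']} not permitted"
    return True, "permitted"

def filter_egress(lines):
    """Split records into (allowed, blocked) lists of (line, reason)."""
    allowed, blocked = [], []
    for line in lines:
        ok, reason = egress_decision(parse_flow(line))
        (allowed if ok else blocked).append((line, reason))
    return allowed, blocked

SAMPLE_FLOWS = [  # constructed records using documentation address ranges
    "src=10.1.2.3 dst=203.0.113.10 dport=443 proto=tcp",
    "src=10.1.2.3 dst=10.0.0.53 dport=53 proto=udp",
    "src=10.1.2.9 dst=198.51.100.7 dport=53 proto=udp",
    "src=10.1.2.9 dst=198.51.100.7 dport=6667 proto=tcp",
    "src=192.0.2.44 dst=203.0.113.10 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for record, reason in filter_egress(SAMPLE_FLOWS)[1]:
        print("BLOCKED:", reason, "|", record)
```

Of the five constructed flows, the two to an external web port from an internal source and to the internal resolver pass; external DNS, the IRC port, and the flow with a non-internal source address are blocked with the reason recorded for the analyst.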

Which statements are true of halon as a fire suppression agent? Halon is safe for humans. Halon deals with Class A category of fire. Halon gas suppresses fire by a chemical reaction. FM-200 is an EPA-approved replacement for halon. Halon is currently approved by the Environmental Protection Agency (EPA). A options c and d B options b, c, and d C options a and b D option e E option d F option c G option b H option a

Answer A is correct. Halon suppresses fire by disrupting the chemical chain reaction of combustion rather than by cooling or smothering it, which is why it was commonly used in data centers and server rooms: it is rated for Class B fires (flammable liquids such as petroleum products) and Class C fires (energized electrical equipment), not Class A, and it leaves no residue on equipment. Halon is not safe for humans at the concentrations needed and breaks down into toxic by-products at high temperature. Because it also depletes the ozone layer, halon was scheduled for phase-out under the 1987 Montreal Protocol and its production has been banned in the United States since 1994, so it is not currently EPA-approved for new installations. The EPA-approved replacements for halon include water, FM-200, NAF-S-III, CEA-410, FE-13, argon, argonite, and Inergen. FM-200 is commonly used in data centers as a substitute for halon because it does not harm computers or human beings.

What happens when a trusted computing base (TCB) failure occurs as a result of a lower-privileged process trying to access restricted memory segments? A The system goes into maintenance mode. B The system reboots immediately. C Administrator intervention is required. D Operating system reinstallation is required.

Answer A is correct. If a process with lower privilege attempts to access restricted memory segments, the system transitions into maintenance mode, also referred to as an emergency system restart. An emergency system restart occurs in response to a system failure and can be caused by a trusted computing base (TCB) failure, a media failure, or a user performing an insecure activity; a lower-privileged process trying to access restricted memory segments is an example of an insecure activity. A system reboot occurs in response to other TCB failures. It is a controlled reboot whose purpose is to release system resources and perform the necessary system activities. A system cold start occurs when a user or system administrator must intervene because the recovery procedures are inadequate to recover the system from a TCB or media failure; the system remains in an inconsistent state while it attempts to recover. Operating system reinstallation is not a trusted recovery response. Trusted recovery includes system reboot, emergency system restart, and system cold start.

During an XOR operation, two bits are combined. Both values are the same. What will be the result of this combination? A 0 B 1 C X D OR

Answer A is correct. If two bits are combined in an XOR operation and both bit values are the same, the result is 0; if the two bit values are different, the result is 1. Because XOR outputs 1 only where its inputs differ, applying the same key bit twice returns the original bit (x XOR k XOR k = x), which is why XOR is the combining operation in stream ciphers and one-time pads. The other two options are invalid.

Your organization has decided to implement the Diffie-Hellman asymmetric algorithm. Which statement is true of this algorithm's key exchange? A Authorized users exchange secret keys over a nonsecure medium. B Unauthorized users exchange public keys over a nonsecure medium. C Authorized users exchange public keys over a secure medium. D Authorized users need not exchange secret keys.

Answer A is correct. In Diffie-Hellman key exchange, authorized users establish a shared secret key over a nonsecure medium. Each party generates a private value, sends the other party only a public value derived from it (g^a mod p and g^b mod p), and then combines the received public value with its own private value; both arrive at the same shared secret, which itself never crosses the wire. An eavesdropper who sees only the two public values faces the discrete logarithm problem. The Diffie-Hellman algorithm is not used to encrypt data: it is a key agreement protocol used for secure key distribution, and the shared secret it produces is passed through a key derivation function to become the key for a symmetric cipher that performs the bulk encryption and decryption. Unauthorized users cannot obtain the shared secret because they are not participants in the exchange. Note, however, that plain Diffie-Hellman does not authenticate the parties, so the public values must be authenticated (for example with digital signatures) or an attacker can perform a man-in-the-middle attack by running a separate exchange with each side.
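The exchange described above, run end to end as an added example (not code from the original page) with toy parameters so every value is visible. The prime p = 23 and generator g = 5 are assumptions for illustration and far too small for real use; real deployments use standardized groups of 2048 bits or more, or elliptic-curve variants.

```python
# Added example (not from the original page): a Diffie-Hellman exchange with
# toy parameters. p and g are illustrative assumptions, not safe values.
import hashlib
import secrets

def dh_public(p, g, private):
    """The only value a party sends: g^private mod p."""
    return pow(g, private, p)

def dh_shared(p, peer_public, private):
    """Combine the peer's public value with our own private value."""
    return pow(peer_public, private, p)

def derive_symmetric_key(shared_secret):
    """DH encrypts nothing itself: the shared secret is fed through a KDF
    (a plain hash here for brevity) to obtain a symmetric cipher key."""
    return hashlib.sha256(str(shared_secret).encode()).digest()

def exchange(p, g, a=None, b=None):
    """Run the protocol for two parties; fixed a/b give reproducible output."""
    a = a if a is not None else secrets.randbelow(p - 2) + 1
    b = b if b is not None else secrets.randbelow(p - 2) + 1
    A, B = dh_public(p, g, a), dh_public(p, g, b)   # cross the nonsecure medium
    return {
        "on_the_wire": (A, B),                       # all an eavesdropper sees
        "alice_secret": dh_shared(p, B, a),
        "bob_secret": dh_shared(p, A, b),
    }

def eavesdropper(p, g, A, B):
    """Solve the discrete log by trial; feasible only because p is tiny."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return pow(B, x, p)
    return None

if __name__ == "__main__":
    result = exchange(23, 5, a=6, b=15)
    print("public values sent:", result["on_the_wire"])
    print("both sides derive:", result["alice_secret"], result["bob_secret"])
    print("eavesdropper with tiny p recovers:", eavesdropper(23, 5, *result["on_the_wire"]))
```

With a = 6 and b = 15 the public values sent are 8 and 19 and both sides compute the shared secret 2. The eavesdropper function succeeds only because 22 trial exponentiations cover the whole group; with a 2048-bit prime the same loop is infeasible, which is the entire security argument.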

What type of federal government computing system requires that all individuals accessing the system have a need to know all of the information processed by that system? A Dedicated B System high C Compartmented D Multilevel

Answer A is correct. In a dedicated system, all users must have a valid security clearance for the highest level of information processed by the system, they must have access approval for all information processed by the system, and they must have a valid need to know of all information processed by the system. In system high mode, users need clearance and approval for all of the information but need to know only some of it; in compartmented mode, users need clearance for all of the information but approval and need to know only for the compartments they access; in multilevel mode, some users may lack clearance for some of the information the system processes.

In which of the following cryptographic attacks does the attacker try to repeat or delay a cryptographic transmission? A Replay attack B Man-in-the-middle attack C Ciphertext only attack D Known plaintext attack

Answer A is correct. In a replay attack, the attacker captures a legitimate cryptographic transmission and repeats or delays it, hoping the receiver will accept it again as genuine. A replay attack can be prevented by binding each message to a one-time value that the receiver verifies and refuses to accept twice, such as a session token, nonce, sequence number, or timestamp. Answer D is incorrect because in a known plaintext attack, the attacker has both the plaintext and ciphertext of one or more messages and uses them to try to extract the cryptographic key and recover other encrypted text. Answer C is incorrect because in a ciphertext only attack, the attacker has only encrypted messages that were produced with the same encryption algorithm. Answer B is incorrect because in a man-in-the-middle attack, the attacker places himself in the middle of the communications flow between two parties.
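One way to implement the replay defence just described, as an added example that is not part of the original page: the sender binds each message to a fresh nonce and a timestamp under an HMAC, and the receiver rejects forged, delayed, and repeated messages. The shared key, the message layout, and the 30-second acceptance window are assumptions for illustration.

```python
# Added example (not from the original page): nonce + timestamp + HMAC as a
# replay defence. Shared key, message layout and window are assumptions.
import hashlib
import hmac
import os
import time

SHARED_KEY = b"assumed-shared-secret-provisioned-out-of-band"
WINDOW_SECONDS = 30   # delay / clock skew the receiver tolerates

def make_message(payload, key=SHARED_KEY, now=None):
    """Sender side: nonce|timestamp|payload|HMAC(nonce|timestamp|payload)."""
    nonce = os.urandom(16).hex()                      # fresh per message
    ts = int(now if now is not None else time.time())
    body = f"{nonce}|{ts}|{payload}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

class Receiver:
    """Receiver side: verify the tag first, then refuse stale or reused nonces."""

    def __init__(self, key=SHARED_KEY, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen_nonces = set()   # only needs entries younger than the window

    def accept(self, message, now=None):
        try:
            nonce, ts, rest = message.split("|", 2)
            payload, tag = rest.rsplit("|", 1)
        except ValueError:
            return False, "malformed"
        body = f"{nonce}|{ts}|{payload}"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"             # tampered or forged
        now = now if now is not None else time.time()
        if abs(now - int(ts)) > self.window:
            return False, "stale timestamp"     # delayed beyond the window
        if nonce in self.seen_nonces:
            return False, "replayed nonce"      # exact repeat of a message
        self.seen_nonces.add(nonce)
        return True, payload

if __name__ == "__main__":
    rx = Receiver()
    msg = make_message("transfer 100")
    print(rx.accept(msg))   # accepted the first time
    print(rx.accept(msg))   # the same bytes again: rejected as a replay
```

The timestamp check runs before the nonce check so that the set of seen nonces only ever needs to hold entries younger than the window; anything older is refused as stale regardless, which keeps the receiver's state bounded.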

What type of attack uses email and attempts to trick high-level executives? A Whaling B Vishing C Phishing D Spear phishing

Answer A is correct. Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

In which of the analysis can forensic analysts perform forensic reviews of applications or activities taking place within a running application? A Software analysis B Hardware and embedded device analysis C Media analysis D Network analysis

Answer A is correct. In software analysis, forensic analysts can perform forensic reviews of applications or activities taking place within a running application. In some situations, the forensic analyst may be asked to perform a review of software code and look for back doors, logic bombs, or other security vulnerabilities when malicious insiders are suspected. In other situations, forensic analysts may be required to review and interpret the log files from application or database servers, and look for other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks. Answer C is incorrect. In media analysis, information is identified and extracted from storage media. Answer D is incorrect. Network analysis is required to capture traffic sent over the network. Answer B is incorrect. Hardware and embedded device analysis may include a review of personal computers, smart phones, tablet computers, and embedded computers in cars, security systems, and other devices.
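The log review mentioned above, as an added example that is not code from the original page: a first-pass scan of Web server access logs for SQL-injection indicators, the kind of triage a forensic reviewer runs before reading the hits by hand. The log lines are constructed (Common Log Format, documentation address ranges) and the pattern set is deliberately small; real triage uses many more signatures and still treats every hit as a lead rather than a verdict.

```python
# Added example (not from the original page): SQL-injection triage over
# constructed Common Log Format lines with a small, illustrative pattern set.
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

SQLI_PATTERNS = {
    "union-select": r"(?i)\bunion\b(\s+all)?\s+select\b",
    "tautology": r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+",        # ' OR '1'='1
    "comment-terminator": r"--\s*$|/\*",
    "time-based": r"(?i)\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b",
    "schema-probe": r"(?i)\binformation_schema\b",
}

def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"])   # payloads arrive URL-encoded
    hits = [name for name, pat in SQLI_PATTERNS.items() if re.search(pat, decoded)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "path": decoded, "indicators": hits}

def scan_log(lines):
    """Scan every line; keep only the findings."""
    return [f for f in map(scan_line, lines) if f]

def offenders(findings):
    """Count findings per source IP to prioritise the manual review."""
    return Counter(f["ip"] for f in findings)

SAMPLE_LOG = [  # constructed log lines
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9831',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 88',
    '198.51.100.2 - - [10/Oct/2023:13:57:10 +0000] "GET /search?q=union+station+select+seats HTTP/1.1" 200 3400',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["indicators"], finding["path"])
    print(offenders(scan_log(SAMPLE_LOG)))
```

Decoding the path before matching matters: the tautology in the second line is invisible in its URL-encoded form. The word-boundary and adjacency requirements in the union-select pattern are what keep the innocent search for "union station select seats" out of the findings; the response size jump (512 to 9831 bytes) and the 500 status on the UNION request are the kind of corroborating detail the reviewer then reads by hand.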

You are reviewing the access control methods used by an organization. The organization is concerned with the cost of access control. Which aspect of the information being safeguarded will most affect this cost? A information value B information type C information redundancy D information replacement cost

Answer A is correct. Information value will most affect the cost of access control. Information that has a high value to the company must be protected. This affects the confidentiality of the information. The maximum effective cost of access control is determined based on the value of the information. Information type will affect the access control design. While it may affect the cost, it is not the most important factor affecting it. Information redundancy will affect the access control design. Information redundancy ensures that more than one copy of important data is retained. The redundant copies could be on a CD-ROM, on another hard drive, or on backup media. Generally, information redundancy does not greatly affect the cost of access control because the redundant copies retain the same access control permissions as the original copies. Information replacement cost will affect the cost of its access control, but it is not the factor that will most affect it. Information replacement cost should include the cost to replace the equipment as well as the labor time it would take to bring the information back online.

You are preparing a proposal for management about the value of using cryptography to protect your network. Which statement is true of cryptography? A Key management is a primary concern of cryptography. B Availability is a primary concern of cryptography. C Cryptography is used to detect fraudulent disclosures. D The keys in cryptography can be made public.

Answer A is correct. Key management is one of the most crucial considerations of cryptography. An algorithm and a key are required to encrypt data; the algorithm is publicly known while the key is kept secret. Cryptography can address the confidentiality, integrity, and authenticity of data only if the keys are not compromised. A symmetric cryptosystem uses a single key for encryption and decryption; an asymmetric cryptosystem uses separate keys to encrypt and decrypt. In both cases the safety of the keys is of prime concern: keys must not be captured, modified, corrupted, or disclosed to unauthorized individuals, including during transmission of the message, so key distribution and management must be controlled. The following parties are responsible for key management:
- Users, who protect their own keys
- Administrators, who maintain public and private keys
- The authentication server, which holds, maintains, and distributes keys to the sending and receiving parties
Effective key management has the following requirements:
- Keys should be distributed and managed in a secure manner.
- Keys should be generated randomly and should use the full keyspace of the algorithm.
- The lifetime of a key should be based on the sensitivity of the data it protects.
- Keys should be backed up so that a lost or destroyed key does not make data unrecoverable.
- Keys should be disposed of in a secure manner.
Cryptography cannot be used to detect fraudulent disclosures; its primary purpose is to protect sensitive information against disclosure, not to detect it. Cryptography also protects against fraudulent modification of any kind. It addresses the confidentiality, integrity, and authenticity of data, not availability. In asymmetric systems the public key may be published, but the private key never is, so it is not true as a general statement that the keys in cryptography can be made public.

What is the primary problem of symmetric cryptography? A key management B different keys for encryption and decryption C hardware and software implementation D high processing

Answer A is correct. Key management is the primary problem with symmetric cryptography. Symmetric cryptography uses one key to encrypt and decrypt the data, whereas asymmetric cryptography uses different keys to encrypt and decrypt, referred to as the public and private keys. Key management issues include key distribution, key storage, key change, and key recovery. Symmetric cryptography requires much less processing than asymmetric cryptography; symmetric (private key) cryptography is easier to implement and approximately 1000 to 10000 times faster than asymmetric (public key) cryptography. Every party communicating with a symmetric algorithm must hold a copy of the same secret key, and each pair of parties that must communicate privately needs its own key: n users require n(n-1)/2 distinct keys, so a few hundred users already need tens of thousands of keys, and managing them becomes difficult. Because the same key encrypts and decrypts, the security of the whole exchange rests on that one key staying secret, and a compromised key exposes traffic in both directions. Symmetric cryptography therefore requires a separate secure mechanism to deliver keys to the participating nodes in the communication.

What is a security enhancement for Linux that is implemented using a loadable kernel module? A low water-mark mandatory access control (LOMAC) B role-based access control (RBAC) C discretionary access control (DAC) D mandatory access control (MAC)

Answer A is correct. Low water-mark mandatory access control (LOMAC) is a security enhancement for Linux that is implemented as a loadable kernel module. It enforces a low water-mark integrity policy, a variant of the Biba model: a subject that reads lower-integrity data (for example, a process that reads a file downloaded from the network) has its own integrity level lowered to match, after which it can no longer write to higher-integrity objects. Role-based access control (RBAC) is an access control model that configures user access based on the user's role in the company. It is not an implementation specific to Linux. Discretionary access control (DAC) is an access control model that configures user access based on the identity of the user or the groups to which the user belongs, leaving configuration at the discretion of the resource owners. It is not an implementation specific to Linux. Mandatory access control (MAC) is an access control model that configures user access based on the user's security clearance and the object's security classification. It is not an implementation specific to Linux.

Which tool is NOT a back door application? A Nessus B NetBus C Masters Paradise D Back Orifice

Answer A is correct. Nessus is NOT a back door application; it is a network vulnerability scanner. Back Orifice, NetBus, and Masters Paradise are all back door applications. They work by installing a server component on the victim computer, which the attacker then controls from a remote client application. Back doors can also be mechanisms created by hackers to gain network access at a later time. They are very hard to trace, because an intruder will often create several avenues into a network to exploit later. The only reliable way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications.

No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent all but which of the following? A Espionage B Piggybacking C Abuse D Masquerading

Answer A is correct. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot be prevented by physical access controls.

Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers? A ODBC B DSS C Abstraction D SDLC

Answer A is correct. ODBC acts as a proxy between applications and the backend DBMS.

Which of these attacks is an attack on an organization's cryptosystem? A known plaintext attack B brute force attack C Denial of Service (DoS) D buffer overflow

Answer A is correct. Of the given attacks, only a known plaintext attack is an attack on an organization's cryptosystem. In this type of attack, the attacker has both the plaintext and the ciphertext for a message and wants to discover the key used to encrypt it so that other messages can be read. Attacks against cryptosystems include the following:
- ciphertext-only attacks - The attacker has several messages that were all encrypted with the same algorithm and key, and nothing else. The aim is to discover the key; once it is found, every message sent under it can be decrypted. This is the most common situation an attacker faces but the hardest to exploit.
- known plaintext attacks - The attacker has the plaintext and ciphertext versions of one or more messages and aims to discover the key.
- chosen plaintext attacks - The attacker can select the plaintext that gets encrypted and observe the corresponding ciphertext, again aiming to discover the key.
- chosen ciphertext attacks - The attacker chooses the ciphertext to be decrypted and has access to the resulting plaintext, aiming to discover the key.
- differential cryptanalysis - The attacker examines pairs of plaintexts with chosen differences and analyzes how those differences propagate into the corresponding ciphertext pairs, aiming to discover the key.
- linear cryptanalysis - The attacker carries out a known plaintext attack on many messages encrypted under the same key, looking for linear approximations of the cipher. The more messages used, the higher the probability that the correct key is recovered.
- side-channel attacks - The attacker infers the key from the physical behaviour of the implementation (timing, power consumption, electromagnetic emissions, error messages) rather than from the mathematics of the algorithm.
- replay attacks - The attacker captures messages and resends them, hoping to fool the receiver into treating the attacker as a legitimate entity. Usually the captured information is authentication data.
- algebraic attacks - The attacker analyzes the mathematics used in the algorithm and attempts to exploit its algebraic structure.
- analytic attacks - The attacker identifies structural weaknesses in an algorithm's design.
- statistical attacks - The attacker identifies statistical weaknesses in an algorithm's design.
Keep in mind that many countries restrict the use or exportation of cryptographic systems, because criminals could use encryption to avoid detection and prosecution. The U.S. government has greatly reduced its restrictions on cryptography exportation, but some remain: products that use encryption cannot be sold to any country the United States has declared to be supporting terrorism, for fear that enemies of the country would use encryption to hide communication that the government would then be unable to read.
Brute force attacks, Denial of Service (DoS) attacks, and buffer overflow attacks are treated here as attacks against operations. A brute force attack tries different inputs until one succeeds and, in this sense, is most often used to guess user credentials for unauthorized access (exhaustively searching a cipher's keyspace is also called brute force, but that is not the sense of the option here). DoS attacks prevent a system or its resources from operating as planned. Buffer overflow attacks occur when more data is accepted as input to an application or operating system than the receiving buffer can hold.
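An added example, not code from the original page, serving both the XOR question earlier on this page and the known plaintext attack described here: XOR is its own inverse, so a toy repeating-key XOR cipher gives up its key the moment an attacker holds one plaintext with its matching ciphertext, and that key then decrypts every other message sent under it. The key, messages, and cipher are constructed for illustration; real ciphers do not fall this easily, but the attack model (plaintext plus matching ciphertext) is exactly the one the answer describes.

```python
# Added example (not from the original page): XOR properties and a
# known-plaintext attack on a constructed repeating-key XOR cipher.
def xor_bit(a, b):
    """XOR truth table: equal bits give 0, different bits give 1."""
    return a ^ b

def xor_bytes(data, key):
    """Encrypt or decrypt with a repeating XOR key; one function does both,
    because (x XOR k) XOR k == x."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def keystream(plaintext, ciphertext):
    """Known-plaintext step: plaintext XOR ciphertext cancels the data and
    leaves exactly the key stream the cipher applied."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("need a plaintext/ciphertext pair of equal length")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))

def recover_key(plaintext, ciphertext):
    """Recover the repeating key as the shortest period of the key stream.
    Needs known plaintext at least as long as the key; a shorter pair only
    yields a prefix of the key."""
    stream = keystream(plaintext, ciphertext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream   # not reached: period == len(stream) always matches

def decrypt_other_message(known_pt, known_ct, target_ct):
    """Use one known pair to read a different message under the same key."""
    return xor_bytes(target_ct, recover_key(known_pt, known_ct))

if __name__ == "__main__":
    key = b"K3y!"                                   # constructed secret key
    known_pt = b"Attack at dawn, meet at the bridge"  # constructed plaintext
    known_ct = xor_bytes(known_pt, key)
    intercepted = xor_bytes(b"Retreat at noon", key)
    print("recovered key:", recover_key(known_pt, known_ct))
    print("other message:", decrypt_other_message(known_pt, known_ct, intercepted))
```

The same self-inverse property that makes XOR convenient for stream ciphers is what makes key reuse fatal: with a one-time pad the key stream is never repeated, so the recovered stream tells the attacker nothing about any other message, and the attack above only works because the key is short and reused.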

Which interface language is an application programming interface (API) that can be configured to allow any application to query databases? A ODBC B JDBC C XML D OLE DB

Answer A is correct. Open Database Connectivity (ODBC) is an application programming interface (API) that can be configured to allow any application to query databases. The application communicates with ODBC, ODBC translates the application's request into database commands, and ODBC retrieves the appropriate database driver. Java Database Connectivity (JDBC) is an API that allows a Java application to communicate with a database. Extensible Markup Language (XML) is a standard for arranging data so that it can be shared by Web technologies. Object Linking and Embedding Database (OLE DB) is a method of linking data from different databases together.

Which of the following provides priority to different applications, users, or data to guarantee a specific level of performance? A QoS B DRM C SCADA D CoC

Answer A is correct. QoS (quality of service) is a resource reservation control mechanism designed to give priority to different applications, users, or data in order to guarantee a specific level of performance. QoS is needed because not all packets are equal: converged networks carry many traffic types (voice, video, bulk data) with different latency and loss tolerances, and QoS lets administrators classify traffic and optimize network performance per class. Answer C is incorrect. SCADA (supervisory control and data acquisition) refers to industrial control systems (ICS) used to monitor critical infrastructure and control power distribution and many other forms of automation. Answer D is incorrect. A chain of custody (CoC) should be documented to preserve evidence for presentation in court; it records who collected and accessed each piece of evidence. Answer B is incorrect. DRM (digital rights management) is a technique for controlling access to copyrighted material.

Which function is provided by remote procedure call (RPC)? A It allows the execution of individual routines on remote computers across a network. B It provides an integrated file system that all users in the distributed environment can share. C It provides code that can be transmitted across a network and executed remotely. D It identifies components within a distributed computing environment (DCE).

Answer A is correct. Remote procedure call (RPC) allows the execution of individual routines on remote computers across a network and is used in a distributed computing environment (DCE). Globally unique identifiers (GUIDs) and universally unique identifiers (UUIDs) are used to identify components within a DCE; they uniquely identify users, resources, and other components in the environment. Mobile code is code that can be transmitted across a network and executed remotely; Java applets and ActiveX controls downloaded into a Web browser from the World Wide Web are examples. A distributed file service (DFS) provides an integrated file system that all users in the distributed environment can share. A directory service ensures that services are made available only to properly designated entities.

Which method of resetting the BIOS password requires physical access to the computer? A resetting the CMOS contents via hardware B resetting the CMOS contents via software C cracking the BIOS password D using a back door BIOS password

Answer A is correct. Resetting the CMOS contents via hardware requires physical access to the computer: you must open the case and either set the jumper that clears the CMOS contents or remove the CMOS battery entirely. The other listed methods do not require physical access. The CMOS contents can be reset via software remotely, and the other remote methods are cracking the BIOS password and using a back door BIOS password. Back doors are access paths that vendors build in so that they can always reach their own devices. After installing new devices or operating systems, ensure that all back doors and default passwords are disabled or reset; attackers often try such back doors and default passwords first when probing new devices.

While developing your organization's Web site, the Web developer needs to ensure that certain messages are transmitted securely. Which technology would be the best choice for this purpose? A S-HTTP B SET C HTTPS D HTTP

Answer A is correct. Secure HTTP (S-HTTP) would be the best choice to ensure that certain individual messages from the Web server are transmitted securely. Hypertext Transfer Protocol (HTTP) is the protocol that carries Web messages and provides no security. HTTP Secure (HTTPS) is HTTP running over SSL/TLS; it secures the entire connection, and therefore entire portions of a Web site, whereas S-HTTP secures only selected messages. Secure Electronic Transaction (SET) is a security technology that secures credit card transactions. Note for practice: S-HTTP (RFC 2660) was never widely deployed and is not supported by current browsers or servers; HTTPS over TLS is what is actually used today to protect Web traffic.

Which of the following determines whether an organization will work under a discretionary, mandatory, or nondiscretionary access control model? A Security policy B Implicit deny C Constrained interface D Single sign-on

Answer A is correct. The security policy determines whether an organization will work under a discretionary, mandatory, or nondiscretionary access control model. It identifies the assets that need protection and the extent to which security solutions should go to protect them. Some organizations create a security policy as a single document, while others create multiple security policies, each focused on a separate area. Answer D is incorrect. Single sign-on (SSO) is a centralized access control technique that authenticates a subject once and then allows that subject to access multiple resources without repeated authentication prompts. Answer C is incorrect. A constrained or restricted interface is implemented within an application to restrict what users can do or see based on their privileges. Answer B is incorrect. The implicit deny principle ensures that access to an object is denied unless it has been explicitly granted to a subject.

Which access control model uses the star (*) integrity axiom and the simple integrity axiom? A Biba model B Clark-Wilson model C Bell-LaPadula model D Chinese Wall model

Answer A is correct. The Biba access control model, a formal security model for the integrity of objects and subjects in a system, uses the star (*) integrity axiom and the simple integrity axiom. The * integrity axiom, sometimes referred to as "no write up," ensures that a subject does not write to an object at a higher integrity level. The simple integrity axiom, sometimes referred to as "no read down," ensures that a subject does not read data from a lower integrity level. Together they prevent information from flowing from lower to higher integrity levels, so untrusted data can never contaminate trusted data. None of the other models uses these axioms. The main emphasis of the Biba model is integrity: it addresses unauthorized modification of data through a subject-object relationship. The goals of integrity are to prevent the modification of information by unauthorized users, to prevent unauthorized or unintentional modification by authorized users, and to preserve the internal and external consistency of the information. Subjects are assigned integrity levels according to their trustworthiness; objects are assigned integrity labels according to the harm that would be done if the data were modified improperly. Biba is the integrity counterpart of the Bell-LaPadula confidentiality model, whose simple security property ("no read up") and * property ("no write down") point the other way; the two are the most well-known access control models.
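The two Biba axioms as executable access checks, as an added example that is not code from the original page. The same block also shows the low water-mark variant that LOMAC, the Linux kernel module from the earlier question, implements: instead of refusing a read down, it lets the read happen and demotes the subject, after which the * integrity axiom stops it writing to what it could previously modify. The level names and the sample subject are constructed.

```python
# Added example (not from the original page): Biba's axioms as checks, plus
# a LOMAC-style low water-mark subject. Level names are constructed.
LEVELS = {"untrusted": 0, "user": 1, "system": 2}   # higher = more trustworthy

def simple_integrity_ok(subject_level, object_level):
    """Simple integrity axiom, "no read down": a subject may read an object
    only at or above its own integrity level."""
    return LEVELS[object_level] >= LEVELS[subject_level]

def star_integrity_ok(subject_level, object_level):
    """* integrity axiom, "no write up": a subject may write an object only at
    or below its own integrity level."""
    return LEVELS[object_level] <= LEVELS[subject_level]

def biba_decision(subject_level, operation, object_level):
    """Strict Biba: refuse any access that would move data up in integrity."""
    if operation == "read":
        return simple_integrity_ok(subject_level, object_level)
    if operation == "write":
        return star_integrity_ok(subject_level, object_level)
    raise ValueError(f"unknown operation {operation!r}")

class LowWaterMarkSubject:
    """LOMAC-style subject: reads are never refused, but reading lower
    integrity data drops the subject's level to the object's level (the low
    water-mark), after which the * axiom blocks writes to higher objects."""

    def __init__(self, level):
        self.level = level

    def read(self, object_level):
        if LEVELS[object_level] < LEVELS[self.level]:
            self.level = object_level      # demote: the subject is now tainted
        return True

    def write(self, object_level):
        return star_integrity_ok(self.level, object_level)

if __name__ == "__main__":
    print("user reads system config:", biba_decision("user", "read", "system"))
    print("user reads download:", biba_decision("user", "read", "untrusted"))
    daemon = LowWaterMarkSubject("system")
    daemon.read("untrusted")               # e.g. parses a downloaded file
    print("daemon level after read:", daemon.level)
    print("daemon writes /etc:", daemon.write("system"))
```

Strict Biba keeps subjects at a fixed level and refuses the dangerous reads outright; the low water-mark policy trades that for usability by allowing the read and paying for it with a permanent demotion, which is why LOMAC can be dropped onto an existing Linux system without rewriting applications.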

Which of the following should be members of the Computer Security Incident Response Team (CSIRT)? IT department member Legal department member Public relations department member Management team member A all of the options B options c and d C options a and b D option d E option c F option b G option a

Answer A is correct. The Computer Security Incident Response Team (CSIRT) should contain the following members:
- CSIRT Team Leader
- CSIRT Incident Lead
- CSIRT Associate Members, including an IT department member, a Legal department member or legal counsel, a Public relations team member, and a Management team member
The team members have specific roles during an incident investigation. The CSIRT has the following responsibilities during an incident investigation:
- Initial Assessment - owned by CSIRT Incident Lead
- Initial Response - owned by CSIRT Incident Lead
- Forensic Evidence Collection - owned by Legal department member
- Temporary Fix Implementation - owned by CSIRT Incident Lead
- Incident Communication - owned by Management team member
- Local Law Enforcement Contact - owned by Management team member
- Permanent Fix Implementation - owned by CSIRT Incident Lead
- Financial Impact Determination - owned by Management team member
As part of an incident investigation, your organization should have established rules of engagement that define all roles and responsibilities for a security incident. These rules should be periodically reviewed and updated to ensure that they are up to date. The rules of engagement define how the CSIRT should handle the incident and what actions are legal. Legal counsel and local law enforcement should be involved in the development of the rules of engagement. In addition, the rules of engagement should grant authorization to CSIRT team members to carry out their duties. The scope of the CSIRT team members' duties should be clearly defined to prevent any future legal issues.

Which of the following key sizes is used by International Data Encryption Algorithm (IDEA)? A 128-bit B 64-bit C 32-bit D 16-bit

Answer A is correct. The International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks using a 128-bit key. This algorithm was intended as a replacement for the Data Encryption Standard. IDEA was used in Pretty Good Privacy (PGP) v2.0, and was incorporated after the original cipher used in v1.0 was found to be insecure. It is an optional algorithm in OpenPGP. IDEA is a minor revision of an earlier cipher, PES (Proposed Encryption Standard). It was originally known as IPES (Improved PES). The cipher is patented in a number of countries but is freely available for non-commercial use.

Your company has an e-commerce site that is publicly accessible over the Internet. The e-commerce site accepts credit card information from a customer and then processes the customer's transaction. Which standard or law would apply for this type of data? A PCI DSS B SOX C Basel II D The Economic Espionage Act of 1996

Answer A is correct. The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that transmits, stores, or accepts credit card data. This is a private sector standard and not a law. The Economic Espionage Act of 1996 protects companies from industrial or corporate espionage, and specifically addresses technical, business, engineering, scientific, or financial trade secrets. Basel II is an accord that went into effect in 2006. This accord affects financial institutions. Its three main pillars are as follows: Minimum Capital Requirements - determines the lowest amount of funds that a financial institution must keep on hand. Supervision - ensures oversight and review of risks and security measures. Market Discipline - requires members to disclose risk exposure and to validate market capital. The Sarbanes-Oxley (SOX) Act of 2002 was written to prevent companies from committing fraud by knowingly providing inaccurate financial reports to shareholders and the public. It is mainly concerned with corporate accounting practices. Section 404 of this act specifically addresses information technology.

Which model employs a directed graph that defines how privileges can transfer from one subject to another subject or to an object? A Take-Grant model B Information flow model C Trusted computing base D Brewer and Nash model

Answer A is correct. The Take-Grant model employs a directed graph that defines how privileges can transfer from one subject to another subject or to an object. Answer D is incorrect. The Brewer and Nash model is designed to let access controls change dynamically based on a user's preceding activity. Answer B is incorrect. The information flow model focuses on the flow of information for ensuring and enforcing security. Answer C is incorrect. A trusted computing base (TCB) is the combination of software, hardware, and controls that form a trusted base for enforcing the security policy.

Which one of the following technologies is considered flawed and should no longer be used? A WEP B TLS C SHA-3 D PGP

Answer A is correct. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.

Which of the following models deals with how objects can be accessed by subjects on the basis of established rights and capabilities? A Access control matrix B Biba C Clark-Wilson D Sutherland

Answer A is correct. The access control matrix model deals with how objects can be accessed by subjects on the basis of established rights and capabilities. In the access control matrix model, an access control matrix is used. The access control matrix is a table of subjects and objects. This table indicates the actions or functions that each subject may perform on each object. Each column of the matrix is an access control list (ACL), and each row of the matrix is a capabilities list. An ACL is linked to the object; it lists the valid actions that each subject can perform on that object. A capability list is linked to the subject; it lists the valid actions that the subject can take on each object. Answer B is incorrect. The Biba model, also called the Biba Integrity model, is a formal state transition system of computer security policy that depicts a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt objects in a level ranked higher than the subject, or be corrupted by objects from a lower level than the subject. Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an integrity policy for a computing system. It is primarily concerned with formalizing the notion of information integrity. It protects integrity by preventing unauthorized users from making changes. The model's enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. Answer D is incorrect. The Sutherland model is an integrity model that focuses on preventing interference in support of integrity. It is formally based on the state machine model and the information flow model. The Sutherland model does not directly specify mechanisms for protecting integrity. Instead, it defines a set of system states, initial states, and state transitions. Integrity is maintained and interference is prohibited by restricting the system to these predetermined secure states.

During which step of the NIST SP 800-137 are the decisions on risk responses made? A Respond to findings. B Review and update the monitoring program and strategy. C Establish the ISCM program. D Define the ISCM strategy.

Answer A is correct. The decisions on risk responses are made during the Respond to findings step of the NIST SP 800-137. They are considered an output of this step. NIST SP 800-137 guides the development of information security continuous monitoring (ISCM) for federal information systems and organizations. It defines the following steps to establish, implement, and maintain ISCM: Define an ISCM strategy. Establish an ISCM program. Implement an ISCM program. Analyze data, and report findings. Respond to findings. Review and update the ISCM strategy and program. The decisions on risk responses are not part of any of the other listed steps of the NIST SP 800-137.

Which statement is true of an information processing facility? A Doors and walls should have the same fire rating. B Windows should be shielded by metallic bars. C Critical areas must be illuminated six feet high. D A critical path analysis does not have to include a redundant path for every critical path.

Answer A is correct. The doors and walls of an information processing facility should have the same fire rating, in conformance with safety codes and regulations. Fire extinguishers should be kept at known places in the information facility. Doors must resist forced entry to prevent theft or unauthorized access to computer systems. To avoid trapping people during a fire or flood, windows should not be shielded with metallic bars. According to the National Institute of Standards and Technology (NIST), critical areas must be illuminated to a height of eight feet with two foot-candles of intensity. A critical path analysis can determine the level of protection for an environment by keeping track of environmental components, their interactions, and their interdependencies. A critical path analysis includes a redundant path for every critical path to ensure uninterrupted business operation for the organization.

Which of the following best describes an implicit deny principle? A All actions that are not expressly allowed are denied. B All actions that are not expressly denied are allowed. C None of the above. D All actions must be expressly denied.

Answer A is correct. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.

Which statement is true of the information flow model? A The information flow model allows the flow of information within the same security level. B The information flow model does not permit the flow of information from a lower security level to a higher security level. C The information flow model only deals with the direction of flow. D The Biba model is not built upon the information flow model.

Answer A is correct. The information flow model allows the flow of information between different security levels and between objects within the same security level, based on an access control matrix. A flow acts as a type of dependency by relating two versions of the same object. The flow maps the transformation of the object from one version to another. The Biba model and the Bell-LaPadula model are based on both the information flow model and the state machine model. The information flow model allows every type of information flow and does not restrict itself to the direction of flow. Information is allowed to flow between different security levels or within the same security level if there is no restriction on the operation. If a user attempts a restricted operation, the system uses the access control matrix to verify whether the user is permitted to perform the action.

During a recent forensic investigation, several message digests were obtained. What is the main disadvantage of using this evidence? A modified timestamp B faster processing C slower access time D stringent authentication

Answer A is correct. The main disadvantage of message digests is that the timestamp can be modified. During the course of a forensic investigation, the last access time for a file is changed when a message digest is created on the data collected. Message digests are necessary to ensure that the evidence is not tampered with during the course of the investigation. A logging timestamp is changed because a transaction takes place, and this overwrites the timestamp of the incident that originally occurred. A message digest is a fixed-length output created by using a one-way hash function. A message digest is created from a variable-length input and is also referred to as a checksum. A message digest is helpful in detecting whether any change is made to the records during the course of the chain of custody. The message digest is expected to be smaller than the original data string. Message digests do not provide stringent authentication; they deal with the integrity of information. Message digests do not contribute to either a higher processing time or a slower access time.

Management is concerned that attackers will attempt to access information in the database. They have asked you to implement database protection using bogus data in hopes that the bogus data will mislead attackers. Which technique is being requested? A noise and perturbation B trusted front-end C cell suppression D partitioning

Answer A is correct. The noise and perturbation technique is being requested. This technique involves inserting randomized bogus information along with the valid records of the database to mislead attackers and protect database confidentiality and integrity. This alters the data but still allows users to access relevant information from the database. This technique also creates enough confusion to prevent the attacker from telling the difference between valid and invalid information. Partitioning is not being requested. Partitioning is another protection technique for database security. Partitioning involves splitting the database into many parts, making it difficult for an intruder to collect and combine confidential information and deduce relevant facts. Cell suppression is not being requested. Cell suppression is the technique used to protect confidential information stored in databases by hiding the database cells that could be used to disclose confidential information. A trusted front-end is not being requested. A trusted front-end refers to providing security to the database by incorporating security features into the functionality of the front-end client software that is used to issue instructions to the back-end server using a structured query language. The trusted front-end client software acts as an interface to the back-end database system and provides the resultant output based on the input instructions issued by the user.

Which security model ensures that the activities performed at a higher security level do not affect the activities at a lower security level? A noninterference model B Brewer and Nash model C information flow model D Biba model

Answer A is correct. The noninterference model provides multilevel security and ensures that the commands and activities performed at one security level do not affect the activities at another security level. The activities performed at a lower security level should neither be affected by nor interfere with the subjects or objects of a higher security level. Such a model provides protection against object reuse or execution of malicious programs, which attempt to gain access to restricted resources. The noninterference model addresses the situation wherein one group is not affected by another group using specific commands. The Biba model deals with the integrity of data and adheres to the following requirements: A subject at a lower integrity level should not be able to write to an object at a higher integrity level. A subject should not be able to read data from an object at a lower integrity level. The information flow model is concerned with the type of information, whether legal or illegal, that flows. This model is not concerned with the direction of the information flow. The model states that information can flow from one security level to another or among the same security levels unless a restricted operation is performed. The Brewer and Nash model, also referred to as the Chinese Wall model, states that access controls for a system will dynamically change according to a user's activities and the previous access requests. A request from the user to access the information may be denied if the request presents a conflict of interest. For example, a user from the Accounts department may not be allowed to view the financial reports for a sister concern of the same organization. This ensures that the user does not introduce any conflict of interest.

Near the end of a recent incident investigation, the incident investigator suggests that your organization takes several recommended countermeasures. Which step of the investigation process is being carried out? A presentation B collection C examination D analysis

Answer A is correct. The presentation step of the investigation process is being carried out. This step can include documentation, expert testimony, clarification, mission impact statement, recommended countermeasures, and statistical interpretation. The collection step of the investigation process is not being carried out. This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. The examination step of the investigation process is not being carried out. This step can include traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. The analysis step of the investigation process is not being carried out. This step can include traceability, statistical analysis, protocol analysis, data mining, and timeline determination. The proper steps in a forensic investigation are as follows: Identification Preservation Collection Examination Analysis Presentation Decision

Which type of security identifies the process of safeguarding information assets after the implementation of security? A operations security B physical security C application security D access control security

Answer A is correct. The primary goal of operations security is to guard against information asset threats generated within an organization. It includes taking steps to make sure an environment and the things within it are covered by a certain level of protection. Operations security is important because an environment continually changes and has the potential to lower its level of protection. Operations security aims at continuous maintenance of the security infrastructure through routine activities that keep the infrastructure up and running in a secure manner. Operations security also depends on the routine procedures and processes of other types of security. For example, to enable operations security, physical security controls should be implemented and maintained, thereby ensuring the confidentiality, integrity, and availability of business operations. Physical controls refer to facility perimeter security, including fencing, gates, locks, and lighting. Physical security controls work in conjunction with operations security to achieve the security objectives of the organization. Application security controls provide processes for input, processing, interprocess communications, communication between different programs, and the resultant output. Access control is a method of limiting resource access to authorized users and preventing access by illegitimate users.

You are part of the design team for an organization's information processing facility. Which option or options represent potential physical security risks to the design? spoofing physical theft power failure hardware damage denial of service (DoS) attack A options b, c, and d B options c, d, and e C options a, b, and c D option e E option d F option c G option b H option a

Answer A is correct. The primary physical security risks include physical theft, interruption of critical services, physical damage to hardware assets, and threats affecting the confidentiality, integrity, and availability of an organization's critical resources. Physical security addresses the following major categories of risks: Interruption of services: Power failure is an example of interruption of critical services that are vital to the business operations of an organization. Hardware damage is an example of loss of computer services. Physical theft: Physical theft not only amounts to loss of an asset but also leads to unauthorized disclosure of information. A denial of service (DoS) attack and an IP spoofing attack are network-based threats and do not pose a physical security risk.

You have been hired as a security consultant for an organization that does contract work for the U.S. Department of Defense (DoD). You must ensure that all data that is part of the contract work is categorized appropriately. What is the highest data classification category you can use? A Top Secret B Sensitive C Secret D Confidential

Answer A is correct. Top Secret is the highest data classification category that can be used when categorizing data for government or military use. This system has five main levels of classification (from lowest to highest): Unclassified, Sensitive, Confidential, Secret, Top Secret. While other classification levels do exist, they usually operate within these five main levels.

What is an example of a brute force attack? A using a program to guess passwords from a SAM file B gathering packets from a network connection C searching through a company's trash D sending multiple ICMP messages to a Web server

Answer A is correct. Using a program to guess passwords from a Security Account Manager (SAM) file is an example of a brute force attack. A SAM file, which is used on some Windows networks, contains encrypted passwords. A hacker can initiate a brute force attack in an attempt to decrypt passwords stored in a SAM file. You can defend against a brute force network attack by increasing the complexity and keyspace of the password. Sending multiple Internet Control Message Protocol (ICMP) messages to a Web server is a type of denial of service (DoS) attack that is referred to as a ping of death. Searching through a company's trash to find sensitive information is a type of physical attack that is sometimes referred to as dumpster diving. Using a packet analyzer to gather packets from a network connection between two computers is a method that can be used to initiate a man in the middle (MITM) attack.

What should you implement on the client computers to best manage the encryption keys, passwords, drive encryption, and digital rights for users? A TPM B VM C DNS D PKI

Answer A is correct. You should implement Trusted Platform Module (TPM) on the client computers to best manage the encryption keys, passwords, drive encryption, and digital rights for users. A public key infrastructure (PKI) is used to centrally manage digital certificates. A Domain Name System (DNS) is used to resolve fully qualified domain names (FQDNs) to IP addresses. A virtual machine (VM) is a software computer that, like a physical computer, runs an operating system and applications. Virtual machines share resources with the host computer.

You need to implement security countermeasures to protect from attacks being implemented against your PBX system via remote maintenance. Which policies provide protection against remote maintenance PBX attacks? Turn off the remote maintenance features when not needed. Use strong authentication on the remote maintenance ports. Keep PBX terminals in a locked, restricted area. Replace or disable embedded logins and passwords. A all of the options B options a and b only C options a, b, and c only D option d E option c F option b G option a

Answer A is correct. You should implement all of the given policies to provide protection against remote maintenance PBX attacks. You should turn off the remote maintenance features when not needed and implement a policy whereby local interaction is required for remote administration. You should use strong authentication on the remote maintenance ports. This will ensure that authentication traffic cannot be compromised. You should keep PBX terminals in a locked, restricted area. While this is more of a physical security issue, it can also affect remote maintenance attacks. If the physical security of a PBX system is compromised, the attacker can then reconfigure the PBX system to allow remote maintenance. You should replace or disable embedded logins and passwords. These are usually configured by the manufacturer to allow back door access to the system.

You have been asked to implement antivirus software for your virtualization environment. Where should you install the antivirus software? A on both the host computer and all virtual computers B on the host computer only C on each virtual computer only D on the physical computer only

Answer A is correct. You should install the antivirus software on both the host computer and all virtual computers. Virtual machines can be compromised with viruses just like a physical computer. Virtualization allows you to implement virtual computers on your network without purchasing the physical hardware to implement the server. Virtualization allows you to isolate the individual virtual machines in whatever manner you need. However, all virtual machines located on a virtual host are compromised if the virtual host is compromised. Therefore, it is important to not limit your implementation of the appropriate security measures to the virtual host. You should also implement the appropriate security measures on each virtual machine, including implementing antivirus software and using the principle of least privilege. You should not install the antivirus software on the host computer only, on each virtual computer only, or on the physical computer only. Because virtual machines can be compromised with viruses just like a physical computer, you should ensure that the antivirus software is installed on both the host computer and each virtual computer.

You need to format data from your database so that it can be easily displayed using Web technologies. Which interface language should you use? A XML B JDBC C OLE DB D ADO

Answer A is correct. You should use Extensible Markup Language (XML). XML is an interface language used to arrange data so that it can be shared by Web technologies. This flexible language can be used to arrange the data into a variety of formats using tags. Answers B, C, and D are incorrect. Java Database Connectivity (JDBC) is an application programming interface (API) that allows a Java application to communicate with a database. Object Linking and Embedding Database (OLE DB) is a method of linking data from different databases. ActiveX Data Objects (ADO) is an API that allows ActiveX programs to query databases.

Which protocol should you configure on a remote access server to authenticate remote users with smart cards? A EAP B PAP C CHAP D MS-CHAP

Answer A is correct. You should use the Extensible Authentication Protocol (EAP). By using an EAP authentication protocol, such as EAP-Transport Level Security (EAP-TLS), for authentication, the remote access server can authenticate remote users with smart cards. The other authentication protocols listed do not support authentication using smart cards. Password Authentication Protocol (PAP) requires that users authenticate using a password. The password is transmitted in plain text, thereby allowing a possible security breach. Challenge Handshake Authentication Protocol (CHAP) provides a higher level of security. Passwords are not sent in plain text. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) comes in two versions. Version 2 provides better security because it provides mutual authentication, meaning both ends of the connection are authenticated.

What is NOT an example of an operational control? A an audit trail B a business continuity plan C configuration management D a backup control

Answer B is correct. A business continuity plan refers to the procedures undertaken for dealing with long-term unavailability of business processes and resources. Business continuity planning differs from disaster recovery. Disaster recovery aims at minimizing the impact of a disaster. Business continuity planning includes the following steps: Moving critical systems to another environment during the repair of the original facility. Performing operations in a constrained mode with fewer resources until the conditions of the primary facility return to normal. Dealing with customers, partners, and shareholders through various channels until the original channel is restored. Operational controls ensure the confidentiality, integrity, and availability of business operations by implementing security as a continuous process. Audit trails are both operational controls and detective controls. Audit trails identify and detect not only unauthorized users but also authorized users who are involved in unauthorized activities and transactions. Audit trails support the security objectives defined by the security policy of an organization and ensure the accountability of users in the organization. They provide detailed information regarding the computer, the resource usage, and the activities of users. In the event of an intrusion, audit trails can help identify fraud and unauthorized user activity. Backup controls, software testing, and anti-virus management are other examples of operational software controls. Configuration management is an operational control. Configuration management both controls and audits changes made to the trusted computing base (TCB). The audited changes include changes made to the hardware, software, and firmware configurations throughout the operational life cycle of infrastructure assets. Configuration management ensures that changes to the infrastructure take place in a controlled manner and follow a procedural approach. Configuration management also ensures that future changes to the infrastructure do not violate the organization's security policy and security objectives. Maintenance accounts are considered a threat to operational controls, because maintenance accounts are commonly used by hackers to access network devices.

Which type of water sprinkler system is best used in colder climates? A wet pipe B dry pipe C deluge D pre-action

Answer B is correct. A dry pipe water sprinkler system is best used in colder climates. Because water is not held in the pipes of the system, the pipes will not freeze. In a dry pipe system, the following steps occur when a fire is detected: The heat or smoke sensor is activated. The water fills the pipes leading to the sprinkler heads. The fire alarm sounds. The electric power is disconnected. Water flows from the sprinklers. Wet pipe systems hold water in the pipes. This type of system is usually implemented throughout buildings in warmer climates. Pre-action systems are similar to dry pipe systems. The main difference is that pre-action systems hold pressurized air in the pipes. When the air pressure is reduced, the pipes are filled. In addition, the sprinkler heads include a thermal-fusible link that must melt before the water is released. This type of system is more expensive, and is therefore only used in data processing environments. A deluge system releases a larger amount of water in a shorter time.

Which form of Denial of Service attack is well known for spoofing the source and destination addresses as the address of the victim? A Teardrop B Land C Ping of Death D Smurf

Answer B is correct. A land DoS attack is well known for spoofing the source and destination addresses as the address of the victim. This attack tricks the system into constantly replying to itself and can lead it to freeze, crash, or reboot. Answer A is incorrect. In a teardrop attack, the attacker fragments the traffic in a way that makes it impossible for the receiving system to reassemble the data packets. Answer D is incorrect. A smurf attack floods the victim with ICMP (Internet Control Message Protocol) echo packets. In this attack, the attacker broadcasts the echo request to all systems on the network and spoofs the source IP address. Answer C is incorrect. A ping of death attack uses a ping packet of 32 or 64 bytes, which is resized to over 64KB. When a system receives a ping packet larger than 64KB, it results in a problem.

Your company has hired a security firm to test your network's security. What would need to be used outside your network? A protocol analyzer B penetration tester C vulnerability scanner D port scanner

Answer B is correct. A penetration tester would need to be used outside your network. This tests your network's security to see if it can be penetrated. You can only penetrate a network from outside of it. None of the other tests needs to be used outside your network. A vulnerability scanner checks your network for known vulnerabilities and provides methods for protection against the vulnerabilities. A port scanner identifies ports and services that are available on your network. A protocol analyzer captures packets on your network. A penetration test originates from outside the network. A vulnerability scan usually originates from within the network. The formal steps in the penetration test are as follows: Document information about the target system or device. (This is discovery.) Gather information about attack methods against the target system or device. This includes performing port scans. (This is enumeration.) Identify the known vulnerabilities of the target system or device. (This is vulnerability mapping.) Execute attacks against the target system or device to gain user and privileged access. (This is exploitation.) Document the results of the penetration test and report the findings to management, with suggestions for remedial action. (This is reporting.) The IP addresses of the computers are usually discovered during a penetration test. As components of the network are discovered, the methods used will be determined.

Which of the following is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system? A DevOps B API C SCADA D OCSP

Answer B is correct. API (application programming interface) is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system. It helps in reducing the development time of applications by reducing application code. Most operating environments, such as MS-Windows, provide an API so that programmers can write applications consistent with the operating environment. Answer A is incorrect because DevOps is a software development method that emphasizes communication, collaboration, automation, and measurement of cooperation between software developers and other IT professionals. Answer C is incorrect because SCADA (supervisory control and data acquisition) refers to an ICS (industrial control system) used to monitor critical infrastructure systems and control power distribution, as well as many other forms of automation. Answer D is incorrect because OCSP (Online Certificate Status Protocol) eliminates the latency inherent in the use of certificate revocation lists.

Which component is NOT associated with the Common Criteria? A target of evaluation B accreditation C security target D protection profile

Answer B is correct. Accreditation is not an associated component of the Common Criteria. Accreditation is the process in which management accepts system functionality and assurance. Accreditation represents the satisfaction of management regarding the functionality and the assurance of the product. The Common Criteria is associated with the functionality and assurance attributes of a product. The Common Criteria was started in 1993 with an aim to combine evaluation criteria, such as TCSEC and ITSEC, into a global standard for evaluation of infrastructure products, their security functionality, and their assurance. The Common Criteria is a worldwide recognized and accepted standard for evaluation of infrastructure products. This evaluation criterion reduces the complexity of the ratings and ensures that vendors manufacture products for international markets. Therefore, the Common Criteria addresses the functionality in terms of what a product does and assures that the product will work consistently and predictably. The Common Criteria assigns an evaluation assurance level. Unlike the Orange Book, which assigns a rating to a product based on the methods it uses to relate to the Bell-LaPadula model, the Common Criteria assigns a rating based on a protection profile. A protection profile contains a set of security requirements for a product and the rationale behind such requirements. In Part 3 of the Common Criteria, Security Assurance Requirements, the seven predefined packages of assurance components that make up the CC scale for rating confidence in the security of IT products and systems are called evaluation assurance levels (EAL). A protection profile can be documented and presented by vendors and customers who demand a security solution. The seven EAL levels are as follows: EAL1: The product is functionally tested. EAL2: The product is structurally tested. EAL3: The product is methodically tested and checked. EAL4: The product is methodically designed, tested, and reviewed. EAL5: The product is semi-formally designed and tested. EAL6: The product has a semi-formally verified design and is tested. EAL7: The product has a formally verified design and is tested. The thoroughness of the testing increases and the testing becomes more detailed with each level. The target of evaluation (TOE) defines the product that is to be evaluated for rating. The TOE is a part of the Common Criteria. The vendor's security target defines the functionality and assurance mechanisms that meet the security solution. The EAL or package describes the requirements to be fulfilled by the proposed security solution to achieve a specific EAL rating for the product.

You are designing the reporting solution for your company's information security continuous monitoring (SCM) program. You need to create a mechanism whereby end users are able to create the reports that they need. You set up the business intelligence (BI) solution, connect it to the data sources, establish security settings, and determine which objects users can access. Which type of reporting are you implementing? A automated reporting B ad-hoc reporting C data feed D recurring reporting

Answer B is correct. Ad-hoc reporting is being used when you set up the business intelligence (BI) solution, connect it to the data sources, establish security settings, and determine which objects users can access. Automated reporting delivers information by setting up in advance the reports that need to be run and then automatically generating and delivering these reports. With automated reporting, users do not create the reports they need. Recurring reporting is very similar to automated reporting. It allows reports to be generated on a regular basis for information that is always needed. With recurring reporting, users do not create the reports they need. A data feed allows users to receive updated data from data sources. A web feed or RSS feed are popular forms of data feeds. With data feeds, users receive information, not reports.

You must document the appropriate guidelines that should be included as part of any security policy that involves personnel who travel with company-issued devices. You have been given a list of possible tips for travelers that could be included in the guidelines, as follows: Tip A: Privacy when traveling, no matter the connection medium, is not guaranteed. Tip B: Personnel movements can be tracked using mobile devices. Tip C: Malicious software can be inserted onto a device from any connection that is controlled by someone else or through thumb drives. Tip D: Do not take the device with you if you do not need it. Which tips are valid tips that should be included as part of the guidelines for personnel? A points A, B, and C only B All of the points C points A, C, and D only D points B, C, and D only

Answer B is correct. All of the tips listed are valid tips that should be included as part of the guidelines for personnel who may travel with company-issued devices. Other tips include: All information that you transmit can be intercepted. All individuals are at risk, although some in sensitive corporate or government positions may be at a higher risk. Foreign criminals are adept at posing as someone you trust to obtain sensitive information. If your device is ever examined or left in a hotel room when the room is examined, assume that the hard drive has been copied and the device compromised.

What is the concept of a computer implemented as part of a larger system that is typically designed around a limited set of specific functions (such as management, monitoring, and control) in relation to the larger product of which it's a component? A IoT B Embedded system C SoC D Application appliance

Answer B is correct. An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it's a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller.

A user inherits a permission based on his group membership. Which type of right has been implemented? A access right B implicit right C explicit right D capability

Answer B is correct. An implicit right occurs when a user inherits a permission based on group membership. It can also occur due to role assignment. A capability is an access right that is assigned directly to a subject. An explicit right occurs when a user is given a permission directly. An access right is a generic term referring to any permission granted to a user, whether implicitly or explicitly.

You must provide SOC 2 and SOC 3 reports on the security, availability, confidentiality, processing integrity, and privacy of operational controls. As part of these reports, you must provide information regarding the backup and restoration of data. To which tenet of SOC 2 and SOC 3 does this information apply? A privacy B availability C confidentiality D security

Answer B is correct. Backup and restoration of data applies to the availability tenet of the SOC 2 and SOC 3 reports. Availability also includes environmental controls, disaster recovery, business continuity, and availability process. Privacy includes management, privacy notice, data collections, data use and retention, data access, data disclosure to third parties, data quality, and monitoring and enforcement. Security includes the IT security policy, security awareness, risk assessment, logical and physical access, security monitoring, user authentication, incident management, asset classification, personnel security, and other topics. Confidentiality includes the confidentiality policy, input confidentiality, data processing confidentiality, output confidentiality, information disclosure, and systems development confidentiality.

Your organization is considering leasing an off-site data center to provide facility recovery if a disaster occurs. Management wants to lease a cold site. What are some disadvantages of this type of site? a. expense b. recovery time c. administration time d. testing availability A option a B options b and d C option c D option d E options a and c F option b

Answer B is correct. Cold sites take a long time to bring online. They also are not as available for testing as other alternatives. Therefore, recovery time and testing availability are two disadvantages of using a cold site. Cold sites are inexpensive and require no daily administration time. Therefore, expense and administration time are two advantages of using a cold site. Hot sites are expensive. They require a lot of administration time to ensure that the site is ready within the maximum tolerable downtime (MTD). Therefore, expense and administration time are two disadvantages of using a hot site. In addition, another disadvantage of a hot site is that it would need extensive security controls. Hot sites are available within the MTD and are available for testing. Therefore, recovery time and testing availability are two advantages of using a hot site. Warm sites are less expensive than hot sites, but more expensive than cold sites. The recovery time of a warm site is more than is needed for a hot site, but less than that needed for a cold site. Warm sites usually require less administration time because only the telecommunications equipment is maintained, not the computer equipment. Warm sites are easier to test than cold sites, but harder to test than hot sites. Redundant sites are expensive and require a lot of administration time. However, they require a small recovery time and are easier to test than the facilities owned by other companies.

Which statement is NOT true of cryptanalysis? A It is a tool used to develop a secure cryptosystem. B It is used to test the strength of an algorithm. C It is a process of attempting reverse engineering of a cryptosystem. D It is used to forge coded signals that will be accepted as authentic.

Answer B is correct. Cryptanalysis is not used to test the strength of an algorithm. Cryptanalysis is the process of obtaining plaintext from the ciphertext without knowing the secret key. The process is accomplished by forging signals or text. These forged signals will be accepted as authentic. Cryptanalysis is based on the permutations and combinations that are used as inputs during the course of analysis. Cryptanalysis is also referred to as a process of reverse engineering used to obtain an output from a deciphered input.

Which of the following business continuity exercises can be quite involved and should be performed annually? A structured walkthrough B disaster simulation testing C emergency evacuation drill D table-top exercise

Answer B is correct. Disaster simulation testing can be quite involved and should be performed annually. To complete this test, you should create a simulation of an actual disaster, including all of the equipment, supplies, and personnel needed. This test will determine if you can carry out critical business functions during the event. None of the other exercises is as involved as disaster simulation testing. In a table-top exercise, personnel from every business unit who understand disaster recovery meet in a conference room to examine the plan and look for gaps. A structured walkthrough occurs when each team member walks through his plan components to identify weaknesses, usually with a specific disaster in mind. Emergency evacuation drills are usually completed at least twice a year, and only ensure that personnel know how to properly evacuate the facilities.

What type of access control model is used on a firewall? A DAC model B Rule-based access control model C RBAC model D MAC model

Answer B is correct. Firewalls use a rule-based access control model with rules expressed in an access control list. A Mandatory Access Control (MAC) model uses labels. A Discretionary Access Control (DAC) model allows users to assign permissions. A Role-Based Access Control (RBAC) model organizes users in groups.

Management has asked you to ensure that voltage is kept clean and steady in your facility. Which component is MOST appropriate for this purpose? A concentric circle B line conditioners C UPS D HVAC

Answer B is correct. Fluctuations in voltage supply, such as spikes and surges, can damage electronic circuits and components. A line conditioner ensures a clean and steady voltage supply by filtering the incoming power and eliminating fluctuations and interference. An uninterruptible power supply (UPS) provides clean distribution of power. The UPS provides a backup power supply. A UPS can also provide surge suppression, but can only protect those items connected to it. In addition, the protection provided is very limited. For voltage issues with the primary power supply, you should use voltage regulators or line conditioners. The heating, ventilation, and air conditioning (HVAC) system is installed in a building to regulate temperature. This includes air conditioning plants, chillers, ducts, and heating systems. HVAC is also referred to as climate control. It is important to note that HVAC has no role in regulating voltage. HVAC should maintain a humidity level of 40 to 60 percent in the air. High humidity can cause either condensation on computer parts or corrosion on electric connections. A low humidity level can cause static electricity that can damage the electronic components of computer equipment. Static electricity can also be reduced using anti-static sprays and anti-static flooring. The concentric circle approach defines a circular security zone and determines physical access control. The zone should be secured by fences, badges, mantraps, guards, dogs, and access control systems, such as biometric identification systems. Concentric circle is a layered defense architecture and does not deal with electric power.

Which of the following is an attack that sends out an overload of UDP packets from a spoofed source so that an overload of ICMP unreachable replies flood the victim? A Brute force B Fraggle C Polymorphic shell code D Dictionary

Answer B is correct. Fraggle is an attack that sends out an overload of UDP packets from a spoofed source so that an overload of ICMP unreachable replies floods the victim. Answer A is incorrect. The brute force attack is a type of password guessing attack. In this type of attack, attackers systematically try every conceivable combination to find out the password of a user. Answer D is incorrect. The dictionary attack is a type of password guessing attack. This type of attack uses a dictionary of common words to find out the password of a user. It can also use common words in either upper or lower case to find a password. There are many programs available on the Internet to automate and execute dictionary attacks. Answer C is incorrect. In a polymorphic shellcode attack, the attacker sends malicious data which continuously changes its signature. The signature is changed by the attacking payload sent by the attacker. Since the new signature of the data does not match the old signature entered into the IDS signature database, the IDS becomes unable to point out the malicious data. Such data can harm the network as well as the IDS.

Which of the following is not considered a violation of confidentiality? A Eavesdropping B Hardware destruction C Social engineering D Stealing passwords

Answer B is correct. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

Which of the following will indicate that modification has been made in a message? A The private key has been altered. B The message digest values do not match. C The message has been encrypted properly. D The public key has been altered.

Answer B is correct. Hashing algorithms generate message digests to detect whether modification has taken place or not. The sender and receiver independently generate their own digests and the receiver compares these values. If they are different, the receiver knows that the message has been altered in some way. Answers D, A, and C are incorrect. They will not indicate that modification has been made in a message.

___________________ is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic. A IDEA B IPsec C SDLC D UDP

Answer B is correct. IPsec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.

What happens when a trusted computing base (TCB) failure occurs as a result of a lower-privileged process trying to access restricted memory segments? A Operating system reinstallation is required. B The system goes into maintenance mode. C The system reboots immediately. D Administrator intervention is required.

Answer B is correct. If a process with lower privilege attempts to access the restricted memory segments, the system transitions into maintenance mode, also referred to as an emergency system restart. An emergency system restart occurs in response to a system failure. An emergency system restart can be caused by a trusted computing base (TCB) failure, a media failure, or a user performing an insecure activity. A lower-privileged process trying to access restricted memory segments is an example of an insecure activity. A system reboot occurs in response to other TCB failures. This is a controlled reboot of the system. The purpose of performing a system reboot is to release system resources and perform the necessary system activities. A system cold start occurs if a user or a system administrator intervenes. A system cold start occurs when the recovery procedures are inadequate to recover the system from a TCB or a media failure. The system remains in an inconsistent state during an attempt by the system to recover. Operating system reinstallation is not a valid response for trusted recovery. Trusted recovery includes a system reboot, an emergency system restart, and a system cold start.

In PKI, what is the entity that signs a certificate? A a principal B an issuer C a subject D a verifier

Answer B is correct. In a public key infrastructure (PKI), an issuer is the entity that signs a certificate. Signing a certificate verifies that the name and key in the certificate are valid. PKI is a system designed to securely distribute public keys. A PKI typically consists of the following components: certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which security professionals can use to follow the possession of keys. Chain of custody might be used in proving legal cases against hackers. A principal is any entity that possesses a public key. A verifier is an entity that verifies a public key chain. A subject is an entity that seeks to have a certificate validated. A PKI provides digital certification. It includes a certification authority (CA) and timestamping. A Lightweight Directory Access Protocol (LDAP) server is used in a PKI to provide the directory structure. A PKI provides non-repudiation support.

Which of the following can be considered a single point of failure within a single sign-on implementation? A RADIUS B Authentication server C User's workstation D Logon credentials

Answer B is correct. In a single sign-on technology, all users are authenticating to one source. Authentication requests cannot be processed if that source goes down. Answers C, D, and A are incorrect. They cannot be considered as a single point of failure within a single sign-on implementation because their failure will not cause an entire system to fail.

Which task does a key revocation system accomplish? A key validation B key invalidation C key generation D private key protection

Answer B is correct. Key revocation systems are designed to invalidate keys. Keys are generated by key generation systems. Data Encryption Standard (DES), for example, provides a key generation system that produces 56-bit encryption keys. A receiver of a key can certify the identity of the sender of the key by using a key certification system. Encryption systems typically provide password protection to protect private keys.

Which term is an estimate of the amount of time a piece of equipment will last and is usually determined by the equipment vendor or a third party? A MTTR B MTBF C BCP D BIA

Answer B is correct. Mean time between failures (MTBF) is an estimate of the amount of time a piece of equipment will last and is usually determined by the equipment vendor or a third party. Mean time to repair (MTTR) is an estimate of the amount of time it will take to fix a piece of equipment and return it to production. The owner of the equipment usually determines this amount of time. A business impact analysis (BIA) is created to identify the vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. A business continuity plan (BCP) is created to ensure that policies are in place to deal with long-term outages and disasters. Its primary goal is to ensure that the company maintains its long-term business goals both during and after the disruption and mainly focuses on the continuity of the data, telecommunications, and information systems infrastructure. Elements of the BCP plan approval and implementation include: Creating an awareness of the plan Obtaining senior management approval of the results Updating the plan regularly and as needed The BCP should be tested if there have been substantial changes to the company or the environment. They should also be tested at least once a year.

Which statement is true of the Rijndael algorithm? A Rijndael uses fixed block lengths and fixed key lengths. B Rijndael uses variable block lengths and variable key lengths. C Rijndael uses fixed block lengths and variable key lengths. D Rijndael uses variable block lengths and fixed key lengths.

Answer B is correct. Rijndael is a block cipher algorithm that uses variable block lengths and variable key lengths. The block and key sizes that the Rijndael algorithm supports are 128, 192, and 256 bits. The number of rounds of encryption depends upon the size of the key and the block. Rijndael is a symmetric key algorithm. Rijndael operates at the nonlinear, key-addition, and linear-mixing layers. Rijndael requires low memory, provides resistance against all known attacks, and has been chosen to protect sensitive but unclassified government information. The NIST Advanced Encryption Standard (AES) uses the Rijndael algorithm. AES and Rijndael are often referred to as iterated block ciphers.

Which of the following protocols work at the Network layer of the OSI model? Each correct answer represents a complete solution. Choose all that apply. A Simple Network Management Protocol (SNMP) B Routing Information Protocol (RIP) C File Transfer Protocol (FTP) D Internet Group Management Protocol (IGMP)

Answers B and D are correct. The following protocols of the OSI model work at the Network layer: Routing Information Protocol (RIP) Internet Group Management Protocol (IGMP) Answers A and C are incorrect. Simple Network Management Protocol (SNMP) and File Transfer Protocol (FTP) work at the Application layer of the OSI model.

Which of the following types of viruses hide themselves by actually tampering with the operating system and making antivirus packages believe that everything is functioning normally? A Encrypted viruses B Stealth viruses C Multipartite viruses D Polymorphic viruses

Answer B is correct. Stealth viruses hide themselves by actually tampering with the operating system. These viruses make the antivirus packages believe that everything is functioning normally. Answer C is incorrect. Multipartite viruses make use of a group of techniques that include infecting documents, executables, and boot sectors in order to infect computers. Mostly, multipartite viruses first enter the memory and then infect the boot sector of the hard drive. Once this virus enters the memory, it can infect the entire system. Answer D is incorrect. Polymorphic viruses have the ability to change their own signature at the time of infection. These viruses are very complicated and are difficult to detect. These viruses cannot be detected by signature-based antivirus. Answer A is incorrect. Encrypted viruses use cryptographic techniques to avoid detection. These viruses are quite similar to the polymorphic viruses in their outward appearance. Each infected system has a virus with a different signature. However, these viruses alter the way they are stored on the disk. They do not produce the modified signatures by changing their code.

Which technology centralizes authentication, accounting, and per-command authorization? A RADIUS B TACACS+ C AD D LDAP

Answer B is correct. Terminal Access Controller Access Control System Plus (TACACS+) centralizes authentication, accounting, and per-command authorization. TACACS+ enables two-factor authentication, enables a user to change passwords, and resynchronizes security tokens. Remote Authentication Dial-In User Service (RADIUS) offers a centralized system for authentication. RADIUS does not offer centralized accounting or per-command authorization, but is more widely supported than TACACS+. Active Directory (AD) is a directory service supported on Windows networks. Lightweight Directory Access Protocol (LDAP) is used to create a connection between directory services or between a directory service and a client.

What technology does the Java language use to minimize the threat posed by applets? A Stealth B Sandbox C Confidentiality D Encryption

Answer B is correct. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.

What port is typically used to accept administrative connections using the SSH utility? A 20 B 22 C 25 D 80

Answer B is correct. The SSH protocol uses port 22 to accept administrative connections to a server.

In which of the following orders is the information packaged during encapsulation? A Data, Packet, Segment, Frame B Data, Segment, Packet, Frame C Packet, Data, Segment, Frame D Segment, Data, Packet, Frame

Answer B is correct. The information is packaged in the following order during encapsulation: Data, Segment, Packet, Frame.

Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level? A No read down property B No read up property C No write up property D (star) Security Property

Answer B is correct. The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher-security-level object.

In the context of backup media, what is meant by the term retention time? A the amount of time a tape takes to back up the data B the amount of time a tape is stored before its data is overwritten C the amount of time a tape takes to restore the data D the amount of time a tape is used before being destroyed

Answer B is correct. The retention time is the amount of time a tape is stored before its data is overwritten. The longer the retention time, the more media sets will be needed for backup purposes. A longer retention time will give you more flexibility for restoration. The backup time is the amount of time a tape takes to back up the data. It is based on the speed of the device and the amount of data being backed up. The life of a tape is the amount of time a tape is used before being destroyed. The life of a tape is based on the amount of time it is used. Most vendors provide an estimate on backup media life. The restoration time is the amount of time a tape takes to restore the data. It is based on the speed of the device, the amount of data being restored, and the type of backups used. When selecting backup devices and media, you should consider the physical characteristics or type of the drive. The type of the drive includes the media type, capacity, and speed. You should also consider the rotation scheme. The rotation scheme includes the frequency of backups and the tape retention time.

Which service provided by a cryptosystem turns information into unintelligible data? A nonrepudiation B confidentiality C integrity D authorization

Answer B is correct. The service provided by a cryptosystem that turns information into unintelligible data is confidentiality. Nonrepudiation ensures that the sender of the data cannot deny having sent the data. Authorization allows users to access a resource once their identity is proven. Integrity ensures that data has not been changed by an unauthorized user since the data was created, transmitted, or stored.

When all system testing and bug correction has been done, the software product will be delivered to the user for __________. A white-box testing B acceptance testing C black-box testing D stress testing

Answer B is correct. When all system testing and bug correction has been done, the software product is delivered to the user for acceptance testing, which is conducted on the project's completion. Basically, acceptance testing is done by the user; sometimes stakeholders may be involved. This test is used to establish confidence in the system and focuses on validation-type testing. Answer A is incorrect because white-box testing examines the internal logical structures of a program and steps through the code line by line, analyzing the program for potential errors. Answer D is incorrect because stress testing tests the stress limits of a system (maximum number of users, peak demands, and so on). Answer C is incorrect because black-box testing examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output.

An organization wants to implement the access control model that is easiest to administer. Which access control model should they use? A DAC B RBAC C ACL D MAC

Answer B is correct. They should use role-based access control (RBAC). RBAC is the easiest access control model to administer. With RBAC, each user is assigned to one or more roles. Object permissions are granted to the roles. The roles are easily determined based on the roles defined within the organization. Examples of roles include data entry clerk, bank teller, loan manager, network manager, and so on. In this way, RBAC can be mapped to the organizational structure of the company. An access control list (ACL) is not an access control model. It is an access control entity that gives a table of subjects and the level of access granted to a particular object. Mandatory access control (MAC) is usually considered difficult to implement because of several factors. First, a specialized operating system is required for proper implementation. Also, each subject and object must be assigned a security label. These labels are used to determine access rights. Discretionary access control (DAC), while easier to administer than MAC, is not as easy to administer as RBAC. DAC requires that the data owner determine the level of object access that should be granted to each subject. Subjects can be users or groups of users. DAC is the easiest access control method to implement. DAC and MAC can be effectively replaced by RBAC.

Which hashing algorithm uses a 192-bit hashing value and was developed for 64-bit systems? A MD5 B Tiger C HAVAL D SHA

Answer B is correct. Tiger uses a 192-bit hashing value and was developed for 64-bit systems. None of the other hashing algorithms was developed for 64-bit systems. HAVAL uses a variable-length hash. Secure Hash Algorithm (SHA) uses a 160-bit hash value. Message Digest 5 (MD5) uses a 128-bit hash value.

How many possible keys exist in a 4-bit key space? A 8 B 16 C 128 D 4

Answer B is correct. To determine the number of keys in a key space, raise 2 to the power of the number of bits in the key space. In this example, 2^4 = 16.

You are implementing enterprise access management for your company. You need to ensure that the system you implement allows you to configure a trust with another company such that your users can access the other company's network without logging in again. What should you implement to ensure that this trust can be configured? A biometrics B federated identity management C password management D smart cards

Answer B is correct. To ensure that you can configure a trust with another company that allows your users to access the other company's network without logging in again, you should implement federated identity management. Federated identity management allows single sign-on (SSO) between companies. Password management is necessary in any enterprise access management implementation. If passwords are not managed properly, security breaches are likely to occur. However, password management will not ensure that the trust between the companies can be configured. Smart cards provide a more secure login and authentication mechanism than passwords. However, smart cards will not ensure that the trust between the companies can be configured. Biometrics provides a more secure login and authentication mechanism than passwords or smart cards. However, biometrics will not ensure that the trust between the companies can be configured. Enterprise access management (EAM) provides access control management services to Web-based enterprise systems. EAM provides SSO, role-based access control, and accommodation of a variety of authentication mechanisms, including passwords, smart cards, and biometrics.

Which entity must certify the public key pair of a root CA? A an external CA B a subordinate CA C the root CA D a Kerberos server

Answer C is correct. A root certificate authority (CA) must certify its own public key pair. An organization may also want to have a root CA's public key pair certified by an external CA for added security and confidence in the key pair. Neither a subordinate CA nor a Kerberos server is used to certify a root CA's key pair.

You have been hired as the security administrator for an organization that uses mandatory access control (MAC). When using this type of access control, which entities make up a security label? A roles and privileges B classification and categories C definitions and permissions D identities and rights

Answer B is correct. When using mandatory access control (MAC), a security or sensitivity label is comprised of a classification and different categories. The classification indicates the sensitivity level of the subject or object, such as secret or top-secret. The different categories enforce the need-to-know rules by categorizing the subjects and objects into categories, such as human resources and accounting. The categories should be determined by the organization based on the organization's access control needs. The other entities are not valid parts of a security label. MAC is more prohibitive in nature. Therefore, it is more secure than discretionary access control (DAC). However, DAC is more flexible and scalable than MAC. MAC defines security levels that are imposed on all subjects and objects.

Given two messages, M1 and M2, what is the LEAST likely outcome when using the same one-way hash function, H, to encrypt the messages? A H(M1) is not equal to H(M2) B H(M1) = H(M2) C H(M1) < H(M2) D H(M1) > H(M2)

Answer B is correct. When using the same one-way hash function to encrypt two different messages, the least likely outcome is that H(M1) = H(M2). When you apply a hash function to two different messages, it is unlikely that the two resulting hash values will be the same. This means that it is computationally infeasible for two messages to have the same hash value. Because of this, one-way hashes are collision free. All of the other options are more likely to occur than the two results being the same. For a cryptographic hash function, H(M) is relatively easy to compute for a given message. Hash functions generate a fixed-length result that is independent of the length of the input message. One-way functions are difficult or impossible to invert.

One of the planned international offices will perform highly sensitive tasks for a governmental entity. For this reason, you must ensure that the company selects a location where a low profile can be maintained. On which of the following criteria do you base your facility selection? A accessibility B visibility C surrounding area D construction

Answer B is correct. You are concerned with visibility. The amount of visibility depends on the organization and the processes carried out in the facility. In the case of this office, you need to ensure that the company selects a location where a low profile can be maintained. Accessibility is the ease with which employees and officers can access the facility. Construction determines the building materials used to construct the facility. Surrounding area is the environment in which the facility is located, and is primarily concerned with the local crime rate and distance to emergency services. None of these factors is relevant to maintaining a low profile.

As a part of the incident response team, you have been given a procedures document that identifies the steps you must complete during a forensic investigation. When should the evidence collection step be completed? A after the incident has been identified only B after the incident has been identified and the evidence has been preserved C after the incident has been identified, the evidence has been preserved, and the evidence has been analyzed D after the evidence has been preserved only

Answer B is correct. You should complete the evidence collection step after the incident has been identified and the evidence has been preserved. The proper steps in a forensic investigation are as follows: Identification - This step can include event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis. Preservation - This step can include imaging technologies, chain of custody standards, and time synchronization. Collection - This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. Examination - This step can include traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. Analysis - This step can include traceability, statistical analysis, protocol analysis, data mining, and timeline determination. Presentation - This step can include documentation, expert testimony, clarification, mission impact statement, recommended countermeasures, and statistical interpretation. Decision - This step can include management reports, court decisions, and internal decisions.

During a recent security audit at your organization, a rogue subject was discovered. You need to discover the access rights for this subject only. Which entity should you review? A access control list (ACL) B capability table C group D access rights function

Answer B is correct. You should review the subject's capability table. A capability table is used to display the access rights for a subject pertaining to a certain table. Subjects are bound to capability tables. A group is a subset of users that are grouped together based on their role, department membership, or other qualifying criteria that the system administrator determines. Permissions can be assigned to groups to reduce administrative effort for configuring access. An access control list (ACL) is used to display the access rights subjects can take upon objects. Objects are bound to ACLs. There is no such thing as an access rights function. The access control matrix model ensures that the appropriate access for objects is granted to subjects. It consists of a list of subjects, a list of objects, a function that returns an object's type, and the matrix itself, where objects are columns and subjects are rows. This model is commonly implemented using ACLs and capability tables. The rows of an access control matrix indicate the capabilities that a user has to a number of resources. The columns of an access control matrix indicate the capabilities that multiple users have to a single resource.

You are using a network analyzer to monitor traffic on your network. Users report that sessions are hanging intermittently throughout the day. You suspect that your network is under attack. You decide to use the network analyzer to determine the problem. Which information should you examine? A protocol statistics B packet capture C station statistics D port statistics

Answer B is correct. You should use packet capture information to examine the sessions that are hanging intermittently throughout the day. You will need to examine the packets being sent and determine which devices failed to respond. A packet capture provides detailed information on each packet on your network. All of the other options should only be used if you know which protocol, station (device), or port is the cause of the problem. You should not use protocol statistics for this problem because you are not sure which protocol, if any, is causing the problem.

Your company follows a full/incremental strategy as a backup solution. The full/incremental strategy starts with a full backup each Saturday evening and an incremental backup all other evenings. Assume that each of the backups was stored on a different tape. If the system crashed on Monday morning, how many tapes would you need to recover the data? A one B two C four D three

Answer B is correct. You would first need to recover the full backup from Saturday. Because the incremental backups would be backing up different data each day of the week, each of the incremental backups must be restored in chronological order. Because the system crashed on Monday morning, you will need to restore two backups: the full backup from Saturday evening and the incremental backup from Sunday evening. When incremental backups are included in your backup plan, you will need to restore the full backup and all incremental backups that have been taken since the full backup. Because the failure occurred on Monday morning, only the full Saturday backup and the incremental Sunday backup need to be restored. If the crash had occurred on Tuesday morning, you would have needed to restore three backups: Saturday evening's full backup, Sunday evening's incremental backup, and Monday evening's incremental backup. If the crash had occurred on Wednesday morning, you would have needed to restore four backups: Saturday evening's full backup, Sunday evening's incremental backup, Monday evening's incremental backup, and Tuesday evening's incremental backup.

Which type of malicious code is hidden inside an otherwise benign program when the program is written? A a worm B a logic bomb C a Trojan horse D a virus

Answer C is correct. A Trojan horse is a type of malicious code that is embedded in an otherwise benign program when the program is written. A Trojan horse is typically designed to do something destructive when the infected program is started. Trojan horses, viruses, worms, and logic bombs are all examples of digital pests. Software development companies should consider reviewing code to ensure that malicious code is not included in their products. A virus is added to a program file after a program is written. A virus is often associated with malicious programs that are distributed in e-mail messages. A worm creates copies of itself on other computers through network connections. A logic bomb is designed to initiate destructive behavior in response to a particular event. For example, a logic bomb might be programmed to erase a hard disk after 12 days.

Which type of error occurs when an invalid subject is authenticated? A Type 4 B Type 1 C Type 2 D Type 3

Answer C is correct. A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication. The ratio of Type 2 errors to valid authentications is called the FAR (false acceptance rate). For example, hacker Joe doesn't have an account, but he uses his fingerprint to authenticate and the system recognizes him. Answer B is incorrect because a Type 1 error occurs when a valid subject is not authenticated. This is also known as a false negative authentication. Answers D and A are incorrect because there are no such types of errors.

What defines the minimum level of security? A standards B procedures C baselines D guidelines

Answer C is correct. A baseline defines the minimum level of security and performance of a system in an organization. A baseline is also used as a benchmark for future changes. Any change made to the system should match the defined minimum-security baseline. A security baseline is defined through the adoption of standards in an organization. Guidelines are the actions that are suggested when standards are not applicable in a particular situation. Guidelines are applied where a particular standard cannot be enforced for security compliance. Guidelines can be defined for physical security, personnel, or technology in the form of security best practices. Standards are the mandated rules that govern the acceptable level of security for hardware and software. Standards also include the regulated behavior of employees. Standards are enforceable and are the activities and actions that must be followed. Standards can be defined internally in an organization or externally as regulations. Procedures are the detailed instructions used to accomplish a task or a goal. Procedures are considered at the lowest level of an information security program because they are closely related to configuration and installation problems. Procedures define how the security policy will be implemented in an organization through repeatable steps. For instance, a backup procedure specifies the steps that a data custodian should adhere to while taking a backup of critical data to ensure the integrity of business information. Personnel should be required to follow procedures to ensure that security policies are fully implemented. Procedural security ensures data integrity.

Which of the following is a collaborative cloud deployment model in which infrastructure is shared between several organizations from a specific community with common goals? A Hybrid cloud B Public cloud C Community cloud D Private cloud

Answer C is correct. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns in the areas of security, compliance, jurisdiction, and so on. Answer B is incorrect. A public cloud deployment model includes assets available for any consumers to rent or lease and is hosted by an external CSP. It is accessible publicly and is owned by a third-party cloud provider. Answer D is incorrect. A private cloud deployment model includes cloud-based assets for a single organization. It can be created and hosted by organizations using their own resources. Answer A is incorrect. A hybrid cloud deployment model includes a combination of public and private clouds and thus, does not provide cloud-based assets to two or more organizations. The creation and maintenance of this model is a complex process due to the potential disparity in cloud environments.

Which of the following statements is true of a digital certificate? A It is a process of finding a unique fixed-length mathematical derivation (hashes) of a plaintext message. B It is a message digest that is encrypted using the sender's private key. C It binds the identity of an individual to a key pair. D It is a specific construction for calculating a Message Authentication Code (MAC) involving a cryptographic hash function in combination with a secret key.

Answer C is correct. A digital certificate binds the identity of an individual to a key pair. A digital certificate is an electronic credit card that establishes an individual's credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains the name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Answer B is incorrect. A digital signature is a message digest that is encrypted using the sender's private key. Answer A is incorrect. Hashing is a process of finding a unique fixed-length mathematical derivation (hashes) of a plaintext message. Answer D is incorrect. Hash-based Message Authentication Code (HMAC) is a specific construction for calculating a Message Authentication Code (MAC) involving a cryptographic hash function in combination with a secret key.

Which of the following disaster recovery tests includes the operations that shut down at the primary site and are shifted to the recovery site according to the disaster recovery plan? A Parallel B Structured walk-through C Full-interruption D Simulation

Answer C is correct. A full-interruption test includes operations that shut down at the primary site and are shifted to the recovery site according to the disaster recovery plan. It operates just like a parallel test. The full-interruption test is very expensive and difficult to arrange. Sometimes, it causes a major disruption of operations if the test fails. Answer B is incorrect. The structured walk-through test is also known as the table-top exercise. In a structured walk-through test, team members walk through the plan to identify and correct weaknesses and determine how they will respond to the emergency scenarios by stepping through the course of the plan. It is the most effective and competent way to identify the areas of overlap in the plan before conducting more challenging training exercises. Answer A is incorrect. A parallel test is the next level in the testing procedure; it relocates the employees to an alternate recovery site and implements site activation procedures. These employees carry out their disaster recovery responsibilities as they would for an actual disaster. The disaster recovery sites have full responsibility to conduct the organization's day-to-day business. Answer D is incorrect. A simulation test is a method used to test the disaster recovery plans. It operates just like a structured walk-through test. In the simulation test, members of a disaster recovery team are presented with a disaster scenario and then discuss appropriate responses. These suggested responses are measured and some of them are taken by the team. The range of the simulation test should be defined carefully to avoid excessive disruption of normal business activities.

Which access control model is usually associated with a multi-level security policy? A role-based access control (RBAC) B discretionary access control (DAC) C mandatory access control (MAC) D rule-based access control

Answer C is correct. A multi-level security policy is usually associated with mandatory access control (MAC). In MAC, sensitivity labels, also called security labels, are attached to all objects. These sensitivity labels contain a classification. For a subject to have write access to an object in a multi-level security policy, the subject's sensitivity label must dominate the object's sensitivity label. Mandatory access controls rely on the use of labels for subjects and objects. Rule-based access control is an access control technique, not an access control model. Role-based access control (RBAC) allows access to resources to be controlled by the user's role. Discretionary access control (DAC) allows the resource owner to determine the level of access that users have.

Which type of firewall is considered a second-generation firewall? A packet-filtering firewall B kernel proxy firewall C proxy firewall D dynamic packet-filtering firewall

Answer C is correct. A proxy firewall is a second-generation firewall, meaning it was the second type created. Other types followed. A kernel proxy firewall is a fifth-generation firewall, and a packet-filtering firewall is a first-generation firewall. A dynamic packet-filtering firewall is a fourth-generation firewall. Third-generation firewalls typically use a system that examines the state and context of incoming packets. This type of firewall tracks protocols that are considered connectionless, such as User Datagram Protocol (UDP).

Which network device acts as an Internet gateway, firewall, and Internet caching server for a private network? A IDS B VPN C proxy server D IPS

Answer C is correct. A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network. Hosts on the private network contact the proxy server with an Internet Web site request. The proxy server checks its cache to see if a locally stored copy of the site is available. If not, the proxy server communicates with its Internet connection to retrieve the Web site. The proxy server is virtually invisible to the client and the Internet connection. A proxy server can be configured to allow only outgoing Hypertext Transfer Protocol (HTTP) traffic by configuring which users have permissions to access the Internet via the proxy server. A virtual private network (VPN) is a private network that users can connect to over a public network. An intrusion detection system (IDS) is a network device that detects network intrusion and either logs the intrusion or contacts the appropriate personnel. An intrusion prevention system (IPS) is a network device that detects network intrusion attempts and prevents the network intrusion. An IPS provides more security than an IDS because it actually provides prevention, not just detection.

Which security threat is a software application that displays advertisements while the application is executing? A spyware B virus C adware D worm

Answer C is correct. Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware that monitors your Internet usage and personal information. Some adware will even allow credit card information theft. A worm is a program that spreads itself through network connections. Spyware often uses tracking cookies to collect and report on a user's activities. Not all spyware is adware, and not all adware is spyware. Spyware requires that your activities be monitored and tracked; adware requires that advertisements be displayed. A virus is malicious software (malware) that relies upon other application programs to execute itself and infect a system.

What should you use to connect a computer to a 100BaseTX Fast Ethernet network? A Use a CAT5 UTP cable with an RJ-11 connector. B Use an RG-58 cable with a BNC connector. C Use a CAT5 UTP cable with an RJ-45 connector. D Use a fiber-optic cable with an ST connector. E Use a fiber-optic cable with an SC connector.

Answer C is correct. Among the available choices, you should use Category 5 unshielded twisted-pair (CAT5 UTP) cable and RJ-45 connectors to connect a computer to a 100BaseTX Ethernet network. On a 100BaseTX network, you can use two pairs of either CAT5 UTP or Type 1 shielded twisted-pair (STP) cable. RJ-45 connectors typically connect computers to a 100BaseTX network. Although an RJ-45 connector is similar in appearance to a standard RJ-11 telephone connector, an RJ-45 connector is wider than an RJ-11 connector. Additionally, an RJ-45 connector supports eight wires, whereas an RJ-11 connector supports up to six wires. RG-58 coaxial cable and BNC connectors, including BNC barrel connectors and BNC T connectors, are used on 10Base2 Ethernet networks. BNC terminating resistors are also required on both ends of the 10Base2 bus to prevent signals from bouncing back into the cable and corrupting data. Some coaxial implementations require fixed spacing between the connections; twisted-pair cabling has no such requirements. Fiber-optic cable, such as 62.5/125 multimode cable and 8/125 single-mode cable, is used on some types of Ethernet networks, such as 10BaseFB Ethernet and 100BaseFX Fast Ethernet networks. Fiber-optic cables use LC, SC, and ST connectors. Fiber-optic cable has three basic physical elements: the core, the cladding, and the jacket. The core is the innermost transmission medium, usually made of glass or plastic. The next outer layer, the cladding, is also made of glass or plastic with different properties than the core, and helps to reflect the light back into the core. The outermost layer, the jacket, provides protection from heat, moisture, and other environmental elements. CAT1, CAT3, CAT5, CAT5e, and CAT6 cable are all twisted-pair technologies.

Your organization includes an Active Directory domain with three domain controllers. Users are members of organizational units (OUs) that are based on departmental membership. Which type of database model is used in the domain? A an object-oriented database model B a relational database model C a hierarchical database model D an object-relational database model

Answer C is correct. An Active Directory domain, which uses the Lightweight Directory Access Protocol (LDAP), is a hierarchical database model. A hierarchical database model uses a logical tree structure. LDAP is the most common implementation of a hierarchical database model. A relational database model is not used in the scenario. A relational database model uses rows and columns to arrange data and presents data in tables. The fundamental entity in a relational database is the relation. Relational databases are the most popular. Microsoft's SQL Server is a relational database. An object-oriented database model is not used in this scenario. An object-oriented database (OODB) model can store graphical, audio, and video data. A popular object-oriented database is db4objects from Versant Corporation. An object-relational database model is not used in this scenario. An object-relational database is a relational database with a software front end written in an object-oriented programming language. Oracle 11g is an object-relational database. Another type of database model is the network database model. This database model expands the hierarchical database model. A network database model allows a child record to have more than one parent, while a hierarchical database model allows each child to have only one parent.

What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects? A Clark-Wilson B Biba C Access control matrix D Separation of duties

Answer C is correct. An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list. Answer D is incorrect. The separation of duties mechanism ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances. Answer B is incorrect. The Biba Model describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. Answer A is incorrect. The Clark-Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark-Wilson model defines each data item and allows modifications through only a small set of programs.

Which entity can an administrator use to designate which users can access a file? A a proxy server B a NAT server C a firewall D an ACL

Answer D is correct. An access control list (ACL) is a security mechanism that is used to designate which users can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. The DAC model uses ACLs to identify the users who have permissions to a resource. A firewall allows and denies network access through communications ports. A NAT server presents public Internet Protocol (IP) addresses to the Internet on behalf of computers on a private network. A proxy server can be used to enable hosts to access Internet resources. A proxy server can increase the performance of a network by caching Web pages, which can reduce the amount of time required for clients to access Web pages.

Management has requested that you implement controls that take corrective action against threats. Which entity is an example of this type of control? A backups B audit trails C business continuity planning D separation of duties

Answer C is correct. Business continuity planning is an example of a corrective control. Corrective controls are controls that take corrective action against threats. Audit trails are an example of detective controls. Detective controls are controls that detect threats. Backups are an example of recovery and compensative controls. Recovery controls are controls that recover from an incident or failure. Compensative controls are controls that provide an alternate measure of control. To restore a system and its data files after a system failure, you should implement the recovery procedures. Recovery procedures could include proper steps of rebuilding a system from the beginning and applying the necessary patches and configurations. Separation of duties is an example of a preventative control. Directive controls are controls that tell users what is expected of them and what is considered inappropriate. Recovery controls are controls that describe the actions to take to restore a system to its normal state after a disaster occurs.

What is typically part of an information policy? A acceptable use B authentication C classification of information D employee termination procedure

Answer C is correct. Classification of information is typically part of an information policy. A company usually has at least two information classifications: public and proprietary. Public information can be revealed to the public, and proprietary information can only be shared with individuals who have signed a non-disclosure agreement. Some companies also use a restricted classification; only a small group of individuals within the company can access restricted information. The cornerstone of a well-defined information policy is to limit each individual's access to the information that the individual needs to know to perform required functions. Authentication is typically part of a company's security policy. Acceptable use is typically part of a company's computer use policy; an acceptable use policy typically stipulates that employees use computers and other equipment only for company work. An employee termination procedure is typically part of a company's management policies, which also include new-hire and transfer procedures. Termination procedures should include disabling a user's network access account no later than the end of the employee's last day with the company. Because a network is vulnerable to attack by employees who are being terminated, most companies do not give advance notice to terminated employees, and it is common practice to escort the terminated employee from the time they are informed until they leave company facilities. This limits the possibility that the person will damage company equipment or harm other personnel. In the event of an unfriendly termination, it is essential that system access be removed as quickly as possible after termination.

Which service provided by a cryptosystem is most important for the military? A nonrepudiation B authentication C confidentiality D integrity

Answer C is correct. Confidentiality is the most important service a cryptosystem provides for the military, whose primary concern is keeping classified information secret. Integrity and confidentiality are both important to financial institutions; integrity ensures that data has not been changed. Nonrepudiation is important when an agency must prove that a sender cannot deny having sent a message, which is what matters in a legal dispute. Authentication confirms who sent the message.

The research department at your company has decided to implement a new file server. The department manager will be responsible for granting access to the folders and files based on a user's or a group's identity. Which type of access control model is being used? A MAC B RBAC C DAC D ACL

Answer C is correct. Discretionary access control (DAC) is based on identity. This identity can be a user's identity or a group's identity, and is sometimes referred to as identity-based access control. DAC is the type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access. An access control list (ACL) is not an access control model, although it is used in a DAC model. It is an access control entity that lists user access levels to a given object. Mandatory access control (MAC) is a model based upon security labels. Role-based access control (RBAC) is a model based upon user roles. An access control model should be applied in a preventative manner. A company's security policy determines which access control model will be used.

You have been specifically asked to implement a stream cipher. Which cryptographic algorithm could you use? A RC6 B MD5 C RC4 D RC5

Answer C is correct. RC4 is a stream cipher. Stream and block ciphers are the two main types of symmetric algorithms. A block cipher processes a fixed-size block of bits (for example 64 or 128 bits) at a time; a stream cipher generates a keystream from the key and combines it with the plaintext one bit or byte at a time, usually with XOR, so the same keystream must never be reused under one key. RC5 and RC6 are block ciphers. RC4, RC5, and RC6 are ciphers, not hash functions, and do not provide one-way hashing. Note that RC4 has known keystream biases and is prohibited in TLS by RFC 7465; it is still the expected exam answer here, but it should not be used in new designs. MD5 is a one-way hashing algorithm. One-way hashing takes input of variable length and produces a hash value of fixed length. The hash value is sent with the message and recomputed at the receiver's end with the same algorithm; if the recomputed hash matches the received one, the message was not altered in transit. An unkeyed hash on its own only detects accidental change, because an attacker who alters the message can simply recompute the hash, which is why a MAC or digital signature is needed to detect deliberate tampering. MD2, MD4, and MD5 all take a message of arbitrary length and produce a 128-bit message digest. Hashing algorithms include MD2, MD4, MD5, HAVAL, and the Secure Hash Algorithm (SHA) variants.
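The stream-cipher distinction above, as an added example that is not part of the original page: a from-scratch RC4 (key-scheduling algorithm plus keystream generator) in Python, checked against the published RC4 test vector for key "Key" and plaintext "Plaintext", followed by a demonstration of why a stream cipher keystream must never be reused under the same key. The function names and the two "attack at ..." messages are my own constructions; RC4 is shown only because the question names it and should not be used in new systems.

```python
# Added example, not from the original page: RC4 implemented from scratch to
# show what a stream cipher does, plus a demonstration of keystream reuse.
# RC4 is used only because the question names it; it is broken (biased
# keystream) and prohibited in TLS by RFC 7465. Do not use it in new code.
# Test vector (key "Key", plaintext "Plaintext") is the public RC4 vector;
# the "attack at ..." messages are constructed for the reuse demonstration.


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key scheduling + generation)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key.
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        yield state[(state[i] + state[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each data byte with the next keystream byte.
    XOR is its own inverse, so the same call decrypts."""
    keystream = rc4_keystream(key)
    return bytes(b ^ next(keystream) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two messages encrypted under one key share the keystream, so
    c1 XOR c2 == m1 XOR m2: the key drops out and an eavesdropper sees the
    XOR of the two plaintexts without knowing the key at all."""
    return xor_bytes(rc4(key, m1), rc4(key, m2))


def recover_second_plaintext(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """If the attacker knows (or guesses) m1, XORing it into c1 XOR c2 yields
    m2 outright. Only the two ciphertexts and m1 are used in the recovery;
    `key` is passed here just so the demo can produce the ciphertexts."""
    return xor_bytes(keystream_reuse_leak(key, m1, m2), m1)


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex())                      # bbf316e8d940af0ad3
    print(rc4(b"Key", ct))               # b'Plaintext'
    print(recover_second_plaintext(b"Key", b"attack at dawn", b"attack at dusk"))
```

The last call is the classic "two-time pad" failure: nothing about RC4 specifically is attacked, only the fact that the same key (and therefore the same keystream) covered two messages, which is why stream ciphers need a per-message nonce or a fresh key.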

Which one of the following storage locations provides a good option when the organization does not know where it will be when it tries to recover operations? A Field office B Primary data center C IT manager's home D Cloud computing

Answer D is correct. Cloud computing services provide an excellent location for backup storage because they are accessible from any location.

To what does ISO 15408 refer? A TCSEC B ITSEC C Common Criteria D security policy

Answer C is correct. ISO/IEC 15408 is the Common Criteria (CC), which is used to evaluate the security properties of information technology (IT) products and systems, such as operating systems, applications, and other hardware, firmware, and software. The Information Technology Security Evaluation Criteria (ITSEC), a European scheme, evaluates functionality and assurance separately, unlike the Trusted Computer System Evaluation Criteria (TCSEC), in which functionality and assurance are bundled together for evaluation. The U.S. Department of Defense (DoD) developed TCSEC to evaluate and rate the effectiveness, assurance, trustworthiness, and functionality of operating systems, applications, and security products; the criteria were published in a book known as the Orange Book. A security policy is a set of rules that define how sensitive information is protected and managed, and it defines the security mechanisms that should be implemented to achieve the security objectives. The Common Criteria is an internationally recognized standard for evaluating IT products. It reduces the complexity of the ratings and lets vendors build products for international markets under a single evaluation. The Common Criteria addresses functionality (what a product does) and assurance (confidence that it does so predictably and consistently), and it assigns an Evaluation Assurance Level (EAL1 through EAL7). Unlike the Orange Book, which rates a product against fixed divisions derived from the Bell-LaPadula model, the Common Criteria evaluates a product against a protection profile (the security requirements for a class of products) and the vendor's security target.

In which of the following access controls can a user access resources according to his role in the organization? A DAC B MAC C RBAC D ABAC

Answer C is correct. In RBAC (role-based access control), a user can access resources according to his or her role in the organization. Roles are granted the privileges appropriate to a job or task; subjects are placed into roles and inherit the privileges assigned to those roles. Answer A is incorrect. DAC (discretionary access control) allows the owner or creator of an object to control and define subject access to that object. Answer B is incorrect. MAC (mandatory access control) uses security labels that the system, not the owner, assigns to subjects and objects; access is decided by comparing the labels against a fixed policy. Answer D is incorrect. In ABAC (attribute-based access control), access is granted by evaluating policy rules against attributes of the subject, the object, the requested action, and the environment (for example department, clearance, data classification, or time of day), rather than by a static assignment of rights to the subject.

You have been asked to provide scoping and tailoring guidance for an organization's security controls. Which of the following guidelines is NOT true regarding this process? A Tailoring matches security controls to the needs of the organization. B Scoping provides instruction to an organization on how to apply and implement security controls. C Scoping and tailoring are closely tied to access control lists. D Scoping and tailoring allow an organization to narrow its focus.

Answer C is correct. It is NOT true to state that scoping and tailoring are closely tied to access control lists. Scoping and tailoring are closely tied to the security baselines, not the access control lists. Scoping provides instruction to an organization on how to apply and implement security controls. Tailoring matches security controls to the needs of the organization. Scoping and tailoring will allow an organization to narrow its focus to identify and address the appropriate risks.

What does the message authentication code (MAC) ensure? A message confidentiality B message replay C message integrity D message availability

Answer C is correct. A message authentication code (MAC), sometimes also called a message integrity code (MIC), ensures the integrity of a message and authenticates its origin: it is a keyed function of the message, so only a party holding the secret key can produce or verify a valid tag. A MAC does not provide confidentiality and cannot ensure the availability of the data or the system. A MAC does not "ensure" message replay, and on its own it does not prevent replay either: a captured message and its valid tag can be resent unchanged and will still verify. Replay protection requires additional state such as sequence numbers, timestamps, or nonces included in the data that the MAC covers. A plain one-way hash uses no key. It converts a message of arbitrary length into a value of fixed length; given the digest it should be computationally infeasible to find a corresponding message, and it should be infeasible to find two different messages with the same digest. Because a bare hash is unkeyed, an attacker who intercepts a message (for example through a man-in-the-middle attack) can alter it and simply recompute the hash, so a hash alone does not protect integrity against an active attacker. A MAC fixes this by mixing a secret key, known only to the sender and the authorized recipient, into the computation. There are two basic types of MAC: HMAC and CBC-MAC. HMAC combines a symmetric key with a hash function: the key is XORed with an inner and an outer padding constant and the message is hashed twice, HMAC(K, m) = H((K XOR opad) || H((K XOR ipad) || m)). HMAC provides data integrity and data origin authentication but not confidentiality. In CBC-MAC the message is encrypted with a symmetric block cipher in CBC mode and the final block is the tag (CMAC is its standardized variant). Some MAC algorithms use stream ciphers as well. MACs were developed to prevent fraud in electronic funds transfers and are widely used in financial messaging.
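An added example, not from the original page: the HMAC construction written out over hashlib's SHA-256 as in RFC 2104 and checked against the published test vector (key "key", message "The quick brown fox jumps over the lazy dog"), a receiver that shows why an unkeyed hash can simply be recomputed by an attacker while a MAC cannot, and a sequence-number check showing that replay protection has to be added on top of the MAC. The shared key, the "pay ..." messages and the sequence numbers are constructed for the demonstration, and the helper names are mine.

```python
# Added example, not from the original page: HMAC-SHA256 written out as in
# RFC 2104 on top of hashlib, a receiver that shows why an unkeyed hash is no
# defence against an active attacker, and a sequence-number check showing that
# a MAC alone does not stop replay. The key, messages and sequence numbers
# used with it are constructed for the demonstration.
import hashlib
import hmac as stdlib_hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes
IPAD, OPAD = 0x36, 0x5C


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where K' is the
    key padded to the block size (hashed first if longer than a block)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner_key = bytes(b ^ IPAD for b in key)
    outer_key = bytes(b ^ OPAD for b in key)
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written HMAC against the standard library."""
    expected = stdlib_hmac.new(key, message, hashlib.sha256).digest()
    return stdlib_hmac.compare_digest(hmac_sha256(key, message), expected)


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == would let timing reveal how many
    leading tag bytes an attacker already had right."""
    return stdlib_hmac.compare_digest(hmac_sha256(key, message), tag)


# Unkeyed hash: the "integrity check" is one the attacker can redo himself.
def hash_only_receiver_accepts(message: bytes, digest: bytes) -> bool:
    return hashlib.sha256(message).digest() == digest


def attacker_rewrites_hash_only(new_message: bytes):
    """No secret is involved, so the attacker recomputes the digest for the
    altered message and the receiver cannot tell the difference."""
    return new_message, hashlib.sha256(new_message).digest()


# Keyed MAC plus freshness: the sequence number sits inside the MAC'd data.
def send(key: bytes, seq: int, message: bytes):
    data = seq.to_bytes(8, "big") + message
    return seq, message, hmac_sha256(key, data)


class Receiver:
    """Accepts a message only if the tag verifies AND the sequence number is
    fresh. Without the second check a captured (seq, message, tag) triple
    could simply be resent: the MAC would still verify."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, seq: int, message: bytes, tag: bytes) -> bool:
        data = seq.to_bytes(8, "big") + message
        if not verify(self.key, data, tag):
            return False  # altered message, altered seq, or wrong key
        if seq <= self.last_seq:
            return False  # replay (or out-of-order delivery)
        self.last_seq = seq
        return True
```

In practice you would call the standard library's hmac module rather than this hand-written version; the point of spelling it out is that the key enters the hash twice (inner and outer), which is what defeats length-extension forgeries against the naive H(key || message) construction.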

Which statement is true of network address hijacking? A It uses ICMP echo messages to identify the systems and services that are up and running. B It involves flooding the target system with malformed fragmented packets to disrupt operations. C It allows the attacker to reroute data traffic from a network device to a personal computer. D It is used for identifying the topology of the target network.

Answer C is correct. Network address hijacking allows an attacker to reroute data traffic from a network device to a computer the attacker controls. Closely related to session hijacking, it enables an attacker to capture and analyze the data addressed to a target system and so gain access to critical resources and user credentials, such as passwords, and to critical systems of an organization. Session hijacking itself involves assuming control of an existing connection after the user has successfully created an authenticated session. A scanning attack is used to identify the topology of the target network. Also referred to as network reconnaissance, scanning involves identifying the systems that are up and running on the target network and verifying the ports that are open, the services that a system is hosting, the type of operating system, and the applications running on a target host; it is the initial information-gathering step before an actual attempt at a security breach. Option A describes a ping sweep, a reconnaissance technique that sends ICMP echo requests to a range of addresses to find systems that are up; it does not describe network address hijacking. A smurf attack also uses ICMP echo messages, but as a denial-of-service (DoS) attack: the attacker sends ICMP echo requests with the source IP address spoofed to that of the target host to IP broadcast addresses, so the target is flooded with echo replies from the entire network and freezes or crashes. Ping of death, bonk, and fraggle are other examples of DoS attacks. Option B describes a teardrop attack, in which the attacker sends a series of malformed, overlapping IP fragments. When the target host tries to reassemble them into the original packet, checking that the incoming fragments belong together, the flawed fragment-reassembly code in its IP implementation causes the system to freeze or crash.

You work for an organization that employs temporary employees on a rotating basis. The organization experiences high employee turnover. Which access control model is best used in this environment? A discretionary access control B identity-based access control C role-based access control D mandatory access control

Answer C is correct. Role-based access control (RBAC) is best used in an environment with high employee turnover. When an employee leaves, it is much easier to add the replacement to the departing employee's role than to reconstruct every individual permission the old employee held. Mandatory access control (MAC) is best used in an environment where confidentiality is the biggest concern; each subject and object is given a security label, and administrative effort in this model can be relatively high because of that. Discretionary access control (DAC) is used in environments where data owners need to control access permissions to their files, and administration is usually decentralized. DAC would be difficult in an environment with high turnover because every data owner would need to be notified of each resignation and replacement. Identity-based access control is usually implemented in DAC environments and should not be used where turnover is high; in a very large environment it becomes an administrative burden.

Which protocol is a dial-up connection protocol that requires both ends of the communication channel be assigned an IP address? A IMAP4 B DLC C SLIP D PPP

Answer C is correct. Serial Line Internet Protocol (SLIP) is an older dial-up connection protocol that requires both ends of the communication channel to be assigned an IP address in advance. SLIP was used over low-speed serial interfaces and provides no authentication, error detection, or address negotiation. Data Link Control (DLC) is a connectivity protocol used to connect IBM mainframe computers with LANs and, in some earlier models, HP printers. Internet Message Access Protocol version 4 (IMAP4) is an e-mail retrieval protocol that some e-mail clients use to read messages on e-mail servers. DLC and IMAP4 are not dial-up protocols. Point-to-Point Protocol (PPP) is a newer dial-up protocol with more advanced features than SLIP: it can negotiate and assign an IP address during link setup (through its IP Control Protocol), so it does not require both ends to be pre-assigned addresses, and it supports authentication (PAP and CHAP) and several network communications protocols, such as TCP/IP, IPX/SPX, and NetBEUI.

Which tool is an intrusion detection system (IDS)? A Tripwire B Nessus C Snort D Ethereal

Answer C is correct. Snort is a network-based intrusion detection system (IDS) that inspects traffic against signature rules and can also run inline as an intrusion prevention system. Nessus is a vulnerability assessment tool. Tripwire is a file integrity checker, which some sources class as a host-based IDS component because it detects unauthorized changes to files. Ethereal is a network protocol analyzer; the project was renamed Wireshark in 2006.

Which of the following is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, or caller ID? A Multicasting B Screen scraping C Spoofing D Whaling

Answer C is correct. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, and so on. In IP spoofing, an attacker modifies packet headers to use someone else's IP address and hide his identity. Because replies go to the forged address rather than to the attacker, IP spoofing is of little use for interactive activities such as browsing the Web or chatting online; it is mainly used in blind or one-way attacks, such as denial-of-service floods, where the attacker does not need the responses. Answer A is incorrect because multicasting is the transmission of data to multiple specific recipients. Answer D is incorrect because whaling is a variant of phishing that targets senior or high-level executives such as CEOs and presidents with email that carries a malicious payload or link. Answer B is incorrect because screen scraping is a technique that lets an automated tool read and interact with an interface built for humans.

Which of the following statements is true of TCSEC? A It has five classifications: A, B, C, D, and E. B It is an ISO standard. C It is a criteria used to validate the security and assurance provided in products. D It is referred to as the Red Book.

Answer C is correct. TCSEC is a set of criteria used to validate the security and assurance provided in products. TCSEC offers a rating system (classes of trust) that can be applied to an organization's information systems. Answer D is incorrect. TCSEC is referred to as the Orange Book, not the Red Book; the Red Book is the Trusted Network Interpretation (TNI) of TCSEC, which extends it to networked systems. Answer A is incorrect. TCSEC has four divisions: A, B, C, and D. Answer B is incorrect. TCSEC is a United States Department of Defense (DoD) standard, not an ISO standard; it sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.

Consider the following IP address: 157.175.12.10/22. How many bits will be used for the host portion of this address? A 16 B 6 C 10 D 22

Answer C is correct. Ten bits are used for the host portion of 157.175.12.10/22. The IP address 157.175.12.10/22 is an example of a "slash x" network, also known as Classless Inter-Domain Routing (CIDR) notation. CIDR is a way of applying a subnet mask to an IP address to optimize address space while ignoring the traditional IP class categories. With classful addressing, 157.175.12.10 is a class B address, which means that 16 bits of the address are used for the network portion and 16 bits for the host portion. With CIDR, the /22 suffix means that 22 bits are used for the network portion, and the host portion uses the remaining 10 bits (32 - 22 = 10), giving 2^10 = 1,024 addresses in the block: network 157.175.12.0, broadcast 157.175.15.255, and 1,022 usable host addresses. In turn, this means the class B space can be divided into smaller, more efficient blocks.
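The /22 arithmetic above, as an added example that is not part of the original page: host bits, mask, network and broadcast addresses and usable host count computed with plain integer operations, then cross-checked against the standard library's ipaddress module. The helper names are mine; the only input taken from the question is 157.175.12.10/22.

```python
# Added example, not from the original page: the /22 arithmetic done with
# integers (host bits, mask, network, broadcast, usable hosts) and a
# cross-check against the standard library's ipaddress module. The helper
# names are mine; the only input from the question is 157.175.12.10/22.
import ipaddress


def ip_to_int(ip: str) -> int:
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_class(ip: str) -> str:
    """Legacy class from the first octet (A: 0-127, B: 128-191, C: 192-223,
    D: 224-239 multicast, E: 240-255 reserved)."""
    first = ip_to_int(ip) >> 24
    for letter, limit in (("A", 127), ("B", 191), ("C", 223), ("D", 239)):
        if first <= limit:
            return letter
    return "E"


def cidr_summary(cidr: str) -> dict:
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # `prefix` ones, then zeros
    network = ip_to_int(ip) & mask                  # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)      # set the host bits
    total = 1 << host_bits
    # /31 point-to-point links (RFC 3021) and /32 host routes have no
    # separate network/broadcast addresses; every larger block loses two.
    usable = total - 2 if host_bits >= 2 else total
    return {
        "classful_class": classful_class(ip),
        "host_bits": host_bits,
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "total_addresses": total,
        "usable_hosts": usable,
    }


def matches_ipaddress(cidr: str) -> bool:
    """Cross-check the hand arithmetic against the ipaddress module."""
    mine = cidr_summary(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (
        mine["network"] == str(net.network_address)
        and mine["broadcast"] == str(net.broadcast_address)
        and mine["netmask"] == str(net.netmask)
        and mine["total_addresses"] == net.num_addresses
    )


if __name__ == "__main__":
    for key, value in cidr_summary("157.175.12.10/22").items():
        print(f"{key:>16}: {value}")
```

The same function answers the inverse exam question (how many hosts does a /x hold) and is handy when writing firewall or ACL rules, where getting the broadcast address of a block wrong silently widens or narrows the match.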

Which security model illustrates the multilevel security mode? A finite transaction model B access model C Bell-LaPadula model D Brewer and Nash model

Answer C is correct. The Bell-LaPadula model illustrates the multilevel security mode because it allows simultaneous processing of classified information across security levels, with access to each level restricted to a selected user base. The model formalizes the U.S. Department of Defense multilevel security policy and is concerned with confidentiality, that is, with preventing information from flowing from higher levels to lower levels. The finite transaction model and the access model are not valid categories of information flow models deploying the multilevel security mode. The Brewer and Nash model, also referred to as the Chinese Wall model, states that access controls for a system change dynamically based on a user's activities and previous access requests; a request may be denied if it presents a conflict of interest. For example, a user from the accounts department may not be allowed to view the financial reports of a sister concern of the same organization. The multilevel security mode assigns sensitivity labels to subjects and objects. Under the Bell-LaPadula simple security property, a subject may read an object only if the subject's label dominates (is higher than or equal to) the object's label ("no read up"); if the subject's label is lower than the object's, read access is denied. Under the *-property, a subject may write to an object only if the object's label dominates the subject's ("no write down"), which prevents a highly cleared subject from copying classified information into a less sensitive object.
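The two Bell-LaPadula rules above, as an added example that is not part of the original page: labels made of a hierarchical level plus a set of compartments, a dominance check over that lattice, and the read ("no read up") and write ("no write down") decisions a reference monitor would make. The level names, compartment names and sample labels are constructed; the function names are mine.

```python
# Added example, not from the original page: Bell-LaPadula read and write
# checks over labels made of a hierarchical level plus a set of compartments
# (categories). A label dominates another when its level is at least as high
# and its compartments are a superset. Level names, compartments and the
# sample labels are constructed.
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        # accept any iterable of compartment names, store an immutable set
        object.__setattr__(self, "compartments", frozenset(self.compartments))

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high, and every compartment of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): object must dominate subject, so a subject
    cannot copy what it has read into a less sensitive or differently
    compartmented object. BLP says nothing about integrity; Biba inverts
    these two rules."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, mode: str) -> str:
    """Reference-monitor style decision for one access request."""
    if mode == "read":
        allowed = can_read(subject, obj)
    elif mode == "write":
        allowed = can_write(subject, obj)
    elif mode == "readwrite":
        # both rules at once forces the labels to be equal
        allowed = can_read(subject, obj) and can_write(subject, obj)
    else:
        raise ValueError(f"unknown access mode {mode!r}")
    return "ALLOW" if allowed else "DENY"


if __name__ == "__main__":
    analyst = Label("SECRET", {"NATO"})
    for name, obj in (("confidential memo", Label("CONFIDENTIAL")),
                      ("top secret plan", Label("TOP SECRET", {"NATO"}))):
        print(f"{name}: read={decide(analyst, obj, 'read')} "
              f"write={decide(analyst, obj, 'write')}")
```

The compartment check is what makes this a lattice rather than a simple ladder: a SECRET subject without the NATO compartment cannot read a SECRET/NATO object even though the levels are equal.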

Which of the following hashing algorithms pads the message to ensure that the message length is a multiple of 16 bytes? A MD5 B SHA-1 C MD2 D MD4

Answer C is correct. Message Digest 2 (MD2) was designed as a hash function for 8-bit processors. It pads the message so that its length is a multiple of 16 bytes (if i bytes are needed, it appends i bytes each with value i), then computes a 16-byte checksum, appends it to the padded message, and produces a 128-bit digest from the whole. Answer B is incorrect. SHA-1 is the successor of the original SHA (SHA-0). It takes input of variable length and produces a 160-bit digest, processing the message in 512-bit blocks; it pads the message with a 1 bit, zeros, and a 64-bit length field so that the total length becomes a multiple of 512 bits. Answer D is incorrect. MD4 was designed for 32-bit processors. It pads the message so that its length is 64 bits short of a multiple of 512 bits and then appends the 64-bit message length. Answer A is incorrect. MD5 also processes the message in 512-bit blocks with the same padding rule as MD4 (pad to 64 bits short of a multiple of 512, then append the 64-bit length); it uses four rounds of computation and produces a 128-bit digest, the same length as MD2 and MD4. MD2, MD4, and MD5 are all considered broken and should not be used where collision resistance matters.
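The two padding rules described in this answer, as an added example that is not part of the original page: the Merkle-Damgard padding shared by MD4, MD5, SHA-1 and SHA-256 (pad to 64 bits short of a 512-bit block, then append the 64-bit length; MD4/MD5 store that length little-endian, the SHA family big-endian) and MD2's byte-count padding to a multiple of 16 bytes. The function names and sample messages are mine; MD2's subsequent 16-byte checksum step is not reproduced.

```python
# Added example, not from the original page: the two padding rules the
# answer describes, written out. md_pad() is the Merkle-Damgard padding used
# by MD4, MD5, SHA-1 and SHA-256 (MD4/MD5 store the length little-endian,
# the SHA family big-endian); md2_pad() is MD2's byte-count padding. The
# sample messages are constructed.


def md_pad(message: bytes, length_byteorder: str = "big",
           block_size: int = 64) -> bytes:
    """Append a single 1 bit (0x80), then zeros until the length is 8 bytes
    (64 bits) short of a multiple of the 64-byte block, then the original
    length in bits as a 64-bit integer."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    while len(padded) % block_size != block_size - 8:
        padded += b"\x00"
    return padded + bit_length.to_bytes(8, length_byteorder)


def md5_pad(message: bytes) -> bytes:
    """MD4 and MD5 write the 64-bit length little-endian."""
    return md_pad(message, "little")


def sha1_pad(message: bytes) -> bytes:
    """SHA-1 and SHA-256 write the 64-bit length big-endian."""
    return md_pad(message, "big")


def padded_bits_mod_512(message: bytes) -> int:
    """Bit length of the body (everything before the length field) mod 512.
    It is always 448, i.e. 64 bits short of a multiple of 512."""
    body = md_pad(message)[:-8]
    return (len(body) * 8) % 512


def md2_pad(message: bytes) -> bytes:
    """MD2: pad with i bytes of value i (1 <= i <= 16) so the length is a
    multiple of 16 bytes. A message already at a multiple of 16 still gets a
    full 16-byte block, so the padding is always unambiguous. (MD2 then
    appends a 16-byte checksum before hashing; that step is not shown.)"""
    i = 16 - (len(message) % 16)
    return message + bytes([i]) * i


def md2_pad_ok(padded: bytes) -> bool:
    """Validate MD2 padding: the last byte says how many pad bytes there are."""
    if not padded or len(padded) % 16:
        return False
    n = padded[-1]
    return 1 <= n <= 16 and padded[-n:] == bytes([n]) * n
```

The "64 bits short" rule is also why a 55-byte message fits in one 64-byte block while a 56-byte message needs two: the 0x80 byte plus the 8-byte length field must always fit after the data.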

Which of the following statements is true related to the RBAC model? A A RBAC model is nonhierarchical. B A RBAC model uses labels. C A RBAC model allows users membership in multiple groups. D A RBAC model allows users membership in a single group.

Answer C is correct. The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple roles; they are not limited to a single role. RBAC models reflect the hierarchy of an organization, and a role hierarchy lets a senior role inherit the permissions of the junior roles beneath it, so RBAC is hierarchical, not nonhierarchical. The mandatory access control (MAC) model, not RBAC, uses assigned labels to identify access.
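An added example, not from the original page, covering the three RBAC answers above (role versus owner-controlled access, RBAC under employee turnover, and multiple role membership with a role hierarchy): a minimal RBAC engine in which a user can hold several roles, a senior role inherits a junior role's permissions, and replacing a departing employee is a single role reassignment, beside a DAC-style per-object ACL walk showing how many separate owner-managed entries the same turnover touches. The roles, users, permissions and object paths are constructed; the class and function names are mine.

```python
# Added example, not from the original page, illustrating the RBAC answers
# above (multiple role membership, role hierarchy, and why turnover is cheap
# under RBAC but costly under DAC). Roles, users and object paths are
# constructed.


class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> set of permissions
        self.role_juniors = {}  # role -> roles it inherits from (hierarchy)
        self.user_roles = {}    # user -> set of roles (many-to-many)

    def add_role(self, role, perms=(), inherits=()):
        for junior in inherits:
            if junior not in self.role_perms:
                raise ValueError(f"unknown junior role {junior!r}")
        self.role_perms[role] = set(perms)
        self.role_juniors[role] = set(inherits)

    def assign(self, user, *roles):
        unknown = [r for r in roles if r not in self.role_perms]
        if unknown:
            raise ValueError(f"unknown roles {unknown}")
        self.user_roles.setdefault(user, set()).update(roles)

    def effective_perms(self, user):
        """Walk the hierarchy: a senior role carries every junior's perms."""
        perms, seen = set(), set()
        stack = list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            perms |= self.role_perms[role]
            stack.extend(self.role_juniors[role])
        return perms

    def check(self, user, perm) -> bool:
        return perm in self.effective_perms(user)

    def replace_user(self, leaver, joiner):
        """Turnover under RBAC: one operation, and the joiner ends up with
        exactly the leaver's role set, with no per-object edits anywhere."""
        roles = self.user_roles.pop(leaver, set())
        self.user_roles[joiner] = roles
        return roles


def dac_replace_user(acls: dict, leaver: str, joiner: str) -> int:
    """DAC contrast: rights live on each object's owner-managed ACL, so every
    ACL that names the leaver has to be edited (by its owner). Returns how
    many ACL entries were rewritten, i.e. how much scattered work it took."""
    touched = 0
    for entries in acls.values():
        if leaver in entries:
            entries[joiner] = entries.pop(leaver)
            touched += 1
    return touched


def build_demo():
    rbac = RBAC()
    rbac.add_role("employee", {"wiki:read"})
    rbac.add_role("engineer", {"repo:commit"}, inherits={"employee"})
    rbac.add_role("oncall", {"prod:page"})
    rbac.assign("alice", "engineer", "oncall")   # membership in two roles
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print(sorted(rbac.effective_perms("alice")))
    print(rbac.replace_user("alice", "bob"), sorted(rbac.effective_perms("bob")))
```

Note that `effective_perms` tracks visited roles, so an accidental cycle in the role hierarchy cannot hang the check; in a real system you would reject such a cycle when the role is defined.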

Which of the following layers is used for dialog control? A Physical B Data Link C Session D Network

Answer C is correct. The Session layer of the OSI model controls the dialogues (connections) between computers. It establishes, manages, and terminates the connections between the local and remote application, provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. Answer B is incorrect. The Data Link layer corresponds to (or is part of) the link layer of the TCP/IP reference model; it transfers frames between adjacent network nodes in a wide area network or between nodes on the same local area network segment. Answer A is incorrect. The Physical layer defines the means of transmitting raw bits, rather than logical data packets, over a physical link connecting network nodes; the bit stream may be grouped into code words or symbols and converted to a physical signal sent over a hardware transmission medium. Answer D is incorrect. The Network layer is responsible for packet delivery, including routing through intermediate routers; it provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host via one or more networks while maintaining quality of service.

Which of the following OSI layers handles flow control? A Physical B Data Link C Transport D Network

Answer C is correct. The Transport layer of the OSI model handles flow control. It is responsible for end-to-end message transfer independent of the underlying network, along with error control, segmentation, flow control, congestion control, and application addressing (port numbers). End-to-end message transmission, or connecting applications at the Transport layer, can be either connection-oriented, as implemented by Transmission Control Protocol (TCP), or connectionless, as implemented by User Datagram Protocol (UDP). Answer B is incorrect. The Data Link layer corresponds to (or is part of) the link layer of the TCP/IP reference model; it transfers frames between adjacent network nodes in a wide area network or between nodes on the same local area network segment. Answer A is incorrect. The Physical layer defines the means of transmitting raw bits, rather than logical data packets, over a physical link connecting network nodes; the bit stream may be grouped into code words or symbols and converted to a physical signal sent over a hardware transmission medium. Answer D is incorrect. The Network layer is responsible for packet delivery, including routing through intermediate routers; it provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host via one or more networks while maintaining quality of service.

Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table? A Undefined B Thirty C Three D Two

Answer C is correct. The degree of a table is the number of columns (attributes), and the cardinality is the number of rows (tuples). Tom's table has three columns (name, telephone number, customer ID), so its degree is three; its cardinality is 30.

You need to ensure that all systems, networks, and major applications can be recovered. What should you create or perform? A risk analysis B vulnerability analysis C contingency plan D business impact analysis (BIA)

Answer C is correct. The contingency plan is created to ensure that all systems, networks, and major applications can be recovered. A contingency plan should be created for each major entity, including all hardware and software entities. A vulnerability analysis identifies your company's vulnerabilities and is part of the business continuity plan. A risk analysis is part of the business impact analysis (BIA) and is used to calculate risk and discover which functions would cause the greatest financial loss to the company if disrupted. A BIA identifies the vital functions and prioritizes them based on need; vulnerabilities and threats are identified, and risks are calculated. A contingency plan addresses all potential, residual, and identified risks, which are usually identified by researching the types of systems in place. A failure in the contingency plan is usually the result of a management failure. The person designated to manage the contingency planning process should provide direction to senior management, ensure that all critical business functions are identified, and integrate the planning process across business units. When any part of the LAN is not hosted internally but is part of a building server environment, it is the contingency planner's responsibility to identify the building server administrator, communicate the recovery time frame required for your business applications, obtain a copy of the recovery procedures, and participate in validating the building's server testing.

A user reports that she is unable to access a file server. You discover that there are numerous open connections on the file server from several servers and routers. Which type of attack has affected the file server? A back door attack B man-in-the-middle attack C denial-of-service (DoS) attack D privilege escalation

Answer C is correct. The file server has become the victim of a denial-of-service (DoS) attack. Because multiple routers and servers are involved, a distributed DoS (DDoS) attack has actually occurred. A DDoS attack usually involves compromising several computers and routers to use as agents in the attack, which together overwhelm the bandwidth or connection capacity of the victim. Examples of DoS attacks include ping of death, smurf, and TCP SYN flood. Privilege escalation usually occurs by logging in with a valid, low-privileged account and then finding a way to access files or functions the account is not permitted to use, typically by exploiting a program that runs with higher privileges, such as a setuid (SUID) or setgid (SGID) binary or a service running in an administrative context. Defenses include least-privilege accounts and privilege separation. Privilege escalation can also lead to DoS attacks. Back doors are hidden access paths that vendors sometimes build in so they can reach their devices. After installing new devices or operating systems, you need to ensure that all back doors and default passwords are disabled or reset, because attackers commonly try them first. A man-in-the-middle attack occurs when an attacker intercepts messages from a sender, modifies them, and forwards them to the legitimate receiver.

What is the primary function of portable storage media, such as Zip, Jaz, and flash drives? A to modify data B to erase data C to exchange data D to classify data

Answer C is correct. The primary function of portable storage media, such as Zip drives, Jaz drives, flash drives, SyQuest, and Bernoulli boxes, is to facilitate data exchange across an organization to meet business requirements. Portable storage media are preferred for data exchange because of their portability and capacity. Erasing data from storage media such as a hard drive does not actually remove the data; it only removes the pointers to the location where the data resides, and the erased data can be recovered with data recovery tools. Sanitization is the process of wiping data from storage media so that it is not recoverable and the media can be reused safely. Data modification means making changes to information, which may be authorized or unauthorized. Data classification involves assigning a sensitivity level to data and implementing countermeasures to maintain its confidentiality, integrity, and availability; for example, an organization can classify data as confidential, private, sensitive, or public and use the classification to select security controls. Operations security policies for all types of portable storage media should be in place to ensure that the data on these drives is not compromised, and audits should be performed periodically to ensure that the policies are followed, including that employees do not remove portable media from the facility unless authorized to do so.

An earthquake damaged the building that houses your organization's data center. As a result, the alternate site in New Jersey must be configured and brought online. Which team should be responsible for this? A salvage team B damage assessment team C restoration team D security team

Answer C is correct. The restoration team is responsible for configuring the alternate site and bringing it online when a disaster occurs. When configuring the alternate site, the most critical business functions should be brought online first. For this to happen, the priority levels of the business functions must already be defined in the disaster recovery plan; without them, the business may not be operational within the recovery timeframe. The salvage team is responsible for the recovery of the original site, which is called the reconstitution phase. The disaster recovery plan should spell out how the reconstitution phase is to be carried out. The least critical functions should be moved back to the original site first, so that the critical business functions are not adversely affected by connectivity or installation errors. The security team is responsible for assessing security at the alternate and primary sites when a disaster occurs. The damage assessment team is responsible for assessing the damage at the primary site, including estimating how long it will take to bring critical functions back online. All of these teams support the disaster recovery plan, whose goal is to minimize the risks associated with a disaster.

Which processes define the supervisor mode? A processes that are executed in the outer protection rings B processes with no protection mechanism C processes that are executed in the inner protection rings D processes in the outer protection ring that have more privileges

Answer C is correct. The supervisor mode refers to processes that are executed in the inner protection rings. The processes in the inner protection rings are granted more privileges than the processes in the outer protection ring. The processes in the inner ring are executed in the privileged or the supervisor mode, while the processes working in the outer protection rings are executed in the user mode. These processes in the inner ring include the operating system kernel process and input/output (I/O) instructions. Processes are placed in a ring structure according to least privilege. Multiplexed Information and Computing Service (MULTICS) is an example of a ring protection system. All other options are incorrect. Each operating system has a protection mechanism, such as memory segments and protection rings, to ensure that the applications do not adversely affect the critical components of the operating system. The protection rings define the security policy for each application by limiting the operations that can be performed by the application. No application in the operating system functions without a protection mechanism. Operating systems are responsible for memory allocation, input and output tasks, and resource allocation. If an operating system allows sequential use of an object without refreshing it, disclosure of residual data can arise.

Company management has decided to implement group policies to ensure that the company's security policies are enforced across the organization. You must develop the appropriate group policies for your company. Which entities can you manage with these new policies? users client computers server computers domain controllers A option c B option b C option a D all of the options E none of the options F option d

Answer D is correct. Group policies can be used to manage users, client computers, server computers, and domain controllers. Group policies are the most efficient way to manage a large number of users or computers. For example, a password policy applied through a group policy can set a maximum password age and minimum complexity, so that every affected user is forced to change to a compliant password on a fixed schedule.

Which of the following describes the statement given below? "Anytime one entity accepts a user without requiring additional authentication on the behalf of another entity." A Tailoring B Watermarking C Transitive trust D Synthetic transaction

Answer C is correct. Transitive trust describes the situation in which one entity accepts a user without requiring additional authentication on behalf of another entity. For example, with transitive access, one party (A) trusts another party (B). If the second party (B) trusts a third party (C), a relationship can exist in which the first party (A) also trusts the third party (C), even though A never evaluated C itself. Answer A is incorrect because tailoring is the process by which assessment procedures are scoped to match the characteristics of the information system under assessment. Answer D is incorrect because synthetic transactions are pre-recorded actions taken against a service that mimic a user accessing the service and executing regular tasks. Answer B is incorrect because watermarking adds digital watermarks to documents to protect intellectual property, typically by means of steganography. The hidden information is known only to the file's creator; if someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and trace it back to the source.
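The A, B, C chain in the answer, as an added example that is not part of the original page: a directed trust graph in which each relationship is marked transitive or not, a function that computes every domain whose users a given domain will accept without re-authentication, and the reverse question a defender asks (if this domain is compromised, who lets its users in?). The domain names and relationships are constructed.

```python
# Added example (not part of the original page): transitive trust modelled as
# reachability in a directed trust graph. Domain names and relationships are
# constructed for illustration.

# (truster, trusted): `truster` accepts users already authenticated by `trusted`.
# "transitive": True means the truster also accepts whatever `trusted` accepts
# through its own transitive trusts (the A -> B -> C case from the answer).
TRUSTS = {
    ("HQ", "Sales"): {"transitive": True},
    ("Sales", "Partner"): {"transitive": True},
    ("HQ", "Contractor"): {"transitive": False},   # one hop only, never chained
    ("Contractor", "Vendor"): {"transitive": True},
}


def trusted_domains(start, trusts=TRUSTS):
    """Domains whose users `start` will accept without re-authentication."""
    accepted, followed = set(), {start}
    to_follow = [start]                 # domains whose outgoing trusts we chain through
    while to_follow:
        domain = to_follow.pop()
        for (truster, trusted), props in trusts.items():
            if truster != domain or trusted == start:
                continue
            accepted.add(trusted)
            if props["transitive"] and trusted not in followed:
                followed.add(trusted)
                to_follow.append(trusted)
    return accepted


def who_accepts(target, trusts=TRUSTS):
    """The blast-radius question: if `target` is compromised, which domains will
    accept its users, directly or through a chain of trusts?"""
    domains = {d for edge in trusts for d in edge}
    return {d for d in domains if target in trusted_domains(d, trusts)}


if __name__ == "__main__":
    for d in ("HQ", "Sales", "Contractor"):
        print(f"{d} accepts users from: {sorted(trusted_domains(d))}")
    print("Exposed if Vendor is compromised:", sorted(who_accepts("Vendor")))
    print("Exposed if Partner is compromised:", sorted(who_accepts("Partner")))
```

Running it shows HQ accepting Partner users it never vetted (through Sales) but not Vendor users, because the HQ to Contractor trust was marked non-transitive; that flag is the control a practitioner reaches for when a trust must stop at one hop.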

As an IT department manager, you must ensure high availability and performance for your organization's network. You must also ensure that the network is secure. What is the relationship between network performance and security? A When you increase the security mechanisms, performance usually increases. B When you increase the security mechanisms, it has no effect on performance. C When you increase the security mechanisms, performance usually decreases. D Security should always be given a higher priority than performance.

Answer C is correct. When you increase the security mechanisms on the network, the performance of the network usually decreases. None of the other statements is true regarding the relationship between network performance and security. An organization should determine when security or performance should be given a higher priority. The security administrator and network administrator roles should be assigned to two different people. The hierarchy within an organization should ensure that the security administrator is under a different chain of command than the network administrator. This ensures that security is not ignored or assigned a lower priority than performance.

Your organization's data center is a secured portion of your organization's building. Entry to the data center requires that users enter a five-digit password. Only users in the information technology (IT) department are allowed access to the data center, and all IT department personnel use the same five-digit password. You must ensure that the password is changed appropriately. Which guideline should you NOT implement? A Change the password when an IT department employee leaves the organization. B Change the password when the password has been knowingly compromised. C Change the password when an IT department employee goes on extended leave. D Change the password at least every six months.

Answer C is correct. You should NOT change the password when an IT department employee goes on an extended leave. When the data center is protected by a password, you should adhere to the following guidelines: Change the password at least every six months. Change the password when an IT department employee leaves the organization. Change the password when it has been knowingly compromised.

As network administrator for an organization, you need to prevent unethical access to the organization's online library. For this, you need to apply a condition such that the employee name and the employee code should match to access the library. Which of the following access controls will you select to accomplish the task? A Role-based access control B Attribute-based access control C Mandatory access control D Discretionary access control

Answer C is correct. You should select MAC (mandatory access control) to accomplish this task. It prevents unauthorized access to the organization's online library by enforcing the condition that the employee name and employee code must match. MAC relies on the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. Answer D is incorrect. DAC (discretionary access control) allows the owner or creator of an object to control and define subject access to that object. Answer A is incorrect. In RBAC (role-based access control), a user can access resources according to his or her role in the organization. Answer B is incorrect. In ABAC (attribute-based access control), access is granted not on the basis of rights assigned to the authenticated subject, but on the basis of attributes of the subject, the object, and the environment evaluated against a policy.

What is the proper range for a Class C IP network? A 1.0.0.0 - 126.0.0.0 B 240.0.0.0 - 255.0.0.0 C 224.0.0.0 - 239.0.0.0 D 192.0.0.0 - 223.255.255.0

Answer D is correct. 192.0.0.0 - 223.255.255.0 is the proper range for a Class C IP network. Class C addresses have their first three bits set to 110, so the first octet lies between 192 and 223, and the default classful mask is 255.255.255.0, giving 254 usable host addresses per network. The other ranges listed are Class A (1.0.0.0 - 126.0.0.0), Class D multicast (224.0.0.0 - 239.0.0.0), and Class E reserved (240.0.0.0 - 255.0.0.0).

You are examining an access control matrix for your organization. Which entity corresponds to a row in this matrix? A object B subject C access control list (ACL) D capability

Answer D is correct. A capability corresponds to a row in the access control matrix. A capability list enumerates all the access permissions that one subject has been granted across every object. An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access control matrix corresponds to the access control list (ACL) for an object: every subject that can access it and with what rights. A row corresponds to a subject's capabilities, not just to the subject itself; capabilities are granted by storing a list of rights with each subject, whereas ACLs store the list of authorized subjects with each object.
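The row and column views of the same matrix, as an added example that is not from the original page. The subjects, objects and rights are constructed; the code derives a subject's capability list (row) and an object's ACL (column) from one matrix, answers the reference monitor's question from either, and rebuilds the matrix from a set of ACLs to show that the two are just different storage layouts.

```python
# Added example (not part of the original page): an access control matrix with
# subjects as rows and objects as columns. The subjects, objects and rights are
# constructed; the point is that a row is a capability list and a column is an ACL.

# Constructed matrix: MATRIX[subject][object] -> set of rights (empty set = no access)
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "web.log": {"read"}, "/etc/shadow": set()},
    "bob":        {"payroll.db": set(),             "web.log": {"read"}, "/etc/shadow": set()},
    "backup-svc": {"payroll.db": {"read"},          "web.log": {"read"}, "/etc/shadow": {"read"}},
}


def capability_list(subject, matrix=MATRIX):
    """Row view: everything one subject may do. Stored with the subject (e.g. a token)."""
    return {obj: rights for obj, rights in matrix[subject].items() if rights}


def access_control_list(obj, matrix=MATRIX):
    """Column view: every subject that may touch one object. Stored with the object."""
    return {subj: row[obj] for subj, row in matrix.items() if row[obj]}


def is_allowed(subject, obj, right, matrix=MATRIX):
    """The reference monitor's question; both views answer it identically."""
    return right in matrix.get(subject, {}).get(obj, set())


def matrix_from_acls(acls):
    """Rebuild the full matrix from per-object ACLs, showing that ACLs and
    capabilities are two storage layouts of the same matrix."""
    subjects = {s for acl in acls.values() for s in acl}
    return {s: {obj: set(acl.get(s, set())) for obj, acl in acls.items()} for s in subjects}


if __name__ == "__main__":
    print("capabilities of alice:", capability_list("alice"))
    print("ACL of /etc/shadow:", access_control_list("/etc/shadow"))
    print("bob may read payroll.db:", is_allowed("bob", "payroll.db", "read"))
```

The operational difference the exam hints at is visible in the two functions: revoking every access to one object is one column edit in ACL form but a scan of every row in capability form, while answering "what can this subject do?" is the reverse.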

What is a list of serial numbers of digital certificates that have not expired, but should be considered invalid? A UDP B KDC C CA D CRL

Answer D is correct. A certificate revocation list (CRL) contains the serial numbers of digital certificates that have not expired but that the issuing certification authority (CA) has declared invalid. Typically, a serial number is placed in a CRL because the certificate's private key has been compromised, the subject's details have changed, or the certificate was issued in error. A CA generates and validates digital certificates. A key distribution center (KDC) is used in Kerberos network authentication to distribute resource access keys. User Datagram Protocol (UDP) provides connectionless communications on a TCP/IP network.

Which of the following is an attack where the cryptanalyst can define his own plaintext, feed it into the cipher, and analyze the resulting ciphertext? A Brute force attack B Implementation attack C Chosen cipher-text attack D Chosen plaintext attack

Answer D is correct. A chosen plaintext attack is an attack in which the cryptanalyst can define his own plaintext, feed it into the cipher, and analyze the resulting ciphertext. The goal of the attack is to gain further information that reduces the security of the encryption scheme; in the worst case, a chosen plaintext attack reveals the scheme's secret key. Answer B is incorrect because an implementation attack exploits weaknesses in the implementation of a cryptographic system, such as timing or power-consumption side channels, rather than in the algorithm itself. Answer C is incorrect because a chosen ciphertext attack (CCA) is an attack model in which the cryptanalyst gathers information, at least in part, by choosing ciphertexts and obtaining their decryption under an unknown key. Answer A is incorrect because a brute force attack does not analyze the cipher at all; it simply tries every possible key or password until one works.
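The worst case the answer describes (a chosen plaintext attack that yields the key), as an added example that is not part of the original page. The target is a deliberately weak toy cipher, repeating-key XOR, chosen so the whole attack fits on the page; the attacker has only an encryption oracle and an intercepted ciphertext, never the key. The key and messages are constructed.

```python
# Added example (not part of the original page): a chosen-plaintext attack against
# a deliberately weak toy cipher (repeating-key XOR, not a real algorithm). The
# attacker holds no key, only an encryption oracle and an intercepted ciphertext.
# Key and messages are constructed.
import os


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy cipher: XOR each byte with the key repeated. Encrypt and decrypt are the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class EncryptionOracle:
    """The victim's service: encrypts anything submitted, under a key it never reveals."""

    def __init__(self, key: bytes):
        self._key = key

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_cipher(plaintext, self._key)


def recover_key(oracle: EncryptionOracle, max_key_len: int = 64) -> bytes:
    """Chosen plaintext: submit all-zero bytes. x XOR 0 == x, so the ciphertext IS
    the repeated key; its shortest period is the (effective) key."""
    stream = oracle.encrypt(bytes(max_key_len * 2))
    for period in range(1, max_key_len + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    raise ValueError("key longer than max_key_len")


def chosen_plaintext_attack(oracle: EncryptionOracle, intercepted: bytes) -> bytes:
    """Use the recovered key to read a ciphertext the attacker merely observed."""
    return xor_cipher(intercepted, recover_key(oracle))


if __name__ == "__main__":
    secret_key = os.urandom(12)                     # the attacker never sees this
    oracle = EncryptionOracle(secret_key)
    intercepted = oracle.encrypt(b"transfer 40000 to account 7731")
    print(chosen_plaintext_attack(oracle, intercepted))
```

The lesson generalizes: a modern cipher is expected to resist exactly this (it is the standard "IND-CPA" security goal), which is why any system that lets an attacker submit plaintext for encryption under a long-lived key must be using a cipher and mode designed for that setting.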

Your data center has its own lock to prevent entry. Your organization's security plan states that the lock to the data center should be programmable. Which type of lock should you use? A combination lock B tumbler lock C mechanical lock D cipher lock

Answer D is correct. A cipher lock is a lock that is programmable. Cipher locks are keyless. Users must enter the appropriate code using the lock's keypad. None of the other options is correct. The two main types of mechanical locks are warded locks and tumbler locks. Warded locks are basic padlocks. The lock has wards (metal projections around the keyhole), and only a particular key will work with the wards to unlock the lock. A tumbler lock has more pieces than a warded lock. The key fits into the cylinder, raising the lock pieces to the correct height. There are three types of tumbler locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks. Combination locks require the correct combination of numbers to unlock.

Which fault tolerant solution is the most expensive to implement? A backups B RAID C redundant disk controllers D clusters

Answer D is correct. A cluster is the most expensive fault tolerant solution to implement of the solutions given. A cluster provides a fault tolerant server solution that allows multiple servers to appear as a single server to users. If one of the servers in the cluster fails, the remaining servers take up the load. Redundant Array of Independent Disks (RAID) is a fault tolerant disk solution where multiple disks within a computer are implemented. Generally, hard drives are not as expensive as computers. Backups are a fault tolerant solution that ensure that data is protected by backing up to tape, compact disc (CD), and other media. Backups are generally considered to be an inexpensive fault tolerance solution. Redundant disk controllers ensure that data has multiple paths through which to connect to hard drives. Disk controllers are generally less expensive than computers.

Which statement is true of covert channels? A A covert channel is addressed by a C2 rating provided by TCSEC. B A covert channel acts a trusted path for authorized communication. C A covert channel regulates the information flow and implements the security policy. D A covert channel is not controlled by a security mechanism.

Answer D is correct. A covert channel is not controlled by a security mechanism. A covert channel is a communication path that transfers information in an unauthorized manner and violates the security policy. It is not a regulated path of information flow; it is usually a side effect of a software bug or design oversight, or of a compromised system. Covert channels are addressed by the Trusted Computer System Evaluation Criteria (TCSEC) at rating B2 and above: covert storage channels must be analyzed at level B2, and covert timing channels at level B3. Unlike an overt channel, which is specifically designed as an authorized communication path, a covert channel is used by attackers to violate the security policy of a system, and it lacks the mandatory controls applied to overt channels. The two types of covert channels are as follows: Covert timing channel: one process sends information to another by modulating its use of a system resource, for example the timing of its disk accesses or the number of CPU cycles it consumes, and the second process observes that timing to decode the information. Covert timing channels convey information by modifying the timing of a system resource in some measurable way. Covert storage channel: the risk arises from a shared storage location; a problem arises when a process writes data to a location and another process is able to read it, directly or indirectly, regardless of the security level at which each operates. A covert storage channel is an information transfer that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of that location by another process.
Both the covert timing channel and the covert storage channel violate the security policy of a system. A Loki attack, which tunnels data inside ICMP echo packets, is an example of a covert channel.
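The timing channel described above, as an added example that is not part of the original page: a sender leaks bytes purely through the spacing of its accesses to a shared resource, a receiver decodes from timestamps alone, and a crude detector flags the two-cluster timing signature. The timestamps are generated arithmetically rather than by sleeping so that the run is reproducible; the slot widths, jitter and detector threshold are assumptions.

```python
# Added example (not part of the original page): a simulated covert timing channel.
# The sender has no authorized write path to the receiver, so it leaks bytes by
# modulating WHEN it touches a shared resource; the receiver sees only timestamps.
# Timestamps are generated arithmetically rather than by sleeping, so the run is
# reproducible; the slot widths, jitter and detector threshold are assumptions.
import random

SLOT_0, SLOT_1 = 0.010, 0.040      # seconds between accesses that encode a 0 / a 1


def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def sender_access_times(secret: bytes, jitter=0.003, seed=1):
    """What a monitor of the shared resource would record: one access per bit,
    spaced SLOT_0 or SLOT_1 apart plus scheduling noise."""
    rng = random.Random(seed)
    t, times = 0.0, [0.0]
    for bit in to_bits(secret):
        t += (SLOT_1 if bit else SLOT_0) + rng.uniform(-jitter, jitter)
        times.append(t)
    return times


def receiver_decode(times) -> bytes:
    """The receiver measures inter-arrival gaps and thresholds them back into bits."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    threshold = (SLOT_0 + SLOT_1) / 2
    return from_bits([1 if g > threshold else 0 for g in gaps])


def looks_like_timing_channel(times, min_events=32, min_spread=0.001):
    """Crude detector: benign access timing is usually one blob; a binary timing
    channel produces two tight clusters separated by a large empty gap."""
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    if len(gaps) < min_events:
        return False
    spread = gaps[-1] - gaps[0]
    if spread < min_spread:                 # effectively constant timing: not a channel
        return False
    biggest_jump = max(b - a for a, b in zip(gaps, gaps[1:]))
    return biggest_jump / spread > 0.5


if __name__ == "__main__":
    trace = sender_access_times(b"top secret")
    print("receiver decoded:", receiver_decode(trace))
    print("detector flags the trace:", looks_like_timing_channel(trace))
```

Note that no data ever crosses a controlled interface: the only thing the receiver reads is a clock, which is exactly why mandatory access controls on objects cannot close a timing channel and why TCSEC pushes their analysis to the B3 level.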

Which type of firewall only examines the packet header information? A stateful firewall B kernel proxy firewall C application-level proxy firewall D packet-filtering firewall

Answer D is correct. A packet-filtering firewall only examines the packet header information. A stateful firewall usually examines all layers of the packet to compile all the information for the state table. A kernel proxy firewall examines every layer of the packet, including the data payload. An application-level proxy firewall examines the entire packet. Packet-filtering firewalls are based on access control lists (ACLs). They are application independent and operate at the Network layer of the OSI model. They cannot keep track of the state of the connection. A packet-filtering firewall only looks at a data packet to obtain the source and destination addresses and the protocol and port used. This information is then compared to the configured packet-filtering rules to decide if the packet will be dropped or forwarded to its destination.

Which of the following types of virus changes characteristics as it spreads? A File B Boot sector C Stealth D Polymorphic

Answer D is correct. A polymorphic virus changes characteristics as it spreads. It has the ability to change its own signature at the time of infection. This virus is very complicated and hard to detect. When the user runs the infected file in the disk, it loads the virus into the RAM. The new virus starts making its own copies and infects other files of the operating system. The mutation engine of the polymorphic virus generates a new encrypted code, thus changing the signature of the virus. Answer C is incorrect. A stealth virus is a virus that can redirect the disk head to read another sector instead of one in which it resides. It can also alter the reading of the infected file size shown in the directory listing. A stealth virus can change a file's date and time. Since a stealth virus uses encryption techniques, it becomes totally hidden from antiviruses and operating systems. Frodo and Whale are some good examples of stealth viruses. Answer B is incorrect. A boot sector virus infects the master boot files of the hard disk or floppy disk. Boot record programs are responsible for booting the operating system and the boot sector virus copies these programs into another part of the hard disk or overwrites these files. Therefore, when the floppy or the hard disk boots, the virus infects the computer. Answer A is incorrect. A file virus infects programs that can execute and load into the memory to perform predefined steps to infect systems.

Which type of firewall hides a packet's true origin before sending it through another network? A bastion host B stateful firewall C packet-filtering firewall D proxy firewall

Answer D is correct. A proxy firewall hides a packet's true origin before sending it through another network. The primary security feature of a proxy firewall is that it hides the client's information: it is the only computer on the network that communicates with untrusted computers, terminating the client's connection and opening its own. A bastion host is a hardened system that usually resides in a demilitarized zone (DMZ) and is accessed frequently. A stateful firewall forwards packets on behalf of the client and examines each packet, permitting or denying it based on many factors, including the state table. The state table is used to track where in the TCP handshake a connection is, so that any frames that arrive out of the normal sequence (an indicator of possible malicious activity) can be dropped. This type of firewall is also often referred to as a stateful-inspection firewall. A packet-filtering firewall forwards packets based on rules that define which traffic is permitted and denied on the network. It examines each packet to get the source and destination addresses, the communications protocol (TCP, UDP, or ICMP), and the source and destination ports for the desired service.
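The contrast between the packet-filtering answer two questions up and the stateful firewall described here, as one added example that is not from the original page: a header-only filter and a state-table inspector implementing the same "allow HTTPS out" intent, run over a constructed packet trace. Addresses, ports and the policy are assumptions. The stateless rules must admit any inbound packet from port 443 to a high port, because without state they cannot tell a reply from a probe; the stateful version tracks the handshake and drops the same probe, and also drops a SYN-ACK that arrives after the connection is already established.

```python
# Added example (not part of the original page): a stateless packet filter next to
# a stateful inspector, run over a constructed packet trace. Addresses, ports and
# the single "allow HTTPS out" policy are assumptions; it shows why a header-only
# filter must leave inbound "reply" traffic open and how a state table closes that hole.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""


INSIDE = "10.0.0."                        # our network; everything else is untrusted


def outbound(p):
    return p.src.startswith(INSIDE) and not p.dst.startswith(INSIDE)


def inbound(p):
    return not p.src.startswith(INSIDE) and p.dst.startswith(INSIDE)


# Stateless: first matching rule wins, decision from header fields only.
RULES = [
    ("allow", lambda p: outbound(p) and p.proto == "tcp" and p.dport == 443),
    # Replies to our clients. Without state there is no way to distinguish a
    # genuine reply from a probe, so this rule must admit ANY packet from port 443.
    ("allow", lambda p: inbound(p) and p.proto == "tcp" and p.sport == 443 and p.dport >= 1024),
    ("deny", lambda p: True),
]


def stateless_filter(p):
    for verdict, match in RULES:
        if match(p):
            return verdict
    return "deny"


class StatefulFirewall:
    """Same policy intent, plus a table tracking each connection through the handshake."""

    def __init__(self):
        self.table = {}                   # (client, cport, server, sport) -> state

    def inspect(self, p):
        if p.proto != "tcp":
            return "deny"
        if outbound(p) and p.dport == 443:
            key = (p.src, p.sport, p.dst, p.dport)
            state = self.table.get(key)
            if p.flags == "SYN" and state is None:
                self.table[key] = "SYN_SENT"
                return "allow"
            if state == "SYN_RECEIVED" and p.flags == "ACK":
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "allow" if state == "ESTABLISHED" else "deny"
        if inbound(p):
            key = (p.dst, p.dport, p.src, p.sport)     # look up by the originating client
            state = self.table.get(key)
            if state == "SYN_SENT" and p.flags == "SYN-ACK":
                self.table[key] = "SYN_RECEIVED"
                return "allow"
            if state == "ESTABLISHED" and "SYN" not in p.flags:
                return "allow"
            return "deny"                  # no connection, or out of handshake sequence
        return "deny"


if __name__ == "__main__":
    probe = Packet("198.51.100.7", 443, "10.0.0.5", 51000, flags="ACK")  # spoofed "reply"
    print("stateless:", stateless_filter(probe), " stateful:", StatefulFirewall().inspect(probe))
```

The probe in the demo is the classic ACK scan through a packet filter: it carries the right ports and flags to look like a reply, so the header-only filter passes it, while the state table has no entry for it and drops it.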

Which statement correctly defines spamming attacks? A sending multiple spoofed packets with the SYN flag set to the target host on an open port B sending spoofed packets with the same source and destination address C using ICMP oversized echo messages to flood the target computer D repeatedly sending identical e-mails to a specific address

Answer D is correct. A spamming attack involves flooding an e-mail server or specific e-mail addresses with repeated, identical, unwanted e-mails. Spamming is the use of an electronic communications medium, such as e-mail, to send unsolicited messages to users in bulk. Packet filtering routers typically do not help against such attacks because they do not examine the data portion of the packet. E-mail filter programs, embedded either in the e-mail client or in the server, can be configured to protect against spamming to a great extent. A ping of death is a DoS attack that sends oversized ICMP echo packets whose fragments exceed the maximum IP packet size on reassembly, causing the target computer to freeze or crash. Smurf and fraggle are other DoS attacks that deny access to legitimate users by causing a system to freeze or crash. In a SYN flood attack, the attacker floods the target with TCP SYN packets carrying spoofed source addresses. The Transmission Control Protocol (TCP) uses synchronize (SYN) and acknowledgment (ACK) packets to establish communication between two hosts; the exchange of SYN, SYN-ACK, and ACK packets is referred to as the three-way handshake. The target replies to each SYN with a SYN-ACK and allocates resources for the half-open connection. Because the source address is spoofed, the target never receives the final ACK, and when it is holding many half-open connections it runs out of resources to accept connections from legitimate users and becomes unreachable for valid requests.
A land attack sends spoofed TCP SYN packets in which the source address and port are set equal to the target's own address and an open port. The target replies to itself, which on vulnerable systems causes it to freeze or crash.
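Detection logic for three of the attacks just described (land, ping of death, SYN flood), as an added example that is not part of the original page, run over a constructed packet trace rather than a live capture. The field names, addresses and thresholds are assumptions. The SYN flood check follows the mechanism in the answer: it keeps a per-destination table of half-open connections (a SYN with no later ACK from the same source) inside a time window and flags a destination when the table exceeds a limit.

```python
# Added example (not part of the original page): detection logic for three of the
# attacks described above (land, ping of death, SYN flood), run over a constructed
# packet trace rather than a live capture. Field names, addresses and thresholds
# are assumptions.
from collections import defaultdict


def is_land(pkt):
    """Land: source and destination address/port identical, so the target talks to itself."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def is_ping_of_death(pkt, max_ip_len=65535):
    """Ping of death: ICMP fragments that would reassemble beyond the IPv4 maximum."""
    return pkt["proto"] == "icmp" and pkt.get("reassembled_len", 0) > max_ip_len


def syn_flood_targets(packets, max_half_open=50, window=1.0):
    """SYN flood: too many half-open connections (SYN seen, no completing ACK from
    the same source) against one destination inside `window` seconds.
    Returns {destination: peak half-open count} for flagged destinations."""
    half_open = defaultdict(dict)          # dst -> {(src, sport): time of SYN}
    flagged = {}
    for p in sorted(packets, key=lambda p: p["t"]):
        if p["proto"] != "tcp":
            continue
        table = half_open[p["dst"]]
        key = (p["src"], p["sport"])
        if p["flags"] == "SYN":
            table[key] = p["t"]
        elif p["flags"] == "ACK":
            table.pop(key, None)           # third handshake step: no longer half-open
        for stale in [k for k, t0 in table.items() if p["t"] - t0 > window]:
            del table[stale]               # older than the window: not part of a burst
        if len(table) > max_half_open:
            flagged[p["dst"]] = max(flagged.get(p["dst"], 0), len(table))
    return flagged


def analyze(packets):
    findings = []
    for p in packets:
        if is_land(p):
            findings.append(("land", p["dst"]))
        if is_ping_of_death(p):
            findings.append(("ping_of_death", p["src"]))
    for dst, peak in syn_flood_targets(packets).items():
        findings.append(("syn_flood", dst, peak))
    return findings


def constructed_trace():
    """Made-up traffic: one legitimate handshake, a land packet, an oversized ping,
    and 200 spoofed SYNs against a web server in under half a second."""
    tcp = lambda t, src, sport, dst, dport, flags: dict(
        t=t, proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags)
    trace = [
        tcp(0.100, "10.0.0.20", 50001, "10.0.0.9", 443, "SYN"),
        tcp(0.101, "10.0.0.9", 443, "10.0.0.20", 50001, "SYN-ACK"),
        tcp(0.102, "10.0.0.20", 50001, "10.0.0.9", 443, "ACK"),
        tcp(0.500, "10.0.0.12", 80, "10.0.0.12", 80, "SYN"),               # land
        dict(t=0.600, proto="icmp", src="203.0.113.9", sport=0, dst="10.0.0.8",
             dport=0, flags="", reassembled_len=65600),                     # ping of death
    ]
    trace += [tcp(i * 0.002, f"198.51.100.{i % 254 + 1}", 40000 + i, "10.0.0.8", 80, "SYN")
              for i in range(200)]
    return trace


if __name__ == "__main__":
    for finding in analyze(constructed_trace()):
        print(finding)
```

The legitimate handshake to 10.0.0.9 never shows up in the findings because its ACK removes the half-open entry; the flood does, because every spoofed source leaves its entry behind.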

Who has the responsibility to integrate security considerations into application and system purchasing decisions and development projects? A Auditor B Security professional C Data custodian D System owner

Answer D is correct. A system owner has the responsibility to integrate security considerations into application and system purchasing decisions and development projects. The primary responsibility is to conduct security control assessments. A system owner should also ensure that necessary security controls, remote access controls, password management, operating system configurations, and so on, are providing adequate security. Answer C is incorrect because a data custodian is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. Answer B is incorrect because a security professional has the functional responsibility for security, including writing the security policy and implementing it. The security professional role is often filled by a team that is responsible for designing and implementing security solutions based on the approved security policy. Answer A is incorrect because an auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

What would detect when a user has more privileges than necessary? A Account management B Reporting C Logging D User entitlement audit

Answer D is correct. A user entitlement audit can detect when users have more privileges than necessary. Account management practices attempt to ensure that privileges are assigned correctly. The audit detects whether the management practices are followed. Logging records activity, but the logs need to be reviewed to determine if practices are followed. Reporting is the result of an audit.

What would an organization do to identify weaknesses? A Access review B Asset valuation C Threat modeling D Vulnerability analysis

Answer D is correct. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Answers B, C, and A are incorrect. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, and threats are often paired with vulnerabilities to identify risk, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.

What combination of backup strategies provides the fastest backup creation time? A Partial backups and incremental backups B Full backups and differential backups C Incremental backups and differential backups D Full backups and incremental backups

Answer D is correct. Any backup strategy must include full backups at some point in the process. Incremental backups are created faster than differential backups because an incremental copies only the files changed since the previous backup of any type, whereas a differential copies everything changed since the last full backup, so the amount of data a differential writes grows every day until the next full.

Eavesdropping is an example of what kind of attack? A Bonk attack B DoS attack C Active attack D Passive attack

Answer D is correct. Attacks may be passive or active. Eavesdropping is an example of a passive attack: simply listening to communication traffic for the purpose of capturing or duplicating it. It usually requires physical access to the IT infrastructure to connect a recording device to an open port or a cable splice, or to install a software recording tool on a system. Answer C is incorrect. An active attack requires the attacker to transmit data to one or both of the parties, or to block the data stream in one or both directions. Answer B is incorrect. A denial of service (DoS) attack aims to make a resource unavailable rather than to listen to it; in its distributed form (DDoS), the attacker uses multiple previously infected computers, which act as zombies and work together to send out bogus traffic. Answer A is incorrect. A bonk attack is a variant of the teardrop attack, a type of DoS attack that affects mostly Windows computers by sending corrupt UDP packets to DNS port 53. It manipulates the fragment offset field in IP packets, the field that tells a computer how to reconstruct a packet that was fragmented because it was too large to transmit in one piece.

Your company has a backup solution that performs a full backup each Saturday evening and an incremental backup all other evenings. A vital system crashes on Monday morning. How many backups will need to be restored? A one B three C four D two

Answer D is correct. Because the system crashes on Monday morning, you will need to restore two backups: the full backup from Saturday evening and the incremental backup from Sunday evening. When incremental backups are included in your backup plan, you will need to restore the full backup and all incremental backups that have been taken since the full backup. Because the failure occurred on Monday morning, only the full Saturday backup and the incremental Sunday backup need to be restored. If the crash had occurred on Tuesday morning, you would have needed to restore three backups: Saturday evening's full backup, Sunday evening's incremental backup, and Monday evening's incremental backup. If the crash had occurred on Wednesday morning, you would have needed to restore four backups: Saturday evening's full backup, Sunday evening's incremental backup, Monday evening's incremental backup, and Tuesday evening's incremental backup.
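The counting in this answer and the speed comparison in the incremental-versus-differential question above, carried out in code as one added example that is not part of the original page. It takes the schedule from the question (full backup Saturday evening, another backup every other evening), returns the ordered restore chain for a crash on any morning under either strategy, and shows how much data each evening's backup writes; the day names and per-day change volumes are constructed.

```python
# Added example (not part of the original page), serving both the backup-speed
# question and the restore-count question above: which backup sets must be restored
# after a crash, and how much data each evening's backup writes, for a weekly
# schedule of a full backup on Saturday evening and an incremental or differential
# backup every other evening. Day names and the per-day change volumes are constructed.
DAYS = ["Saturday", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]


def backups_taken_before(crash_morning):
    """Evening backups that exist when the system fails on `crash_morning`,
    starting with the most recent Saturday full."""
    idx = DAYS.index(crash_morning)
    return DAYS[:idx] if idx > 0 else DAYS      # Saturday morning: the whole previous week


def restore_chain(strategy, crash_morning):
    """Ordered list of (evening, type) to restore. Incremental: full plus every
    incremental since; differential: full plus only the latest differential."""
    evenings = backups_taken_before(crash_morning)
    full, partials = evenings[0], evenings[1:]
    if strategy == "incremental":
        return [(full, "full")] + [(day, "incremental") for day in partials]
    if strategy == "differential":
        return [(full, "full")] + ([(partials[-1], "differential")] if partials else [])
    raise ValueError(f"unknown strategy: {strategy}")


def data_written(strategy, changed_per_day):
    """Relative volume each evening after the full: an incremental copies only what
    changed since the previous backup of any kind, a differential copies everything
    changed since the full, so differentials grow all week."""
    sizes, since_full = {}, 0
    for day, changed in zip(DAYS[1:], changed_per_day):
        since_full += changed
        sizes[day] = changed if strategy == "incremental" else since_full
    return sizes


if __name__ == "__main__":
    for day in ("Monday", "Tuesday", "Wednesday"):
        chain = restore_chain("incremental", day)
        print(f"crash {day} morning: restore {len(chain)} sets -> {chain}")
    print("differential, Wednesday:", restore_chain("differential", "Wednesday"))
    print("GB written, incremental:", data_written("incremental", [5, 3, 2, 4]))
    print("GB written, differential:", data_written("differential", [5, 3, 2, 4]))
```

The two functions together show the trade-off the exam is testing: incrementals are cheapest to create but the restore chain lengthens every day and breaks if any link is missing, while a differential restore is always two sets at the cost of ever larger nightly backups.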

What is the major disadvantage of using certificate revocation lists? A Key management B Vulnerability to brute-force attacks C Record keeping D Latency

Answer D is correct. Certificate revocation lists (CRLs) introduce an inherent latency into the revocation process because of the time lag between CRL publications: a certificate revoked just after a CRL is issued continues to validate until relying parties fetch the next one.
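The latency itself, made visible in a simulation that is an added example, not part of the original page, and that also illustrates the CRL definition from the earlier question: a CA that publishes a CRL on a schedule, a relying party that caches the list until its next update (as real clients do), and a timeline in which a certificate is revoked between publications. The serial number, interval and times are constructed, and no real X.509 or ASN.1 CRL parsing is attempted.

```python
# Added example (not part of the original page), serving both the CRL definition and
# the CRL-latency answer above: a simulated CA, CRL and relying party. The serial
# numbers, publication interval and timeline are constructed, and real X.509/ASN.1
# CRL parsing is deliberately left out; the point is the window between revocation
# and the next CRL publication, during which the certificate still validates.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class CRL:
    this_update: float            # when the CA signed this list
    next_update: float            # when the next list is promised
    revoked: frozenset            # serial numbers declared invalid


@dataclass
class CA:
    publish_interval: float
    _revoked: set = field(default_factory=set)
    _current: Optional[CRL] = None

    def revoke(self, serial):
        self._revoked.add(serial)             # takes effect in the NEXT published CRL

    def publish_crl(self, now):
        self._current = CRL(now, now + self.publish_interval, frozenset(self._revoked))
        return self._current

    def current_crl(self):
        return self._current

    def live_status_revoked(self, serial):
        """What an online (OCSP-style) query would answer right now."""
        return serial in self._revoked


class RelyingParty:
    """Caches the CRL until its next_update, as real clients do."""

    def __init__(self, ca):
        self.ca, self.cached = ca, None

    def accepts(self, serial, not_after, now):
        if now > not_after:
            return False                      # expiry needs no CRL at all
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.current_crl()
        return serial not in self.cached.revoked


def simulate(publish_interval, revoke_at, check_times, serial="1a2b", not_after=10**9):
    """Run a timeline: the CA publishes on schedule, revokes `serial` at `revoke_at`,
    and the relying party checks at each time. Returns {check_time: (crl_accepts, live_revoked)}."""
    ca, rp, results = CA(publish_interval), None, {}
    rp = RelyingParty(ca)
    last = max(check_times)
    events = [(k * publish_interval, 0, "publish") for k in range(int(last // publish_interval) + 1)]
    events.append((revoke_at, 0, "revoke"))
    events += [(t, 1, "check") for t in check_times]
    for t, _, kind in sorted(events):        # publish/revoke happen before checks at the same instant
        if kind == "publish":
            ca.publish_crl(t)
        elif kind == "revoke":
            ca.revoke(serial)
        else:
            results[t] = (rp.accepts(serial, not_after, t), ca.live_status_revoked(serial))
    return results


if __name__ == "__main__":
    for t, (accepted, live) in simulate(86400, 3600, [7200, 50000, 90000]).items():
        print(f"t={t:>6}s  CRL check accepts: {accepted}  live status revoked: {live}")
```

With a daily CRL the certificate is revoked one hour in and still accepted at two hours and again at fourteen hours, while the live-status column is already true; that gap is the latency, and shortening the publication interval or moving to an online check is the trade the exam answer points at.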

Which of the following is a conduction of independent technical review of a software product to determine whether specific security controls have been implemented as planned? A Authorization B Identification C Accreditation D Certification

Answer D is correct. Certification is the conduct of an independent technical review of a software product to determine whether specific security controls have been implemented as planned. Answer C is incorrect. Accreditation takes place between implementation and the beginning of operational use of the system or application, and follows the certification process. Certification is the process used to review and evaluate security controls and functionality; accreditation is the formal acceptance of the system by management and an explicit acceptance of its residual risk. Answer B is incorrect. Identification is the capability to find, retrieve, report, change, or delete specific data without ambiguity. Answer A is incorrect. Authorization is the process of granting permission; it verifies whether a user has permission to access a Web resource.

In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse? A Encrypting communications B Taping and archiving all conversations C Using transmission logs D Changing default passwords

Answer D is correct. Changing default passwords on PBX systems provides the most effective increase in security.

Which of the following is known as management of changes made to a system's hardware, software, or firmware throughout its operational life cycle? A Capacity management B Problem management C Incident management D Configuration management

Answer D is correct. Configuration management is known as management of changes made to a system's hardware, software, or firmware throughout its operational life cycle. Answer C is incorrect. Incident management is the process of restoring normal service operation as fast as possible while reducing unfavorable impact on business operations. Answer B is incorrect. Problem management reduces the adverse impact of incidents and problems on the business that occur due to errors in the IT infrastructure. Answer A is incorrect. Capacity management ensures that the service provider has, at all times, sufficient capacity so that the current and the future needs of the customer get fulfilled.

Local law enforcement contacts you regarding a recent computer crime. You supply evidence to the investigators. The investigators tell you that the evidence you supplied is corroborative evidence. Which statement is true of this type of evidence? A It always acts as concrete evidence. B It can sometimes be used alone. C It should be controlled by multiple sources. D It enables you to prove either a point or an idea.

Answer D is correct. Corroborative evidence enables you to prove a point or an idea. Corroborative evidence is additional evidence that is credible and admissible in a court of law. Although it cannot prove a fact on its own, it is used to supplement other evidence, which it confirms, supports, or strengthens by making that evidence more probable. Corroborative evidence is maintained and controlled by a single independent source different from either the accuser or the accused, and it may be either circumstantial or direct in nature. It must be gathered from sources independent of the primary evidence to confirm that the crime was committed and that the accused committed it.

You are the security administrator for a consulting firm. One of your clients' needs to encrypt traffic. However, he has specific requirements for the encryption algorithm. It must be a symmetric key block cipher. Which of the following should you choose for this client? A RC4 B SSH C PGP D DES

Answer D is correct. DES (Data Encryption Standard) is a symmetric-key block cipher: it encrypts 64-bit blocks under a 56-bit key. It was selected by the National Bureau of Standards in 1976 and published as a Federal Information Processing Standard (FIPS 46) in 1977, and it subsequently enjoyed widespread use internationally. The intense academic scrutiny DES attracted shaped the modern understanding of block ciphers and their cryptanalysis. Of the options listed it is the only symmetric block cipher, so it is the answer the question wants; in practice, however, the 56-bit key has been brute-forceable since the late 1990s, NIST withdrew the standard in 2005, and a client with this requirement today should be given AES. Answer C is incorrect. PGP (Pretty Good Privacy) is not a single algorithm but a hybrid encryption system (standardized as OpenPGP): a random symmetric session key encrypts the message, the recipient's public key encrypts that session key, and digital signatures provide authentication of e-mail between clients. Free implementations such as GnuPG have made it one of the most common ways to protect messages on the Internet. Answer B is incorrect. SSH (Secure Shell) is a network protocol that allows data to be exchanged over a secure channel between two networked devices. It uses public-key cryptography to authenticate the remote computer and negotiates a symmetric cipher for the session; it is a protocol, not a cipher. Answer A is incorrect. RC4 (Rivest Cipher 4) is a stream cipher designed by Ron Rivest: it generates a keystream and XORs it with the data byte by byte rather than operating on fixed-size blocks. It was used in many applications, including Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), and Wi-Fi Protected Access (WPA). RC4 is fast and simple, but some ways of using it lead to very insecure cryptosystems, WEP being the classic case, and its known keystream biases led RFC 7465 to prohibit RC4 in TLS.
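
The difference between a block cipher like DES and a stream cipher like RC4, and the WEP-style failure the answer alludes to, as an added example (not code from the practice test or from any of the products named): a from-scratch RC4 in Python, checked against the published test vector, followed by the keystream-reuse attack. The key and the two messages are constructed for the demonstration; RC4 is obsolete and appears here only to illustrate the point.

```python
# Added example, not part of the practice test: a minimal RC4 implementation
# used to show how a stream cipher differs from a block cipher such as DES and
# why reusing a stream-cipher key (the WEP mistake) is fatal. RC4 is obsolete;
# it is shown for illustration only and must not be used in new designs.
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key`: key scheduling (KSA), then PRGA."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric). A stream cipher XORs the
    data with the keystream byte by byte, so there is no fixed block size and
    no padding, unlike a block cipher, which transforms 64-bit (DES) or 128-bit
    (AES) blocks and needs a mode of operation plus padding for other lengths."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Keystream-reuse attack. If two messages were encrypted under the same
    key, both used the same keystream, so c1 XOR c2 == p1 XOR p2. Knowing p1
    (or guessing a header) therefore reveals p2 without learning the key.
    Returns as many bytes of p2 as the known part of p1 covers."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


if __name__ == "__main__":
    key = b"Key"
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(key, b"Plaintext").hex())            # bbf316e8d940af0ad3
    # Constructed messages that reuse the same key, as WEP effectively did.
    p1 = b"ACCOUNT BALANCE: 1000"
    p2 = b"TRANSFER TO: attacker"
    c1, c2 = rc4(key, p1), rc4(key, p2)
    print(recover_second_plaintext(c1, c2, p1))    # b'TRANSFER TO: attacker'
```

Decryption is the same call as encryption because XOR is its own inverse, which is exactly why a repeated keystream cancels out between two ciphertexts. A modern stream cipher such as ChaCha20 has the same property, so the real lesson is that a key (or key plus nonce) must never be reused, whatever the cipher.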

In computing environments, the process of removal of data remanence from media devices has many names. Which of the following terms does not describe this process? A Purging B Degaussing C Overwriting D Deleting

Answer D is correct. Deleting data does not remove data remanence. A delete normally removes only the file-system entry that points to the data; the bytes stay on the media until something overwrites them and can be recovered with ordinary forensic tools. Answers A, B, and C are incorrect. Purging, degaussing, and overwriting are terms that describe the process of removing data remanence from media in computing environments (NIST SP 800-88 groups the methods as clear, purge, and destroy). Note that degaussing works only on magnetic media; for flash storage such as SSDs, a firmware secure-erase command or physical destruction is used instead.

The research department at your company has decided to implement a new file server. The department manager will be responsible for granting access to the folders and files based on a user's or a group's identity. Which type of access control model is being used? A RBAC B MAC C ACL D DAC

Answer D is correct. Discretionary access control (DAC) is based on identity. The owner of a resource decides which users or groups may access it, which is why DAC is sometimes called identity-based access control. DAC suits local, dynamic situations in which the owners of resources, rather than a central authority, specify who can access them. An access control list (ACL) is not an access control model, although it is the mechanism most DAC implementations use: it is an entry-by-entry record of the access each user or group has to a given object. Mandatory access control (MAC) is a model based on security labels assigned by the system, which owners cannot override. Role-based access control (RBAC) is a model based on user roles. An access control model should be applied in a preventive manner, and the company's security policy determines which model is used.

Which of the following is also known as encrypted text? A Plaintext B Hypertext C Cookies D Ciphertext

Answer D is correct. Encrypted text is called ciphertext and the original text is called plaintext. Ciphertext is text encrypted under an encryption key; it is meaningless to anyone without the decryption key. Converting plaintext to ciphertext is encryption, and converting ciphertext back to plaintext is decryption. Answer A is incorrect because plaintext is the information a sender wishes to transmit to a receiver, for example an ordinary text file readable as-is without further processing. Answer B is incorrect because hypertext is a document with links to other documents; users click a link to view the linked document. Answer C is incorrect because a cookie is a small piece of text that accompanies requests and pages as they move between Web servers and browsers; it carries information that a Web application reads whenever the user visits the site.

What are ethics? A Regulations set forth by a professional organization B Laws of professional conduct C Mandatory actions required to fulfill job requirements D Rules of personal behavior

Answer D is correct. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity? A 20 percent B 40 percent C 60 percent D 80 percent

Answer D is correct. Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.

Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media? A Using sanitization tools on returned media B Employing a librarian or custodian C Using a check-in/check-out process D Hashing

Answer D is correct. Hashing is not a typical security measure for a media storage facility containing reusable removable media. Hashing verifies the integrity of a dataset (that the bits are unchanged), which is a different concern from controlling who handles the media and ensuring that returned media no longer hold their previous contents. The usual security features of a media storage facility are a librarian or custodian, a check-in/check-out process, and sanitization tools applied to returned media.

Your company network has reached such a large size that it is becoming increasingly difficult to manage user accounts and passwords. Management has asked you to investigate a cloud solution that you could deploy to make administration easier and to implement single sign-on. Which cloud deployment solution should you suggest? A PaaS B DBaaS C IPaaS D IDaaS

Answer D is correct. Identity as a Service (IDaaS) is a cloud-based identity management solution that allows an organization to implement single sign-on. An IDaaS offering usually includes single sign-on, provisioning, password management, access governance, granular access controls, centralized administration, and integration with internal directory services and with external services. Integration Platform as a Service (IPaaS) is a cloud-based solution that enables the development, execution, and governance of integration flows connecting on-premises and cloud-based processes, services, applications, and data within a single organization or across several. Database as a Service (DBaaS) is a cloud-based solution that supports applications without the application team assuming responsibility for traditional database administration functions. Platform as a Service (PaaS) is a cloud-based solution that allows customers to develop, run, and manage Web applications without building and maintaining the infrastructure typically associated with developing and launching an app.

An organization has a datacenter that processes highly sensitive information and is staffed 24 hours a day. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on internet sites, exposing the organization's internal sensitive data. Which of the following administrator actions might have prevented this incident? A Add the tapes to an asset management database. B Degauss the tapes before backing up data to them. C Purge the tapes before backing up data to them. D Mark the tapes before sending them to the warehouse.

Answer D is correct. If the tapes had been marked before they left the datacenter, warehouse employees would have recognized their value, and it is more likely that someone would have challenged storing them in a warehouse that is unattended at night and on weekends. Purging or degaussing the tapes before using them erases previously held data but does not help when sensitive information is backed up to the tapes afterwards. Adding the tapes to an asset management database would help track them but would not have prevented this incident. (Encrypting the backups and applying the six-month email retention rule to the backup copies as well would also have limited the exposure, but neither is among the options.)

In PKI, which term refers to a public key that can be used to verify the certificate used in a digital signature? A a target B a relying party C an issuer D a trust anchor

Answer D is correct. In a public key infrastructure (PKI), a trust anchor is a public key, usually delivered as a self-signed root CA certificate, that the verifying party trusts a priori; certification path validation (RFC 5280) starts from the trust anchor and checks each signature in the chain down to the certificate used in the digital signature. PKI is a system for securely distributing public keys and binding them to identities. An issuer is the PKI entity (a certification authority) that signs the certificates of subjects. The PKI entity that verifies a certificate chain is referred to as a relying party or verifier. In path-building terminology the target is the end-entity certificate for which a path to a trust anchor is being built.

Which of the following statements are true of the principle of least privilege? A It allows access of confidential data to only management. B It allows access to sensitive resources only. C It is the act of exploiting a bug or design flaw in a software application to gain access to resources. D It allows only access to those resources needed to perform a job function.

Answer D is correct. In information security, the principle of least privilege states that every program and every user of the system must operate using the least set of privileges necessary to complete the job. It allows only access to those resources needed to perform a job function. Answers A and B are incorrect. Since the principle of least privilege allows only those resources required to complete a job function, it makes no difference whether an employee belongs to management or the resources are sensitive or insensitive. However, if any resource is not required to perform a job, access should not be granted for that resource. Answer C is incorrect. Privilege escalation is the act of exploiting a bug or design flaw in a software application to gain access to resources, which normally would have been protected, from an application or user. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.

What is the term used for a short duration increase in voltage? A Surge B Fault C Sag D Spike

Answer D is correct. A spike is a short-duration increase in voltage, typically caused by lightning strikes, short circuits, or large loads switching, and it can damage equipment in a fraction of a second. Answer C is incorrect. A sag is a short-duration decrease in voltage; it occurs when the rms (root mean square) voltage drops to between 10 and 90 percent of nominal for half a cycle to one minute. Answer B is incorrect. A fault is a momentary loss of power (in electrical engineering the word also denotes an abnormal flow of current, such as a short circuit, which is often what causes the loss). Answer A is incorrect. A surge is a prolonged high voltage. It causes more damage than a spike because the circuit has to handle the excess power for a longer period.

You have recently implemented a public key infrastructure on a Windows Server 2008 network. Digital certificates will be issued to all valid users and computers. Which statement is NOT true of digital certificates? A X.509 is a digital certificate standard. B Level 1 assurance for a digital certificate only requires an e-mail address. C Digital certificates provide authentication before securely sending information to a Web server. D Level 2 assurance for a digital certificate only verifies a user's name and e-mail address.

Answer D is correct. Level 2 assurance verifies a user's name, address, social security number, and other information against a credit bureau database, not merely the name and e-mail address. X.509 is the digital certificate standard. It defines how a certificate authority creates a digital certificate and the fields present in one, such as the distinguished names of the subject and issuer, serial number, version number, validity dates, the signature algorithm identifier, the subject's public key, and the signature of the issuing authority. There have been several versions of the certificate format since its inception; the current one is version 3 (X.509v3), which added extensions and is the format profiled for the Internet in RFC 5280. X.509 certificates are used in many security protocols, including TLS (formerly SSL). Level 1 assurance for a digital certificate requires only an e-mail address. Digital certificates provide authentication before information is sent securely to a Web server: they act as safeguards for Internet transactions by supporting services such as nonrepudiation, authentication, and the negotiation of keys for encryption and decryption of data. When a certificate is created, the subject's public key and the validity period are combined with the issuer name and the signature algorithm identifier, and the issuer signs the result.

Which database interface language is a replacement for Open Database Connectivity (ODBC) and can only be used by Microsoft Windows clients? A ADO B JDBC C XML D OLE DB

Answer D is correct. Object Linking and Embedding Database (OLE DB) is the database interface that replaced ODBC and can be used only by Microsoft Windows clients. OLE DB is built on the Component Object Model (COM), Microsoft's framework for exchanging objects among programs; COM lets two software components communicate regardless of the language each was written in. ActiveX Data Objects (ADO) is a set of COM interfaces layered on top of OLE DB that allows client applications to access back-end database systems; a developer uses ADO to reach OLE DB providers, and ADO can be used from many different types of clients. Java Database Connectivity (JDBC) is the Java API that lets a Java application communicate with a database, either directly through a database-specific driver or through ODBC via a bridge driver. Extensible Markup Language (XML) structures data so that it can be shared easily over the Internet, and Web browsers are designed to interpret XML tags.

Which crime term is used to indicate when and where a crime occurred? A MOM B motive C means D opportunity

Answer D is correct. Opportunity is used to indicate when and where a crime occurred. Means is used to indicate how a criminal committed the crime. Motive is the term used to indicate why a crime is committed. Motive, opportunity, and means (MOM) are the three crime tenets that are investigated when a crime occurs.

What authentication protocol offers no encryption or protection for logon credentials? A RADIUS B SSL C CHAP D PAP

Answer D is correct. Password Authentication Protocol (PAP), defined in RFC 1334, is a standardized authentication protocol for PPP. PAP transmits the username and password in the clear in its Authenticate-Request packet and offers no form of encryption; it simply transports the logon credentials from the client to the authentication server, so anyone who can capture the link reads them directly. CHAP, by contrast, sends a hash of a server challenge and the shared secret, so the secret itself never crosses the link.
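
What "in the clear" means on the wire, as an added example that is not part of the practice test: a Python parser for the PAP Authenticate-Request defined in RFC 1334 and a small scanner that flags PAP frames in a PPP capture. The frames are constructed for the demonstration; the username, password, and identifier values are made up.

```python
# Added example, not part of the practice test: a parser for the PPP PAP
# Authenticate-Request (RFC 1334) that shows the username and password travel
# in the clear, plus a scanner that flags such frames in captured traffic.
# The frames at the bottom are constructed for the demonstration; the field
# layout (Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length,
# Password) follows RFC 1334 section 2.1.
import struct
from typing import List, Optional

PPP_PROTO_PAP = 0xC023    # PPP protocol number for PAP
PPP_PROTO_CHAP = 0xC223   # PPP protocol number for CHAP
PAP_AUTH_REQUEST = 1      # PAP Code field: Authenticate-Request


def build_pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request exactly as a client sends it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def parse_pap_request(packet: bytes) -> Optional[dict]:
    """Return the credentials carried by a PAP Authenticate-Request, or None if
    the packet is not one or is truncated or malformed."""
    if len(packet) < 4:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST or length < 6 or length > len(packet):
        return None
    pos = 4
    id_len = packet[pos]
    pos += 1
    if pos + id_len + 1 > length:             # Peer-ID plus Passwd-Length must fit
        return None
    peer_id = packet[pos:pos + id_len]
    pos += id_len
    pw_len = packet[pos]
    pos += 1
    if pos + pw_len > length:                 # Password must fit inside Length
        return None
    password = packet[pos:pos + pw_len]
    return {"id": identifier,
            "peer_id": peer_id.decode("latin-1"),
            "password": password.decode("latin-1")}


def find_cleartext_credentials(ppp_frames: List[bytes]) -> List[dict]:
    """Scan PPP frames (2-byte protocol field followed by the protocol packet)
    and report every PAP Authenticate-Request. CHAP frames are skipped: CHAP
    sends a hash of challenge and secret, never the password itself."""
    findings = []
    for frame in ppp_frames:
        if len(frame) < 2:
            continue
        (proto,) = struct.unpack("!H", frame[:2])
        if proto != PPP_PROTO_PAP:
            continue
        creds = parse_pap_request(frame[2:])
        if creds is not None:
            findings.append(creds)
    return findings


# Constructed sample capture: one PAP login followed by one CHAP Challenge
# (Code 1, Identifier 7, Length 9, Value-Size 4, 4-byte challenge value).
SAMPLE_FRAMES = [
    struct.pack("!H", PPP_PROTO_PAP) + build_pap_request(5, b"alice", b"hunter2"),
    struct.pack("!H", PPP_PROTO_CHAP) + struct.pack("!BBHB", 1, 7, 9, 4) + b"\xde\xad\xbe\xef",
]

if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_FRAMES):
        print(f"PAP credentials in the clear: {hit['peer_id']!r} / {hit['password']!r}")
```

The length checks matter in a detector: a truncated or hostile frame must not make the parser read past the packet, and a PAP packet whose Length field disagrees with its contents is discarded rather than guessed at.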

What type of database backup strategy involves maintenance of a live backup server at the remote site? A Electronic vaulting B Remote journaling C Transaction logging D Remote mirroring

Answer D is correct. Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronized as closely as the latency in the link between primary and remote systems will allow.

Which of the following statements correctly identifies a problem with sanitization methods? A Stored data is physically etched into the media. B Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data. C Even fully incinerated media can offer extractable data. D Personnel can perform sanitization steps improperly.

Answer D is correct. Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.

What is employed when user accounts are created by one employee and user permissions are configured by another employee? A rotation of duties B a two-man control C a collusion D separation of duties

Answer D is correct. Separation of duties is employed when user accounts are created by one employee and user permissions are configured by another. An administrator who creates a user account should not also have the authority to configure the permissions associated with it, so the two duties are separated. Separation of duties requires more than one individual to accomplish a critical task; it ensures that no single individual can compromise a system and is valuable in deterring fraud. Collusion is the involvement of more than one person in a fraud; separation of duties drastically reduces the chance of fraud because fraud now requires collusion. A two-man control means that two operators review and approve each other's work; it acts as a crosscheck, reduces the chance of fraud, and minimizes the risks of operations involving highly sensitive information. (An operator generally performs disk or tape mounting, backup and recovery, and hardware handling, and usually does not perform data entry.) Rotation of duties, or job rotation, means that an employee can carry out the tasks of another employee within the organization, so an individual may perform the tasks of more than one role over time; this keeps a check on other employees' activities, provides a backup resource, and deters fraud. Separation of duties can be either static or dynamic. Static separation of duties constrains the assignment of individuals to roles and of transactions to roles so that an individual can be either the initiator of a transaction or its authorizer, never both. Dynamic separation of duties lets an individual hold both roles but prevents exercising both on the same transaction: whoever initiates a given transaction may not be the one who authorizes it.
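
The static and dynamic forms of separation of duties described above, as an added example that is not part of the practice test: a Python policy check that refuses a role grant creating a static conflict (the account-creation and permission-assignment duties from the question) and a transaction log that refuses to let one person both initiate and authorize the same transaction. Role names, users, and transaction identifiers are constructed for the demonstration.

```python
# Added example, not part of the practice test: an access-governance check for
# separation of duties. Static SoD is enforced when roles are assigned (a
# conflicting pair can never be held together); dynamic SoD lets a person hold
# both roles but refuses to let the same person both initiate and authorize
# one transaction. Role names, users and transactions are constructed.
from typing import Dict, List, Set, Tuple

# Role pairs that must never be held by the same person (static SoD), e.g. the
# account-creation and permission-assignment duties from the question.
STATIC_CONFLICTS = [frozenset({"account_creator", "permission_assigner"})]

# Role pairs a person may hold but may not exercise on the same transaction.
DYNAMIC_CONFLICTS = [frozenset({"initiator", "authorizer"})]


def static_sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Audit existing assignments: (user, role_a, role_b) for each conflict held."""
    violations = []
    for user in sorted(assignments):
        for pair in STATIC_CONFLICTS:
            if pair <= assignments[user]:
                a, b = sorted(pair)
                violations.append((user, a, b))
    return violations


def assign_role(assignments: Dict[str, Set[str]], user: str, role: str) -> None:
    """Grant `role` to `user`, refusing grants that would create a static conflict."""
    held = assignments.get(user, set())
    for pair in STATIC_CONFLICTS:
        if role in pair and (pair - {role}) <= held:
            others = sorted(pair - {role})
            raise PermissionError(f"{user} may not hold {role} together with {others}")
    assignments.setdefault(user, set()).add(role)


class TransactionLog:
    """Records who acted in which capacity on each transaction and enforces
    dynamic SoD at the moment of the second action."""

    def __init__(self, assignments: Dict[str, Set[str]]):
        self._assignments = assignments
        self._actions: Dict[str, Dict[str, str]] = {}   # txn_id -> {role: user}

    def act(self, txn_id: str, user: str, role: str) -> None:
        if role not in self._assignments.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role}")
        acted = self._actions.setdefault(txn_id, {})
        for pair in DYNAMIC_CONFLICTS:
            if role in pair:
                (other,) = pair - {role}
                if acted.get(other) == user:
                    raise PermissionError(
                        f"{user} already acted as {other} on {txn_id}; cannot also be {role}")
        acted[role] = user


def demo() -> Dict[str, bool]:
    """Run the three scenarios and report whether each control fired."""
    assignments = {"alice": {"account_creator"},
                   "bob": {"permission_assigner"},
                   "carol": {"initiator", "authorizer"},
                   "dave": {"authorizer"}}
    results = {}
    try:                                    # static: alice would hold both duties
        assign_role(assignments, "alice", "permission_assigner")
        results["static_blocked"] = False
    except PermissionError:
        results["static_blocked"] = True
    log = TransactionLog(assignments)
    log.act("txn-1", "carol", "initiator")
    try:                                    # dynamic: same person, same transaction
        log.act("txn-1", "carol", "authorizer")
        results["dynamic_blocked"] = False
    except PermissionError:
        results["dynamic_blocked"] = True
    log.act("txn-1", "dave", "authorizer")  # a different authorizer is allowed
    results["other_authorizer_allowed"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The static check belongs in the provisioning path (and in a periodic audit such as static_sod_violations, because conflicts also appear through group nesting and stale accounts); the dynamic check has to live in the application that processes the transaction, since only it knows who initiated each one.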

A customer has requested a computer with a Clipper chip. What is a Clipper chip? A It is a modem chip. B It is an encryption algorithm. C It is a unique serial number in the computer chip. D It is an encryption chip.

Answer D is correct. The Clipper chip is an encryption chip based on the Skipjack algorithm. It was designed by the U.S. government in the early 1990s for use in devices such as telephones, computers, and modems, with key escrow built in so that law enforcement could decrypt communications under a court order. The Escrowed Encryption Standard (EES, FIPS 185) describes the Clipper chip. Each chip holds a unit key, which is used only to encrypt and decrypt the session key; messages themselves are encrypted with the session key. For every chip the escrow database holds a unique serial number and a copy of the corresponding unit key, split into two halves kept by two escrow agents. Every encrypted message sent by a Clipper chip includes a Law Enforcement Access Field (LEAF), which carries the chip's serial number and the session key encrypted under the unit key. Using the serial number, a law enforcement agency can identify which unit key to retrieve from the escrow database and then decrypt the message. The sequence for using the LEAF is as follows: decrypt the LEAF with the family key, Kf; recover the unique identifier, U, of the Clipper chip; obtain a court order to receive the two halves of the unit key, Ku, unique to that chip; reconstruct Ku; recover the session key, Ks; and use the session key to decrypt the message. The Clipper chip has the following disadvantages: the 80-bit key length used by Skipjack was considered weak by critics; the 16-bit checksum protecting the LEAF can be defeated (Matt Blaze showed in 1994 that a rogue LEAF with a valid checksum can be forged by brute force, defeating the escrow); the chip identifier sent with every session lets an agency tag and track communications, threatening citizens' privacy; and Skipjack was classified, so the design could not be publicly reviewed or tested at the time (it was declassified only in 1998, after the program had failed). The Clipper chip lost support because of these threats to personal privacy. Most companies turned to software-based encryption instead of hardware chips such as Clipper, and its use has been abandoned.

Which one of the following is the final step of the Fagan inspection process? A Rework B Inspection C None of the above D Follow-up

Answer D is correct. The Fagan inspection process runs through planning, overview, preparation, inspection (the meeting itself), rework, and follow-up; it concludes with the follow-up phase, in which the moderator verifies that the defects found have been fixed.

Which of the following books is used to examine integrity and availability? A Brown Book B Purple Book C Orange Book D Red Book

Answer D is correct. The Red Book is used to examine integrity and availability. It is so named because of the red color of its cover. This book's official name is Trusted Network Interpretation. Answer C is incorrect. The Orange Book deals with confidentiality. It is so named because of the orange color of its cover. It is also known as the Department of Defense (DoD) Trusted Computer System Evaluation Criteria. It provides the information needed to classify computer systems as security levels of A, B, C, or D, defining the degree of trust. Answer A is incorrect. The Brown Book is used for understanding trusted facility management. It is so named because of the brown color of its cover. Answer B is incorrect. The Purple Book deals with database management. It is so named because of the purple color of its cover.

Mark is studying an application developed by his colleague. To understand the crucial part of the application, Mark needs to ensure that the details are suppressed. What concept is this referring to? A Encryption B Authentication C Polymorphism D Abstraction

Answer D is correct. This is referring to abstraction. Abstraction is used when objects are classified or roles are assigned to subjects. It is used to suppress unnecessary details to examine and review the important and inherent properties. It allows the separation of conceptual aspects of a system. Answer B is incorrect. Authentication is the act of establishing or confirming something (or someone) as authentic, that is, the claims made by or about the subject are true. Answer A is incorrect. Encryption is used to hide the meaning or intent of a communication from unintended recipients. Answer C is incorrect. Polymorphism is a programming language feature that allows values of different data types to be handled using a uniform interface.

Which term refers to the amount of time a company can tolerate the outage of a certain asset, entity, or service? A maximum recovery time B business impact analysis C mean time to repair D maximum tolerable downtime E mean time between failure

Answer D is correct. The maximum tolerable downtime (MTD) is the amount of time a company can tolerate the outage of a certain asset, entity, or service. The MTD can range from a few minutes or hours for the most critical assets to 30 days or more for nonessential assets. MTD is based on the criticality of the asset's operations; critical assets usually cannot be replaced by manual methods. For example, a Web server that provides e-commerce functions will probably be more critical than a file server that provides storage for users' files. A business impact analysis (BIA) identifies critical business operations and calculates the risks and threats those operations face. The maximum recovery time is an estimate of the maximum amount of time it will take to recover a system, usually including restoring data from backups. The mean time between failures (MTBF) is the average operating time a piece of equipment runs between failures, usually provided by the equipment vendor, and is used to estimate when it will need replacement. The mean time to repair (MTTR) is the average time a piece of equipment will be down after a failure before it is repaired. A system is considered more reliable when it has a higher MTBF and a lower MTTR.

What is the intent of least privilege? A Enforce the least restrictive rights required by users to complete assigned tasks. B Enforce the most restrictive rights required by users to run system processes. C Enforce the least restrictive rights required by users to run system processes. D Enforce the most restrictive rights required by users to complete assigned tasks.

Answer D is correct. The principle of least privilege ensures that users (subjects) are granted only the most restrictive set of rights that still lets them perform their work tasks and job functions. The options that mention running system processes are wrong because users do not themselves execute system processes; the operating system does. And the principle enforces the most restrictive rights that suffice, not the least restrictive.

Which of the following terms refers to the act of obtaining plain text from cipher text without a cryptographic key? A Algorithm B Ciphertext C Hacking D Cryptanalysis

Answer D is correct. Cryptanalysis is the act of obtaining plaintext from ciphertext without the cryptographic key: recovering the meaning of encrypted information without access to the secret key that decryption normally requires. Answer B is incorrect. Ciphertext is text that has been converted into an unreadable form by encryption. Answer A is incorrect. An algorithm is the set of rules used to encrypt and decrypt data. Answer C is incorrect. Hacking is the act of gaining unauthorized access to a computer or network, for example by exploiting a security weakness or by planting malicious code; it may use cryptanalysis, but the term is much broader.

What are the main types of mechanical locks? combination locks cipher locks warded locks tumbler locks A option c B options a and b C option d D options c and d E option b F option a

Answer D is correct. The two main types of mechanical locks are warded locks and tumbler locks. Warded locks are basic padlocks: the lock has wards (metal projections around the keyhole), and only a key cut to clear the wards will turn in the lock. A tumbler lock has more pieces than a warded lock; the key fits into the cylinder and raises the lock pieces to the correct height. There are three types of tumbler locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks. Combination locks require the correct combination of numbers to unlock; they are not considered mechanical locks according to (ISC)2. Cipher locks are programmable and use keypads to control access, requiring a specific combination to be entered.

Which statement is true of Compartmented Mode Workstations (CMW)? A CMW, by default, grants information-related access to all users having security clearance. B CMW operates on the principle of maximum privilege. C CMW operates in a dedicated security mode. D CMW requires the use of information labels.

Answer D is correct. The use of information labels as a security measure is unique to compartmented mode workstations (CMW). CMW uses both information labels and sensitivity labels: sensitivity labels determine access permissions, while information labels describe the sensitivity of the information content (and float upward as data from different sources is combined) so that output can be marked correctly. CMW operates in the compartmented security mode. In that mode every user holds a clearance for the highest level of information on the system, but users need not have formal approval or a need to know for every compartment of data, so each user is granted only the access required for the information specific to the user's job. For example, a user in the software testing department should not need access to the organization's internal financial data and is not granted it, even at the same classification level. Access is granted by the need-to-know principle through a formal approval process, with the minimum access needed for each user's compartment; CMW therefore operates on least privilege, not maximum privilege. The dedicated security mode is a different mode of operation: it handles a single classification of information, unlike the compartmented mode, in which users can process multiple compartments of information at the same time.
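
The label dominance check that a compartmented-mode or other label-based (MAC) system applies, as an added example that is not part of the practice test: a Python model of sensitivity labels with levels and compartments, the no-read-up and no-write-down rules built on dominance, and the testing-versus-finance scenario from the answer. Level names, compartment names, and the sample objects are constructed for the demonstration.

```python
# Added example, not part of the practice test: the dominance check that a
# label-based (MAC / compartmented-mode) system applies before granting access.
# A subject's label dominates an object's label only when its level is at least
# the object's level AND its compartments include all of the object's
# compartments; clearance level alone is not enough. Names are constructed.
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high as `other` in level
        and its compartment set is a superset of the other's."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject, so
    data never flows to a lower level or to a context missing a compartment."""
    return obj.dominates(subject)


def access_decision(subject: Label, obj: Label) -> str:
    """Summarise the outcome as read-write / read-only / write-only / none."""
    r, w = can_read(subject, obj), can_write(subject, obj)
    return {(True, True): "read-write", (True, False): "read-only",
            (False, True): "write-only", (False, False): "none"}[(r, w)]


# Constructed scenario from the answer: a SECRET-cleared tester with the
# TESTING compartment has no need to know for FINANCE data at the same level.
tester = Label("SECRET", frozenset({"TESTING"}))
finance_doc = Label("SECRET", frozenset({"FINANCE"}))
test_plan = Label("CONFIDENTIAL", frozenset({"TESTING"}))
public_memo = Label("UNCLASSIFIED")

if __name__ == "__main__":
    for name, obj in [("finance_doc", finance_doc), ("test_plan", test_plan),
                      ("public_memo", public_memo)]:
        print(f"{name}: {access_decision(tester, obj)}")
```

The write rule is the one people find surprising: a subject may write to an object it cannot read (write-only) because that cannot leak anything downward, while the tester gets no access at all to the finance document despite holding the same SECRET level, which is the compartment (need-to-know) restriction the answer describes.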

You are deploying a virtual private network (VPN) for remote users. You want to meet the following goals: the VPN gateway should require the use of Internet Protocol Security (IPSec), all remote users must use IPSec to connect to the VPN gateway, and no internal hosts should use IPSec. Which IPSec mode should you use? A host-to-host B gateway-to-gateway C This configuration is not possible. D host-to-gateway

Answer D is correct. You should deploy host-to-gateway IPSec mode. In this configuration the VPN gateway requires IPSec for all remote clients, and the remote clients use IPSec to connect to the VPN gateway. The gateway decrypts the traffic, so any communication between the VPN gateway and the internal hosts on behalf of the remote clients does not use IPSec; only the traffic over the Internet is protected. In host-to-host IPSec mode each host must run IPSec, which would require every internal host that communicates with the VPN clients to deploy it, violating the stated goal. In gateway-to-gateway IPSec mode the gateways at each end of the connection provide the IPSec functionality and the individual hosts do not, so the VPN is transparent to the users; that deployment works best when a branch office or partner company needs access to your network, not for individual remote users.

Because of the value of your company's data, your company has asked you to ensure data availability. You want to implement the techniques that can help to ensure data availability. Which mechanism(s) should you implement? auditing techniques data recovery techniques authentication techniques fault tolerance techniques access control techniques A option d B option e C options a and c only D options b and d only E option a F option b G option c

Answer D is correct. You should implement data recovery and fault tolerance techniques to ensure data availability. Fault tolerance techniques work to ensure that data is available in the event of hardware failure. Data recovery techniques work to ensure that an alternate copy of data can be made available in event of system failure. None of the other techniques works to ensure data availability. Auditing and authentication techniques work to ensure user accountability and data integrity. Access control techniques work to ensure data confidentiality and integrity.

As a security professional, you have been asked to determine the appropriate retention policies for media, hardware, data, and personnel. You decide to first document the appropriate data retention policies. Which of the following statements is NOT true of developing these policies? A The personnel that are most familiar with each data type should work with you to determine the data retention policy. B You must understand where data is stored and the type of data stored. C Once you create the data retention policies, personnel must be trained to comply with the data retention policies. D You should work with data custodians to develop the appropriate data retention policy for each type of data the organization owns.

Answer D is correct. You should not work with the data custodians to develop the appropriate data retention policy for each type of data the organization owns. You should work with data owners, not data custodians, to develop the appropriate data retention policy for each type of data the organization owns. The personnel that are most familiar with each data type should work with you to determine the data retention policy. You must understand where data is stored and the type of data stored. Once you create the data retention policies, personnel must be trained to comply with the data retention policies.

You have been asked to carry out a penetration test on your organization's network. You obtain a footprint of the network. What should you do next? A Attempt to gain unauthorized access by exploiting the vulnerabilities. B Identify vulnerabilities in systems and resources. C Report to management. D Perform port scans and resource identification.

Answer D is correct. You should perform port scans and resource identification. A penetration test should include the following steps: Discovery - Obtain the footprint and information about the target and attack methods that can be used. Enumeration - Perform port scans and resource identification. Vulnerability mapping - Identify vulnerabilities in systems and resources. Exploitation - Attempt to gain unauthorized access by exploiting the vulnerabilities. Report - Report the results to management with suggested countermeasures. The formal steps in the penetration test are as follows: Document information about the target system or device. (This is discovery.) Gather information about attack methods against the target system or device. This includes performing port scans. (This is enumeration.) Identify the known vulnerabilities of the target system or device. (This is vulnerability mapping.) Execute attacks against the target system or device to gain user and privileged access. (This is exploitation.) Document the results of the penetration test and report the findings to management, with suggestions for remedial action. (This is reporting.)

Which options are components of the security kernel? (a) software (b) hardware (c) reference monitor (d) trusted computing base A point b B point c C point d D points c and d E points a and b F point a

Answer E is correct. Hardware, software, and firmware are the components of a security kernel. These components are a part of the trusted computing base (TCB). The components of a security kernel act as a mediator between the subjects and the objects by implementing and enforcing the reference monitor that acts as an abstract machine and regulates the information flow. The security kernel and the reference monitor work together to help protect the TCB. TCB is defined as a combination of security kernel components. The security kernel provides a foundation to build a trusted computing system. The four requirements of the security kernel are as follows: The security kernel should provide isolation for the processes. Every attempt to access the system should invoke the reference monitor. The reference monitor should be verified, and all the decisions logged. The security kernel should be small enough to be tested in a comprehensive manner. A computer system that employs the necessary hardware and software assurance measures to enable it to process multiple levels of classified or sensitive information is called a trusted system.

Which of the following codes are defined under 'Provide diligent and competent service to principals' of the Code of Ethics Canons described by the (ISC)2 code of ethics? Each correct answer represents a complete solution. Choose all that apply. A Respect their trust and the privileges that they grant you. B Preserve the value of their systems, applications, and information. C Preserve and strengthen the integrity of the public infrastructure. D Avoid conflicts of interest or the appearance thereof.

Answers A, B, and D are correct. The codes defined under 'Provide diligent and competent service to principals' of the Code of Ethics Canons described by the (ISC)2 code of ethics are as follows: Preserve the value of their systems, applications, and information. Respect their trust and the privileges that they grant you. Avoid conflicts of interest or the appearance thereof. Render only those services for which you are fully competent and qualified.

Your organization implements hybrid encryption to provide a high level of protection of your data. Which statements are true of this type of encryption? (a) The secret key protects the encryption keys. (b) Public keys decrypt the secret key for distribution. (c) Asymmetric cryptography is used for secure key distribution. (d) The symmetric algorithm generates public and private keys. (e) Symmetric cryptography is used for encryption and decryption of data. A option d B option e C options a and b D options c and d E options c and e F option a G option b H option c

Answer E is correct. Hybrid encryption methods use both asymmetric and symmetric algorithms. Asymmetric algorithms are slow, complex, intensive, and require added system resources and extra time to encrypt and decrypt the data. Therefore, asymmetric algorithms are used to generate public and private keys that protect encryption keys, such as session keys and secret keys, and are responsible for automated key distribution. A symmetric algorithm generates a secret key that is used for bulk encryption and decryption of data. The following characteristics sum up the hybrid encryption method: The public and private keys generated by the asymmetric algorithm secure the process of session or secret key exchange. The public and private keys encrypt and decrypt the secret key between two communication points. It is important to note that both public and private keys can be used for the encryption and decryption processes. The secret key generated by the symmetric algorithm is used for bulk encryption and decryption of data. The secret key encrypts the actual message.

At which layer of the OSI model do routers operate? A Session B Physical C Data-link D Transport E Network

Answer E is correct. Routers operate at the Network layer of the OSI networking model. They use source and destination addresses, which are located at the Network layer, to route packets. Switches use MAC addresses, which are located at the Data-link layer, to forward frames. The Session layer starts, maintains, and stops sessions between applications on different network devices. The Physical layer provides the functions to establish and maintain the physical link between network devices. Repeaters work at the Physical layer. The Transport layer of the OSI model segments and reassembles data into a data stream and provides reliable and unreliable end-to-end data transmission. Bridges work at the Data-Link layer.

Your organization's data center design plan calls for glass panes to be used for one wall of the data center to ensure that personnel in the center can be viewed at all times. Which type of glass should be used? A standard B tempered C acrylic D wired E shatter-resistant

Answer E is correct. Shatter-resistant glass should be used in the glass panes used for one wall of the data center. This is because the wall will be acting as an exterior wall. Standard windows provide no extra protection. Tempered windows are those in which the glass is heated and then cooled suddenly to increase glass integrity and strength. Acrylic is a type of plastic instead of glass. Acrylic windows are usually stronger than glass windows. Polycarbonate acrylics are the strongest acrylics. Wired windows have a mesh of wire embedded between two sheets of glass. The wire helps to prevent shattering.

The business continuity committee has developed the business impact analysis (BIA), identified the preventative controls that can be implemented, and developed the recovery strategies. Next, the committee should develop a contingency plan. Which teams should be included in this plan's development to aid in the execution of the final plan? (a) restoration team (b) damage assessment team (c) salvage team (d) risk management team (e) incident response team A option c B option d C option e D options a, d, and e E options a, b, and c F option a G option b

Answer E is correct. The teams that should be included in the contingency plan's development to aid in the execution of the final plan are the restoration, damage assessment, and salvage teams. Other teams that should also be included are the legal, media relations, network recovery, relocation, security, and telecommunications teams. The risk management team, while taking part in the actual development of the contingency plan, usually does not aid in the execution of the final plan. The risk management team helps to discover the risks and decide the probability of the risks. The incident response team is responsible for handling all responses for security incidents. They are not part of the execution of a contingency plan.

To improve security, which mechanisms should be utilized with a cipher lock? (a) door delay (b) key override (c) master keying (d) hostage alarm A option a B option b C option c D option d E options a and b F options c and d G all of the options

Answer G is correct. All of the listed mechanisms should be utilized with a cipher lock. A door delay is an alert that triggers if the door remains open for too long. A key override is a combination that overrides normal procedures. It is often used by supervisors. Master keying is used to change the access code. A hostage alarm is a combination that a person enters if he is in a hostage situation. This combination allows the user to access the secure area while alerting law enforcement officials and/or security guards. Another option that is important is a visibility shield to ensure that someone cannot see the combination that is keyed in. Battery backups are also important for cipher locks to ensure that the lock still functions in the event of power failure. You should also configure the cipher lock to unlock during a power failure to ensure that no one is stuck inside the facility. Once the battery backup fails, the cipher lock automatically opens.

You have implemented a computer system that is protected by MAC. Which activity(ies) are considered illegal on this system? (a) read-down (b) read-up (c) write-down (d) write-up A option a B option b C option c D option d E all of the options F options a and d only G options b and c only

Answer G is correct. Read-up and write-down activities are considered illegal on a computer system that is protected by mandatory access control (MAC). MAC is a type of nondiscretionary access control that uses security levels and categories to restrict access to information. MAC assumes that users are careless and that programs cannot be trusted to carry out the needs of users. On a MAC computer, security levels, such as confidential, secret, and top secret are similar to those used by the U.S. military. Read-up is the ability of users in a lower security category to read information that is in a higher category. Write-down is the ability of someone in a higher security category to write files that users in lower security categories can view. Read-down and write-up activities are allowed on a MAC computer or network.

Which attacks are considered common access control attacks? (a) spoofing (b) phreaking (c) SYN flood (d) dictionary attacks (e) brute force attacks A option b B option c C option d D option e E all of the options F options b and c only G options a, d, and e only H option a

Answer G is correct. Spoofing, dictionary attacks, and brute force attacks are common access control attacks. Spoofing occurs when an attacker implements a fake program that steals user credentials. A dictionary attack is a method where the attacker attempts to identify user credentials by feeding lists of commonly used words or phrases. A brute force attack is one in which the attacker tries all possible input combinations to gain access to resources. Phreaking is an attack performed by a group of hackers who specialize in telephone fraud. It is considered a telecommunications and network security attack. A SYN flood occurs when a network is flooded with synchronize (SYN) packets. As a result, the system is overloaded and performance suffers. Many times, legitimate users are denied access. A SYN flood is usually considered an application or system attack.

Which security threats are NOT self-replicating? (a) worm (b) virus (c) spyware (d) Trojan horse A option a B option b C option c D option d E all of the options F options a and b G options c and d

Answer G is correct. Spyware and Trojan horses are security threats that are NOT self-replicating. Spyware is actually a type of Trojan horse. These programs are downloaded and installed inadvertently when the user is downloading other programs. Viruses and worms can both self-replicate, meaning that the virus or worm can actually copy itself to multiple locations.

Which type or types of firewalls operate at the Network layer of the OSI model? (a) stateful firewall (b) kernel proxy firewall (c) packet-filtering firewall (d) circuit-level proxy firewall (e) application-level proxy firewall A all of the options B option e C option d D option c E option b F option a G options a and c only H options b, d, and e only

Answer G is correct. Stateful and packet-filtering firewalls operate at the Network and Transport layers of the OSI model. Stateful firewalls also operate at the Data-link layer. Circuit-level proxy firewalls operate at the Session layer. Kernel proxy and application-level proxy firewalls operate at the Application layer of the OSI model. Firewalls connect private and public networks. Their primary purpose is to protect the private network from security breaches by creating security checkpoints at the boundaries between the private and public networks. Firewalls create bottlenecks between the private and public networks because they must examine the packets that pass through them. If a dedicated firewall exists on your network, it will allow the centralization of security services. Firewalls provide packet filtering, Network Address Translation (NAT), proxy, and encrypted tunnel services, among other things. The encrypted tunnel services are probably the least important service provided by firewalls. Most firewalls include a protocol-filtering component that allows security administrators to configure firewall behavior based on the protocols it encounters. The rule enforcement engine of a firewall ensures that the rules configured by the security administrator are enforced. Most firewalls include an extended logging function that allows security administrators to audit firewall activities.

You are designing the procedures for your company's user account review. Which actions should you include as part of this review? (a) Ensure that all inactive accounts are disabled. (b) Ensure that there are no duplicate accounts. (c) Ensure that all active accounts have a password. (d) Ensure that all passwords follow the complexity rules. (e) Ensure that all accounts conform to the principle of least privilege. A option b B option c C option d D option e E all of the options F options a and b only G options a, c, and e only H option a

Answer G is correct. When implementing user account reviews, you should ensure that all inactive accounts are disabled, all active user accounts have a password, and that all user accounts conform to the principle of least privilege. It is not necessary to ensure that there are no duplicate accounts. Duplicate accounts may be necessary in some cases. It is not necessary to ensure that all passwords follow the complexity rules. This is part of password maintenance, not account maintenance.

A new security policy implemented by your organization states that all official e-mail messages must be signed with digital signatures. Which elements are provided when these are used? (a) integrity (b) availability (c) encryption (d) authentication (e) non-repudiation A option a B option b C option c D option d E option e F options a, b, and c G options c, d, and e H options a, d, and e

Answer H is correct. A digital signature is a hash value that is encrypted with the sender's private key. The message is digitally signed. Therefore, it provides authentication, non-repudiation, and integrity in electronic mail. In a digitally signed message transmission using a hash function, the message digest is encrypted in the sender's private key. Digital signatures do not provide encryption and cannot ensure availability. Digital Signature Standard (DSS) defines digital signatures. It provides integrity and authentication. It is not a symmetric key algorithm. A digital signature cannot be spoofed. Therefore, attacks, such as man-in-the-middle attacks, cannot harm the integrity of the message. Microsoft uses digital signing to ensure the integrity of driver files. A form of digital signature where the signer is not privy to the content of the message is called a blind signature.

Which of the following are based on malicious code? Each correct answer represents a complete solution. Choose two. A Trojan horse B Worm C Biometrics D Denial-of-service (DoS)

Answers A and B are correct. Worms and Trojan horses are based on malicious code. A worm is a software program that uses computer networks and security holes to replicate itself from one computer to another. It usually performs malicious actions, such as using the resources of computers as well as shutting down computers. A Trojan horse (Trojan) is a malicious software program that masquerades as a normal program. When a Trojan horse program is run, its hidden code runs to destroy or scramble data on the hard disk. An example of a Trojan horse is a program that masquerades as a computer logon screen to retrieve user names and password information. Answer D is incorrect. A denial-of-service (DoS) attack is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. Answer C is incorrect. Biometrics is a method of authentication that uses physical characteristics, such as fingerprints, scars, retinal patterns, and other forms of biophysical qualities to identify a person.

Which of the following are tunneling protocols used in a virtual private network (VPN)? Each correct answer represents a complete solution. Choose all that apply. A L2TP B MD5 C SCP D PPTP

Answers A and D are correct. The tunneling protocols used in a virtual private network (VPN) are: Layer 2 Tunneling Protocol (L2TP) is a more secure version of Point-to-Point Tunneling Protocol (PPTP). It provides tunneling, address assignment, and authentication. It allows the transfer of Point-to-Point Protocol (PPP) traffic between different networks. L2TP combines with IPsec to provide tunneling and security for Internet Protocol (IP), Internetwork Packet Exchange (IPX), and other protocol packets across IP networks. Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP does not provide confidentiality or encryption. It relies on the protocol being tunneled to provide privacy. It is used to provide secure, low-cost remote access to corporate networks through public networks such as the Internet. Using PPTP, remote users can use PPP-enabled client computers to dial a local ISP and connect securely to the corporate network through the Internet. PPTP has been made obsolete by Layer 2 Tunneling Protocol (L2TP) and IPsec. Answer C is incorrect. The Secure Copy protocol (SCP) is a network protocol that supports file transfers. It runs on port 22 and is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. It might not even be considered a protocol itself, but merely a combination of RCP and SSH. Answer B is incorrect. Message Digest 5 (MD5) is a cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

Which of the following policies and controls should you deploy for the client systems based on their identified risks? Each correct answer represents a complete solution. Choose all that apply. A Deploy only licensed, supported operating systems. B Deploy anti-malware and anti-virus software on all client systems. C Deploy firewall and host-based intrusion detection systems on the client systems. D Use drive encryption on all client system hard drives.

Answers A, B, C, and D are correct. You should deploy all of the listed policies and controls for the client systems based on their identified risks.

Which of the following policies and controls should you deploy for the client systems based on their identified risks? Each correct answer represents a complete solution. Choose all that apply. A Use drive encryption on all client system hard drives. B Deploy firewall and host-based intrusion detection systems on the client systems. C Deploy anti-malware and anti-virus software on all client systems. D Deploy only licensed, supported operating systems.

Answers A, B, C, and D are correct. You should deploy all of the listed policies and controls for the client systems based on their identified risks.

Which of the following tools are used to provide security of the outgoing traffic? Each correct answer represents a complete solution. Choose all that apply. A Watermarking B Data loss prevention C Timeout D Steganography

Answers A, B, and D are correct. Egress monitoring helps monitor the outgoing traffic of the enterprise network with the help of egress monitors. Various tools are also used to provide security of the outgoing traffic, such as steganography, watermarking, and data loss prevention. Steganography: It is an art of using cryptographic techniques to embed secret messages within another message. Watermarking: Adding digital watermarks to documents to protect intellectual property is accomplished by means of steganography. The hidden information is known only to the file's creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and trace the offending copy back to the source. Data loss prevention: It is a technology that reduces the risk of data loss whether the data is in use, in motion, or at rest. It identifies, monitors, and protects data through deep content inspection, contextual security analysis of transactions, and a centralized management framework. Answer C is incorrect. Timeout is used to avoid session attacks. If a user works on a computer and closes the browser window, the website may not log out the user account, so in this case the session will expire on its own after a period of time.

Which of the following statements are true of virtual private network (VPN)? A It is a form of wide area network (WAN) that supplies network connectivity over a possibly long physical distance. B It operates at the physical layer of the OSI model. C It provides remote offices or individual users with secure access to their organization's network. D It is a network that uses a public telecommunication infrastructure, such as the Internet.

Answers A, C, and D are correct. A virtual private network (VPN) is a form of wide area network (WAN) that supplies network connectivity over a possibly long physical distance. A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Answer B is incorrect. VPN operates at the network layer of the OSI model.

Which of the following items are representatives of an administrative access control method? Each correct answer represents a complete solution. Choose all that apply. A Incident investigation B Policy C Procedure D Encryption E Closed circuit television

Answers B and C are correct. Policy and procedure are administrative access controls, defined by an organization's security policy and other regulations or requirements. Answer A is incorrect. Incident investigation is a detective access control. Answers E and D are incorrect. Closed circuit television and encryption are preventive access controls.

Which of the following are tunneling protocols used in a virtual private network (VPN)? Each correct answer represents a complete solution. Choose all that apply. A SCP B PPTP C L2TP D MD5

Answers B and C are correct. The tunneling protocols used in a virtual private network (VPN) are: Layer 2 Tunneling Protocol (L2TP) is a more secure version of Point-to-Point Tunneling Protocol (PPTP). It provides tunneling, address assignment, and authentication. It allows the transfer of Point-to-Point Protocol (PPP) traffic between different networks. L2TP combines with IPsec to provide tunneling and security for Internet Protocol (IP), Internetwork Packet Exchange (IPX), and other protocol packets across IP networks. Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP does not provide confidentiality or encryption. It relies on the protocol being tunneled to provide privacy. It is used to provide secure, low-cost remote access to corporate networks through public networks such as the Internet. Using PPTP, remote users can use PPP-enabled client computers to dial a local ISP and connect securely to the corporate network through the Internet. PPTP has been made obsolete by Layer 2 Tunneling Protocol (L2TP) and IPsec. Answer A is incorrect. The Secure Copy protocol (SCP) is a network protocol that supports file transfers. It runs on port 22 and is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. It might not even be considered a protocol itself, but merely a combination of RCP and SSH. Answer D is incorrect. Message Digest 5 (MD5) is a cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.

social engineering attacks

Caller ID Spoofing: Occurs when a user intentionally falsifies the information transmitted to disguise his identity Shoulder Surfing: Uses direct observation methods, such as looking over someone's shoulder, to get information Vishing: Uses the telephone system to access private, personal, and financial information of a person Eavesdropping: Allows an attacker to listen to the private conversation of a sender and receiver without their consent Snooping: Allows an unauthorized user to access another person's or a company's data

Alice wants to digitally sign a message she's sending to Bob. Click to select the steps that she follows, and then drag them into the correct order.

Explanation: Here are the steps followed by Alice in a digital signature system: Generates a message digest of the original plain-text message using one of the cryptographically sound hashing algorithms, such as SHA-512. Encrypts only the message digest using her private key. This encrypted message digest is the digital signature. Appends the signed message digest to the plain-text message. Transmits the appended message to Bob.

flag bit designators to match them with their descriptions

Here are the flag bit designators: CWR (Congestion Window Reduced): Manages transmission over congested links FIN (Finish): Requests graceful shutdown of TCP session URG (Urgent): Indicates urgent data RST (Reset): Causes immediate disconnect of TCP session SYN (Synchronization): Requests synchronization with new sequencing numbers

Business continuity planning (BCP)

focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources. As long as the continuity of the organization's ability to perform its mission-critical work tasks is maintained, BCP can be used to manage and restore the environment. The BCP process has four main steps: Project scope and planning Business impact assessment Continuity planning Approval and implementation

Which of the following represents accidental or intentional exploitations of vulnerabilities? A Threat agents B Risks C Threat events D Breaches

Answer C is correct. Threat events are accidental or intentional exploitations of vulnerabilities.

Mark reads the following lines in the document from his workstation: Access the Aspen Bridge by telnet. Enter into privileged mode. Execute command 6 and press Enter. Load the config file. Hit Run. What type of document is Mark reading? A Security policy B Regulatory policy C Guideline D Procedure

Answer D is correct. A procedure is a detailed, step-by-step how-to document that specifies the exact actions required to implement a specific security mechanism, control, or solution. A procedure can discuss the complete system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions. Procedures are system and software specific in most cases. Answer A is incorrect. A security policy is a document that defines the scope of security required by an organization. Answer B is incorrect. A regulatory policy is used when industry or legal standards are applied to the organization. It contains the regulations that the organization must follow and defines the procedures that support compliance with them. Answer C is incorrect. A guideline points to a statement in a policy or procedure that helps determine a course of action.

Which type of security plan is designed to be a forward-looking document pointing out goals to achieve in a five-year time frame? A Operational B Tactical C Strategic

Answer C is correct. A strategic plan focuses on five-year goals, missions, and objectives. It is a fairly stable, long-term plan that defines an organization's security purpose. Answer A is incorrect. An operational plan is a highly detailed, short-term plan based on the strategic and tactical plans. It is updated monthly or quarterly to retain compliance with tactical plans. Answer B is incorrect. The tactical plan is a midterm plan that provides details on accomplishing the goals defined in the strategic plan. It is useful for about a year.

Which of the following is the lowest military data classification for classified data? A Private B Sensitive C Secret D Proprietary

Answer C is correct. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.

What process does a system use to officially permit access to a file or a program? A Authorization B Validation C Authentication D Identification

Answer A is correct. A system can use an authorization process to officially permit access to a file or a program. This process is used for granting permission and specifying access rights to resources. Answer B is incorrect. Validation confirms whether the data values entered by a user are valid. Answer C is incorrect. Authentication is an act of establishing or confirming something (or someone) as authentic, such as that the claims made by or about the subject are true. Answer D is incorrect. Identification is the process by which a subject professes an identity and accountability is initiated.

What is defined in an acceptable use policy? A how users are allowed to employ company hardware B the method administrators should use to back up network data C the sensitivity of company data D which users require access to certain company data

Answer A is correct. An acceptable use policy defines how users are allowed to employ company hardware. For example, an acceptable use policy, which is sometimes referred to as a use policy, might answer the following questions: Are employees allowed to store personal files on company computers? Are employees allowed to play network games on breaks? Are employees allowed to "surf the Web" after hours? An information policy defines the sensitivity of a company's data. In part, a security policy defines separation of duties, which determines who needs access to certain company information. A backup policy defines the procedure that administrators should use to back up company information.

Management asks you to provide a list of all access controls that will detect when a security issue occurs. Which control is an example of this? A audit log B router C encryption D access control list (ACL)

Answer A is correct. An audit log is an example of a detective technical control because it detects security breaches once they have occurred. An audit log is also considered to be a compensative technical control. Routers, firewalls, and access control lists (ACLs) are examples of preventative technical controls because they prevent security breaches. They are all also compensative technical controls.

There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling.

The three access control categories provide seven different functionalities or purposes:
Preventative - A preventative control prevents security breaches and avoids risks.
Detective - A detective control detects security breaches as or after they occur.
Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
Deterrent - A deterrent control deters potential violations.
Recovery - A recovery control restores resources.
Compensative - A compensative control provides an alternative control if another control would be too expensive. All controls are generally considered compensative.
Directive - A directive control provides mandatory controls based on regulations or environmental requirements.

Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.
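An audit log is only a detective control if something actually reads it and raises an alert. The following is an added example, not code from the original page: a small detector run over constructed sshd-style log lines (the line format, the hosts, the IP addresses and the thresholds are assumptions made for the illustration). It flags a source address with five or more failed logins inside a five-minute window, and separately flags a later successful login from an address that was already flagged, which is the case an analyst most wants to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (syslog-like sshd lines assumed for the example).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
2024-03-01T09:00:03 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51124 ssh2
2024-03-01T09:00:04 sshd[1201]: Failed password for root from 198.51.100.7 port 51125 ssh2
2024-03-01T09:00:06 sshd[1201]: Failed password for root from 198.51.100.7 port 51127 ssh2
2024-03-01T09:00:08 sshd[1201]: Failed password for root from 198.51.100.7 port 51129 ssh2
2024-03-01T09:00:09 sshd[1201]: Accepted password for root from 198.51.100.7 port 51130 ssh2
2024-03-01T09:15:00 sshd[1300]: Failed password for alice from 203.0.113.5 port 40010 ssh2
2024-03-01T09:45:00 sshd[1300]: Failed password for alice from 203.0.113.5 port 40011 ssh2
2024-03-01T09:46:00 sshd[1300]: Accepted publickey for alice from 203.0.113.5 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield one event dict per recognised line; unrecognised lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            }


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector over login events.

    Returns a list of (alert_type, ip, timestamp). An IP is flagged once when
    it reaches `threshold` failures inside `window`; any later success from
    a flagged IP produces a second, higher-priority alert.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in events:
        q = failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], ev["ts"]))
        elif ev["ip"] in flagged:
            alerts.append(("success_after_bruteforce", ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(*alert)
```

In the sample, alice's two failures are thirty minutes apart and never reach the threshold, so her later key-based login is not flagged; the five rapid failures from 198.51.100.7 are, and the password login that follows them is reported as a likely compromise. The detection happens after the fact, which is exactly why the audit log is classed as detective rather than preventative.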

As you are designing your security awareness training, you list the different groups that require different training. Which group should receive security training that is part education and part marketing? A executives B employees C developers D administrators

Answer A is correct. Company executives should receive security training that is part education and part marketing. The education component should be designed to give executives an overview of network security risks and requirements. The marketing component should include information that persuades executives of the requirement for strong security measures on a computer network. Without the support of company executives, a company cannot typically mount an effective network security defense. Administrators require frequent security updates so that they can configure a network in a secure manner. Developers require security training to ensure that they program in a manner that maintains or improves network security. Employees require general network security training on issues such as social engineering, creation of network credentials, and company security policy. Social engineering techniques include piggybacking, impersonation, and talking.

Which security principle identifies sensitive data and ensures that unauthorized entities cannot access it? A Confidentiality B Availability C Integrity D Authentication

Answer A is correct. Confidentiality identifies sensitive data and ensures that unauthorized entities cannot access it. Confidentiality is the opposite of disclosure. Availability ensures that data and resources are available to authorized entities in a timely manner. Integrity ensures that data and resources are modified only in an approved manner by authorized entities. Authentication is the process of verifying the identity claimed by a subject requesting system access. When considering confidentiality in the private sector, information that is considered highly confidential should be available only to those whose job requires access to it. Authorization to access highly confidential data should be checked each time the data is accessed.

How is single loss expectancy (SLE) calculated? A Annualized rate of occurrence * asset value * exposure factor B Annualized rate of occurrence * vulnerability C Asset value ($) * exposure factor D Threat + vulnerability

Answer C is correct. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

What are the core security objectives for the protection of information assets? A Confidentiality, integrity, and availability B Asset, liabilities, and risks C Risks, threats, and vulnerabilities D Risks, liabilities, and vulnerabilities

Answer A is correct. Confidentiality, integrity, and availability are the core objectives for the protection of an organization's information assets. These three objectives are also referred to as the CIA triad. Availability includes the ability to provide redundancy and fault tolerance, to operate at the optimum level of performance, to cope with vulnerabilities and threats such as DoS attacks, and to recover from disruption without compromising security and productivity. Integrity ensures the correctness of data and the reliability of information, the protection of data and the system from unauthorized alteration, and that neither attacks nor user mistakes can affect the integrity of the data and the system. Confidentiality is defined as the minimum level of secrecy maintained to protect sensitive information from unauthorized disclosure. Confidentiality can be implemented through encryption, access control, data classification, and security awareness. Maintaining the confidentiality of information helps protect an organization against attacks such as shoulder surfing and social engineering, which can lead to the disclosure of confidential information and can disrupt business operations. Risks, threats, and vulnerabilities are evaluated during the risk analysis conducted by an organization. During a risk analysis, an asset is valued based on its sensitivity and value. The evaluation of risks, threats, and vulnerabilities provides an estimate of the controls that should be placed in an organization to achieve its security objectives. Common information-gathering techniques used in risk analysis include distributing a questionnaire, employing automated risk assessment tools, and reviewing existing policy documents. The rest of the options are invalid in terms of the security evaluation and security objectives of an organization.

Which statement is true of downstream liability? A It ensures that organizations working together under a contract are responsible for their information security management. B It pertains to a single organization. C It is a term used to represent contractual liabilities of business operations. D It pertains to the organization's responsibility to maintain the privacy of information of the employees.

Answer A is correct. Downstream liability ensures that organizations working together under a contract are responsible for their own information security management and for the security controls they deploy. The companies might sign contracts to work together in an integrated manner; an extranet is an example of such an arrangement. Under such a contract, each company should apply the concepts of due care and due diligence and implement countermeasures to protect information assets. Downstream liability ensures that each company provides its share of security and is responsible for any negligence caused by a lack of security controls in its infrastructure. Downstream liability pertains to multiple organizations working under a contract and is not limited to a single organization. Downstream liability pertains to legal or business obligations and not to the contractual obligations of business operations. Downstream liability involves a company and the business partners of the company. Downstream liability pertains to legal obligations arising from security requirements and does not deal with the privacy of employee information. The technologies of the companies bound by the contract should be interoperable to maintain harmony in business operations. Regular auditing should be performed to confirm that the companies are not negligent in their actions and their respective security concerns. For example, suppose that, because of a lack of information security management in one company, a channel partner's network is infected with a worm. If the worm negatively affects the functionality of the partner company, the partner may sue the primary company on grounds of negligence. Downstream liability applies in such a situation.

What will be the major resource consumed by the BCP process during the BCP phase? A Personnel B Processing time C Software D Hardware

Answer A is correct. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

Which of the following is the most important and distinctive concept in relation to layered security? A Series B Parallel C Filter D Multiple

Answer A is correct. Layering is the deployment of multiple security mechanisms in series. When security restrictions are performed in series, they are applied one after the other in a linear fashion, so a single failure of one security control does not render the entire solution ineffective. Answers B, C, and D are incorrect. These concepts are not what distinguishes layered security.

Which of the following is not considered an example of data hiding? A Preventing an authorized reader of an object from deleting that object B Preventing an application from accessing hardware directly C Restricting a subject at a lower classification level from accessing data at a higher classification level D Keeping a database from being accessed by unauthorized visitors

Answer A is correct. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.

Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A ™ B ® C © D †

Answer A is correct. Richard's product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and Richard can begin using the ® symbol.

Which of the following statements is not true? A Risks to an IT infrastructure are all computer based. B The process by which the goals of risk management are achieved is known as risk analysis. C IT security can provide protection only against logical or technical attacks. D An asset is anything used in a business process or task.

Answer A is correct. Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing a risk evaluation for an organization. If it fails to properly evaluate and respond to all forms of risk, a company remains vulnerable.

By using which analysis does a group reach an anonymous consensus while all members of that group are in the same room? A Delphi technique B Survey C Storyboarding D Brainstorming

Answer A is correct. The Delphi technique is a group decision method that seeks a consensus while retaining the anonymity of the participants. Answer D is incorrect. Brainstorming is a group creativity technique that seeks a conclusion for a specific problem by gathering a list of ideas spontaneously contributed by its members; contributions are not anonymous. Answer C is incorrect. A storyboard is a graphic organizer in which illustrations are arranged for the purpose of pre-visualizing a picture, animation, or motion graphic. Answer B is incorrect. A survey collects responses from participants but does not by itself produce a consensus.

Which of the following is considered an activity that has the potential to cause harm to information systems or networks? A Safeguard B Vulnerability C Threat D Asset

Answer C is correct. A threat is an activity that has the potential to cause harm to information systems or networks. Answer B is incorrect. A vulnerability is a software, hardware, or procedural weakness that may provide an open door to an attacker. Answer D is incorrect. An asset is anything within the environment that needs to be protected. It can be a computer file, a network service, a system resource, a process, a program, and so on. Answer A is incorrect. A safeguard eliminates a vulnerability or protects the system against particular threats.

Which US law makes it illegal to bypass electronic copy protection? A DMCA B PATRIOT Act C Economic Espionage Act D Federal Sentencing Guidelines

Answer A is correct. The Digital Millennium Copyright Act (DMCA) makes it illegal to bypass electronic copy protection. The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. This clause was designed to protect copy-prevention mechanisms placed on digital media such as CDs and DVDs. Answer B is incorrect. The PATRIOT Act allows authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under a single warrant. Answer D is incorrect. The Federal Sentencing Guidelines provide penalty recommendations for breaking federal laws. Answer C is incorrect. The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets.

As a health care provider, your organization must follow the guidelines of HIPAA. Which statement is true of HIPAA? A HIPAA is enforced by Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). B The HIPAA task force performs an inventory of the employees. C HIPAA addresses the issues of security and availability. D HIPAA imposes negligible penalties on offenders.

Answer A is correct. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is responsible for the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is also known as the Kennedy-Kassebaum Act. The primary emphasis of HIPAA is on administrative simplification through improved efficiency in health care delivery. This simplification is achieved by standardizing electronic data interchange and protecting the confidentiality and security of health data. HIPAA preempts state laws unless the state law is more stringent, that is, stricter than the HIPAA regulations in a certain aspect; in that case the state law applies. HIPAA applies to health information that is created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. HIPAA is not applicable to financial institutions, such as banks. It is applicable to any entity that may store health care information on a regular basis, including hospitals, clinics, universities, schools, billing agencies, and clearinghouses. Title II, Administrative Simplification, of HIPAA addresses transaction standards that include code sets, unique health identifiers, security and electronic signatures, and privacy. Title II covers health care providers who transmit health information electronically in connection with standard transactions, health plans, and health care clearinghouses. It does NOT cover employers. The American National Standards Institute Accredited Standards Committee X12 (ANSI ASC X12) Standard version 4010 applies to the transactions category of HIPAA. The implementation of HIPAA has resulted in changes in health care transactions and administrative information systems. HIPAA imposes heavy civil and criminal penalties on noncompliant offenders.
The fines can range from $25K to $250K if there are multiple violations of the same standard. An individual may also be subject to imprisonment for deliberately misusing health information. The HIPAA task force keeps an inventory of the following in a company: systems, processes, policies, procedures, and data. The HIPAA task force determines the information that is critical to patient care and to the medical institution. These elements are listed by priority, availability, reliability, access, and usage. The task force responsible for the analysis of the company's information should carefully document the criteria used.

Which of the following laws will affect the organization? A SOX Act B GLBA of 1999 C HIPAA D FISMA of 2002

Answer A is correct. The Sarbanes-Oxley (SOX) Act will affect the organization. The SOX Act affects any publicly traded company in the United States. The Gramm-Leach-Bliley Act (GLBA) of 1999 only affects financial institutions. The Health Insurance Portability and Accountability Act (HIPAA) affects healthcare organizations. The Federal Information Security Management Act (FISMA) of 2002 affects every federal agency.

You are a member of the team that has been selected to create your organization's business continuity plan. What is the most vital document in this plan? A business impact analysis (BIA) B disaster recovery plan C vulnerability analysis D occupant emergency plan (OEP)

Answer A is correct. The business impact analysis (BIA) is the most vital document to the business continuity plan. The majority of the steps of the business continuity plan rely on the results of the BIA. The goals of the BIA include resource requirements (identifying the resource requirements of the critical business unit processes), criticality prioritization (identifying and prioritizing every critical business unit process), and downtime estimation (estimating the maximum down time the business can tolerate). The disaster recovery plan is created to ensure that your company is able to resume operation in a timely manner. As part of the business continuity plan, it mainly focuses on alternative procedures for processing transactions in the short term. It is carried out when the emergency occurs and immediately following the emergency. While it is an important part of the business continuity plan, it is not the most vital document because no other parts of the business continuity plan rely on it. Business recovery plans should be created for all areas within an organization. A vulnerability analysis identifies your company's vulnerabilities. It is part of the BIA. An occupant emergency plan (OEP) is created to ensure that injury and loss of life are minimized when an outage or disaster occurs. It also focuses on property damage. While it is an important part of the business continuity plan, it is not the most vital because no other parts of the business continuity plan rely on it.

When developing a security management program, which development will be the result of following a life cycle structure? A Written policies are mapped to and supported by security activities. B Individuals responsible for protecting company assets do not communicate. C Progress and return on investment cannot be assessed. D The organization relies on technology for all security solutions.

Answer A is correct. When written policies are mapped to and supported by security activities it is the result of following a life cycle structure. When the life cycle structure for developing a security management program is NOT followed, the following situations occur: Written policies and procedures are NOT mapped to and supported by security activities. Individuals responsible for protecting company assets do NOT communicate and are disconnected from each other. Progress and the return on investment of spending and resource allocation can NOT be assessed. The security program deficiencies are NOT understood, and a standardized way of improving the deficiencies does NOT exist. Compliance to regulations, laws, and policies is NOT assured. The organization relies on technology for all security solutions. Security breaches result in emergency measures in a reactive approach.

Your organization has just expanded its network to include another floor of the building where your offices are located. You have been asked to ensure that the new floor is included in the business continuity plan. What should you do? A Update the business continuity plan to include the new floor and its functions. B Complete a parallel test. C Complete a simulation test. D Complete a structured walk-through test.

Answer A is correct. You should update the business continuity plan to include the new floor and its functions. When new resources, hardware, or software are added, you will only need to modify the business continuity plan to include the new resources, hardware, or software. Most likely, your plan will already cover the resources that exist on the new floor. However, the plan will need to incorporate the fact that the new resources exist. It is not necessary to perform any tests until they are scheduled. Currently, the new floor is not included in the business continuity plan. Therefore, any type of test will not include resources on that floor. A structured walk-through test walks through the different scenarios of the plan to ensure that nothing is left out. A simulation test simulates an actual failure based on a scenario to test the reaction of personnel. The primary purpose for this test is to ensure that nothing is left out. A parallel test ensures that specific systems can perform at an alternate site. Systems are actually brought online at the alternate site and regular usage occurs.

Which of the following security factors does not come under CIA triad? A Confidentiality B Authentication C Integrity D Availability

Answer B is correct. Authentication does not come under the CIA triad. The CIA triad is the set of three core security objectives, confidentiality, integrity, and availability, against which security controls are evaluated; it has nothing to do with the Central Intelligence Agency. Authentication is the process of verifying the identity of a person, network host, or system process. The authentication process compares the provided credentials with the credentials stored in the database of an authentication server. Answers A, C, and D are incorrect. Confidentiality, integrity, and availability are the security factors that make up the CIA triad.

Which of the following statements is true of disaster recovery? A It is same as business continuity. B It deals with the actions that are required to take place right after a disaster. C It deals with the actions that are required to take place to keep operations running over a longer period of time. D It is a planning, which is a superset of a larger process known as business continuity planning.

Answer B is correct. Disaster recovery is defined as the process of restoring systems and data if there is partial or complete failure of computers due to technical or other causes. It resumes normal business operations as quickly as possible, after the disaster is over. It deals with the actions that are required to take place right after a disaster. Answer C is incorrect. Business continuity deals with the actions that are required to take place to keep operations running over a longer period of time. Answer D is incorrect. Disaster recovery planning is a subset of a larger process known as business continuity planning. Answer A is incorrect. Disaster recovery is different from business continuity. It deals with the actions that are required to take place right after a disaster. Business continuity deals with the actions that are required to take place to keep operations running over a longer period of time.

Which business continuity plan (BCP) element exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur? A business impact analysis (BIA) B insurance C continuity of operations plan (COOP) D reciprocal agreement

Answer B is correct. Insurance exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur. Insurance is usually purchased to cover asset loss due to fire or theft. There are specific types of insurance policies that now exist to cover certain catastrophic events. A business impact analysis (BIA) analyzes the threats to an organization to determine how the organization might be affected. A reciprocal agreement is an agreement between two organizations to provide alternate facilities to each other. A continuity of operations plan (COOP) is written to ensure that an organization is able to continue essential functions under a broad range of circumstances.

Which of the following is not specifically or directly related to managing the security function of an organization? A Metrics B Worker job satisfaction C Budget D Information security strategies

Answer B is correct. Managing the security function often includes assessment of budget, metrics, resources, and information security strategies, and assessing the completeness and effectiveness of the security program.

Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special type of oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs? A Patent B Trade secret C Copyright D Trademark

Answer B is correct. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely. Answer A is incorrect. A patent is a form of intellectual property which provides an inventor with a set of exclusive rights for a specific period of time, generally 20 years. Answer D is incorrect. A trademark is a form of intellectual property which includes registered slogans, words, or logos used to identify a company and its products. Answer C is incorrect. Copyright is a form of intellectual property which grants exclusive rights to the creator of an original work for its use and distribution.

You have developed the information security policy for your organization. Which step should precede the adoption of this policy? A conducting security awareness training B obtaining management approval C implementation of standards D implementation of procedures

Answer B is correct. Obtaining management approval should precede the adoption of an information security policy. The development of the information security policy should be overseen by an organization's business operations manager. A security policy defines the broad security objectives of an organization. It establishes each individual's authority and responsibility. It also establishes procedures to enforce the security policy. An organization's senior management has the primary responsibility for the organization's security. Therefore, they must determine the level of protection needed and endorse the security policy. Departmental managers also contribute to the development of the information security policy. Development of the information security policy is usually tasked to a middle-level manager, such as the business operations manager. The implementation of standards, procedures, and guidelines should occur after the development of an information security policy. The security policy defines the procedure for setting up a security program and its goals. The management assigns the roles and responsibilities and defines the procedure to enforce the security policy. Security awareness training is based on the guidelines and standards defined in the security policy. Therefore, the training is conducted after the creation and adoption of the security policy. Awareness and training help users become more accountable for their actions. Security awareness improves the users' awareness of the need to protect information resources. Security education assists management in developing the in-house expertise to manage security programs. Description of specific technologies for information security is not included in the security policy.

The team writes business continuity procedures. The business continuity procedures return operations to normal conditions as part of the overall disaster recovery plan. Which of the following types of control is the business continuity procedure? A Physical B Recovery C Directive D Logical

Answer B is correct. Recovery controls attempt to return conditions to a normal state. Business continuity procedures are designed to return business operations to their normal state following a disaster. Answers A, C, and D are incorrect. The business continuity procedure is not a physical, directive, or logical control.

Which of the following is not an element of the risk analysis process? A Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage B Selecting appropriate safeguards and implementing them C Creating a cost/benefit report for safeguards to present to upper management D Analyzing an environment for risks

Answer B is correct. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.
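The quantitative side of risk analysis is a short chain of formulas: SLE = AV * EF (the earlier question), ALE = SLE * ARO, and the value of a safeguard = ALE before the safeguard, minus ALE after it, minus the safeguard's annual cost. The following is an added example, not code from the original page, that carries those formulas through for one risk and several candidate safeguards and produces the ranked cost/benefit report that this answer says goes to upper management. The asset value, exposure factors, rates of occurrence and safeguard costs are constructed figures for the illustration, not data from the page.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float     # AV, in dollars
    exposure_factor: float # EF, fraction of the asset value lost per incident (0..1)
    aro: float             # ARO, annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # ACS, annualized cost of the safeguard
    residual_ef: float   # EF that remains once the safeguard is in place
    residual_aro: float  # ARO that remains once the safeguard is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Cost/benefit of one safeguard for one risk:
    (ALE before) - (ALE after) - (annual cost). Positive means it pays for itself."""
    after = Risk(risk.name, risk.asset_value, sg.residual_ef, sg.residual_aro)
    return risk.ale() - after.ale() - sg.annual_cost


def cost_benefit_report(risk: Risk, safeguards):
    """Rank candidate safeguards for one risk, best net value first.
    Returns a list of (safeguard name, net annual value) tuples."""
    rows = [(sg.name, round(safeguard_value(risk, sg), 2)) for sg in safeguards]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed figures (assumptions for the example): a file server worth $200,000;
# a ransomware incident destroys 60% of that value and is expected once every two years.
RANSOMWARE = Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.6, aro=0.5)

SAFEGUARDS = [
    # Backups do not stop the incident (ARO unchanged) but shrink what is lost.
    Safeguard("offline backups", annual_cost=8_000, residual_ef=0.1, residual_aro=0.5),
    # An endpoint agent makes the incident rarer but, when it happens, just as costly.
    Safeguard("EDR agent", annual_cost=25_000, residual_ef=0.6, residual_aro=0.1),
    # A control that removes the risk entirely but costs more than the risk itself.
    Safeguard("gold-plated appliance", annual_cost=90_000, residual_ef=0.0, residual_aro=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}  ALE = {RANSOMWARE.ale():,.0f}")
    for name, value in cost_benefit_report(RANSOMWARE, SAFEGUARDS):
        print(f"{name:24s} net annual value {value:>10,.0f}")
```

The point the report makes is the one the answer makes: the analysis ends with a ranked list and a recommendation, and the "gold-plated" control that eliminates the risk comes out last because it costs more per year than the expected loss it removes. Choosing which safeguard to actually buy, and whether to accept the residual risk instead, is the management decision that follows.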

Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it? A Click-wrap agreement B Contractual license agreement C Standard license agreement D Shrink-wrap agreement

Answer D is correct. Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Contractual license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each.

You are analyzing risks for your organization. You must ensure that senior management provides the risk management components that you need. All of the following components are provided by senior management, EXCEPT: A monetary allocation B risk mitigation procedures C risk acceptance level D resource allocation

Answer B is correct. Risk mitigation procedures are NOT provided by senior management. The goal of risk mitigation is defining the acceptable level of risk an organization can tolerate and reducing risk to that level. The following risk management components are provided by senior management:
established risk acceptance level
resource allocation
monetary funding allocation
Senior management has the final responsibility for safeguarding the organization's information. When it comes to information security, management should define the purpose and scope of the security program, delegate the responsibility for the security program, and support the program as it is implemented. The purpose of risk management is to reduce the risk to a tolerable level.

The business continuity team is interviewing users to gather information about business units and their functions. Which part of the business continuity plan includes this analysis? A disaster recovery plan B business impact analysis (BIA) C occupant emergency plan (OEP) D contingency plan

Answer B is correct. The business impact analysis (BIA) includes interviewing to gather information about business units and their functions. A disaster recovery plan is created to ensure that your company is able to resume operation in a timely manner. Interviewing is not included as part of its development. A contingency plan is created to detail how all business functions will be carried out in the event of an outage or disaster. It should address residual risks. Interviewing is not included as part of its development. An occupant emergency plan (OEP) is created to ensure that injury and loss of life are minimized when an outage or disaster occurs. It also focuses on property damage. Interviewing is not included as part of its development. A BIA is created to identify the vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. It is a methodology commonly used in business continuity planning. Its primary goal is to help the business units understand how an event will impact corporate functions, without the recommendation of an appropriate solution. The purpose of the BIA is to create a document to understand what impact a disruptive event would have on the business. One of the first steps in the BIA is to identify the business units. The information gathering stage of the BIA includes deciding on which techniques to use (surveys or interviews), selecting the individuals you plan to interview, and customizing the technique to gather the appropriate information. The analytical stage of the BIA includes analyzing the gathered information, determining the critical business functions, the maximum tolerable downtime (MTD), and the economic impact of disruption, and prioritizing the restoration of critical business functions. This leads to the establishment of a Recovery Time Objective (RTO) for each unit or item. The documentation stage includes documenting your findings and reporting back to management.
A BIA includes the following steps:
Analyzing the threats associated with each functional area
Determining the risk associated with each threat
Identifying the major functional areas of information

How is the value of a safeguard to a company calculated? A ALE before safeguard * ARO of safeguard B ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard C Total risk - controls gap D ALE after implementing safeguard - annual cost of safeguard - controls gap

Answer B is correct. The formula to calculate the value of a safeguard to an organization is ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard.

A business impact analysis (BIA) is a crisis management and business impact analysis technique that identifies those threats that can impact the business continuity of operations. Which of the following are the objectives defined by the business impact analysis? A Determining all potential financial, legal, and regulatory impacts B All of these C Defining the key inner and outer dealings and dependencies of each process D Setting up time frames for recovery of all business-related processes

Answer B is correct. The objectives defined by business impact analysis are as follows:
Identifying the full business process
Determining all potential financial, legal, and regulatory impacts
Setting up time frames for recovery of all business-related processes
Defining the key inner and outer dealings and dependencies of each process
Identifying the required resources for all processes to recover and their related recovery time frames
Training personnel in the recovery process
Making management aware of the continuity plans

What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? A Systems located in the United States B Systems used in interstate commerce C Federal interest systems D Government-owned systems

Answer B is correct. The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.

Which business role must ensure that all operations fit within the business goals? A data owner B business/mission owner C system owner D data custodian

Answer B is correct. The person in the business/mission owner role must ensure that all operations fit within the business or mission goals. System and data owners are responsible for ensuring that proper controls are in place to maintain the integrity, confidentiality, and availability of the information. The system owner is responsible for maintaining and protecting one or more data processing systems. The role of a system owner includes the integration of required security features into the applications and the purchase decision of the applications. The system owner also ensures that the remote access control, password management, and operating system configuration provide the necessary security. The data owner is typically part of management. The data owner controls the process of defining IT service levels, provides information during the review of controls, and is responsible for authorizing the enforcement of security controls to protect the information assets of the organization. For example, a business unit manager has the primary responsibility of protecting the information assets by exercising due diligence and due care practices. The data custodian is directly responsible for maintaining and protecting the data. This role is typically delegated to the IT department staff and includes implementing the organization's security through the implementation and maintenance of security controls. The data custodian role also includes the following tasks:
Maintaining records of activity
Verifying the accuracy and reliability of the data
Backing up and restoring data on a regular basis

What is the discriminator used by the court to determine whether proper due care and due diligence was performed by an organization? A Session rule B Prudent man rule C Annualized loss expectancy D HITECH breach notification rule

Answer B is correct. The prudent man rule is used to determine whether proper due care and due diligence was performed by an organization. It requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances. Answer D is incorrect. The HITECH (Health Information Technology for Economic and Clinical Health) Act breach notification rule requires HIPAA covered entities and their business associates to provide notice following a breach of unsecured protected health information. Answer A is incorrect. Session rules specify the amount of data each segment in a transport layer of the OSI model can contain, verify the integrity of data transmitted, and determine whether data has been lost. They are established through a handshaking process. Answer C is incorrect. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset.

Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A 0.01 B 10,000,000 C 100,000 D 0.10

Answer B is correct. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

How is the value of a safeguard to a company calculated? A Total risk - controls gap B ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard C ALE before safeguard * ARO of safeguard D ALE after implementing safeguard + annual cost of safeguard - controls gap

Answer B is correct. The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS].

Which of the following focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations? A Data classification B Third-party governance C Procedure D Ownership

Answer B is correct. Third-party governance is the system of oversight that may be authorized by law, regulation, industry standards, or licensing requirements. Although the actual method of governance may change, it generally involves an outside investigator or auditor. A governing body or consultants hired by the target organization may designate these auditors. Third-party governance focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations. Answer C is incorrect. A procedure is a detailed, step-by-step how-to document that specifies the exact actions required to implement a specific security mechanism, control, or solution. Answer D is incorrect. Ownership is the formal assignment of responsibility to an individual or group. It can be made clear and distinct within an operating system. Generally, an owner has full capabilities and privileges over the object they own. Answer A is incorrect. Data classification is the means used to protect data depending on its need for secrecy, sensitivity, or confidentiality. When designing and implementing a security system, not all data should be treated in the same way, as some data items require more security than others.

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the annualized loss expectancy? A $3,000,000 B $135,000 C $270,000 D $2,700,000

Answer B is correct. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). The SLE is the product of the AV and the EF. You know that the AV is $3,000,000 and the EF is 90 percent, because the same land can be used to rebuild the facility. This yields an SLE of $2,700,000. Now, ALE is $2,700,000 * 0.05. This yields an ALE of $135,000.

When Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product's development, which of the following goals does it have in mind with this process? A To reduce the number of security-related design defects B All of the above C To reduce the severity of any remaining defects D To reduce the number of coding defects

Answer B is correct. When Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product's development, it has the following goals in mind with this process:
To reduce the number of security-related design defects
To reduce the number of coding defects
To reduce the severity of any remaining defects

When a new version of the BCP is developed, what is done with all of the previous versions of the BCP distributed across an organization? A They are all stored in an archival library. B They are collected and destroyed. C They are retained by each person. D They are sold on the Internet.

Answer B is correct. When a new version of the BCP (business continuity planning) is developed, all the previous versions of the BCP are collected and destroyed so that only a single copy of the plan is in distribution and no confusion exists as to the correct implementation of the BCP.

Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A Business continuity manager B Chief executive officer C Chief information officer D Vice president of business operations

Answer B is correct. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.

What is NOT an example of an operational control? A a backup control B an audit trail C a business continuity plan D configuration management

Answer C is correct. A business continuity plan refers to the procedures undertaken for dealing with long-term unavailability of business processes and resources. Business continuity planning differs from disaster recovery. Disaster recovery aims at minimizing the impact of a disaster. Business continuity planning includes the following steps:
Moving critical systems to another environment during the repair of the original facility
Performing operations in a constrained mode with fewer resources until the conditions of the primary facility return to normal
Dealing with customers, partners, and shareholders through various channels until the original channel is restored
Operational controls ensure the confidentiality, integrity, and availability of business operations by implementing security as a continuous process. Audit trails are operational controls and detective controls. Audit trails identify and detect not only unauthorized users but also authorized users who are involved in unauthorized activities and transactions. Audit trails achieve the security objectives defined by the security policy of an organization, and ensure the accountability of users in the organization. They provide detailed information regarding the computer, the resource usage, and the activities of users. In the event of an intrusion, audit trails can help identify fraud and unauthorized user activity. Backup controls, software testing, and anti-virus management are other examples of operational software controls. Configuration management is an operational control. Configuration management identifies both controls and audit changes made to the trusted computing base (TCB). The audit changes include changes made to the hardware, software, and firmware configurations throughout the operational life cycle of infrastructural assets. Configuration management ensures that changes to the infrastructure take place in a controlled manner and follow a procedural approach.
Configuration management also ensures that future changes to the infrastructure do not violate the organization's security policy and security objectives. Maintenance accounts are considered a threat to operational controls. This is because maintenance accounts are commonly used by hackers to access network devices.

Your organization has asked the security team to add terrorist attacks to the organization's business continuity plan. Which type of threat does this represent? A supply system threat B manmade threat C politically motivated threat D natural environmental threat

Answer C is correct. A terrorist attack is a politically motivated threat. A terrorist attack is usually an attack against a particular country by a group that opposes the political views of that country. Often, a particular group takes credit for a terrorist attack. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks. Natural environmental threats include floods, earthquakes, tornadoes, hurricanes, and extreme temperatures. Supply system threats include power outages, communications interruptions, and water and gas interruption. Manmade threats include unauthorized access, explosions, disgruntled employee incidents, employee errors, accidents, vandalism, fraud, and theft. While terrorist attacks are caused by man and could therefore be considered a manmade attack, they are more often classified as politically motivated attacks because they are planned and carried out by terrorist organizations. Most manmade attacks are more limited in scope when considering the perpetrator.

What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A Common law B Criminal law C Administrative law D Civil law

Answer C is correct. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.

Which control provides continuous management of hardware, software, and information assets? A a physical control B a system control C an operational control D an environmental control

Answer C is correct. An operational control includes control over hardware, software, and information assets to provide a certain level of security. Operational controls include administrative management, accountability, management of security operations, change management, and adherence to the product evaluation criteria and standards. Examples of operational controls include control over access to all program libraries, version control and testing, and documentation and approval of hardware and software before they are deployed in a production environment. System controls restrict the execution of certain types of instructions that can only be executed when an operating system is running in the supervisor mode. System controls are built into the operating system architecture and are executed in the form of operating system instructions. Physical controls monitor the physical security aspects of a facility infrastructure and include perimeter security, fencing, guards, gates, locks, lighting, alarms, closed-circuit televisions (CCTVs), and intrusion detection systems. Physical security controls work in conjunction with operations security to achieve the security objectives of an organization. Environmental controls include countermeasures against physical security threats, fire, flood, static electricity, humidity, and man-made disasters.

Which of the following involves reading the exchanged materials and verifying them against standards and expectations? A Security policy B Regulatory policy C Documentation review D Procedure

Answer C is correct. Documentation review involves reading the exchanged materials and verifying them against standards and expectations. It is typically carried out before any on-site inspection takes place. An on-site review can focus on compliance with the stated documentation if the exchanged documentation is sufficient and meets expectations (or at least requirements). However, the on-site review is postponed until the documentation can be updated and corrected if the documentation is incomplete, inaccurate, or otherwise insufficient. Answer D is incorrect. A procedure is a detailed, step-by-step how-to document that specifies the exact actions required to implement a specific security mechanism, control, or solution. A procedure can discuss the complete system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions. Procedures are system and software specific in most cases. Answer A is incorrect. A security policy is a document that defines the scope of security required by an organization. Answer B is incorrect. A regulatory policy is used when industry or legal standards are applied to the organization. The policy contains the regulations that the organization must follow and defines the procedures that support compliance with them.

Which of the following ensures that the subject of an activity or event cannot deny that the event occurred? A Confidentiality B Authentication C Non-repudiation D Integrity

Answer C is correct. Non-repudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. Answer A is incorrect because confidentiality ensures that only authorized subjects can access objects. Answer D is incorrect because integrity ensures that data or system configurations are not modified without authorization. Answer B is incorrect because authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities.

Which of the following defines the expected behavior from a security mechanism? A Encapsulation B Provisioning C Security function D Instant messaging

Answer C is correct. Security function defines the expected behavior from a security mechanism. Answer B is incorrect. Provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. Answer A is incorrect. Encapsulation refers to the process where headers and trailers are added around some data. A TCP/IP host sends data by performing a process in which four layers encapsulate data (adds headers and trailers) before physically transmitting it. Answer D is incorrect. Instant messaging (IM) is a form of real-time direct text-based communication between two or more people using personal computers or other devices, along with shared software clients. The user's text is conveyed over a network, such as the Internet.

You are working with management and the human resources department to put a security policy and several personnel controls into place. To which access control category do the controls belong? A physical B technical C administrative D logical

Answer C is correct. Security policy and personnel controls belong to the administrative category of access control. Included in this category are policies and procedures, personnel controls, supervisory structure, security awareness training, and testing. Often, personnel controls are also thought of as operational controls. Logical access controls are the same as technical controls. Logical access controls include encryption, network architecture, and an access control matrix. The physical category of access control includes network segregation, perimeter security, computer controls, work area separation, data backups, and cabling. The technical category of access control includes system access, network architecture, network access, encryption and protocols, and auditing. Encryption and access control are considered preventative technical controls. There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access to systems, network architectures, control zones, auditing, and encryption and protocols. An administrative control is a control that dictates how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or purposes:
Preventative - A preventative control prevents security breaches and avoids risks.
Detective - A detective control detects security breaches as they occur.
Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
Deterrent - A deterrent control deters potential violations.
Recovery - A recovery control restores resources.
Compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative.
Directive - A directive control provides mandatory controls based on regulations or environmental requirements.
Each category of control includes controls that perform many functions. For example, a fence is both a deterrent physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.

You have implemented several software controls in your organization. Which category of access controls have you implemented? A physical controls B preventative controls C technical controls D administrative controls

Answer C is correct. Software controls are technical controls. Technical controls include software-based tools that restrict access to objects. Software controls include employing anti-virus management and tools, implementing a formal application upgrade process, and routinely testing the backup data for accuracy. Administrative tools are policies and procedures that are developed by management to ensure that the organization is secure. Physical controls work with technical controls and administrative controls to actually implement the actual security mechanisms.

Which statement is true of physical access controls? A The CCTVs in physical access control do not need a recording capability. B Only combination locks are part of the physical access control systems. C Surveillance devices offer more protection than fences in the facility. D Passwords provide the best form of physical access control in a facility.

Answer C is correct. Surveillance devices offer more protection than fences in the facility because they actually record activity for traffic areas. This provides a mechanism whereby tapes can be replayed to investigate security breaches. Passwords do NOT provide the best form of physical access facility control. Closed-circuit televisions (CCTVs) should always have a recording capability. All types of locks are part of the physical access control systems. The physical access controls can include the following as security measures:
guards to protect the perimeter of the facility
fences around the facility to prevent unauthorized access by intruders
badges for the employees for easy identification
locks (combination, cipher, mechanical, and others) within the facility to deter intruders
surveillance devices, such as CCTVs, to continuously monitor the facility for suspicious activity and record each activity for future use
It is important to note that, though passwords are a commonly used way of protecting data and information systems, they are not a part of the physical access controls in a facility. Passwords are a part of the user authentication mechanism.

Which statement is true of the 1991 U.S. Federal Sentencing Guidelines? A The guidelines deal with individuals acting as plaintiffs in civil lawsuits. B The guidelines deal with individuals acting as defendants in criminal lawsuits. C The guidelines deal with white-collar crimes that take place within the organization. D The guidelines deal with individuals working outside the organization.

Answer C is correct. The 1991 U.S. Federal Sentencing Guidelines apply to the following white-collar crimes that take place within an organization:
Antitrust
Federal securities
Mail and wire fraud
Bribery
Contracts
Money laundering
The principles underlying the 1991 U.S. Federal Sentencing Guidelines provide a course of action to the law enforcement agencies dealing with white-collar corporate criminals. According to the guidelines, if a company's senior management is found guilty of corporate misconduct, criminal penalties can be imposed on them. A fine of up to $290 million can be imposed on the senior officials of the company for noncompliance. The 1991 U.S. Federal Sentencing Guidelines are meant for the senior management of the company and not for individuals working outside the organization. The 1991 U.S. Federal Sentencing Guidelines do not deal with criminal lawsuits. Criminal lawsuits are dealt with by the criminal law. The 1991 U.S. Federal Sentencing Guidelines do not deal with civil lawsuits against individuals. Civil lawsuits are handled by a civil law referred to as tort.

What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A Gramm-Leach-Bliley Act B Second Amendment C Fourth Amendment D Privacy Act

Answer C is correct. The Fourth Amendment to the U.S. Constitution sets the "probable cause" standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.

When designing the security awareness training, what should be the primary basis for developing different levels of training? A risks covered B controls implemented C audience D cost

Answer C is correct. When designing the security awareness training, the primary basis for developing different levels of training should be the audience. High-level management should receive training that provides understanding of risks and threats and the effect they have on the organization's reputation and finances. Middle management should receive training that covers policies, standards, baselines, guidelines, and procedures to understand how they help to protect security. Technical staff should receive technical training on security controls and industry security certifications. Regular staff should receive training to help them understand their responsibilities while performing their day-to-day tasks. The cost, risks covered, or controls implemented are not the basis for developing different levels of training.

You have been asked to design and implement a security awareness program for your organization. Which option is NOT an objective of this program? A to communicate ramifications of violating the security policy B to enforce compliance to the information security program C to promote acceptable use and behavior D to ensure non-violation of the security policy

Answer D is correct. A security awareness program does NOT ensure non-violation of the security policy. A security awareness program promotes acceptable use and behavior, enforces compliance to the information security program, and communicates ramifications of violating the security policy. The main objective of security-awareness training is to make employees aware of their security responsibilities and of the expected ethical conduct and acceptable activities. The user must understand the acceptable and unacceptable activities and the implication of violating the security policy. A security awareness program focuses on compliance and the acceptable use of resources and ethical conduct in the organization. Users can either be penalized through disciplinary action or terminated for noncompliance to the security policy. The implementation of the security policy should be routinely monitored to trace security policy violations and attempted violations to ensure that appropriate personnel can be held responsible.

Which policy discusses activities and behaviors that are acceptable and defines consequences of violations, within an organization? A Regulatory B Acceptable use C Informative D Advisory

Answer D is correct. An advisory policy discusses activities and behaviors that are acceptable and defines consequences of violations within an organization. It describes senior management's aspirations for security and compliance within an organization. Answer A is incorrect. A regulatory policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance. It is required whenever industry or legal standards are applicable within an organization. Answer C is incorrect. An informative policy provides knowledge about a specific subject, such as mission statements, company goals, or how the organization interacts with partners and customers. Answer B is incorrect. An acceptable use policy is a document that exists as a part of the overall security documentation infrastructure. It assigns security roles within an organization and ensures the associated responsibilities.

During a meeting, you present management with a list of the access controls used on your network. You explain that these controls include preventative, detective, and corrective controls. Which control is an example of a corrective control? A router B intrusion detection system (IDS) C audit log D antivirus software

Answer D is correct. Antivirus software is an example of a corrective technical control because it attempts to correct any damage that was inflicted during a security breach. Antivirus software can also be considered a compensative technical control. Routers are examples of preventative technical controls because they prevent security breaches. Routers are a compensatory technical control. IDSs are a detective technical control and a compensative technical control. Audit logs are examples of detective technical controls because they detect security breaches. Audit logs are also a compensative technical control.

Your organization has asked that you work with a team to develop a business continuity plan for your organization. The members of the team have suggested many events that should be considered as part of the business continuity plan. Which events should be considered? natural disaster hardware failure server relocation employee resignation A point d B points c and d C all of these D points a and b E point a F point b G point c

Answer D is correct. As part of the business continuity plan, natural disasters should be considered. Natural disasters include tornadoes, floods, hurricanes, and earthquakes. A business continuity strategy needs to be defined to preserve computing elements, such as the hardware, software, and networking elements. The strategy needs to address facility use during a disruptive event and define personnel roles in implementing continuity. Hardware failure should also be considered. This hardware can be limited to a single computer component, but can include network link or communications line failures. The majority of the unplanned downtime experienced by a company is usually due to hardware failure. The business continuity plan should only include those events that interrupt services. Normally, server relocation is planned in such a way as to ensure either no interruption or minimal interruption of services. As such, it is usually not part of the business continuity plan. Employee resignation, even the resignation of a high-level IT manager, should not be considered as part of the business continuity plan. Employee resignation is a normal part of doing business. However, employee strikes and the actions of disgruntled employees should be considered as part of the business continuity plan. At the incipient stage of a disaster, emergency actions should be taken to prevent injuries and loss of life. You should attempt to diminish damage to corporate function to avoid the need for recovery. The purpose of initiating emergency actions right after a disaster takes place is to prevent loss of life and injuries and to mitigate further damage.

Which of the following was developed to meet information resource management requirements for the federal government? A the Gramm-Leach-Bliley Act (GLBA) of 1999 B the Health Insurance Portability and Accountability Act (HIPAA) C the Sarbanes-Oxley (SOX) Act D OMB Circular A-130

Answer D is correct. OMB Circular A-130 was developed to meet information resource management requirements for the federal government. According to this circular, independent audit should be performed every three years. The Sarbanes-Oxley Act (SOX) was developed to ensure that financial information on publicly traded companies is accurate. The Health Insurance Portability and Accountability Act (HIPAA) was developed to establish national standards for the storage, use, and transmission of health care data. The Gramm-Leach-Bliley Act (GLBA) of 1999 was developed to ensure that financial institutions protect customer information and provide customers with a privacy notice.

You are the security analyst for a United States financial institution that is publicly traded. All of the following laws affect your organization, EXCEPT: A SOX B Basel II C GLBA D HIPAA

Answer D is correct. The Health Insurance Portability and Accountability Act (HIPAA) does not affect a financial institution that is publicly traded. All of the other laws will affect the financial institution. The Sarbanes-Oxley (SOX) Act of 2002 was written to prevent companies from committing fraud by knowingly providing inaccurate financial reports to shareholders and the public. It is mainly concerned with corporate accounting practices. Section 404 of this act specifically addresses information technology. The Basel II Accord is built on three main pillars: minimum capital requirements, supervision, and market discipline. These pillars apply to financial institutions. The Gramm-Leach-Bliley Act (GLBA) of 1999 was written to ensure that financial institutions develop privacy notices and allow their customers to prevent the financial institutions from sharing information with third parties. The Health Insurance Portability and Accountability Act (HIPAA) was written to prevent medical organizations (including health insurance companies, hospitals, and doctors' offices) from sharing patient health care information without consent. It is primarily concerned with the security, integrity, and privacy of patient information.

What compliance obligation relates to the processing of credit card information? A FERPA B SOX C HIPAA D PCI DSS

Answer D is correct. The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches? A 270,000 B 135,000 C 3,000,000 D 2,700,000

Answer D is correct. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

What is the designation of an employee who is responsible for maintaining and protecting information? A Data owner B System owner C Information user D Data custodian

Answer D is correct. The data custodian is directly responsible for maintaining and protecting the data, and is a role typically delegated to the IT department staff. Responsibilities include implementing and maintaining security controls. The data custodian's role includes the following tasks: Maintaining activity records Verifying data accuracy and reliability Backing up and restoring data regularly The data owner controls the process of defining IT service levels, providing information during the review of controls, and authorizing the enforcement of security controls to protect the information assets of the organization. A data owner is typically a part of management. For example, a business unit manager has the primary responsibility of protecting the information assets by exercising due diligence and due care practices. A system owner is responsible for maintaining and protecting one or more data processing systems. The role primarily includes the integration of the required security features into the applications and involves a purchase decision of the applications. The system owner also ensures that the remote access, password management, and operating system configurations provide the necessary security. An information user is an individual who uses the data regularly to fulfil the job responsibilities. Users should be able to access the information based on the concept of least privilege and only on a need-to-know basis to achieve the security objectives of the organization.

What is the term used for the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk? A Annualized loss expectancy B Annualized rate of occurrence C Single loss expectancy D Exposure factor

Answer D is correct. The exposure factor (EF) refers to the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk. It is also known as loss potential and is expressed as a percentage. Answer A is incorrect. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset. Answer B is incorrect. The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat will occur within a year. Answer C is incorrect. The single loss expectancy (SLE) is the cost related to a single realized risk against a specific asset. It specifies the exact amount of loss an organization would experience if an asset were harmed by a specific threat.

What is the term used for the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk? A Single loss expectancy B Annualized rate of occurrence C Annualized loss expectancy D Exposure factor

Answer D is correct. The exposure factor (EF) refers to the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk. It is also known as loss potential and is expressed as a percentage. Answer C is incorrect. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset. Answer B is incorrect. The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat will occur within a year. Answer A is incorrect. The single loss expectancy (SLE) is the cost related to a single realized risk against a specific asset. It specifies the exact amount of loss an organization would experience if an asset were harmed by a specific threat.

Which of the following statements are true of quantitative risk analysis? Each correct answer represents a complete solution. Choose all that apply. A A quantitative risk analysis requires less time and effort. B A quantitative analysis requires subjective input from the user. C A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified. D A qualitative analysis assigns real dollar figures to the loss of an asset.

Answers C and D are correct. A purely quantitative risk analysis cannot be performed since qualitative, subjective, or intangible aspects cannot be quantified. It assigns real dollar figures to the loss of an asset. It involves asset valuation and threat identification and then estimates the potential and frequency of each risk, resulting in a cost/benefit analysis of safeguards. Answers A and B are incorrect. A quantitative analysis requires objective input from users and significant time and effort.

Which statement is true of the staff members of an organization in the context of information security? A They require extensive understanding of security. B They are responsible for protecting and backing up confidential data. C They must be trained to handle internal violations of the security policy. D They pose more threat than external hackers.

Answer D is correct. The staff members of an organization pose more threat than external hackers. Disgruntled employees typically attempt security breaches in an organization. Existing employees can accidentally commit a security breach and may put the security of the organization at risk. User accounts should be immediately deleted and the associated privileges should be revoked for employees who have been terminated or have left the organization. It is not the job of the staff member to handle and respond to issues of information security violation. Staff members should report the incident to the department manager. The department manager will take the necessary steps as a part of incident response. Typically, it is the job of the IT department to ensure that critical data is duly backed up on a periodic basis and that only identified employees with the necessary privileges have access to confidential information. Only those staff members with a direct role in the security function of an organization need extensive security knowledge. Most staff members will need security awareness training on security policies, security practices, acceptable resource usage, and noncompliance implications.

The business continuity team has determined that a demilitarized zone (DMZ) should be implemented to ensure that public users only access certain servers. Which step of the business continuity process is the team completing? A Develop the contingency plan. B Develop recovery strategies. C Develop the continuity planning policy statement. D Identify preventative controls.

Answer D is correct. The team is identifying preventative controls. During this step, the team mitigates risk by identifying preventative controls, such as a DMZ or a firewall. None of the other steps is being completed. The steps of business continuity are as follows: Develop the continuity planning policy statement. Conduct the BIA. Identify preventative controls. Develop recovery strategies. Develop the contingency plan. Test the plan, and conduct training and exercises. Maintain the plan.

Which of the following is utilized when redundant communications links are installed? A Parameter check B Penetration test C Port scan D Alternative system

Answer D is correct. This is an example of an alternative system. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable. Answer A is incorrect. A parameter check is used to prevent the possibility of buffer overflow attacks. Answer B is incorrect. A penetration test is the attempt to bypass security controls to test overall system security. Answer C is incorrect. A port scan reveals the ports associated with services running on a machine and available to the public.

Which of the following is considered an activity that has the potential to cause harm to information systems or networks? A Vulnerability B Safeguard C Asset D Threat

Answer D is correct. A threat is considered an activity that has the potential to cause harm to information systems or networks. Answer A is incorrect. A vulnerability refers to a software, hardware, or procedural weakness that may provide an open door to an attacker. Answer C is incorrect. An asset can be anything within the environment that is required to be protected. It can be a computer file, a network service, a system resource, a process, a program, and so on. Answer B is incorrect. A safeguard eliminates a vulnerability or protects the system against particular threats.

Which of the following should you deploy to meet management's requirements for the digital content? A an issue-specific policy B group policy C copyright D DRM

Answer D is correct. You should deploy digital rights management (DRM) to meet management's requirements for the digital content. DRM will control the opening, editing, printing, and copying of digital content. A copyright ensures that a copyrighted work is protected from any form of reproduction or use without consent from the copyright holder. A group policy can be used to implement certain restrictions on a server or network. However, it is not used to limit access to digital content. An issue-specific policy can be used to provide guidance on protecting the digital content. However, the policy itself will not prevent the opening, editing, printing, and copying of digital content.

When configuring a new network, you decide to use routers and encryption to improve security. Of which type of technical control is this an example? A recovery B detective C deterrent D directive E corrective F compensative G preventative

Answer G is correct. Routers and encryption are examples of preventative technical controls. A technical control is a control that restricts access. A preventative control prevents security breaches. Routers and encryption are also compensative technical controls. Preventative technical controls are most often configured using access control lists (ACLs) built into the operating system. They protect the operating system from unauthorized access, modification, and manipulation. They protect system integrity and availability by limiting the number of users and processes that are allowed to access the system or network. A recovery technical control can restore system capabilities. Data backups are included in this category. A detective technical control can detect when a security breach occurs. Audit logs and intrusion detection systems (IDSs) are included in this category. A deterrent technical control is one that discourages security breaches. A firewall is the best example of this type of control. A corrective technical control is one that corrects any issues that arise because of security breaches. Antivirus software and server images are included in this category as well. A compensative technical control is one that is considered as an alternative to other controls. There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a building, a room, or a computer. 
Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or purposes: Preventative - A preventative control prevents security breaches and avoids risks. Detective - A detective control detects security breaches as they occur. Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach. Deterrent - A deterrent control deters potential violations. Recovery - A recovery control restores resources. Compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative. Directive - A directive control provides mandatory controls based on regulations or environmental requirements. Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.

A security policy is defined as the document that describes the scope of an organization's security requirements. Which of the following statements are true of a security policy? A It provides security solutions to provide necessary protection against security threats. B It facilitates slave DNS servers to transfer records from the master server to a slave server. C It uses public key cryptography to digitally sign records for a DNS lookup. D It includes assets that are to be protected.

Answers A and D are correct. A security policy is defined as the document that describes the scope of an organization's security requirements. Information security policies are usually documented in one or more information security policy documents. The policy includes the assets that are to be protected. It also provides security solutions to provide necessary protection against the security threats. Answer B is incorrect. Zone transfers facilitate slave DNS servers to transfer records from the master server to a slave server. Answer C is incorrect. Domain Name System Security Extensions (DNSSEC) use public key cryptography to digitally sign records for a DNS lookup.

What are the important aspects of an exit interview? Each correct answer represents a complete solution. Choose all that apply. A Requesting the return of all access badges, keys, and company equipment B Allowing IT staff to disable system access C Revoking a parking pass D Disabling a network account E Returning personal property

Answers A, B, C, and D are correct. The following are the important aspects of an exit interview: Allowing IT staff to disable system access Requesting the return of all access badges, keys, and company equipment Distributing a company reorganization chart Disabling a network account Blocking a person's PIN or smartcard for building entrance Positioning a new employee in the cubicle Revoking a parking pass Answer E is incorrect. Returning personal property is not an aspect of an exit interview.

The exposure factor is defined as the percentage of loss experienced by an organization when a specific asset is violated by a realized risk. Which of the following statements are true of the exposure factor? Each correct answer represents a complete solution. Choose all that apply. A Its value is small for assets that can be easily replaced, for example hardware. B Its value is large for assets that cannot be replaced, for example product designs, or a database of customers. C It is the expected frequency of occurrence of a particular threat or risk in a single year. D It is also known as the loss potential.

Answers A, B, and D are correct. The exposure factor is defined as the percentage of loss experienced by an organization when a specific asset is violated by a realized risk. It is also known as the loss potential. Its value is small for assets that can be easily replaced, for example hardware. Its value is large for assets that cannot be replaced, for example product designs, or a database of customers. Answer C is incorrect. This statement is true for annualized rate of occurrence (ARO).

Which of the following are the cost functions that are related to quantitative risk analysis? Each correct answer represents a complete solution. Choose all that apply. A Annualized loss expectancy B Annualized rate of occurrence C Double profit gain D Single loss expectancy

Answers A, B, and D are correct. The following cost functions are related to quantitative risk analysis: Exposure factor (EF): It is defined as the percentage of loss experienced by an organization when a particular asset is violated by a realized risk. Single loss expectancy (SLE): It is defined as the cost related to a single realized risk against a particular asset. The following formula is used to calculate the SLE: SLE = asset value (AV) * exposure factor (EF). Annualized rate of occurrence (ARO): It is defined as the expected frequency of occurrence of a particular threat or risk in a single year. Annualized loss expectancy (ALE): It is defined as the yearly cost of all instances of a particular threat against a particular asset. The following formula is used to calculate the ALE: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO). Answer C is incorrect. This is an invalid answer.

Which of the following approaches should you consider while preparing and conducting a risk assessment? A Identify a consistent risk assessment methodology. B Create a regulatory policy. C Create a business continuity plan. D Perform the risk and vulnerability assessment as per the defined standard.

Answers A, C, and D are correct. While preparing and conducting a risk assessment, consider the following approaches: Create a risk assessment policy. Define risk assessment goals and objectives in line with the organizational business drivers. Create a business continuity plan to ensure that critical processes and activities can continue in case of a disaster or emergency. Identify a consistent risk assessment methodology and approach for an organization. Conduct an asset valuation or asset criticality valuation as per a standard definition for the organization. Perform the risk and vulnerability assessment as per the defined standard. Answer B is incorrect because a regulatory policy discusses the regulations that must be followed and outlines procedures that should be used to elicit compliance.

Which of the following information does a business case include? A Testing strategies B Recommendations C Methods and assumptions D Risks and contingencies

Answers B, C, and D are correct. A business case is a formal document written to convince a decision maker to approve an action. A business case includes: Introduction: States the business objectives addressed. Methods and assumptions: Specifies the boundaries of the business case. Business impacts: Provides the financial and non-financial business case results. Risks and contingencies: Represents the systematic attempt to evaluate the sensitivity of outcomes to changes in specific assumptions. Recommendations: Specifies the actions recommended.

Qualitative risk analysis enables an individual to identify potential risks, and assets and resources which are susceptible to these risks. Which of the following statements are true of qualitative risk analysis? Each correct answer represents a complete solution. Choose all that apply. A It supports automation. B It includes judgment, intuition, and experience. C It depends more on scenarios rather than calculations. D It provides useful and meaningful results.

Answers B, C, and D are correct. Qualitative risk analysis includes judgment, intuition, and experience. It enables an individual to identify the potential risks, and assets and resources which are vulnerable to these risks. It depends more on scenarios rather than calculations. It requires guesswork, makes use of opinions, and provides useful and meaningful results. Answer A is incorrect. Qualitative risk analysis does not support automation; it is supported by quantitative risk analysis.

The following cost functions are related to quantitative risk analysis:

Exposure factor (EF): It is defined as the percentage of loss experienced by an organization when a particular asset is violated by a realized risk. Single loss expectancy (SLE): It is defined as the cost related to a single realized risk against a particular asset. The following formula is used to calculate the SLE: SLE = asset value (AV) * exposure factor (EF). Annualized rate of occurrence (ARO): It is defined as the expected frequency of occurrence of a particular threat or risk in a single year. Annualized loss expectancy (ALE): It is defined as the yearly cost of all instances of a particular threat against a particular asset. The following formula is used to calculate the ALE: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).

Qualitative decision-making:

Qualitative decision-making takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low). A quantitative measure that the team must develop is the maximum tolerable downtime (MTD), sometimes also known as maximum tolerable outage (MTO). The MTD is the maximum length of time a business function can be inoperable without causing irreparable harm to the business. The MTD provides valuable information when you're performing both BCP and DRP planning.

Quantitative decision-making:

Quantitative decision-making involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business. To begin the quantitative assessment, the BCP team should sit down and draw up a list of organization assets and then assign an asset value (AV) in monetary terms to each asset. These numbers will be used in the remaining BIA steps to develop a financially based BIA.

What should be the role of the management in developing an information security program? A It is mandatory. B It is limited to the sanctioning of funds. C It is not required at all. D It should be minimal.

Answer A is correct. The role of management in developing an information security program is mandatory. The primary purpose of security management is to protect the information assets of the organization.
