CISSP Exam Collection - Part 2

QUESTION 178 Which of the following is not a preventive login control? A. Last login message B. Password aging C. Minimum password length D. Account expiration

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63).

QUESTION 289 Which of the following is NOT a characteristic of a host-based intrusion detection system? A. A HIDS does not consume large amounts of system resources B. A HIDS can analyse system logs, processes and resources C. A HIDS looks for unauthorized changes to the system D. A HIDS can notify system administrators when unusual events are identified

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: A HIDS does not consume large amounts of system resources is the correct choice. HIDS can consume inordinate amounts of CPU and system resources in order to function effectively, especially during an event. All the other answers are characteristics of HIDSes A HIDS can: - scrutinize event logs, critical system files, and other auditable system resources; - look for unauthorized change or suspicious patterns of behavior or activity - can send alerts when unusual events are discovered Reference: Official guide to the CISSP CBK. Pages 197 to 198.

QUESTION 258 Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided? A. Data Link B. Transport C. Presentation D. Application

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components: 1 A method for encapsulating multi-protocol datagrams. 2 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. 3 A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

QUESTION 238 When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used, what is the proper term to refer to a single unit of TCP data at the transport layer? A. TCP segment. B. TCP datagram. C. TCP frame. D. TCP packet.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: A TCP Segment is the group of TCP data tramsmitted at the Transport Layer. TCP is segment based network technology. The message is sent to the transport layer, where TCP does its magic on the data. The bundle of data is now a segment. If the message is being transmitted overTCP, it is referred to as a "segment." Protocol Data Unit Layers The following answers are incorrect: TCP datagram. Is incorrect because a TCP datagram is only a distractor, IP datagram would be the proper terminology. TCP is segment based network technology. TCP frame. Is incorrect because a TCP frame is only a distractor, Ethernet Frame would be the proper terminology. TCP is segment based network technology. TCP packet. Is incorrect because a TCP packet is only a distractor. TCP is segment based network technology. References(s) used for this question: Wikipedia http://en.wikipedia.org/wiki/Transport_layer Wikipedia http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, 1994, ISBN 0-201-63346-9. http://www.infocellar.com/networks/osi-model.htm

QUESTION 298 A group of independent servers, which are managed as a single system, that provides higher availability, easier manageability, and greater scalability is: A. server cluster. B. client cluster. C. guest cluster. D. host cluster.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: A server cluster is a group of independent servers, which are managed as a single system, that provides higher availability, easier manageability, and greater scalability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 67.

QUESTION 250 Which one of the following authentication mechanisms creates a problem for mobile users? A. Mechanisms based on IP addresses B. Mechanism with reusable passwords C. one-time password mechanism. D. challenge response mechanism.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP. NOTE FROM CLEMENT: The term MOBILE in this case is synonymous with Road Warriors where a user is contantly traveling and changing location. With smartphone today that may not be an issue but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices but in some cases this issue could affect cellular devices as well. The following answers are incorrect: mechanism with reusable password. This is incorrect because reusable password mechanism would not present a problem for mobile users. They are the least secure and change only at specific interval. one-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user. challenge response mechanism. This is incorrect because challenge response mechanism would not present a problem for mobile users.

QUESTION 220 A Differential backup process will: A. Backs up data labeled with archive bit 1 and leaves the data labeled as archive bit 1 B. Backs up data labeled with archive bit 1 and changes the data label to archive bit 0 C. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0 D. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Archive bit 1 = On (the archive bit is set). Archive bit 0 = Off (the archive bit is NOT set). When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up. Differential backups backup all files changed since the last full. To do this, they don't change the archive bit value when they backup a file. Instead the differential let's the full backup make that change. An incremental only backs up data since the last incremental backup. Thus is does change the archive bit from 1 (On) to 0 (Off). The following answers are incorrect: Backs up data labeled with archive bit 1 and changes the data label to archive bit 0 - This is the behavior of an incremental backup, not a differential backup. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0 - If the archive bit is set to 0 (Off), it will only be backed up via a Full backup. Everything else will ignore it. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1 - If the archive bit is set to 0 (Off), it will only be backed up via a Full backup. Everything else will ignore it. The following reference(s) were/was used to create this question: https://en.wikipedia.org/wiki/Archive_bit

QUESTION 235 Which of the following testing method examines the functionality of an application without peering into its internal structure or knowing the details of it's internals? A. Black-box testing B. Parallel Test C. Regression Testing D. Pilot Testing

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Black-box testing is a method of software testing that examines the functionality of an application (e.g. what the software does) without peering into its internal structures or workings (see white-box testing). This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. For your exam you should know the information below: Alpha and Beta Testing - An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically software goes to two stages testing before it consider finished.The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested user. Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests usually over interim platform and with only basic functionalities. White box testing - Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic path. However testing all possible logical path in large information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only. Black Box Testing - An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and user acceptance testing. Function/validation testing It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements. Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data. Parallel Testing - This is the process of feeding test data into two systems the modified system and an alternative system and comparing the result. Sociability Testing - The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary application processing and interface with other system but , in a client server and web development, changes to the desktop environment. Multiple application may run on the users desktop, potentially simultaneously , so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modification, and possibly extra memory utilization. The following answers are incorrect: Parallel Testing - This is the process of feeding test data into two systems the modified system and an alternative system and comparing the result. Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data. Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests usually over interim platform and with only basic functionalities The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 167 Official ISC2 guide to CISSP CBK 3rd Edition Page number 176

QUESTION 262 Looking at the choices below, which ones would be the most suitable protocols/tools for securing e-mail? A. PGP and S/MIME B. IPsec and IKE C. TLS and SSL D. SSH

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Both PGP and S/MIME are protocol/tool used to secure internet emails. Today the de facto standard within email client is mostly S/MIME. Around year 1999 many people were using PGP to secure their emails. PGP was developed by Phil Zimmerman as a free product for noncommercial use that would enable all people to have access to state-of-the-art cryptographic algorithms to protect their privacy. PGP is also available as a commercial product that has received widespread acceptance by many organizations looking for a user-friendly, simple system of encryption of files, documents, and e-mail and the ability to wipe out old files through a process of overwriting them to protect old data from recovery. PGP also compresses data to save on bandwidth and storage needs. The Secure/Multipurpose Internet Mail Extension S/MIME is the security enhancement for the MIME Internet e-mail standard format. S/MIME provides several features, including signed and encrypted mail messages. As a hybrid cryptographic application, S/MIME, similar to IPSec and SSL, uses hash functions, symmetric and asymmetric cryptographies. There are a variety of bulk encryption algorithms defined the most popular being AES. Asymmetric encryption, such as RSA, is used for digital signatures. Secure hash algorithms, such as SHA-1, are used to provide data integrity of the message body and message attributes. The following are incorrect answers: IPSEC, TLS, SSL, SSH are all tunneling or VPN tools that could be used to secure email traffic over a public network but there were not build specifically to address and provide Email Security. IKE is a key exchange mechanism. Not an email encryption tool Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 16663). Auerbach Publications. Kindle Edition. OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House; The international PGP homepage, online at http://www.pgpi.org IETF S/MIME working group, online at http://www.ietf.org/html.charters/smime-charter.html HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 563; SMITH, Richard E., Internet Cryptography, 1997, Addison- Wesley Pub Co.

QUESTION 265 What is NOT an authentication method within IKE and IPSec? A. CHAP B. Pre shared key C. certificate based authentication D. Public key authentication

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password). After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3. The following were incorrect answers: Pre Shared Keys In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless access points (AP) and all clients share the same key. The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like 'bret13i', a passphrase like 'Idaho hung gear id gene', or a hexadecimal string like '65E4 E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems. Certificat Based Authentication The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key. The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents certificate as its credentials. The recipient then validates the certificate's signature against its cache of known and trusted CA certificates. A "personal certificate" identifies an end user in a transaction; a "server certificate" identifies the service provider. Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the Open Systems Interconnect (OSI) X.500 specification. Public Key Authentication Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up. In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked, or spoofed an attacker can learn your password. Public key authentication solves this problem. You generate a key pair, consisting of a public key (which everybody is allowed to know) and a private key (which you keep secret and do not give to anybody). The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have a copy of that private key; but anybody who has your public key can verify that a particular signature is genuine. So you generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, you can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing. There is a problem with this: if your private key is stored unprotected on your own computer, then anybody who gains access to your computer will be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine, using a passphrase of your choice. In order to generate a signature, you must decrypt the key, so you have to type your passphrase. References:RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E. Internet Cryptography, 1997, Addison-Wesley Pub Co.; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467. http://en.wikipedia.org/wiki/Pre-shared_key http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1

QUESTION 274 In which layer of the OSI Model are connection-oriented protocols located in the TCP/IP suite of protocols? A. Transport layer B. Application layer C. Physical layer D. Network layer

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Connection-oriented protocols such as TCP provides reliability. It is the responsibility of such protocols in the transport layer to ensure every byte is accounted for. The network layer does not provide reliability. It only privides the best route to get the traffic to the final destination address. For your exam you should know the information below about OSI model: The Open Systems Interconnection model (OSI) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO), maintained by the identification ISO/IEC 7498-1. The model groups communication functions into seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of that path. Two instances at one layer are connected by a horizontal. OSI Model Image source: http://www.petri.co.il/images/osi_model.JPG PHYSICAL LAYER The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher layers. It provides: Data encoding: modifies the simple digital signal pattern (1s and 0s) used by the PC to better accommodate the characteristics of the physical medium, and to aid in bit and frame synchronization. It determines: What signal state represents a binary 1 How the receiving station knows when a "bit-time" starts How the receiving station delimits a frame DATA LINK LAYER The data link layer provides error-free transfer of data frames from one node to another over the physical layer, allowing layers above it to assume virtually error- free transmission over the link. To do this, the data link layer provides: Link establishment and termination: establishes and terminates the logical link between two nodes.Frame traffic control: tells the transmitting node to "back-off" when no frame buffers are available. Frame sequencing: transmits/receives frames sequentially. Frame acknowledgment: provides/expects frame acknowledgments. Detects and recovers from errors that occur in the physical layer by retransmitting non- acknowledged frames and handling duplicate frame receipt. Frame delimiting: creates and recognizes frame boundaries. Frame error checking: checks received frames for integrity. Media access management: determines when the node "has the right" to use the physical medium. NETWORK LAYER The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors. It provides: Routing: routes frames among networks. Subnet traffic control: routers (network layer intermediate systems) can instruct a sending station to "throttle back" its frame transmission when the router's buffer fills up. Frame fragmentation: if it determines that a downstream router's maximum transmission unit (MTU) size is less than the frame size, a router can fragment a frame for transmission and re-assembly at the destination station. Logical-physical address mapping: translates logical addresses, or names, into physical addresses. Subnet usage accounting: has accounting functions to keep track of frames forwarded by subnet intermediate systems, to produce billing information. Communications Subnet The network layer software must build headers so that the network layer software residing in the subnet intermediate systems can recognize them and use them to route data to the destination address. This layer relieves the upper layers of the need to know anything about the data transmission and intermediate switching technologies used to connect systems. It establishes, maintains and terminates connections across the intervening communications facility (one or several intermediate systems in the communication subnet). In the network layer and the layers below, peer protocols exist between a node and its immediate neighbor, but the neighbor may be a node through which data is routed, not the destination station. The source and destination stations may be separated by many intermediate systems. TRANSPORT LAYER The transport layer ensures that messages are delivered error-free, in sequence, and with no losses or duplications. It relieves the higher layer protocols from any concern with the transfer of data between them and their peers. The size and complexity of a transport protocol depends on the type of service it can get from the network layer. For a reliable network layer with virtual circuit capability, a minimal transport layer is required. If the network layer is unreliable and/or only supports datagrams, the transport protocol should include extensive error detection and recovery. The transport layer provides: Message segmentation: accepts a message from the (session) layer above it, splits the message into smaller units (if not already small enough), and passes the smaller units down to the network layer. The transport layer at the destination station reassembles the message. Message acknowledgment: provides reliable end-to-end message delivery with acknowledgments. Message traffic control: tells the transmitting station to "back-off" when no message buffers are available. Session multiplexing: multiplexes several message streams, or sessions onto one logical link and keeps track of which messages belong to which sessions (see session layer). Typically, the transport layer can accept relatively large messages, but there are strict message size limits imposed by the network (or lower) layer. Consequently, the transport layer must break up the messages into smaller units, or frames, prepending a header to each frame. The transport layer header information must then include control information, such as message start and message end flags, to enable the transport layer on the other end to recognize message boundaries. In addition, if the lower layers do not maintain sequence, the transport header must contain sequence information to enable the transport layer on the receiving end to get the pieces back together in the right order before handing the received message up to the layer above. End-to-end layers Unlike the lower "subnet" layers whose protocol is between immediately adjacent nodes, the transport layer and the layers above are true "source to destination" or end-to-end layers, and are not concerned with the details of the underlying communications facility. Transport layer software (and software above it) on the source station carries on a conversation with similar software on the destination station by using message headers and control messages. SESSION LAYER The session layer allows session establishment between processes running on different stations. It provides: Session establishment, maintenance and termination: allows two application processes on different machines to establish, use and terminate a connection, called a session. Session support: performs the functions that allow these processes to communicate over the network, performing security, name recognition, logging, and so on. PRESENTATION LAYER The presentation layer formats the data to be presented to the application layer. It can be viewed as the translator for the network. This layer may translate data from a format used by the application layer into a common format at the sending station, then translate the common format to a format known to the application layer at the receiving station. The presentation layer provides: Character code translation: for example, ASCII to EBCDIC. Data conversion: bit order, CR-CR/LF, integer-floating point, and so on.Data compression: reduces the number of bits that need to be transmitted on the network. Data encryption: encrypt data for security purposes. For example, password encryption. APPLICATION LAYER The application layer serves as the window for users and application processes to access network services. This layer contains a variety of commonly needed functions: Resource sharing and device redirection Remote file access Remote printer access Inter-process communication Network management Directory services Electronic messaging (such as mail) Network virtual terminals The following were incorrect answers: Application Layer - The application layer serves as the window for users and application processes to access network services. Network layer - The network layer controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors. Physical Layer - The physical layer, the lowest layer of the OSI model, is concerned with the transmission and reception of the unstructured raw bit stream over a physical medium. It describes the electrical/optical, mechanical, and functional interfaces to the physical medium, and carries the signals for all of the higher layers. The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 260 and Official ISC2 guide to CISSP CBK 3rd Edition Page number 287 and http://en.wikipedia.org/wiki/Tcp_protocol

QUESTION 264 What is the role of IKE within the IPsec protocol? A. peer authentication and key exchange B. data encryption C. data signature D. enforcing quality of service

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Reference: RFC 2409: The Internet Key Exchange (IKE); DORASWAMY, Naganand & HARKINS, Dan, Ipsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 225 Which access control method allows the data owner (the person who created the file) to control access to the information they own? A. DAC - Discretionary Access Control B. MAC - Mandatory Access Control C. RBAC - Role-Based Access Control D. NDAC - Non-Discretionary Access Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: DAC - Discretionary Access Control is where the user controls access to the data they create or manage. It is the least secure method of access control because of a few factors: - Employee changeover can lead to confusion of data ownership or abandoned data. - Employees are not traditionally experienced enough to manage data permissions and maintain them in a reliable fashion. - People in general are the least reliable component of any organization The following answers are incorrect: - MAC - Mandatory Access Control: This is incorrect because in the MAC model of access control, labels are used to identify the level of sensitivity of the data. If the user does not have privileges to such data he or she is denied access. - RBAC - Role-Based Access Control: Sorry, RBAC is Role-Based Access Control where the users' Role determines the access level to data they are given. - NDAC - Non-Discretionary Access Control: Sorry, this isn't a common term associated with access control methodologies. The following reference(s) was used to create this question: 2013 Official Security+ Curriculum.

QUESTION 229 You are a manager for a large international bank and periodically move employees between positions in your department. What is this process called? A. Job Rotation B. Separation of Duties C. Mandatory Rotations D. Dual Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Discussion: If a single employee were permitted to stay in one critical position for an extended period of time without close oversight he or she could carry out fraud undetected. For this reason it is important to rotate employees between jobs. Another good reason is to get employees experienced on their colleagues' jobs. This way, if an employee were for some reason unavailable to work, their position could be covered. The following answers are incorrect: Separation of Duties: This is similar to Job Rotation because critical functions are divided up between employees to avoid and detect fraud. It is incorrect because with Job Rotation, people move between positions to detect fraud or even get better at each position to provide some resiliency for the organization. Separation of Duties is more a preventative measure. Mandatory Rotations: This is incorrect because of the terminology. There are terms called Mandatory Vacations and Job Rotation but not mandatory rotations. Be familiar with these terms before trying to pass the exam. Dual Control: This term describes how a manager would require employees to work together (two or more) on critical actions so that no single employee can cause catastrophic damage. This isn't the correct answer but it is very similar to Job Rotation where an employee rotates between job duties. Dual Control requires employees to work together on critical tasks in hopes of limiting collusion to commit fraud. The following reference(s) was used to create this question: Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 245). Wiley. Kindle Edition.

QUESTION 221 When considering all the reasons that buffer overflow vulnerabilities exist what is the real reason? A. Human error B. The Windows Operating system C. Insecure programming languages D. Insecure Transport Protocols

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Discussion: Since computer program code is written by humans and there are proper and improper ways of writing software code it is clear that human errors create the conditions for buffer overflows to exist. Unfortunately as secure as any operating system is it becomes insecure when people install insecure code that can be host to buffer overflow attacks so it is human error that really causes these vulnerabilities. Mitigation: The best mitigation against buffer overflow attacks is to: - Be sure you keep your software updated with any patches released by the vendors. - Have sensible configurations for your software. (e.g,. lock it down) - Control access to your sensitive systems with network traffic normalizing systems like a filtering firewall or other devices that drops inappropriate network packets. - If you don't need the software or service on a system, remove it. If it is useless it can only be a threat. The following answers are incorrect: The Windows Operating system: This isn't the intended answer. Insecure programming languages: This isn't correct. Modern programming languages are capable of being used securely. It's only when humans make mistakes that any programming language becomes a threat. Insecure Transport Protocols: This is partially correct. If you send logon ID and passwords over the network in clear text, no programming language will protect you from sniffers. The following reference(s) were/was used to create this question: 2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v71, Module 17, Page 806

QUESTION 248 In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class A network? A. The first bit of the IP address would be set to zero. B. The first bit of the IP address would be set to one and the second bit set to zero. C. The first two bits of the IP address would be set to one, and the third bit set to zero. D. The first three bits of the IP address would be set to one.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Each Class A network address has a 8-bit network prefix, with the first bit of the ipaddress set to zero. See the diagram below for more details. The following answers are incorrect: The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because this would be a Class B network address. The first two bits of the IP address would be set to one, and the third bit set to zero. Is incorrect because, this would be a Class C network address. The first three bits of the ipaddress would be set to one. Is incorrect because, this is a distractor. Class D & E have the first three bits set to 1. Class D the 4th bit is 0 and for Class E the 4th bit to 1. See diagram below from the 3COM tutorial on everything you ever wanted to know about IP addressing: Classful IP addressing format Classless Internet Domain Routing (CIDR) Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet. Their goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses. For Class A, the addresses are 0.0.0.0 - 127.255.255.255. For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255. For Class C, the addresses are 192.0.0.0 - 223.255.255.255. For Class D, the addresses are 224.0.0.0 - 239.255.255.255. For Class E, the addresses are 240.0.0.0 - 255.255.255.255. References: 3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf and AIOv3 Telecommunications and Networking Security (page 438) and https://secure.wikimedia.org/wikipedia/en/wiki/Classless_Inter-Domain_Routing

QUESTION 241 What is a limitation of TCP Wrappers? A. It cannot control access to running UDP services. B. It stops packets before they reach the application layer, thus confusing some proxy servers. C. The hosts.* access control system requires a complicated directory tree. D. They are too expensive.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: TCP Wrappers can control when a UDP server starts but has little control afterwards because UDP packets can be sent randomly. The following answers are incorrect: It stops packets before they reach the application layer, thus confusing some proxy servers. Is incorrect because the TCP Wrapper acts as an ACL restricting packets so would not confuse a proxy server because the packets would not arrive and would not be a limitation. The hosts.* access control system requires a complicated directory tree. Is incorrect because a simple directory tree is involved. They are too expensive. Is incorrect because TCP Wrapper is considered open source with a BSD licensing scheme.

QUESTION 301 Which backup method is used if backup time is critical and tape space is at an extreme premium? A. Incremental backup method. B. Differential backup method. C. Full backup method. D. Tape backup method.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Full Backup/Archival Backup - Complete/Full backup of every selected file on the system regardless of whether it has been backup recently.. This is the slowest of the backup methods since it backups all the data. It's however the fastest for restoring data. Incremental Backup - Any backup in which only the files that have been modified since last full back up are backed up. The archive attribute should be updated while backing up only modified files, which indicates that the file has been backed up. This is the fastest of the backup methods, but the slowest of the restore methods. Differential Backup - The backup of all data files that have been modified since the last incremental backup or archival/full backup. Uses the archive bit to determine what files have changed since last incremental backup or full backup. The files grows each day until the next full backup is performed clearing the archive attributes. This enables the user to restore all files changed since the last full backup in one pass. This is a more neutral method of backing up data since it's not faster nor slower than the other two Easy Way To Remember each of the backup type properties: Backup Speed Restore Speed Full 3 1 Differential 2 2 Incremental 1 3 Legend: 1 = Fastest 2 = Faster 3 = Slowest Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69. and http://www.proprofs.com/mwiki/index.php/Full_Backup,_Incremental_ %26_Differential_Backup66.

QUESTION 224 Which of the following answers best describes the type of penetration testing where the analyst has full knowledge of the network on which he is going to perform his test? A. White-Box Penetration Testing B. Black-Box Pen Testing C. Penetration Testing D. Gray-Box Pen Testing

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: In general there are three ways a pen tester can test a target system. - White-Box: The tester has full access and is testing from inside the system.- Gray-Box: The tester has some knowledge of the system he's testing. - Black-Box: The tester has no knowledge of the system. Each of these forms of testing has different benefits and can test different aspects of the system from different approaches. The following answers are incorrect: - Black-Box Pen Testing: This is where no prior knowledge is given about the target network. Only a domain name or business name may be given to the analyst. - Penetration Testing: This is half correct but more specifically it is white-box testing because the tester has full access. - Gray-Box Pen Testing: This answer is not right because Gray-Box testing you are given a little information about the target network. The following reference(s) was used to create this question: 2013 Official Security+ Curriculum. and tester is provided no information about the target's network or environment. The tester is simply left to his abilities Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4742-4743). Auerbach Publications. Kindle Edition.

QUESTION 271 Which layer deals with Media Access Control (MAC) addresses? A. Data link layer B. Physical layer C. Transport layer D. Network layer

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Layer 2 (Data Link layer) transfers information to the other end of the physical link. It handles physical addressing, network topology, error notification, delivery of frames and flow control.

QUESTION 295 What is the process that RAID Level 0 uses as it creates one large disk by using several disks? A. striping B. mirroring C. integrating D. clustering

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: RAID Level 0 creates one large disk by using several disks. This process is called striping. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 65.

QUESTION 296 RAID Level 1 mirrors the data from one disk or set of disks using which of the following techniques? A. duplicating the data onto another disk or set of disks. B. moving the data onto another disk or set of disks. C. establishing dual connectivity to another disk or set of disks. D. establishing dual addressing to another disk or set of disks.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: RAID Level 1 mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 65.

QUESTION 297 Which of the following stripes the data and the parity information at the block level across all the drives in the set? A. RAID Level 5 B. RAID Level 0 C. RAID Level 2 D. RAID Level 1

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: RAID Level 5 stripes the data and the parity information at the block level across all the drives in the set. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 66.

QUESTION 226 Suppose you are a domain administrator and are choosing an employee to carry out backups. Which access control method do you think would be best for this scenario? A. RBAC - Role-Based Access Control B. MAC - Mandatory Access Control C. DAC - Discretionary Access Control D. RBAC - Rule-Based Access Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: RBAC - Role-Based Access Control permissions would fit best for a backup job for the employee because the permissions correlate tightly with permissions granted to a backup operator. A role-based access control (RBAC) model, bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs. Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities. Objects associated with a role will inherit privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles. Specifically, in the Microsoft Windows world there is a security group called "Backup Operators" in which you can place the users to carry out the duties. This way you could assign the backup privilege without the need to grant the Restore privilege. This would prevent errors or a malicious person from overwriting the current data with an old copy for example. The following answers are incorrect: - MAC - Mandatory Access Control: This isn't the right answer. The role of Backup administrator fits perfectly with the access control Role-Based access control. - DAC - Discretionary Access Control: This isn't the correct answer because DAC relies on data owner/creators to determine who has access to information. - RBAC - Rule-Based Access Control: If you got this wrong it may be because you didn't read past the RBAC part. Be very careful to read the entire question and answers before proceeding.The following reference(s) was used to create this question: 2013 Official Security+ Curriculum. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1936-1943). Auerbach Publications. Kindle Edition.

QUESTION 260 Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)? A. TCP is connection-oriented, UDP is not. B. UDP provides for Error Correction, TCP does not. C. UDP is useful for longer messages, rather than TCP. D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: TCP is a reliable connection-oriented transport for guaranteed delivery of data. Protocols represent certain rules and regulations that are essential in order to have data communication between two entities. Internet Protocols work in sending and receiving data packets. This type of communication may be either connection-less or connection-oriented. In a connection-oriented scenario, an acknowledgement is being received by the sender from the receiver in support of a perfect transfer. Transmission ControlProtocol or TCP is such a protocol. On the other hand, UDP or User Datagram Protocol is of the connection-less type where no feedback is being forwarded to the sender after delivery and the data transfer have taken place or not. Though, it's not a guaranteed method, but, once a connection is established, UDP works much faster than TCP as TCP has to rely on a feedback and accordingly, the entire 3-way handshaking takes place. The following answers are incorrect: UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while TCP does. UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its connectionless nature. TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true. References Used for this question: http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/ http://www.skullbox.net/tcpudp.php James's TCP-IP FAQ - Understanding Port Numbers.

QUESTION 300 Which of the following backup methods is primarily run when time and tape space permits, and is used for the system archive or baselined tape sets? A. full backup method. B. incremental backup method. C. differential backup method. D. tape backup method.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The Full Backup Method is primarily run when time and tape space permits, and is used for the system archive or baselined tape sets. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 69.

QUESTION 222 Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer? A. LCL and MAC; IEEE 8022 and 8023 B. LCL and MAC; IEEE 8021 and 8023 C. Network and MAC; IEEE 8021 and 8023

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 8022 specification. It communicates with the network layer, which is immediately above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer. Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC specification for Ethernet is 8023, Token Ring is 8025, wireless LAN is 80211, and so on. When you see a reference to an IEEE standard, such as 80211 or 80216, it refers to the protocol working at the MAC sublayer of the data link layer of the protocol stack. The following answers are incorrect: LCL and MAC; IEEE 8022 and 8023 is incorrect because LCL is a distracter. The correct acronym for the upper sublayer of the data link layer is LLC. It stands for the Logical Link Control. By providing multiplexing and flow control mechanisms, the LLC enables the coexistence of network protocols within a multipoint network and their transportation over the same network media. LCL and MAC; IEEE 8021 and 8023 is incorrect because LCL is a distracter. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). Furthermore, the LLC is defined in the IEEE 8022 specification, not 8021 The IEEE 8021 specifications are concerned with protocol layers above the MAC and LLC layers. It addresses LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security, etc. Network and MAC; IEEE 8021 and 8023 is incorrect because network is not a sublayer of the data link layer. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC sits between the network layer (the layer immediately above the data link layer) and the MAC sublayer. Also, the LLC is defined in the IEEE 8022 specification,not IEEE 8021 As just explained, 8021 standards address areas of LAN/MAN architecture, network management, internetworking between LANs and WANs, and link security.The IEEE 8021 group's four active task groups are Internetworking, Security, Audio/Video Bridging, and Data Center Bridging. The following reference(s) were/was used to create this question: http://en.wikipedia.org/wiki/OSI_model

QUESTION 259 In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided? A. Transport B. Network C. Presentation D. Application

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The following answers are incorrect: Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model. Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model. Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model. The following reference(s) were/was used to create this question: ISC2 OIG, 2007 p. 411 Shon Harris AIO v.3 p. 424

QUESTION 256 Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented? A. Session layer B. Transport layer C. Data link layer D. Network layer

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The following answers are incorrect: Transport layer: The Transport layer handles computer-to computer communications, rather than application-to-application communications like RPC. Data link Layer: The Data Link layer protocols can be divided into either Logical Link Control (LLC) or Media Access Control (MAC) sublayers. Protocols like SLIP, PPP, RARP and L2TP are at this layer. An application-to-application protocol like RPC would not be addressed at this layer. Network layer: The Network Layer is mostly concerned with routing and addressing of information, not application-to-application communication calls such as an RPC call. The following reference(s) were/was used to create this question: The Remote Procedure Call (RPC) protocol is implemented at the Session layer, which establishes, maintains and manages sessions as well as synchronization of the data flow. Source: Jason Robinett's CISSP Cram Sheet: domain2. Source: Shon Harris AIO v3 pg. 423

QUESTION 252 Which of the following is a tool often used to reduce the risk to a local area network (LAN) that has external connections by filtering Ingress and Egress traffic? A. a firewall. B. dial-up. C. passwords. D. fiber optics.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The use of a firewall is a requirement to protect a local area network (LAN) that has external connections without that you have no real protection from fraudsters. The following answers are incorrect: dial-up. This is incorrect because this offers little protection once the connection has been established. passwords. This is incorrect because there are tools to crack passwords and once a user has been authenticated and connects to the external connections, passwords do not offer protection against incoming TCP packets. fiber optics. This is incorrect because this offers no protection from the external connection.

QUESTION 227 Of the seven types of Access Control Categories, which is described as such? Designed to specify rules of acceptable behavior in the organization. Example: Policy stating that employees may not spend time on social media websites A. Directive Access Control B. Deterrent Access Control C. Preventive Access Control D. Detective Access Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: There are seven access control categories. Below you have the Access Control Types and Categories. - Access Control Types: - Administrative - Policies, data classification and labeling and security awareness training - Technical - Hardare - MAC FIltering or perimeter devices like - Software controls like account logons and encryption, file perms - Physical - Guard, fences and locks - Access Control Categories: Directive: specify rules of acceptable behavior - Policy stating users may not use facebook Deterrent: - Designed to discourage people from violating security directives - Logon banner reminding users about being subject to monitoring Preventive: - Implemented to prevent a security incident or information breach - Like a fence or file permissions Detective: - Used to mitigate the loss. - Example: Logging, IDS with a Firewall Compensating: - To subsititute for the loss of a primary control of add additinoal mitigation - Example: Logging, IDS inline with firewall Corrective: - To remedy circumstance, mitigate damage or restore control - Example: Fire extinguisher, firing an employee Recovery: - To restore conditions to normal after a security incident - Restore files from backup All these are designed to shape employee behavior to better maintain an environment that supports the business objectives and protects corporate assets. The following answers are incorrect: - Deterrent Access Control: This is not right because a deterrent access control discourages people from violating security directives. - Preventive Access Control: This is incorrect because a preventive access control category is used to simply stop or block unwanted behavior. Users don't have a choice about whether to violate the behavior rules. - Detective Access Control: Sorry, this isn't a access control category.The following reference(s) was used to create this question: 2013 Official Security+ Curriculum. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 1162). Auerbach Publications. Kindle Edition.

QUESTION 249 Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)? A. 10.0.42.5 B. 11.0.42.5 C. 12.0.42.5 D. 13.0.42.5

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: This is a valid Class A reserved address. For Class A, the reserved addresses are 10.0.0.0 - 10.255.255.255. The following answers are incorrect: 11.0.42.5 Is incorrect because it is not a Class A reserved address.12.0.42.5 Is incorrect because it is not a Class A reserved address. 13.0.42.5 Is incorrect because it is not a Class A reserved address. The private IP address ranges are defined within RFC 1918: RFC 1918 private ip address range References: 3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf AIOv3 Telecommunications and Networking Security (page 438)

QUESTION 236 Which of the following testing method examines internal structure or working of an application? A. White-box testing B. Parallel Test C. Regression Testing D. Pilot Testing

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. For your exam you should know the information below: Alpha and Beta Testing - An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically software goes to two stages testing before it consider finished.The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the betaversion of the product to independent beta test sites or offering it free to interested user. Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests usually over interim platform and with only basic functionalities. White box testing - Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic path. However testing all possible logical path in large information system is not feasible and would be cost prohibitive, and therefore is used on selective basis only. Black Box Testing - An integrity based form of testing associated with testing components of an information system's "functional" operating effectiveness without regards to any specific internal program structure. Applicable to integration and user acceptance testing. Function/validation testing It is similar to system testing but it is often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements. Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data. Parallel Testing - This is the process of feeding test data into two systems the modified system and an alternative system and comparing the result. Sociability Testing - The purpose of these tests is to confirm that new or modified system can operate in its target environment without adversely impacting existing system. This should cover not only platform that will perform primary application processing and interface with other system but , in a client server and web development, changes to the desktop environment. Multiple application may run on the users desktop, potentially simultaneously , so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modification, and possibly extra memory utilization. The following answers are incorrect: Parallel Testing - This is the process of feeding test data into two systems the modified system and an alternative system and comparing the result. Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be same as original data. Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests usually over interim platform and with only basic functionalities The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 167 Official ISC2 guide to CISSP CBK 3rd Edition Page number 176

QUESTION 247 Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)? A. 192.168.42.5 B. 192.166.42.5 C. 192.175.42.5 D. 192.1.42.5

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference:This is a valid Class C reserved address. For Class C, the reserved addresses are 192.168.0.0 - 192.168.255.255. The private IP address ranges are defined within RFC 1918: RFC 1918 private ip address range The following answers are incorrect: 192.166.42.5 Is incorrect because it is not a Class C reserved address. 192.175.42.5 Is incorrect because it is not a Class C reserved address. 192.1.42.5 Is incorrect because it is not a Class C reserved address.

QUESTION 299 If any server in the cluster crashes, processing continues transparently, however, the cluster suffers some performance degradation. This implementation is sometimes called a: A. server farm B. client farm C. cluster farm D. host farm

Correct Answer: A Section: Communication and Network Security ExplanationExplanation/Reference: If any server in the cluster crashes, processing continues transparently, however, the cluster suffers some performance degradation. This implementation is sometimes called a "server farm." Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 67.

QUESTION 294 Which of the following defines when RAID separates the data into multiple units and stores it on multiple disks? A. striping B. scanning C. screening D. shadowing

Correct Answer: A Section: Communication and Network SecurityExplanation Explanation/Reference: Basically, RAID separates the data into multiple units and stores it on multiple disks by using a process called "striping". Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 65.

QUESTION 173 A network-based vulnerability assessment is a type of test also referred to as: A. An active vulnerability assessment. B. A routing vulnerability assessment. C. A host-based vulnerability assessment. D. A passive vulnerability assessment.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses. Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability systems. There are mostly two main types of test: PASSIVE: You don't send any packet or interact with the remote target. You make use of public database and other techniques to gather information about your target. ACTIVE: You do send packets to your target, you attempt to stimulate response which will help you in gathering information about hosts that are alive, services runnings, port state, and more. See example below of both types of attacks: Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them. Altering messages , modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.IMPORTANT NOTE: On the commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic. They do not use vendor terms but general terms. Experience could trick you into selecting the wrong choice sometimes. See feedback from Jason below: "I am a system security analyst. It is my daily duty to perform system vulnerability analysis. We use Nessus and Retina (among other tools) to perform our network based vulnerability scanning. Both commercially available tools refer to a network based vulnerability scan as a "credentialed" scan. Without credentials, the scan tool cannot login to the system being scanned, and as such will only receive a port scan to see what ports are open and exploitable" Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 865). McGraw-Hill. Kindle Edition. and DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 97).

QUESTION 204 Which of the following term best describes a weakness that could potentially be exploited? A. Vulnerability B. Risk C. Threat D. Target of evaluation (TOE)

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A vulnerability is mostly a weakness, it could be a weakness in a piece of sotware, it could be a weakness in your physical security, it could take many forms. It is a weakness that could be exploited by a Threat. For example an open firewall port, a password that is never changed, or a flammable carpet. A missing Control is also considered to be a Vulnerability. The following answers are incorrect: Risk: It is the combination of a threat exploiting some vulnerability that could cause harm to some asset. Management is concerned with many types of risk. Information Technology (IT) security risk management addresses risks that arise from an organization's use of information technology. Usually a threat agent will give rise to the threat which will attempt to take advantage of one of your vulnerability. Risk is a function of the likelihood that a threat scenario will materialize, its resulting impact (consequences) and the existence/effectiveness of safeguards. If the evaluation of the risk meets the risk deemed acceptable by management, nothing needs to be done. Situations where evaluation of the risk exceeds the accepted risk (target risk) will necessitate a risk management decision such as implementing a safeguard to bring the risk down to an acceptable level. Threat: Possibility that vulnerability may be exploited to cause harm to a system, environment, or personnel. Any potential danger. The risk level associated with a threat is evaluated by looking at the likelihood which is how often it could happen and the impact (which is how much exposure or lost you would suffer) it would have on the asset. A low impact threat that repeats itself multiple times would have to be addressed. A high impact threat that happen not very often would have to be addressed as well. Target of evaluation: The term Target of evaluation is a term used under the common criteria evaluation scheme. It defines the product being evaluated. It was only a detractor in this case and it is not directly related to risk management. Risk management info Risk Management is an iterative process, which ensures that reasonable and cost-effective steps are taken to protect the: Confidentiality of information stored, processed, or transmitted electronically Integrity of the information and related processes Availability of the information, systems and services against accidental and deliberate threats Value of the asset and the cost of its replacement if it is compromised You can manage risk by: Confirming the appropriateness of minimum standards Supplementing the standards when necessary Eliminating unnecessary expenditures and administrative barriers Managing risk therefore, means defining: What is at risk Magnitude of the risk Causal factors What to do about the risk The following reference(s) were/was used to create this question: http://www.cse-cst.gc.ca/tutorials/english/section2/m2/index_e.htm and The official CEH courseware Version 6 Module 1

QUESTION 217 Which answer best describes a computer software attack that takes advantage of a previously unpublished vulnerability? A. Zero-Day Attack B. Exploit Attack C. Vulnerability Attack D. Software Crack

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A zero-day (or zero-hour, or Oday, or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. The term derives from the age of the exploit. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software. Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start todevelop a counter to that threat. For viruses, Trojans and other zero-day attacks, the vulnerability window follows this time line: The developer creates software containing an unknown vulnerability The attacker finds the vulnerability before the developer does The attacker writes and distributes an exploit while the vulnerability is not known to the developer The developer becomes aware of the vulnerability and starts developing a fix. The following answers are incorrect: Exploit Attack An exploit (from the verb to exploit, in the meaning of using something to one's own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial-of- service attack. Vulnerability Attack There is no such thing as the term Vulnerability Attack. However a vulnerability is synonyous with a weakness, it could be bad quality of software, a weakness within your physical security, or a weakness in your policies and procedures. An attacker will take advantage of a weakness and usually use an exploit to gain access to your systems without proper authorization or privilege. Software Crack Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware. A crack is the software tool used to remove the need to insert a serial number or activation key. The following reference(s) were/was used to create this question: 2011, Ethical Hacking and Countermeasures, EC-Council Official Curriculum, Book 1, Page 9 https://en.wikipedia.org/wiki/Zero_day_attack https://en.wikipedia.org/wiki/Exploit_%28computer_security%29 https://en.wikipedia.org/wiki/Software_cracking

QUESTION 169 Which of the following biometric devices has the lowest user acceptance level? A. Retina Scan B. Fingerprint scan C. Hand geometry D. Signature recognition

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: According to the cited reference, of the given options, the Retina scan has the lowest user acceptance level as it is needed for the user to get his eye close to a device and it is not user friendly and very intrusive. However, retina scan is the most precise with about one error per 10 millions usage. Look at the 2 tables below. If necessary right click on the image and save it on your desktop for a larger view or visit the web site directly at https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy . Biometric Comparison Chart Biometric Aspect Descriptions Reference(s) used for this question: RHODES, Keith A., Chief Technologist, United States General Accounting Office, National Preparedness, Technologies to Secure Federal Buildings, April 2002 (page 10). and https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy

QUESTION 231 During an IS audit, auditor has observed that authentication and authorization steps are split into two functions and there is a possibility to force the authorization step to be completed before the authentication step. Which of the following technique an attacker could user to force authorization step before authentication? A. Eavesdropping B. Traffic analysis C. Masquerading D. Race Condition

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: A race condition is when processes carry out their tasks on a shared resource in an incorrect order. A race condition is possible when two or more processes use a shared resource, as in data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its taskon the data before process 1, the result will be much different than if process1 carried out its tasks on the data before process 2 In software, when the authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step. This would be a flaw in the software that the attacker has figured out how to exploit. A race condition occurs when two or more processes use the same resource and the sequences of steps within the software can be carried out in an improper order, something that can drastically affect the output. So, an attacker can force the authorization step to take place before the authentication step and gain unauthorized access to a resource. The following answers are incorrect: Eavesdropping - is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to matters that concern them." Traffic analysis - is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security. Masquerading - A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack. Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process. The attack can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they've managed to attain. As such, masquerade attackers can have a full smorgasbord of cyber crime opportunities if they've gained the highest access authority to a business organization. Personal attacks, although less common, can also be harmful. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 324 Official ISC2 guide to CISSP CBK 3rd Edition Page number 66 CISSP All-In-One Exam guide 6th Edition Page Number 161

QUESTION 218 Data which is properly secured and can be described with terms like genuine or not corrupted from the original refers to data that has a high level of what? A. Authenticity B. Authorization C. Availability D. Non-Repudiation

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine or not corrupted from the original. The following answers are incorrect: Authorization is wrong because this refers to a users ability to access data based upon a set of credentials. Availability is wrong because this refers to systems which deliver data are accessible when and where required by users. Non-Repudiation is wrong because this is where a user cannot deny their actions on data they processed. Classic example is a legal document you signed either manually with a pen or digitally with a signing certificate. If it is signed then you cannot proclaim you did not send the document or do a transaction. The following reference(s) were/was used to create this question: 2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, Volume 1, Module 1, Page. 11

QUESTION 160 Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished: A. through access control mechanisms that require identification and authentication and through the audit function. B. through logical or technical controls involving the restriction of access to systems and the protection of information. C. through logical or technical controls but not involving the restriction of access to systems and the protection of information. D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 164 Detective/Technical measures: A. include intrusion detection systems and automatically-generated violation reports from audit trail information. B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information. D. include intrusion detection systems and customised-generated violation reports from audit trail information.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Detective/Technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 207 An employee ensures all cables are shielded, builds concrete walls that extend from the true floor to the true ceiling and installs a white noise generator. What attack is the employee trying to protect against? A. Emanation Attacks B. Social Engineering C. Object reuse D. Wiretaping

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Explanation : Emanation attacks are the act of intercepting electrical signals that radiate from computing equipment. There are several countermeasures including shielding cabling, white noise, control zones, and TEMPEST equipment (this is a Faraday cage around the equipment) The following answers were incorrect: Social Engineering: Social Engineering does not involve hardware. A person make use of his/her social skills in order to trick someone into revealing information they should not disclose. Object Reuse: It is related to the reuse of storage medias. One must ensure that the storage media has been sanitized properly before it would be reuse for other usage. This is very important when computer equipment is discarded or given to a local charity organization. Ensure there is no sensitive data left by degaussing the device or overwriting it multiple times. Wiretapping: It consist of legally or illegally taping into someone else phone line to eavesdrop on their communication. The following reference(s) were/was used to create this question: Shon Harris AIO 4th Edition

QUESTION 163 Another type of access control is lattice-based access control. In this type of control a lattice model is applied. How is this type of access control concept applied? A. The pair of elements is the subject and object, and the subject has an upper bound equal or higher than the upper bound of the object being accessed. B. The pair of elements is the subject and object, and the subject has an upper bound lower then the upper bound of the object being accessed. C. The pair of elements is the subject and object, and the subject has no special upper or lower bound needed within the lattice. D. The pair of elements is the subject and object, and the subject has no access rights in relation to an object.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: In this type of control, a lattice model is applied. To apply this concept to access control, the pair of elements is the subject and object, and the subject has to have an upper bound equal or higher than the object being accessed. WIKIPEDIA has a great explanation as well: In computer security, lattice-based access control (LBAC) is a complex access control based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34 and http://en.wikipedia.org/wiki/Lattice-based_access_control

QUESTION 275 Which of the following transmission media would NOT be affected by cross talk or interference? A. Copper cable B. Radio System C. Satellite radiolink D. Fiber optic cables

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: Only fiber optic cables are not affected by crosstalk or interference. For your exam you should know the information about transmission media: Copper Cable Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports voice and data. Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in the 1820s.The invention of the telephone in 1876 created further demand for copper wire as an electrical conductor. Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power generation, power transmission, power distribution, telecommunications, electronics circuitry, and countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts. Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all copper mined is used to manufacture electrical wire and cable conductors. Copper Cable Image Source - http://i00.i.aliimg.com/photo/v0/570456138/FRLS_HR_PVC_Copper_Cable.jpg Coaxial cable Coaxial cable, or coax (pronounced 'ko.aks), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield sharing a geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver Heaviside, who patented the design in 1880.Coaxial cable differs from other shielded cable used for carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as a radio frequency transmission line. Coaxial cable are expensive and does not support many LAN's. It supports data and video Coaxial Cable Image Source - http://www.tlc-direct.co.uk/Images/Products/size_3/CARG59.JPG Fiber optics An optical fiber cable is a cable containing one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated withplastic layers and contained in a protective tube suitable for the environment where the cable will be deployed. Different types of cable are used for different applications, for example long distance telecommunication, or providing a high-speed data connection between different parts of a building. Fiber optics used for long distance, hard to splice, not vulnerable to cross talk and difficult to tap. It supports voice data, image and video. Radio System Radio systems are used for short distance,cheap and easy to tap. Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free space. Information, such as sound, is carried by systematically changing (modulating) some property of the radiated waves, such as their amplitude, frequency, phase, or pulse width. When radio waves strike an electrical conductor, the oscillating fields induce an alternating current in the conductor. The information in the waves can be extracted and transformed back into its original form. Fiber Optics Image Source - http://aboveinfranet.com/wp-content/uploads/2014/04/fiber-optic-cables- above-infranet-solutions.jpg Microwave radio system Microwave transmission refers to the technology of transmitting information or energy by the use of radio waves whose wavelengths are conveniently measured in small numbers of centimetre; these are called microwaves. Microwaves are widely used for point-to-point communications because their small wavelength allows conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the receiving antenna. This allows nearby microwave equipment to use the same frequencies without interfering with each other, as lower frequency radio waves do. Another advantage is that the high frequency of microwaves gives the microwave band a very large information-carrying capacity; the microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or mountains as lower frequency radio waves can. Microwave radio transmission is commonly used in point-to-point communication systems on the surface of the Earth, in satellite communications, and in deep space radio communications. Other parts of the microwave radio band are used for radars, radio navigation systems, sensor systems, and radio astronomy. Microwave radio systems are carriers for voice data signal, cheap and easy to tap. Microwave Radio System Image Source - http://www.valiantcom.com/images/applications/e1_digital_microwave_radio.gif Satellite Radio Link Satellite radio is a radio service broadcast from satellites primarily to cars, with the signal broadcast nationwide, across a much wider geographical area than terrestrial radio stations. It is available by subscription, mostly commercial free, and offers subscribers more stations and a wider variety of programming options than terrestrial radio. Satellite radio link uses transponder to send information and easy to tap. The following answers are incorrect: Copper Cable - Copper cable is very simple to install and easy to tap. It is used mostly for short distance and supports voice and data. Radio System - Radio systems are used for short distance,cheap and easy to tap. Satellite Radio Link - Satellite radio link uses transponder to send information and easy to tap. The following reference(s) were/was used to create this question: CISA review manual 2014 page number 265 & Official ISC2 guide to CISSP CBK 3rd Edition Page number 233

QUESTION 166 When submitting a passphrase for authentication, the passphrase is converted into ... A. a virtual password by the system. B. a new passphrase by the system. C. a new passphrase by the encryption technology D. a real password by the system which can be used forever.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. It is recommended to use a passphrase instead of a password. A passphrase is more resistant to attacks. The passphrase is converted into a virtual password by the system. Often time the passphrase will exceed the maximum length supported by the system and it must be trucated into a Virtual Password. Reference(s) used for this question: http://www.itl.nist.gov/fipspubs/fip112htm and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37

QUESTION 195 Which of the following can be defined as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences? A. Extensible Authentication Protocol B. Challenge Handshake Authentication Protocol C. Remote Authentication Dial-In User Service D. Multilevel Authentication Protocol.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: RFC 2828 (Internet Security Glossary) defines the Extensible Authentication Protocol as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. It is intended for use primarily by a host or router that connects to a PPP network server via switched circuits or dial- up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet protocol for carrying dial-in user's authentication information and configuration information between a shared, centralized authentication server and a network access server that needs to authenticate the users of its network access ports. The other option is a distracter. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000

QUESTION 213 You have been approached by one of your clients . They are interested in doing some security re-engineering . The client is looking at various information securitymodels. It is a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications . Of primary concern to them, is the identification of potential covert channel. As an Information Security Professional , which model would you recommend to the client? A. Information Flow Model combined with Bell Lapadula B. Bell Lapadula C. Biba D. Information Flow Model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit the information disclosure exist today, such as access control lists, firewalls, and cryptography. However, although these methods do impose limits on the information that is released by a system, they provide no guarantees about information propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the confidentiality of the data are given once it is decrypted. In low level information flow analysis, each variable is usually assigned a security level. The basic model comprises two distinct levels: low and high, meaning, respectively, publicly observable information, and secret information. To ensure confidentiality, flowing information from high to low variables should not be allowed. On the other hand, to ensure integrity, flows to high variables should be restricted. More generally, the security levels can be viewed as a lattice with information flowing only upwards in the lattice. Noninterference Models This could have been another good answer as it would help in minimizing the damage from covert channels. The goal of a noninterference model is to help ensure that high-level actions (inputs) do not determine what low-level user s can see (outputs ) . Most of the security models presented are secured by permitting restricted flows between high- and low-level users. The noninterference model maintains activities at different security levels to separate these levels from each other. In this way, it minimizes leakages that may happen through covert channels, because there is complete separation (noninterference) between security levels. Because a user at a higher security level has no way to interfere with the activities at a lower level, the lower- level user cannot get any information from the higher leve. The following answers are incorrect: Bell Lapadula The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g."Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public"). The BellLaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system satisfies the security objectives of the model. The BellLaPadula model is built on the concept of a state machine with a set of allowable states in a computer network system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties: The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up). The -property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The -property is also known as the Confinement property. The Discretionary Security Property - use of an access matrix to specify the discretionary access control. The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the BellLaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the -property. Untrusted subjects are. Trusted Subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by the phrase: "no read up, no write down." With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up). The BellLaPadula model explicitly defined its scope. It did not treat the following extensively: Covert channels. Passing information via pre-arranged actions was described briefly. Networks of systems. Later modeling work did address this topic. Policies outside multilevel security. Work in the early 1990s showed that MLS is one version of boolean policies, as are all other published policies. Biba The Biba Model or Biba Integrity Model developed by Kenneth J. Biba in 1977, is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt objects in a level ranked higher than the subject, or be corrupted by objects from a lower level than the subject. In general the model was developed to circumvent a weakness in the BellLaPadula model which only addresses data confidentiality. In general, preservation of data integrity has three goals: Prevent data modification by unauthorized parties Prevent unauthorized data modification by authorized parties Maintain internal and external consistency (i.e. data reflects the real world)Note: Biba address only the first goal of integrity while Clark-Wilson addresses all three This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: "no read down, no write up". This is in contrast to the Bell- LaPadula model which is characterized by the phrase "no write down, no read up". In the Biba model, users can only create content at or below their own integrity level (a monk may write a prayer book that can be read by commoners, but not one to be read by a high priest). Conversely, users can only view content at or above their own integrity level (a monk may read a book written by the high priest, but may not read a pamphlet written by a lowly commoner). Another analogy to consider is that of the military chain of command. A General may write orders to a Colonel, who can issue these orders to a Major. In this fashion, the General's original orders are kept intact and the mission of the military is protected (thus, "no read down" integrity). Conversely, a Private can never issue orders to his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission ("no write up"). The Biba model defines a set of security rules similar to the Bell-LaPadula model. These rules are the reverse of the Bell-LaPadula rules: The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a lower integrity level (no read down). The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up). Lattice Model In computer security, lattice-based access control (LBAC) is a complex access control model based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object. Mathematically, the security level access may also be expressed in terms of the lattice (a partial order set) where each object and subject have a greatest lower bound (meet) and least upper bound (join) of access rights. For example, if two subjects A and B need access to an object, the security level is defined as the meet of the levels of A and B. In another example, if two objects X and Y are combined, they form another object Z, which is assigned the security level formed by the join of the levels of X and Y. The following reference(s) were/was used to create this question: ISC2 Review Seminar Student Manual V800 page 255 Dorothy Denning developed the information flow model to address convert channels . and The ISC2 Official Study Guide, Second Edition, on page 683-685 and https://secure.wikimedia.org/wikipedia/en/wiki/Biba_security_model and https://secure.wikimedia.org/wikipedia/en/wiki/Bell%E2%80%93LaPadula_model and https://secure.wikimedia.org/wikipedia/en/wiki/Lattice-based_access_control

QUESTION 185 How would nonrepudiation be best classified as? A. A preventive control B. A logical control C. A corrective control. D. A compensating control

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control. Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology, December 2001, page 7

QUESTION 154 Which access control model was proposed for enforcing access control in government and military applications? A. Bell-LaPadula model B. Biba model C. Sutherland model D. Brewer-Nash model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are concerned with integrity. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 11).

QUESTION 155 Which access control model achieves data integrity through well-formed transactions and separation of duties? A. Clark-Wilson model B. Biba model C. Non-interference model D. Sutherland model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The Clark-Wilson model differs from other models that are subject- and object- oriented by introducing a third access element programs resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non- interference model is related to the information flow model with restrictions on the information flow. The Sutherland model approaches integrity by focusing on the problem of inference. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12). And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control.

QUESTION 211 Tim is a network administrator of Acme inc. He is responsible for configuring the network devices. John the new security manager reviews the configuration of the Firewall configured by Tim and identifies an issue. This specific firewall is configured in failover mode with another firewall. A sniffer on a PC connected to the same switch as the firewalls can decipher the credentials, used by Tim while configuring the firewalls. Which of the following should be used by Tim to ensure a that no one can eavesdrop on the communication? A. SSH B. SFTP C. SCP D. RSH

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the data, it prevents sniffing attacks using a protocol analyzer also called a sniffer. With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it. Apart from the fact that this would open all the user's files to an attacker, the illegal account could be used to obtain administrator or root access or to penetrate other systems. In the past, remote connections were established with telnet, which offers no guards against eavesdropping in the form of encryption or other security mechanisms. There are other unprotected communication channels, like the traditional FTP protocol and some remote copying programs. The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login name and a password) and all the other data exchanged between the hosts. With SSH, the data flow could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain text unless the encryption key is known. So SSH enables secure communications over insecure networks such as the Internet. The following answers are incorrect: SCP and SFTP The SCP protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port 22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. SCP might not even be considered a protocol itself, but merely a combination of RCP and SSH. The RCP protocol performs the file transfer and the SSH protocol performs authentication and encryption. SCP protects the authenticity and confidentiality of the data in transit. It hinders the ability for packet sniffers to extract usable information from the data packets.The SCP protocol has been superseded by the more comprehensive SFTP protocol, which is also based on SSH. RSH RSH© allows a user to execute commands on a remote system without having to log in to the system. For example, RSH can be used to remotely examine the status of a number of access servers without connecting to each communication server, executing the command, and then disconnecting from the communication server. As described in the rlogin article, the rsh protocol is not secure for network use, because it sends unencrypted information over the network, among other things. Some implementations also authenticate by sending unencrypted passwords over the network. rsh has largely been replaced by the very similar SSH (secure shell) program on untrusted networks like the internet. As an example of RSH use, the following executes the command mkdir testdir as user remote user on the computer remote computer: rsh -l remote user remote computer "mkdir testdir" After the command has finished RSH terminates. If no command is specified then rsh will log in on the remote system using rlogin. The following reference(s) were/was used to create this question: http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02html and http://en.wikipedia.org/wiki/Remote_Shell and http://en.wikipedia.org/wiki/Secure_copy

QUESTION 151 Which of the following biometric parameters are better suited for authentication use over a long period of time? A. Iris pattern B. Voice pattern C. Signature dynamics D. Retina pattern

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to change over time, thus are not as suitable for authentication over a long period of time without needing re- enrollment. Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause).

QUESTION 188 Most access violations are: A. Caused by internal untrained employees B. Caused by internal hackers C. Caused by external hackers D. Related to Internet

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 4: Protection of Information Assets (page 192).

QUESTION 210 You wish to make use of "port knocking" technologies. How can you BEST explain this? A. Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as an authorized client. B. Port knocking is where the user calls the server operator to have him start the service he wants to connect to. C. This is where all the ports are open on the server and the connecting client scans the open port to which he wants to connect to see if it's open and running. D. Port knocking is where the port sequence is encrypted with 3DES and only the server has the other key to decrypt the port sequence.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The other answers are incorrect The following reference(s) were/was used to create this question: http://www.portknocking.org/

QUESTION 167 In the context of Biometric authentication, what is a quick way to compare the accuracy of devices. In general, the device that have the lowest value would be the most accurate. Which of the following would be used to compare accuracy of devices? A. the CER is used. B. the FRR is used C. the FAR is used D. The FER is used

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate. In the context of Biometric Authentication almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR). Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of the system performance, the CrossOver Error Rate (CER) is used. The following are used as performance metrics for biometric systems:false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. In case of similarity scale, if the person is imposter in real, but the matching score is higher than the threshold, then he is treated as genuine that increase the FAR and hence performance also depends upon the selection of threshold value. false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input is unsuccessful. This is most commonly caused by low quality inputs. failure to capture rate (FTC): Within automatic systems, the probability that the system fails to detect a biometric input when presented correctly. template capacity: the maximum number of sets of data which can be stored in the system. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37 and Wikipedia at: https://en.wikipedia.org/wiki/Biometrics

QUESTION 276 What is called an attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets? A. SYN Flood attack B. Smurf attack C. Ping of Death attack D. Denial of Service (DOS) attack

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Although it may cause a denial of service to the victim's system, this type of attack is a Smurf attack. A SYN Flood attack uses up all of a system's resources by setting up a number of bogus communication sockets on the victim's system. A Ping of Death attack is done by sending IP packets that exceed the maximum legal length (65535 octets). Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 789).

QUESTION 269 Which of the following is true of network security? A. A firewall is a not a necessity in today's connected world. B. A firewall is a necessity in today's connected world. C. A whitewall is a necessity in today's connected world. D. A black firewall is a necessity in today's connected world.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Commercial firewalls are a dime-a-dozen in todays world. Black firewall and whitewall are just distracters.

QUESTION 292 An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as: A. Netware availability B. Network availability C. Network acceptability D. Network accountability

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Details: The Answer: Network availability Network availability can be defined as an area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.

QUESTION 261 The standard server port number for HTTP is which of the following? A. 81 B. 80 C. 8080 D. 8180

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: HTTP is Port 80. Reference: MAIWALD, Eric, Network Security: A Beginner's Guide, McGraw-Hill/Osborne Media, 2001, page 135.

QUESTION 279 The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers does NOT have which of the following characteristics? A. Standard model for network communications B. Used to gain information from network devices such as count of packets received and routing tables C. Enables dissimilar networks to communicate D. Defines 7 protocol layers (a.k.a. protocol stack)

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics Standard model for network communications enables dissimilar networks to communicate, Defines 7 protocol layers (a.k.a. protocol stack) Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed- upon communication formats) "Mapping" each protocol to the model is useful for comparing protocols. Mnemonics: Please Do Not Throw Sausage Pizza Away (bottom to top layer) All People Seem To Need Data Processing (top to bottom layer). Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.

QUESTION 244 What is the proper term to refer to a single unit of IP data? A. IP segment. B. IP datagram. C. IP frame. D. IP fragment.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: IP is a datagram based technology. DIFFERENCE BETWEEN PACKETS AND DATAGRAM As specified at: http://en.wikipedia.org/wiki/Packet_(information_technology) In general, the term packet applies to any message formatted as a packet, while the term datagram is generally reserved for packets of an "unreliable" service. A "reliable" service is one that notifies the user if delivery fails, while an "unreliable" one does not notify the user if delivery fails. For example, IP provides an unreliable service. Together, TCP and IP provide a reliable service, whereas UDP and IP provide an unreliable one. All these protocols use packets, but UDP packets are generally called datagrams. If a network does not guarantee packet delivery, then it becomes the host's responsibility to provide reliability by detecting and retransmitting lost packets. Subsequent experience on the ARPANET indicated that the network itself could not reliably detect all packet delivery failures, and this pushed responsibility for error detection onto the sending host in any case. This led to the development of the end-to-end principle, which is one of the Internet's fundamental design assumptions. The following answers are incorrect: IP segment. Is incorrect because IP segment is a detractor, the correct terminology is TCP segment. IP is a datagram based technology. IP frame. Is incorrect because IP frame is a detractor, the correct terminology is Ethernet frame. IP is a datagram based technology. IP fragment. Is incorrect because IP fragment is a detractor. References: Wikipedia http://en.wikipedia.org/wiki/Internet_Protocol

QUESTION 242 The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained within the IP datagram? A. TCP. B. ICMP. C. UDP. D. IGMP.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: If the protocol field has a value of 1 then it would indicate it was ICMP. The following answers are incorrect: TCP. Is incorrect because the value for a TCP protocol would be 6. UDP. Is incorrect because the value for an UDP protocol would be 17. IGMP. Is incorrect because the value for an IGMP protocol would be 2.

QUESTION 280 The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers 6 is which of the following? A. Application Layer B. Presentation Layer C. Data Link Layer D. Network Layer

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics: Layers: 1. Physical Layer 2. Data Link Layer 3. Network Layer 4. Transport Layer 5. Session Layer 6. Presentation Layer 7. Applications Layer Here's a great mnemonicfor the OSI model: "Please Do Not Throw Sausage Pizza Away".Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.

QUESTION 266 What is NOT true with pre shared key authentication within IKE / IPsec protocol? A. Pre shared key authentication is normally based on simple passwords B. Needs a Public Key Infrastructure (PKI) to work C. IKE is used to setup Security Associations D. IKE builds upon the Oakley protocol and the ISAKMP protocol.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication which are either pre-shared or distributed using DNS (preferably with DNSSEC) and a DiffieHellman key exchange to set up a shared session secret from which cryptographic keys are derived. Internet Key Exchange (IKE) Internet key exchange allows communicating partners to prove their identity to each other and establish a secure communication channel, and is applied as an authentication component of IPSec. IKE uses two phases: Phase 1: In this phase, the partners authenticate with each other, using one of the following: Shared Secret: A key that is exchanged by humans via telephone, fax, encrypted e-mail, etc. Public Key Encryption: Digital certificates are exchanged. Revised mode of Public Key Encryption: To reduce the overhead of public key encryption, a nonce (a Cryptographic function that refers to a number or bit string used only once, in security engineering) is encrypted with the communicating partner's public key, and the peer's identity is encrypted with symmetric encryption using the nonce as the key. Next, IKE establishes a temporary security association and secure tunnel to protect the rest of the key exchange. Phase 2: The peers' security associations are established, using the secure tunnel and temporary SA created at the end of phase 1. The following reference(s) were used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7032-7048). Auerbach Publications. Kindle Edition. and RFC 2409 at http://tools.ietf.org/html/rfc2409 and http://en.wikipedia.org/wiki/Internet_Key_Exchange

QUESTION 278 The International Organization for Standardization / Open Systems Interconnection (ISO/OSI) Layer 7 does NOT include which of the following? A. SMTP (Simple Mail Transfer Protocol) B. TCP (Transmission Control Protocol ) C. SNMP (Simple Network Management Protocol D. HTTP (Hypertext Transfer Protocol)

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Layer 7 Applications Layer Provides specific services for applications such as: FTP (File Transfer Protocol) TFTP (Trivial File Transfer Protocol)Used by some X-Terminal systems HTTP (Hypertext Transfer Protocol) SNMP (Simple Network Management Protocol Helps network managers locate and correct problems in a TCP/IP network Used to gain information from network devices such as count of packets received and routing tables SMTP (Simple Mail Transfer Protocol)Used by many email applications. Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 12.

QUESTION 254 Which of the following DoD Model layer provides non-repudiation services? A. network layer. B. application layer. C. transport layer. D. data link layer.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The Application Layer determines the identity of the communication partners and this is where Non-Repudiation service would be provided as well. See the layers below: DOD Model DoD Model The following answers are incorrect: network layer. Is incorrect because the Network Layer mostly has routing protocols, ICMP, IP, and IPSEC. It it not a layer in the DoD Model. It is called the Internet Layer within the DoD model. transport layer. Is incorrect because the Transport layer provides transparent transfer of data between end users. This is called Host-to-Host on the DoD model but sometimes some books will call it Transport as well on the DoD model. data link layer. Is incorrect because the Data Link Layer defines the protocols that computers must follow to access the network for transmitting and receiving messages. It is part of the OSI Model. This does not exist on the DoD model, it is called the Link Layer on the DoD model.

QUESTION 283 One of the following assertions is NOT a characteristic of Internet Protocol Security (IPsec) A. Data cannot be read by unauthorized parties B. The identity of all IPsec endpoints are confirmed by other endpoints C. Data is delivered in the exact order in which it is sent D. The number of packets being exchanged can be counted.

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: IPSec provide replay protection that ensures data is not delivered multiple times, however IPsec does not ensure that data is delivered in the exact order in which it is sent. IPSEC uses TCP and packets may be delivered out of order to the receiving side depending which route was taken by the packet. Internet Protocol Security (IPsec) has emerged as the most commonly used network layer security control for protecting communications. IPsec is a framework of open standards for ensuring private communications over IP networks. Depending on how IPsec is implemented and configured, it can provide any combination of the following types of protection: Confidentiality. IPsec can ensure that data cannot be read by unauthorized parties. This is accomplished by encrypting data using a cryptographic algorithm and a secret key a value known only to the two parties exchanging data. The data can only be decrypted by someone who has the secret key. Integrity. IPsec can determine if data has been changed (intentionally or unintentionally) during transit. The integrity of data can be assured by generating a message authentication code (MAC) value, which is a cryptographic checksum of the data. If the data is altered and the MAC is recalculated, the old and new MACs will differ.Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it wishes to communicate, ensuring that the network traffic and data is being sent from the expected host. Replay Protection. The same data is not delivered multiple times, and data is not delivered grossly out of order. However, IPsec does not ensure that data is delivered in the exact order in which it is sent. Traffic Analysis Protection. A person monitoring network traffic does not know which parties are communicating, how often communications are occurring, or how much data is being exchanged. However, the number of packets being exchanged can be counted. Access Control. IPsec endpoints can perform filtering to ensure that only authorized IPsec users can access particular network resources. IPsec endpoints can also allow or block certain types of network traffic, such as allowing Web server access but denying file sharing. The following are incorrect answers because they are all features provided by IPSEC: "Data cannot be read by unauthorized parties" is wrong because IPsec provides confidentiality through the usage of the Encapsulating Security Protocol (ESP), once encrypted the data cannot be read by unauthorized parties because they have access only to the ciphertext. This is accomplished by encrypting data using a cryptographic algorithm and a session key, a value known only to the two parties exchanging data. The data can only be decrypted by someone who has a copy of the session key. "The identity of all IPsec endpoints are confirmed by other endpoints" is wrong because IPsec provides peer authentication: Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it wishes to communicate, ensuring that the network traffic and data is being sent from the expected host. "The number of packets being exchanged can be counted" is wrong because although IPsec provides traffic protection where a person monitoring network traffic does not know which parties are communicating, how often communications are occurring, or how much data is being exchanged, the number of packets being exchanged still can be counted. Reference(s) used for this question: NIST 800-77 Guide to IPsec VPNs . Pages 2-3 to 2-4

QUESTION 234 During an IS audit, one of your auditor has observed that some of the critical servers in your organization can be accessed ONLY by using shared/common user name and password. What should be the auditor's PRIMARY concern be with this approach? A. Password sharing B. Accountability C. Shared account management D. Difficulty in auditing shared account

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The keyword PRIMARY is used in the question. Accountability should be the primary concern if critical servers can be accessed only by using shared user id and password. It would be very difficult to track the changes done by employee on critical server. For your exam you should know the information below: Accountability Ultimately one of the drivers behind strong identification, authentication, auditing and session management is accountability. Accountability is fundamentally about being able to determine who or what is responsible for an action and can be held responsible. A closely related information assurance topic is non-repudiation. Repudiation is the ability to deny an action, event, impact or result. Non-repudiation is the process of ensuring a user may not deny an action. Accountability relies heavily on non-repudiation to ensure users, processes and actions may be held responsible for impacts. The following contribute to ensuring accountability of actions: Strong identification Strong authentication User training and awareness Comprehensive, timely and thorough monitoring Accurate and consistent audit logs Independent audits Policies enforcing accountability Organizational behaviour supporting accountability The following answers are incorrect: The other options are also valid concern. But the primary concern should be accountability. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 328 and 329Official ISC2 guide to CISSP CBK 3rd Edition Page number 114

QUESTION 240 ICMP and IGMP belong to which layer of the OSI model? A. Datagram Layer. B. Network Layer. C. Transport Layer. D. Data Link Layer.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP) The following answers are incorrect: Datagram Layer. Is incorrect as a distractor as there is no Datagram Layer. Transport Layer. Is incorrect because it is used to data between applications and uses the TCP and UDP protocols. Data Link Layer. Is incorrect because this layer deals with addressing hardware.

QUESTION 237 Which of the following type of traffic can easily be filtered with a stateful packet filter by enforcing the context or state of the request? A. ICMP B. TCP C. UDP D. IP

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The question is explict in asking *easily*. With TCP connection establishment there is a distinct state or sequence that can be expected. Consult the references for further details. ICMP, IP and UDP don't have any concept of a session; i.e. each packet or datagram is handled individually, with no reference to the contents of the previous one. With no sessions, these protocols usually cannot be filtered on the state of the session. Some newer firewalls, however, simulate the concept of state for these protocols, and filter out unexpected packets based upon normal usage. Although these are commonly treated like normal stateful filters, they are more complex to program, and hence more prone to errors. A stateful packet filter or stateful inspection inspects each packet and only allows known connection states through. So, if a SYN/ACK packet was recieved and there was not a prior SYN packet sent it would filter that packet and not let it in. The correct sequence of steps are known and if the sequence or state is incorrect then it is dropped. The incorrect answers are: ICMP. ICMP is basically stateless so you could not *easily* filter them based on the state or sequence. UDP. UDP has no real state so you could only partially filter them based on the state or sequence. The question was explicit in asking *easily*. While it is possible, UDP is not the best answer. IP. IP would refer to the Internet Protocol and as such is stateless so you would not be able to filter it out *easily*. The following reference(s) were used for this question: http://www.nwo.net/ipf/ipf-howto.pdf

QUESTION 253 Which one of the following is usually not a benefit resulting from the use of firewalls? A. reduces the risks of external threats from malicious hackers. B. prevents the spread of viruses. C. reduces the threat level on internal system. D. allows centralized management and control of services.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: This is not a benefit of a firewall. Most firewalls are limited when it comes to preventing the spread of viruses. This question is testing your knowledge of Malware and Firewalls. The keywords within the questions are "usually" and "virus". Once again to come up with the correct answer, you must stay within the context of the question and really ask yourself which of the 4 choices is NOT usually done by a firewall. Some of the latest Appliances such as Unified Threat Management (UTM) devices does have the ability to do virus scanning but most first and second generation firewalls would not have such ability. Remember, the questions is not asking about all possible scenarios that could exist but only about which of the 4 choices presented is the BEST. For the exam you must know your general classes of Malware. There are generally four major classes of malicious code that fall under the general definition of malware: 1. Virus: Parasitic code that requires human action or insertion, or which attaches itself to another program to facilitate replication and distribution. Virus-infected containers can range from e-mail, documents, and data file macros to boot sectors, partitions, and memory fobs. Viruses were the first iteration of malware and were typically transferred by floppy disks (also known as "sneakernet") and injected into memory when the disk was accessed or infected files were transferred from system to system. 2. Worm: Self-propagating code that exploits system or application vulnerabilities to replicate. Once on a system, it may execute embedded routines to alter, destroy, or monitor the system on which it is running, then move on to the next system. A worm is effectively a virus that does not require human interaction or other programs to infect systems. 3. Trojan Horse: Named after the Trojan horse of Greek mythology (and serving a very similar function), a Trojan horse is a general term referring to programs that appear desirable, but actually contain something harmful. A Trojan horse purports to do one thing that the user wants while secretly performing other potentially malicious actions. For example, a user may download a game file, install it, and begin playing the game. Unbeknownst to the user, the application may also install a virus, launch a worm, or install a utility allowing an attacker to gain unauthorized access to the system remotely, all without the user's knowledge. 4. Spyware: Prior to its use in malicious activity, spyware was typically a hidden application injected through poor browser security by companies seeking to gain more information about a user's Internet activity. Today, those methods are used to deploy other malware, collect private data, send advertising or commercial messages to a system, or monitor system input, such as keystrokes or mouse clicks. The following answers are incorrect: reduces the risks of external threats from malicious hackers. This is incorrect because a firewall can reduce the risks of external threats from malicious hackers. reduces the threat level on internal system. This is incorrect because a firewall can reduce the threat level on internal system. allows centralized management and control of services. This is incorrect because a firewall can allow centralize management and control of services. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3989-4009). Auerbach Publications. Kindle Edition.

QUESTION 281 In telephony different types of connections are being used. The connection from the phone company's branch office to local customers is referred to as which of the following choices? A. new loop B. local loop C. loopback D. indigenous loop

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: Transmission on fiber optic wire requires repeating at distance intervals. The glass fiber requires more protection within an outer cable than copper. For these reasons and because the installation of any new wiring is labor-intensive, few communities yet have fiber optic wires or cables from the phone company's branch office to local customers (local loop). In telephony, a local loop is the wired connection from a telephone company's central office in a locality to its customers' telephones at homes and businesses. This connection is usually on a pair of copper wires called twisted pair. The system was originally designed for voice transmission only using analog transmission technology on a single voice channel. Today, your computer's modem makes the conversion between analog signals and digital signals. With Integrated Services Digital Network (ISDN) or Digital Subscriber Line (DSL), the local loop can carry digital signals directly and at a much higher bandwidth than they do for voice only. Local Loop diagram Image from: http://www.thenetworkencyclopedia.com/entry/local-loop/ The following are incorrect answers: New loop This is only a detractor and does not exist Loopback In telephone systems, a loopback is a test signal sent to a network destination that is returned as received to the originator. The returned signal may help diagnose a problem. Ingenious loop This is only a detractor and does not exist Reference(s) used for this question: http://searchnetworking.techtarget.com/definition/local-loop and STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 14.

QUESTION 223 Which of the following is NOT part of user provisioning? A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include electronic mail, access to a database, access to a file server or mainframe, and so on The following answers are all incorrect answers: Creation and deactivation of user accounts Maintenance and deactivation of user objects and attributes Delegating user administration The following reference(s) were/was used to create this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 179). McGraw-Hill . Kindle Edition.

QUESTION 277 Why are coaxial cables called "coaxial"? A. it includes two physical channels that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis. B. it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis C. it includes two physical channels that carries the signal surrounded (after a layer of insulation) by another two concentric physical channels, both running along the same axis. D. it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running perpendicular and along the different axis

Correct Answer: B Section: Communication and Network SecurityExplanation Explanation/Reference: Coaxial cable is called "coaxial" because it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis. The outer channel serves as a ground. Many of these cables or pairs of coaxial tubes can be placed in a single outer sheathing and, with repeaters, can carry information for a great distance. Source: STEINER, Kurt, Telecommunications and Network Security, Version 1, May 2002, CISSP Open Study Group (Domain Leader: skottikus), Page 14.

QUESTION 182 Which authentication technique best protects against hijacking? A. Static authentication B. Continuous authentication C. Robust authentication D. Strong authentication

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: A continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. This is the best protection against hijacking. Static authentication is the type of authentication provided by traditional password schemes and the strength of the authentication is highly dependent on the difficulty of guessing passwords. The robust authentication mechanism relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, and it does not protect against hijacking. Strong authentication refers to a two-factor authentication (like something a user knows and something a user is). Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3: Secured Connections to External Networks (page 51).

QUESTION 157 Which of the following are additional access control objectives? A. Consistency and utility B. Reliability and utility C. Usefulness and utility D. Convenience and utility

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Availability assures that a system's authorized users have timely and uninterrupted access to the information in the system. The additional access controlobjectives are reliability and utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to these threats, and the risk that the threat may materialize Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32

QUESTION 209 Business Impact Analysis (BIA) is about A. Technology B. Supporting the mission of the organization C. Due Care D. Risk Assessment

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Business impact analysis is not about technology ; it is about supporting the mission of the organization. The following answers are incorrect: Technololgy Due Care Risk Assessment The following reference(s) were/was used to create this question: Information Security Management Handbook , Sixth Edition by Tipton & Al page 321

QUESTION 186 What are cognitive passwords? A. Passwords that can be used only once. B. Fact or opinion-based information used to verify an individual's identity. C. Password generators that use a challenge response scheme. D. Passphrases.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Cognitive passwords are fact or opinion-based information used to verify an individual's identity. Passwords that can be used only once are one-time or dynamic passwords. Password generators that use a challenge response scheme refer to token devices. A passphrase is a sequence of characters that is longer than a password and is transformed into a virtual password. Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 2), /Documents/CISSP_Summary_2002/ index.html.

QUESTION 192 Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? A. Using a TACACS+ server. B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. C. Setting modem ring count to at least 5 D. Only attaching modems to non-networked hosts.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet. The use of a TACACS+ Server by itself cannot eliminate hacking. Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modem by dialing long series of numbers. Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers.

QUESTION 176 Which of the following is NOT a form of detective technical control? A. Audit trails B. Access control software C. Honeypot D. Intrusion detection system

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Detective technical controls warn of technical access control violations. Access control software is a rather an example of a preventive technical control. Other choices represent detective technical controls. Source: DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 10 (march 2002).

QUESTION 175 Ensuring least privilege does not require: A. Identifying what the user's job is. B. Ensuring that the user alone does not have sufficient rights to subvert an important process. C. Ensuring that the user alone does not have sufficient rights to subvert an important process. D. Restricting the user to required privileges and nothing more.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Ensuring that the user alone does not have sufficient rights to subvert an important process is a concern of the separation of duties principle and it does not concern the least privilege principle. Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 33).

QUESTION 161 In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on: A. The societies role in the organization B. The individual's role in the organization C. The group-dynamics as they relate to the individual's role in the organization D. The group-dynamics as they relate to the master-slave role in the organization

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual's role in the organization. Reference(S) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 172 What is an error called that causes a system to be vulnerable because of the environment in which it is installed? A. Configuration error B. Environmental error C. Access validation error D. Exceptional condition handling error

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In an environmental error, the environment in which a system is installed somehow causes the system to be vulnerable. This may be due, for example, to an unexpected interaction between an application and the operating system or between two applications on the same host. A configuration error occurs when user controllable settings in a system are set such that the system is vulnerable. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an exceptional condition that has arisen. Source: DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 106).

QUESTION 162 In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because: A. people need not use discretion B. the access controls are based on the individual's role or title within the organization. C. the access controls are not based on the individual's role or title within the organization D. the access controls are often based on the individual's role or title within the organization

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual's role or title within the organization. You can easily configure a new employee acces by assigning the user to a role that has been predefine. The user will implicitly inherit the permissions of the role by being a member of that role. These access permissions defined within the role do not need to be changed whenever a new person takes over the role. Another type of non-discretionary access control model is the Rule Based Access Control (RBAC or RuBAC) where a global set of rule is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall. This question is a sneaky one, one of the choice has only one added word to it which is often. Reading questions and their choices very carefully is a must for the real exam. Reading it twice if needed is recommended. Shon Harris in her book list the following ways of managing RBAC: Role-based access control can be managed in the following ways: Non-RBAC Users are mapped directly to applications and no roles are used. (No roles being used) Limited RBAC Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. (A mix of roles for applications that supports roles and explicit access control would be used for applications that do not support roles) Hybrid RBAC Users are mapped to multiapplication roles with only selected rights assigned to those roles. Full RBAC Users are mapped to enterprise roles. (Roles are used for all access being granted) NIST defines RBAC as: Security administration can be costly and prone to error because administrators usually specify access control lists for each user on the system individually. With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32 and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition McGraw-Hill. and http://csrc.nist.gov/groups/SNS/rbac/

QUESTION 200 Pin, Password, Passphrases, Tokens, smart cards, and biometric devices are all items that can be used for Authentication. When one of these item listed above in conjunction with a second factor to validate authentication, it provides robust authentication of the individual by practicing which of the following? A. Multi-party authentication B. Two-factor authentication C. Mandatory authentication D. Discretionary authentication

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Once an identity is established it must be authenticated. There exist numerous technologies and implementation of authentication methods however they almost all fall under three major areas. There are three fundamental types of authentication: Authentication by knowledge--something a person knows Authentication by possession--something a person has Authentication by characteristic--something a person is Logical controls related to these types are called "factors." Something you know can be a password or PIN, something you have can be a token fob or smart card, and something you are is usually some form of biometrics. Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is the combination of all three factors. The general term for the use of more than one factor during authentication is multifactor authentication or strong authentication. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 2367-2379). Auerbach Publications. Kindle Edition.

QUESTION 165 Passwords can be required to change monthly, quarterly, or at other intervals: A. depending on the criticality of the information needing protection B. depending on the criticality of the information needing protection and the password's frequency of use. C. depending on the password's frequency of use. not depending on the criticality of the information D. needing protection but depending on the password's frequency of use.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37q

QUESTION 216 You are a security consultant who is required to perform penetration testing on a client's network. During penetration testing, you are required to use a compromised system to attack other systems on the network to avoid network restrictions like firewalls. Which method would you use in this scenario: A. Black box Method B. Pivoting method C. White Box Method. D. Grey Box Method

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Pivoting refers to method used by penetration testers that uses compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping. Pivoting can further be distinguished into proxy pivoting and VPN pivoting: Proxy pivoting generally describes the practice channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from this computer.[1] This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy. VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic through that target machine, for example to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if they were behind the firewall. Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the payload (software) of an exploit. The following answers are incorrect: Black Box Method Black-box testing is a method of software testing that tests the functionality of an application as opposed to its internal structures or workings (see white-box testing). Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is only aware of what the software is supposed to do, but not how i.e. when he enters a certain input, he gets a certain output; without being aware of how the output was produced in the first place. Test cases are built around specifications and requirements, i.e., what the application is supposed to do. It uses external descriptions of the software, including specifications, requirements, and designs to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object's internal structure. For Penetration testing it means that you have no knowledge of the target. You may only get an IP address or a Domain Name and from that very limited amount of knowledge you must attempt to find all that you can. White Box Method In penetration testing, white-box testing refers to a methodology where a white hat hacker has full knowledge of the system being attacked. The goal of a white-box penetration test is to simulate a malicious insider who has some knowledge and possibly basic credentials to the target system. Grey Box Method Gray-box testing is a combination of white-box testing and black-box testing. Aim of this testing is to search for the defects if any due to improper structure or improper usage of applications. In the context of the CEH this also means an internal test of company networks. The following reference(s) were/was used to create this question: https://en.wikipedia.org/wiki/Exploit_%28computer_security%29#Pivoting https://en.wikipedia.org/wiki/Black-box_testing Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4656-4657). Auerbach Publications. Kindle Edition.

QUESTION 194 An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization is known as a(n): A. active attack. B. outside attack. C. inside attack. D. passive attack.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system. An active attack attempts to alter system resources to affect their operation and a passive attack attempts to learn or make use of the information from the system but does not affect system resources. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000

QUESTION 190 Which of following is not a service provided by AAA servers (Radius, TACACS and DIAMETER)? A. Authentication B. Administration C. Accounting D. Authorization

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Radius, TACACS and DIAMETER are classified as authentication, authorization, and accounting (AAA) servers. Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 33 also see: The term "AAA" is often used, describing cornerstone concepts [of the AIC triad] Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification which is required before the three "A's" can follow. Identity is a claim, Authentication proves an identity, Authorization describes the action you can perform on a system once you have been identified and authenticated, and accountability holds users accountable for their actions. Reference: CISSP Study Guide, Conrad Misenar, Feldman p. 10-11, (c) 2010 Elsevier.

QUESTION 208 The best technique to authenticate to a system is to: A. Establish biometric access through a secured server or Web site. B. Ensure the person is authenticated by something he knows and something he has. C. Maintain correct and accurate ACLs (access control lists) to allow access to applications. D. Allow access only through user ID and password.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Something you know and something you have is two authentication factors and is better than a single authentication factor. Strong Authentication or Two Factor Authentication is widely accepted as the best practice for authentication. There are three type of authentication factors: Type 1 - Something you know (password, pin) Type 2 - Something you have (token, smart card, magnetic card) Type 3 - Something you are (biometics) Whenever two of the three types of factors are used together, this is called strong authentication or two factors authentication The following answers are incorrect: Establish biometric access through a secured server or Web site: This is a single factor authentication and it could be weaker than two factors, in most cases it is . Biometric devices can be tricked or circumvented in some cases, this is why they MUST be supplemented with a second factor of authentication. Multiple attacks have been done on different types of biometric devices. Two factors is always the best to authenticate a user.Maintain correct and accurate ACLs (access control lists) to allow access to applications: ACL are attached to objects. They are used within the access control matrix to define what level of access each of the subjects have on the object. It is a column within the Access Control matrix. This is related to authorization and not authentication. Allow access only through user ID and password: This is once again a single factor of authentication because both are something the person knows.

QUESTION 199 An access system that grants users only those rights necessary for them to perform their work is operating on which security principle? A. Discretionary Access B. Least Privilege C. Mandatory Access D. Separation of Duties

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 205 Which of the following best describes an exploit? A. An intentional hidden message or feature in an object such as a piece of software or a movie. B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software C. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer D. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The following answers are incorrect: An intentional hidden message or feature in an object such as a piece of software or a movie. This is the definition of an "Easter Egg" which is code within code. A good example of this was a small flight simulator that was hidden within Microsoft Excel. If you know which cell to go to on your spreadsheet and the special code to type in that cell, you were able to run the flight simulator. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer This is the definition of a "Buffer Overflow". Many pieces of exploit code may contain some buffer overflow code but considering all the choices presented this was not the best choice. It is one of the vulnerability that the exploit would take care of if no data input validation is taking place within the software that you are targeting. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system This is the definition of a "System Crash". Such behavior might be the result of exploit code being launched against the target. The following reference(s) were/was used to create this question: http://en.wikipedia.org/wiki/Main_Page and The official CEH courseware Version 6 Module 1 The Official CEH Courseware Version 7 Module 1

QUESTION 214 Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port? A. Allow the packet to be processed by the network and record the event B. Record selected information about the packets and drop the packets C. Resolve the destination address and process the packet D. Translate the source address and resend the packet

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: This question refers specificly to the LAND Attack. This question is testing your ability to recognize common attacks such as the Land Attack and also your understanding of what would be an acceptable action taken by your Intrusion Detection System. You must remember what is a LAND ATTACK for the purpose of the exam. You must also remember that an IDS is not only a passive device. In the context of the exam it is considered an active device that is MOSTLY passive. It can take some blocking actions such as changing a rule on a router or firewall for example. In the case of the Land Attack and this specific question. It must be understand that most Operating System TCP/IP stack today would not be vulnerable to such attack. Many of the common firewall could also drop any traffic with same Source IP/Port as the Destination IP/Port as well. So there is multiple layers where such an attack could be stopped. The downfall of IDS compared with IPS is the fact they are usually reacting after the packets have been sent over the network. A single packet attack should as the Land Attack could be detected but would still complete and affect the destination target. This is where IPS could come into play and stop the attack before it completes. Techtarget on their SearchSecurity website has the following definition for this type of attack: A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port. This is a rather old attack and current patches should stop them for most systems. This is one of the attacks you are expected to know within the CBK. This question mention specifically what would the reaction of the IDS be? The choices presented and the question itself DOES NOT talk about IPS, WIDS, or other monitoring tools. It only mentions IDS. Restrict yourself to the context of the question. MISCONCEPTIONS Many people have the misconception that an IDS can only record events and has no ability to take active response. This is NOT true. An IDS could reset a connection when an attack is detected. An IDS could change a rule on the firewall to block the attacker. An IDS could change a rule on a router to block offending traffic. IDS do have the ability to take active response and this is not reserved only for IPS.The second misconception is that within the ISC2 CBK an IDS is always a passive only system and does not take any blocking actions, this is not true. The IDS is a lot more limited than IPS as we are mentioning below but they do have the ability to block some of the attacks or traffic. Here is a quote from the latest ISC2 on this subject: Intrusion detection and prevention systems are used to identify and respond to suspected security-related events in real-time or near-real-time. Intrusion Detection Systems (IDS) will use available information to determine if an attack is underway, send alerts, and provide limited response capabilities. Intrusion Prevention Systems (IPS) will use available information to determine if an attack is underway, send alerts but also block the attack from reaching its intended target. SANS GIAC HAS A GREAT PAPER ON THIS TOPIC What does Limited response mean? It usually means active response in the context of IDS. There is a nice paper in the SANS library on this topic, you can find it at http://www.sans.org/security-resources/idfaq/active.php See a small extract below: Active Response is a mechanism in intrusion detection systems (IDS) that provides the IDS with capability to respond to an attack when it has been detected. There are two methods that the IDS can take to circumvent an attack. The first method of circumventing attacks would be Session disruption, and the second is Filter rule manipulation. The specific feature varies with each IDS product and each countermeasure method possesses its own strengths and weaknesses. (See paper above for more details of these techniques) See reference below for more info if your into this type of stuff, else just keep it simple as described below. Do not get too deep into this topic The discussion about what is an IDS and what is an IPS has been ongoing for the past decade at least. Just do a quick Google search of "IDS versus IPS" and you will see what I mean. Old timers like me will remember doing blocking with their IDS when such tool just came out. At that time the term IPS did not even exist. For the purpose of the exam, keep it simple. If the Instrusion Detection system is inline doing blocking of attacks it is an IPS. If the Instrusion Detection System only monitors traffic and activity without blocking it is an IDS. An IPS could be configure to act like an IDS where it will not block anything if the administrator of the device did not configure any blocking rules on the IPS. However, the opposite is not true, you cannot configure an IDS to act as an IPS, it does not have the smarts that an IPS would have. IPS are usually deployed inline and IDS are not deployed inline. The following answers are incorrect: Allow the packet to be processed by the network and record the event A spoofed packet is almost sure to be malicious and should be dropped. Note that some students may argue that an IDS itself does not drop the packets but it could terminate the connection by sending Reset (RST) packets to the sender pretending to the be target. The IDS could also change an ACL or Rule on the router or firewall to block the connections from the source IP. Resolve the destination address and process the packet The 'correct' destination address could not be determined by the IDS Translate the source address and resend the packet The 'correct' source address could not be reliably determined by the IDS The following reference(s) were/was used to create this question: Official (ISC)2 Guide to the CISSP CBK , Second Edition, Network Intrusion Detection, Page 129 and Corporate; (Isc)2 (2010-04-20). Official (ISC)2 Guide to the CISSP CBK , Second Edition ((ISC)2 Press) (Kindle Locations 12545-12548). Taylor & Francis. Kindle Edition. and Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Security Operations (Kindle Locations 704-707). . Kindle Edition. and http://searchsecurity.techtarget.com/answer/What-is-a-land-attack and http://www.symantec.com/connect/articles/understanding-ids-active-response-mechanisms and http://www.sans.org/security-resources/idfaq/active.php

QUESTION 171 Which of the following tools is less likely to be used by a hacker? A. l0phtcrack B. Tripwire C. OphCrack D. John the Ripper

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified. This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it. Other programs are password-cracking programs and are likely to be used by security administrators as well as by hackers. More info regarding Tripwire available on the Tripwire, Inc. Web Site. NOTE: The biggest competitor to the commercial version of Tripwire is the freeware version of Tripwire. You can get the Open Source version of Tripwire at the following URL: http://sourceforge.net/projects/tripwire/

QUESTION 180 What is considered the most important type of error to avoid for a biometric access control system? A. Type I Error B. Type II Error C. Combined Error Rate D. Crossover Error Rate

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor. A Type I error is known as the false reject or false rejection rate and is not as important in the security context as a type II error rate. A type one is when a valid company employee is rejected by the system and he cannot get access even thou it is a valid user. The Crossover Error Rate (CER) is the point at which the false rejection rate equals the false acceptance rate if your would create a graph of Type I and Type II errors. The lower the CER the better the device would be. The Combined Error Rate is a distracter and does not exist. Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 10).

QUESTION 285 One of the following statements about the differences between PPTP and L2TP is NOT true A. PPTP can run only on top of IP networks. B. PPTP is an encryption protocol and L2TP is not. C. L2TP works well with all firewalls and network devices that perform NAT. D. L2TP supports AAA servers

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: L2TP is affected by packet header modification and cannot cope with firewalls and network devices that perform NAT. "PPTP can run only on top of IP networks." is correct as PPTP encapsulates datagrams into an IP packet, allowing PPTP to route many network protocols across an IP network. "PPTP is an encryption protocol and L2TP is not." is correct. When using PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) using MSCHAP or EAP-TLS."L2TP supports AAA servers" is correct as L2TP supports TACACS+ and RADIUS. NOTE: L2TP does work over NAT. It is possible to use a tunneled mode that wraps every packet into a UDP packet. Port 4500 is used for this purpose. However this is not true of PPTP and it is not true as well that it works well with all firewalls and NAT devices. References: All in One Third Edition page 545 Official Guide to the CISSP Exam page 124-126

QUESTION 255 What is the 802.11 standard related to? A. Public Key Infrastructure (PKI) B. Wireless network communications C. Packet-switching technology D. The OSI/ISO model

Correct Answer: BSection: Communication and Network Security Explanation Explanation/Reference: The 802.11 standard outlines how wireless clients and APs communicate, lays out the specifications of their interfaces, dictates how signal transmission should take place, and describes how authentication, association, and security should be implemeted. The following answers are incorrect: Public Key Infrastructure (PKI) Public Key Infrastructure is a supporting infrastructure to manage public keys. It is not part of the IEEE 802 Working Group standard. Packet-switching technology A packet-switching technology is not included in the IEEE 802 Working Group standard. It is a technology where-in messages are broken up into packets, which then travel along different routes to the destination. The OSI/ISO model The Open System Interconnect model is a sevel-layer model defined as an international standard describing network communications. The following reference(s) were/was used to create this question: Source: Shon Harris - "All-in-One CISSP Exam Guide" Fourth Edition; Chapter 7 - Telecommunications and Network Security: pg. 624. 802.11 refers to a family of specifications developed by the IEEE for Wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. The IEEE accepted the specification in 1997. There are several specifications in the 802.11 family: 802.11 # applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS). 802.11a # an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS. 802.11b (also referred to as 802.11 High Rate or Wi-Fi) # an extension to 802.11 that applies to wireless LANS and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet. 802.11g # applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band. Source: 802.11 Planet's web site.

QUESTION 245 A packet containing a long string of NOP's followed by a command is usually indicative of what? A. A syn scan. B. A half-port scan. C. A buffer overflow attack. D. A packet destined for the network's broadcast address.

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: A series of the same control, hexidecimal, characters imbedded in the string is usually an indicator of a buffer overflow attack. A NOP is a instruction which does nothing (No Operation - the hexadecimal equivalent is 0x90) The following answers are incorrect: A syn scan. This is incorrect because a SYN scan is when a SYN packet is sent to a specific port and the results are then analyzed. A half-port scan. This is incorrect because the port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed. Also known as a Half Open Port scan. A packet destined for the network's broadcast address. This is incorrect because this type of packet would not contain a long string of NOP characters.

QUESTION 284 One of these statements about the key elements of a good configuration process is NOT true A. Accommodate the reuse of proven standards and best practices B. Ensure that all requirements remain clear, concise, and valid C. Control modifications to system hardware in order to prevent resource changes D. Ensure changes, standards, and requirements are communicated promptly and precisely

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Configuration management isn't about preventing change but ensuring the integrity of IT resources by preventing unauthorised or improper changes. According to the Official ISC2 guide to the CISSP exam, a good CM process is one that can: (1) accommodate change; (2) accommodate the reuse of proven standards and best practices; (3) ensure that all requirements remain clear, concise, and valid; (4) ensure changes, standards, and requirements are communicated promptly and precisely; and (5) ensure that the results conform to each instance of the product. Configuration management Configuration management (CM) is the detailed recording and updating of information that describes an enterprise's computer systems and networks, including all hardware and software components. Such information typically includes the versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices. Special configuration management software is available. When a system needs a hardware or software upgrade, a computer technician can accesses the configuration management program and database to see what is currently installed. The technician can then make a more informed decision about the upgrade needed. An advantage of a configuration management application is that the entire collection of systems can be reviewed to make sure any changes made to one system do not adversely affect any of the other systems Configuration management is also used in software development, where it is called Unified Configuration Management (UCM). Using UCM, developers can keep track of the source code, documentation, problems, changes requested, and changes made. Change management In a computer system environment, change management refers to a systematic approach to keeping track of the details of the system (for example, what operating system release is running on each computer and which fixes have been applied).

QUESTION 246 In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network? A. The first bit of the IP address would be set to zero. B. The first bit of the IP address would be set to one and the second bit set to zero. C. The first two bits of the IP address would be set to one, and the third bit set to zero. D. The first three bits of the IP address would be set to one.

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Each Class C network address has a 24-bit network prefix, with the three highest order bits set to 1-1-0 The following answers are incorrect: The first bit of the IP address would be set to zero. Is incorrect because, this would be a Class A network address. The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because, this would be a Class B network address . The first three bits of the IP address would be set to one. Is incorrect because, this is a distractor. Class D & E have the first three bits set to 1. Class D the 4th bit is 0 and for Class E the 4th bit to 1. Classless Internet Domain Routing (CIDR) High Order bits are shown in bold below. For Class A, the addresses are 0.0.0.0 - 127.255.255.255 The lowest Class A address is represented in binary as 00000000.00000000.0000000.00000000 For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255. The lowest Class B address is represented in binary as 10000000.00000000.00000000.00000000 For Class C, the addresses are 192.0.0.0 - 223.255.255.255 The lowest Class C address is represented in binary as 11000000.00000000.00000000.00000000 For Class D, the addresses are 224.0.0.0 - 239.255.255.255 (Multicast) The lowest Class D address is represented in binary as 11100000.00000000.00000000.00000000 For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (Reserved for future usage) The lowest Class E address is represented in binary as 11110000.00000000.00000000.00000000 Classful IP Address Format References: 3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf AIOv3 Telecommunications and Networking Security (page 438)

QUESTION 257 Frame relay and X.25 networks are part of which of the following? A. Circuit-switched services B. Cell-switched services C. Packet-switched services D. Dedicated digital services

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Frame relay and X.25 are both examples of packet-switching technologies. In packet-switched networks there are no dedicated connections between endpoints, and data is divided into packets and reassembled on the receiving end. Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. The following two techniques are used in packet-switching technology: Variable-length packets Statistical multiplexing Variable-length packets are used for more efficient and flexible data transfers. These packets are switched between the various segments in the network until the destination is reached. Statistical multiplexing techniques control network access in a packet-switched network. The advantage of this technique is that it accommodates more flexibility and more efficient use of bandwidth. Most of today's popular LANs, such as Ethernet and Token Ring, are packet-switched networks.Frame Relay often is described as a streamlined version of X.25, offering fewer of the robust capabilities, such as windowing and retransmission of last data that are offered in X.25. This is because Frame Relay typically operates over WAN facilities that offer more reliable connection services and a higher degree of reliability than the facilities available during the late 1970s and early 1980s that served as the common platforms for X.25 WANs. As mentioned earlier, Frame Relay is strictly a Layer 2 protocol suite, whereas X.25 provides services at Layer 3 (the network layer) as well. This enables Frame Relay to offer higher performance and greater transmission efficiency than X.25, and makes Frame Relay suitable for current WAN applications, such as LAN interconnection. The following answers are incorrect: Circuit-switched services. An example of a circuit-switched service are Integrated Services Digital Network (ISDN) and Point-to-Point Protocol (PPP). Frame Relay and X.25 do not use circuit switching technology. Cell-switched services. This is a distractor. Dedicated digital services. A packet switched network is commonly via a digital method, but is not dedicated. Examples of a Dedicated digital service might be a Permanent Virtual Circuit (PVC), which does not use packet switching. The following reference(s) were/was used to create this question: The CISCO Wiki on Frame Relay

QUESTION 270 Which of the following best describes signature-based detection? A. Compare source code, looking for events or sets of events that could cause damage to a system or network. B. Compare system activity for the behaviour patterns of new attacks. C. Compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. D. Compare network nodes looking for objects or sets of objects that match a predefined pattern of objects that may describe a known attack.

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Misuse detectors compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called "signature-based detection." The most common form of misuse detection used in commercial products specifies each pattern of events corresponding to an attack as a separate signature. However, there are more sophisticated approaches to doing misuse detection (called "state-based" analysis techniques) that can leverage a single signature to detect groups of attacks. Reference: Old Document: BACE, Rebecca & MELL, Peter, NIST Special Publication 800-31 on Intrusion Detection Systems, Page 16. The publication above has been replaced by 800-94 on page 2-4 The Updated URL is: http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

QUESTION 267 In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server? A. Peer-to-peer authentication B. Only server authentication (optional) C. Server authentication (mandatory) and client authentication (optional) D. Role based authentication scheme

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Reference: RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley Professional; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 268 What kind of encryption is realized in the S/MIME-standard? A. Asymmetric encryption scheme B. Password based encryption scheme C. Public key based, hybrid encryption scheme D. Elliptic curve based encryption

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and non- repudiation of electronic messages. S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standardtherefore makes it possible to attach all types of files to e-mails. S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633. How S/MIME works The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication. The various sections of an electronic message, encoded according to the MIME standard, are each encrypted using a session key. The session key is inserted in each section's header, and is encrypted using the recipient's public key. Only the recipient can open the message's body, using his private key, which guarantees the confidentiality and integrity of the received message. In addition, the message's signature is encrypted with the sender's private key. Anyone intercepting the communication can read the content of the message's signature, but this ensures the recipient of the sender's identity, since only the sender is capable of encrypting a message (with his private key) that can be decrypted with his public key. Reference(s) used for this question: http://en.kioskea.net/contents/139-cryptography-s-mime RFC 2630: Cryptographic Message Syntax; OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House; HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 570; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 288 Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion detection? A. Anomaly detection tends to produce more data B. A pattern matching IDS can only identify known attacks C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams D. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: This is wrong which makes this the correct choice. This statement is not true as stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets. Stateful matching intrusion detection takes pattern matching to the next level.As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network- based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers. The following answers are all incorrect: Anomaly detection tends to produce more data is true as an anomaly-based IDS produces a lot of data as any activity outside of expected behavior is recorded. A pattern matching IDS can only identify known attacks is true as a pattern matching IDS works by comparing traffic streams against signatures. These signatures are created for known attacks. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines is true as the assertion is a characteristic of a statistical anomaly-based IDS. Reference: Official guide to the CISSP CBK. Pages 198 to 201 http://cs.ucsb.edu/~vigna/publications/2003_vigna_robertson_kher_kemmerer_ACSAC03.pdf

QUESTION 293 Which of the following is the correct set of assurance requirements for EAL 5? A. Semiformally verified design and tested B. Semiformally tested and checked C. Semiformally designed and tested D. Semiformally verified tested and checked

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Under the Common Criteria model, an evaluation is carried out on a product and is assigned an Evaluation Assurance Level (EAL). The thorough and stringent testing increases in detailed- oriented tasks as the assurance levels increase. The Common Criteria has seven assurance levels. The range is from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is verified. The Orange Book and the Rainbow Series provide evaluation schemes that are too rigid and narrowly defined for the business world. ITSEC attempted to provide a more flexible approach by separating the functionality and assurance attributes and considering the evaluation of entire systems. However, this flexibility added complexity because evaluators could mix and match functionality and assurance ratings, which resulted in too many classifications to keep straight. Because we are a species that continues to try to get it right, the next attempt for an effective and usable evaluation criteria was the Common Criteria. In 1990, the International Organization for Standardization (ISO) identified the need for international standard evaluation criteria to be used globally. The Common Criteria project started in 1993 when several organizations came together to combine and align existing and emerging evaluation criteria (TCSEC, ITSEC, Canadian Trusted Computer Product Evaluation Criteria [CTCPEC], and the Federal Criteria). The Common Criteria was developed through a collaboration among national security standards organizations within the United States, Canada, France, Germany, the United Kingdom, and the Netherlands. The benefit of having a globally recognized and accepted set of criteria is that it helps consumers by reducing the complexity of the ratings and eliminating the need to understand the definition and meaning of different ratings within various evaluation schemes. This also helps vendors, because now they can build to one specific set of requirements if they want to sell their products internationally, instead of having to meet several different ratings with varying rules and requirements. The full list of assurance requirements for the Evaluation Assurance Levels is provided below: EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious. EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security. EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security. EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security. EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security. EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for high-risk situations. EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high-risk situations. EALs are frequently misunderstood to provide a simple means to compare security products with similar levels. In fact, products may be very different even if they are assigned the same EAL level, since functionality may have little in common. Reference(s) used for this question: Corporate; (Isc)2 (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) (Kindle Locations 15157-15169). Taylor & Francis. Kindle Edition. and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 8730- 8742). McGraw-Hill. Kindle Edition.

QUESTION 263 Which of the following are suitable protocols for securing VPN connections at the lower layers of the OSI model? A. S/MIME and SSH B. TLS and SSL C. IPsec and L2TP D. PKCS#10 and X.509

Correct Answer: C Section: Communication and Network Security ExplanationExplanation/Reference: Reference: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw- Hill/Osborne, page 467; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 179 What is the most critical characteristic of a biometric identifying system? A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Scalability

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Accuracy is the most critical characteristic of a biometric identifying verification system. Accuracy is measured in terms of false rejection rate (FRR, or type I errors) and false acceptance rate (FAR or type II errors). The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy. Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 9).

QUESTION 232 Which of the following attack is also known as Time of Check(TOC)/Time of Use(TOU)? A. Eavesdropping B. Traffic analysis C. Masquerading D. Race Condition

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: A Race Condition attack is also known as Time of Check(TOC)/Time of Use(TOU). A race condition is when processes carry out their tasks on a shared resource in an incorrect order. A race condition is possible when two or more processes use a shared resource, as in data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its task on the data before process 1, the result will be much different than if process1 carried out its tasks on the data before process 2 In software, when the authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step. This would be a flaw in the software that the attacker has figured out how to exploit. A race condition occurs when two or more processes use the same resource and the sequences of steps within the software can be carried out in an improper order, something that can drastically affect the output. So, an attacker can force the authorization step to take place before the authentication step and gain unauthorized access to a resource. The following answers are incorrect: Eavesdropping - is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to matters that concern them." Traffic analysis - is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security. Masquerading - A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack. Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process. The attack can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they've managed to attain. As such, masquerade attackers can have a full smorgasbord of cyber crime opportunities if they've gained the highest access authority to a business organization. Personal attacks, although less common, can also be harmful. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 324 Official ISC2 guide to CISSP CBK 3rd Edition Page number 66 CISSP All-In-One Exam guide 6th Edition Page Number 161

QUESTION 273 Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model? A. Bridge B. Repeater C. Router D. Gateway

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be at the highest level of the protocol stack. Important Note: For the purpose of the exam, you have to remember that a gateway is not synonymous to the term firewall. The second thing you must remembers is the fact that a gateway act as a translation device. It could be used to translate from IPX to TCP/IP for example. It could be used to convert different types of applications protocols and allow them to communicate together. A gateway could be at any of the OSI layers but usually tend to be higher up in the stack. For your exam you should know the information below: Repeaters A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel. Repeaters can also work as line conditioners by actually cleaning up the signals. This works much better when amplifying digital signals than when amplifying analog signals, because digital signals are discrete units, which makes extraction of background noise from them much easier for the amplifier. If the device is amplifying analog signals, any accompanying noise often is amplified as well, which may further distort the signal. A hub is a multi-port repeater. A hub is often referred to as a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other. A hub does not understand or work with IP or MAC addresses. When one system sends a signal to go to another system connected to it, the signal is broadcast to all the ports, and thus to all the systems connected to the concentrator. Repeater Image Reference- http://www.erg.abdn.ac.uk/~gorry/course/images/repeater.gif Bridges A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment. Bridge Image Reference- http://www.oreillynet.com/network/2001/01/30/graphics/bridge.jpg RoutersRouters are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Because routers have more network-level knowledge, they can perform higher-level functions, such as calculating the shortest and most economical path between the sending and receiving hosts. Router and Switch Image Reference- http://www.computer-networking-success.com/images/router-switch.jpg Switches Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge. It is a multi-port connection device that provides connections for individual computers or other hubs and switches. Gateways Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet. Gateway Server Image Reference- http://static.howtoforge.com/images/screenshots/556af08d5e43aa768260f9e589dc547f- 3024.jpg The following answers are incorrect: Repeater - A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel. Bridges - A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment. Routers - Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 263 Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 and 230

QUESTION 158 Controls are implemented to: A. eliminate risk and reduce the potential for loss B. mitigate risk and eliminate the potential for loss C. mitigate risk and reduce the potential for loss D. eliminate risk and eliminate the potential for loss

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks. It is not feasible and possible to eliminate all risks and the potential for loss as risk/threats are constantly changing. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32

QUESTION 159 Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct? A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision. B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols. C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols. D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 203 Which of the following describes the sequence of steps required for a Kerberos session to be established between a user (Principal P1), and an application server (Principal P2)? A. Principals P1 and Principals P2 authenticate to the Key Distribution Center (KDC), B. Principal P1 receives a Ticket Granting Ticket (TGT), and then Principal P2 requests a service ticket from the KDC. C. Principal P1 authenticates to the Key Distribution Center(KDC), Principal P1 receives a Ticket Granting Ticket (TGT), and Principal P1 requests a service ticket from the Ticket Granting Service (TGS) in order to access the application server P2 D. Principal P1 authenticates to the Key Distribution Center (KDC), E. Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and then Principal P1 requests a service ticket from the application server P2 F. Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and application server P2 requests a service ticket from P1

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Principles P1 and P2 authenticate to the Key Distribution Center (KDC), principle P1 receives a Ticket Granting Ticket (TGT), and principle P2 requests a service ticket from the KDC. The principle P2 does not request a service ticket. P1 would request a service ticket. Principles P1 and P2 authenticate to the Key Distribution Center (KDC), principle P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and application server P2 requests a service ticket from P1 A request by P1 to access P2 will fail without a service ticket, but this is not the best answer.Principle P1 authenticates to the Key Distribution Center (KDC), principle P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and principle P1 requests a service ticket from the application server P2 The request for a service ticket is made to the KDC, not to P2 P2 does not proxy authentication requests for the principle P1 The following reference(s) were/was used to create this question: Sybex CISSP Study Guide, Third Edition. pg 21 Kerberos logon process: User types in username and password, a symmetric key is derive from the password, the user sends a Kerberos Authentication requrest to KDC, which returns a TGT showing the user was identified. "1) The client sends its TGT back to Ticket Granting Service (TGS) on the KDC with request for access to a server or service" "3) A service ticket (ST) is granted and sent to the client. The service ticket includes a session key encrypted with the client symmetric key and also encrypted with the service or server symmetric key" "4) The client sends the ST to the server or service host."

QUESTION 153 Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure? A. Access control lists B. Discretionary access control C. Role-based access control D. Non-mandatory access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users' access. Non- mandatory access control is not a defined access control technique. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9).

QUESTION 212 Tim's day to day responsibilities include monitoring health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets? A. UDP B. SNMP V1 C. SNMP V3 D. SNMP V2

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP V3 Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology. SNMPv3 primarily added security and remote configuration enhancements to SNMP. Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used. SNMPv3 provides important security features: Confidentiality - Encryption of packets to prevent snooping by an unauthorized source. Integrity - Message integrity to ensure that a packet has not been tampered with in transit including an optional packet replay protection mechanism. Authentication - to verify that the message is from a valid source. The following answers are incorrect: UDP SNMP can make use of the User Datagram Protocol (UDP) protocol but the UDP protocol by itself is not use for network monitoring. SNMP V1 SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates over protocols such as User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless Network Service (CLNS), AppleTalk Datagram-Delivery Protocol (DDP), and Novell Internet Packet Exchange (IPX). SNMPv1 is widely used and is the de facto network-management protocol in the Internet community. SNMP V2 SNMPv2 (RFC 1441RFC 1452), revises version 1 and includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. It introduced GetBulkRequest, an alternative to iterative GetNextRequests for retrieving large amounts of management data in a single request. However, the new party-based security system in SNMPv2, viewed by many as overly complex, was not widely accepted. The following reference(s) were/was used to create this question: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 587). McGraw-Hill. Kindle Edition. Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7434-7436). Auerbach Publications. Kindle Edition.

QUESTION 197 What is the PRIMARY use of a password? A. Allow access to files. B. Identify the user. C. Authenticate the user. D. Segregate various user's accesses.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 198 The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something: A. you need. B. you read. C. you are. D. you do.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 193 In the Bell-LaPadula model, the Star-property is also called: A. The simple security property B. The confidentiality property C. The confinement property D. The tranquility property

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties: The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up). The *-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property. The Discretionary Security Property - use an access control matrix to specify the discretionary access control. The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the *-property. Untrusted subjects are. Trusted Subjects must be shown to be trustworthy with regard to the security policy. This security model is directed toward access control and is characterized by the phrase: "no read up, no write down." Compare the Biba model, the Clark-Wilson model and the Chinese Wall. With Bell-LaPadula, users can create content only at or above their own security level (i.e. secret researchers can create secret or top-secret files but may not create public files; no write-down). Conversely, users can view content only at or below their own security level (i.e. secret researchers can view public or secret files, but may not view top-secret files; no read-up). Strong * PropertyThe Strong * Property is an alternative to the *-Property in which subjects may write to objects with only a matching security level. Thus, the write-up operation permitted in the usual *- Property is not present, only a write-to-same level operation. The Strong * Property is usually discussed in the context of multilevel database management systems and is motivated by integrity concerns. Tranquility principle The tranquility principle of the Bell-LaPadula model states that the classification of a subject or object does not change while it is being referenced. There are two forms to the tranquility principle: the "principle of strong tranquility" states that security levels do not change during the normal operation of the system and the "principle of weak tranquility" states that security levels do not change in a way that violates the rules of a given security policy. Another interpretation of the tranquility principles is that they both apply only to the period of time during which an operation involving an object or subject is occurring. That is, the strong tranquility principle means that an object's security level/label will not change during an operation (such as read or write); the weak tranquility principle means that an object's security level/label may change in a way that does not violate the security policy during an operation. Reference(s) used for this question: http://en.wikipedia.org/wiki/Biba_Model http://en.wikipedia.org/wiki/Mandatory_access_control http://en.wikipedia.org/wiki/Discretionary_access_control http://en.wikipedia.org/wiki/Clark-Wilson_model http://en.wikipedia.org/wiki/Brewer_and_Nash_model

QUESTION 189 Which of the following biometrics devices has the highest Crossover Error Rate (CER)? A. Iris scan B. Hand geometry C. Voice pattern D. Fingerprints

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Crossover Error Rate (CER) is the point where false rejection rate (type I error) equals the false acceptance rate (type II error). The lower the CER, the better the accuracy of the device. At the time if this writing, response times and accuracy of some devices are: System type Response time Accuracy (CER) Fingerprints 5-7 secs. 5% Hand Geometry 3-5 secs. 2% Voice Pattern 10-14 secs. 10% Retina Scan 4-7 secs. 15% Iris Scan 25-4 secs. 05% The term EER which means Equal Error Rate is sometimes use instead of the term CER. It has the same meaning. Source: Chris Hare's CISSP Study Notes on Physical Security, based on ISC2 CBK document. Available at http://www.ccure.org.

QUESTION 187 Which of the following Kerberos components holds all users' and services' cryptographic keys? A. The Key Distribution Service B. The Authentication Service C. The Key Distribution Center D. The Key Granting Service

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Key Distribution Center (KDC) holds all users' and services' cryptographic keys. It provides authentication services, as well as key distribution functionality. The Authentication Service is the part of the KDC that authenticates a principal. The Key Distribution Service and Key Granting Service are distracters and are not defined Kerberos components. Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 3), /Documents/CISSP_Summary_2002/ index.html.

QUESTION 191 Which of the following protocol was used by the INITIAL version of the Terminal Access Controller Access Control System TACACS for communication between clients and servers? A. TCP B. SSL C. UDP D. SSH

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The original TACACS, developed in the early ARPANet days, had very limited functionality and used the UDP transport. In the early 1990s, the protocol was extended to include additional functionality and the transport changed to TCP. TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49 It would determine whether to accept or deny the authentication request and send a response back. TACACS+ TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and isnot compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Since TCP is connection oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors like packet loss, timeout etc. since it rides on UDP which is connectionless. RADIUS encrypts only the users' password as it travels from the RADIUS client to RADIUS server. All other information such as the username, authorization, accounting are transmitted in clear text. Therefore it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol. RADIUS and TACACS + are client/ server protocols, which means the server portion cannot send unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is a peer-based protocol that allows either end to initiate communication. This functionality allows the Diameter server to send a message to the access server to request the user to provide another authentication credential if she is attempting to access a secure resource. Reference(s) used for this question: http://en.wikipedia.org/wiki/TACACS and Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 239). McGraw-Hill. Kindle Edition.

QUESTION 168 The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of: A. 100 subjects per minute. B. 25 subjects per minute. C. 10 subjects per minute. D. 50 subjects per minute.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of 10 subjects per minute. Things that may impact the throughput rate for some types of biometric systems may include: A concern with retina scanning systems may be the exchange of body fluids on the eyepiece. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 206 A smart Card that has two chips with the Capability of utilizing both Contact and Contactless formats is called: A. Contact Smart Cards B. Contactless Smart Cards C. Hybrid Cards D. Combi Cards

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: This is a contactless smart card that has two chips with the capability of utilizing both contact and contactless formats. Two additional categories of cards are dual-interface cards and hybrid cards which is mentioned above. Hybrid Card A hybrid card has two chips, one with a contact interface and one with a contactless interface. The two chips are not interconnected. Dual-Interface card Do not confuse this card with the Hybrid Card. This one has only one chip. A dual-interface card has a single chip with both contact and contactless interfaces. With dual-interface cards, it is possible to access the same chip using either a contact or contactless interface with a very high level of security. Inner working of the cards The chips used in all of these cards fall into two categories as well: microcontroller chips and memory chips. A memory chip is like a small floppy disk with optional security. Memory chips are less expensive than microcontrollers but with a corresponding decrease in data management security. Cards that use memory chips depend on the security of the card reader for processing and are ideal for situations that require low or medium security. A microcontroller chip can add, delete, and otherwise manipulate information in its memory. A microcontroller is like a miniature computer, with an input/output port, operating system, and hard disk. Smart cards with an embedded microcontroller have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures) and interact intelligently with a smart card reader. The selection of a particular card technology is driven by a variety of issues, including: Application dynamics Prevailing market infrastructure Economics of the business model Strategy for shared application cards Smart cards are used in many applications worldwide, including: Secure identity applications - employee ID badges, citizen ID documents, electronic passports, driver's licenses, online authentication devicesHealthcare applications - citizen health ID cards, physician ID cards, portable medical records cards Payment applications - contact and contactless credit/debit cards, transit payment cards Telecommunications applications - GSM Subscriber Identity Modules, pay telephone payment cards The following answers are incorrect: Contact Smart Cards A contact smart card must be inserted into a smart card reader with a direct connection to a conductive contact plate on the surface of the card (typically gold plated). Transmission of commands, data, and card status takes place over these physical contact points. Contactless Smart Cards A contactless card requires only close proximity to a reader. Both the reader and the card have antennae, and the two communicate using radio frequencies (RF) over this contactless link. Most contactless cards also derive power for the internal chip from this electromagnetic signal. The range is typically one-half to three inches for non-battery-powered cards, ideal for applications such as building entry and payment that require a very fast card interface. Combi Card Are similar to Hybrid cards only they contain only one set of circuitry as apposed to two. The following reference(s) were/was used to create this question: Smart Card Primer at: http://www.smartcardalliance.org/pages/smart-cards-intro-primer

QUESTION 177 Which of the following does not apply to system-generated passwords? A. Passwords are harder to remember for users. B. If the password-generating algorithm gets to be known, the entire system is in jeopardy. C. Passwords are more vulnerable to brute force and dictionary attacks. D. Passwords are harder to guess for attackers.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Users tend to choose easier to remember passwords. System-generated passwords can provide stronger, harder to guess passwords. Since they are based on rules provided by the administrator, they can include combinations of uppercase/lowercase letters, numbers and special characters, making them less vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for users, who will tend to write them down, making them more vulnerable to anyone having access to the user's desk. Another danger with system-generated passwords is that if the password-generating algorithm gets to be known, the entire system is in jeopardy. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 64).

QUESTION 201 Legacy single sign on (SSO) is: A. Technology to allow users to authenticate to every application by entering the same user ID and password each time, thus having to remember only a single password. B. Technology to manage passwords consistently across multiple platforms, enforcing policies such as password change intervals. C. A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications. D. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry standard single sign on mechanism.

Correct Answer: C Section: Identity and Access ManagementExplanation Explanation/Reference: A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications. The following answers are incorrect: Technology to allow users to authenticate to every application by entering the same user ID and password each time, thus having to remember only a single password. This is a detractor. Note that it is not even a descripton of SSO, because the user is entering user ID and password for EACH access attempt. Technology to manage passwords consistently across multiple platforms, enforcing policies such as password change intervals. This is a good description for Identity Management Password Management system, but not for Legacy SSO. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry standard single sign on mechanism. This is a detractor. The following reference(s) were/was used to create this question: Official (ISC)2 Guide to the CISSP CBK 2007, pg 176: "many legacy systems do not support an external means to identify and authenticate users. Therefore, it is possible to store the credentials outside of the various applications and have them automatically entered on behalf of the user when an application is launched."

QUESTION 170 Which of the following would be an example of the best password? A. golf001 B. Elizabeth C. T1me4g0lF D. password

Correct Answer: CSection: Identity and Access Management Explanation Explanation/Reference: The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. Shouldn't be used: common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults. Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1

QUESTION 286 You have been tasked to develop an effective information classification program. Which one of the following steps should be performed first? A. Establish procedures for periodically reviewing the classification and ownership B. Specify the security controls required for each classification level C. Identify the data custodian who will be responsible for maintaining the security level of data D. Specify the criteria that will determine how data is classified

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: According to the AIO 3rd edition, these are the necessary steps for a proper classification program: 1. Define classification levels. 2. Specify the criteria that will determine how data is classified. 3. Have the data owner indicate the classification of the data she is responsible for. 4. Identify the data custodian who will be responsible for maintaining data and its security level. 5. Indicate the security controls, or protection mechanisms, that are required for each classification level. 6. Document any exceptions to the previous classification issues. 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian. 9. Indicate termination procedures for declassifying the data. 10. Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels. Domain: Information security and risk management Reference: AIO 3rd edition page 50

QUESTION 291 Another example of Computer Incident Response Team (CIRT) activities is: A. Management of the netware logs, including collection, retention, review, and analysis of data B. Management of the network logs, including collection and analysis of data C. Management of the network logs, including review and analysis of data D. Management of the network logs, including collection, retention, review, and analysis of data

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: Additional examples of CIRT activities are: - Management of the network logs, including collection, retention, review, and analysis of data - Management of the resolution of an incident, management of the remediation of a vulnerability, and post-event reporting to the appropriate parties. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.

QUESTION 272 What is a decrease in amplitude as a signal propagates along a transmission medium best known as? A. Crosstalk B. Noise C. Delay distortion D. Attenuation

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: Attenuation is the loss of signal strength as it travels. The longer a cable, the more at tenuation occurs, which causes the signal carrying the data to deteriorate. This is why standards include suggested cable-run lengths. If a networking cable is too long, attenuation may occur. Basically, the data are in the form of electrons, and these electrons have to "swim" through a copper wire. However, this is more like swimming upstream, because there is a lot of resistance on the electrons working in this media. After a certain distance, the electrons start to slow down and their encoding format loses form. If the form gets too degraded, the receiving system cannot interpret them any longer. If a network administrator needs to run a cable longer than its recommended segment length, she needs to insert a repeater or some type of device that will amplify the signal and ensure it gets to its destination in the right encoding format. Attenuation can also be caused by cable breaks and malfunctions. This is why cables should be tested. If a cable is suspected of attenuation problems, cable testers can inject signals into the cable and read the results at the end of the cable. The following answers are incorrect: Crosstalk - Crosstalk is one example of noise where unwanted electrical coupling between adjacent lines causes the signal in one wire to be picked up by the signal in an adjacent wire. Noise - Noise is also a signal degradation but it refers to a large amount of electrical fluctuation that can interfere with the interpretation of the signal by the receiver. Delay distortion - Delay distortion can result in a misinterpretation of a signal that results from transmitting a digital signal with varying frequency components. The various components arrive at the receiver with varying delays. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 265 Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 & CISSP All-In-One Exam guide 6th Edition Page Number 561

QUESTION 251 Which of the following media is MOST resistant to tapping? A. microwave. B. twisted pair. C. coaxial cable. D. fiber optic.

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: Fiber Optic is the most resistant to tapping because Fiber Optic uses a light to transmit the signal. While there are some technologies that will allow to monitor the line passively, it is very difficult to tap into without detection sot this technology would be the MOST resistent to tapping. The following answers are in correct: microwave. Is incorrect because microwave transmissions can be intercepted if in the path of the broadcast without detection. twisted pair. Is incorrect because it is easy to tap into a twisted pair line. coaxial cable. Is incorrect because it is easy to tap into a coaxial cable line.

QUESTION 282 Communications and network security relates to transmission of which of the following? A. voice B. voice and multimedia C. data and multimedia D. voice, data and multimedia

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate: The CISSP candidate should be familiar to communications and network security as it relates to voice, data, multimedia, and facsimile transmissions in terms of local area, wide area, and remote access. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 57.

QUESTION 243 The IP header contains a protocol field. If this field contains the value of 2, what type of data is contained within the IP datagram? A. TCP. B. ICMP. C. UDP. D. IGMP.

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: If the protocol field has a value of 2 then it would indicate it was IGMP. The following answers are incorrect: TCP. Is incorrect because the value for a TCP protocol would be 6. UDP. Is incorrect because the value for an UDP protocol would be 17. ICMP. Is incorrect because the value for an ICMP protocol would be 1.

QUESTION 287 In the course of responding to and handling an incident, you work on determining the root cause of the incident. In which step are you in? A. Recovery B. Containment C. Triage D. Analysis and tracking

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident. Recovery is incorrect as recovery is about resuming operations or bringing affected systems back into production Containment is incorrect as containment is about reducing the potential impact of an incident. Triage is incorrect as triage is about determining the seriousness of the incident and filtering out false positives Reference: Official Guide to the CISSP CBK, pages 700-704

QUESTION 228 Which of the following is NOT a disadvantage of Single Sign On (SSO)? A. Support for all major operating system environment is difficult B. The cost associated with SSO development can be significant C. SSO could be single point of failure and total compromise of an organization asset D. SSO improves an administrator's ability to manage user's account and authorization to all associated system

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: Single sign-on (SSO)is a Session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. SSO Advantages include - Multiple passwords are no longer required - It improves an administrator's ability to manage user's accounts and authorization to all associated systems - It reduces administrative overhead in resetting forgotten password over multiple platforms and applications - It reduces time taken by users to logon into multiple application and platform SSO Disadvantages include - Support for all major operating system is difficult - The cost associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary - The centralize nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information asset. The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 332

QUESTION 239 How do you distinguish between a bridge and a router? A. A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to. B. "Bridge" and "router" are synonyms for equipment used to join two networks. C. The bridge is a specific type of router used to connect a LAN to the global Internet. D. The bridge connects multiple networks at the data link layer, while router connects multiple networks at the network layer.

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: The following answers are incorrect: A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to. Is incorrect because both forward packets this is not distinctive enough. "Bridge" and "router" are synonyms for equipment used to join two networks. Is incorrect because the two are unique and operate at different layers of the OSI model. The bridge is a specific type of router used to connect a LAN to the global Internet. Is incorrect because a bridge does not connect a LAN to the global internet, but connects networks together creating a LAN.

QUESTION 230 Which of the following is NOT an example of a detective control? A. System Monitor B. IDS C. Monitor detector D. Backup data restore

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: The word NOT is used as a keyword in the question. You need to find out a security control from an given options which in not detective control. Backup data restore is a corrective control and not a detective control. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation. Compensating Controls Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment. Detective Controls Detective controls warn when something has happened, and are the earliest point in the post- incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users. Corrective Controls When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with. Recovery Controls Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will determine most employees from installing wireless access points. Preventative Controls Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system, obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation. Compensating Controls Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Socket Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment. Detective Controls Detective controls warn when something has happened, and are the earliest point in the post- incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users. Corrective Controls When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with. Recovery Controls Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations. The following answers are incorrect: The other examples are belongs to detective control. The following reference(s) were/was used to create this question: CISA Review Manual 2014 Page number 44 and Official ISC2 CISSP guide 3rd edition Page number 50 and 51

QUESTION 219 Which of the following is most appropriate to notify an internal user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: This is a tricky question, the keyword in the question is Internal users. There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous/external users. Internal users should always have a written agreement first, then logon banners serve as a constant reminder. Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system, who is authorized and unauthorized, and if it is an unauthorized user then he is fully aware of trespassing. Anonymous/External users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.References used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50 and Shon Harris, CISSP All-in-one, 5th edition, pg 873

QUESTION 290 Which of the following is NOT a correct notation for an IPv6 address? A. 2001:0db8:0:0:0:0:1428:57ab B. ABCD:EF01:2345:6789: C. ABCD:EF01:2345:6789::1 D. 2001:DB8::8:800::417A

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: This is not a correct notation for an IPv6 address because the "::" can only appear once in an address. The use of "::" is a shortcut notation that indicates one or more groups of 16 bits of zeros. ::1 is the loopback address using the special notation Reference: IP Version 6 Addressing Architecture http://tools.ietf.org/html/rfc4291#section-2.1

QUESTION 152 Which of the following is required in order to provide accountability? A. Authentication B. Integrity C. Confidentiality D. Audit trails

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Accountability can actually be seen in two different ways: 1) Although audit trails are also needed for accountability, no user can be accountable for their actions unless properly authenticated. 2) Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate laws. Banners at the log-on time should notify the user of any monitoring that is being conducted. The point is that unless you employ an appropriate auditing mechanism, you don't have accountability. Authorization only gives a user certain permissions on the network. Accountability is far more complex because it also includes intrusion detection, unauthorized actions by both unauthorized users and authorized users, and system faults. The audit trail provides the proof that unauthorized modifications by both authorized and unauthorized users took place. No proof, No accountability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 50 The Shon Harris AIO book, 4th Edition, on Page 243 also states: Auditing Capabilities ensures users are accountable for their actions, verify that the secutiy policies are enforced, and can be used as investigation tools. Accountability is tracked by recording user, system, and application activities. This recording is done through auditing functions and mechanisms within an operating sytem or application. Audit trail contain information about operating System activities, application events, and user actions.

QUESTION 183 Which of the following is not a security goal for remote access? A. Reliable authentication of users and systems B. Protection of confidential data C. Easy to manage access control to systems and network resources D. Automated login for remote users

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: An automated login function for remote users would imply a weak authentication, thus certainly not a security goal. Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).

QUESTION 202 Identity Management solutions include such technologies as Directories services, Single Sign-On and Web Access management. There are many reasons for management to choose an identity management solution. Which of the following is a key management challenge regarding identity management solutions? A. Increasing the number of points of failures. B. Users will no longer be able to "recycle" their password for different applications. C. Costs increase as identity management technologies require significant resources. D. It must be able to scale to support high volumes of data and peak transaction rates.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Any identity management system used in an environment where there are tens of thousands of users must be able to scale to support the volumes of data and peak transaction rates. The following answers are incorrect: Increasing number of points of failures. This is actually a potential negative impact of not implementing an identity management solution. Identity management is meant to decrease cost and inefficiencies that organizations struggle with so that failures can be managed more efficiently. Users will no longer be able to "recycle" their password for different applications. This is actually a function of an effective password management system. Consistency and efficiency are maintained by minimizing unique user authentication requirements. Costs increase as identity management technologies require significant resources. On the contrary, "When users access multiple systems, they may be presented with multiple log-in IDs, multiple passwords, and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs The following reference(s) were/was used to create this question: ISC2 Official Guide to the CISSP CBK 2007, pg 173 "Key management challenges regarding identity management solutions are:" [consistency, efficiency, usability, reliabliity and scalability.] "Scalability: Enterprises manage user profile data for large numbers of people. There are typically tens of thousands of internal users, and hundreds or thousands of partners or clients."

QUESTION 156 This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario? A. Excessive Rights B. Excessive Access C. Excessive Permissions D. Excessive Privileges

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Even thou all 4 terms are very close to each other, the best choice is Excessive Privileges which would include the other three choices presented. Reference(s) used for this question: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645 and

QUESTION 184 Which of the following questions is less likely to help in assessing identification and authentication controls? A. Is a current list maintained and approved of authorized users and their access? B. Is a current list maintained and approved of authorized users and their access? C. Are inactive user identifications disabled after a specified period of time? D. Is there a process for reporting incidents?

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (operational control) than to identification and authentication (technical control). Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A- 30 to A-32).

QUESTION 215 What is the BEST definition of SQL injection. A. SQL injection is a database problem. B. SQL injection is a web Server problem. C. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch. D. SQL injection is an input validation problem.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: SQL injection is execution of unexpected SQL in the database as a result of unsanitized user input being accepted and used in the application code to form the SQL statement.It is a coding problem which affects inhouse, open source and commercial software. The following answers are incorrect: SQL injection is a database problem.SQL injection is a web Server problem. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch. The following reference(s) were/was used to create this question: https://security.berkeley.edu/sites/default/files/uploads/SQLi_Prevention.pdf (page 9 and 10)

QUESTION 196 What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access? A. Clark and Wilson Model B. Harrison-Ruzzo-Ullman Model C. Rivest and Shamir Model D. Bell-LaPadula Model

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 181 How can an individual/person best be identified or authenticated to prevent local masquerading attacks? A. User Id and password B. Smart card and PIN code C. Two-factor authentication D. Biometrics

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they would have to be supplemented by another factor. Some people are getting thrown off by the term Masquarade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well. A UserId only provides for identification. A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card. Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person. See an extract below from the HISM book volume 1 Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not occur. As has been demonstrated many times, adversaries and criminals obtain and successfully use access cards, even those that require the addition of a PIN. This is because these systems control only pieces of plastic (and sometimes information), rather than people. Real asset and resource protection can only be accomplished by people, not cards and information, because unauthorized persons can (and do) obtain the cards and information. Further, life-cycle costs are significantly reduced because no card or PIN administration system or personnel are required. The authorized person does not lose physical characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are continuously lost, stolen, or forgotten. This is why card access systems require systems and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost. NOTE FROM CLEMENT: This question has been generating lots of interest. The keyword in the question is: Individual (the person) and also the authenticated portion as well. I totally agree with you that Two Factors or Strong Authentication would be the strongest means of authentication. However the question is not asking what is the strongest mean of authentication, it is asking what is the best way to identify the user (individual) behind the technology. When answering questions do not make assumptions to facts not presented in the question or answers. Nothing can beat Biometrics in such case. You cannot lend your fingerprint and pin to someone else, you cannot borrow one of my eye balls to defeat the Iris or Retina scan. This is why it is the best method to authenticate the user. I think the reference is playing with semantics and that makes it a bit confusing. I have improved the question to make it a lot clearer and I have also improve the explanations attached with the question. The reference mentioned above refers to authenticating the identity for access. So the distinction is being made that there is identity and there is authentication. In the case of physical security the enrollment process is where the identity of the user would be validated and then the biometrics features provided by the user would authenticate the user on a one to one matching basis (for authentication) with the reference contained in the database of biometrics templates. In the case of system access, the user might have to provide a username, a pin, a passphrase, a smart card, and then provide his biometric attributes. Biometric can also be used for Identification purpose where you do a one to many match. You take a facial scan of someone within an airport and you attempt to match it with a large database of known criminal and terrorists. This is how you could use biometric for Identification. There are always THREE means of authentication, they are: Something you know (Type 1) Something you have (Type 2) Something you are (Type 3) Reference(s) used for this question: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1) , 2000, CRC Press, Chapter 1, Biometric Identification (page 7). and Search Security at http://searchsecurity.techtarget.com/definition/masquerade

QUESTION 174 Why would anomaly detection IDSs often generate a large number of false positives? A. Because they can only identify correctly attacks they already know about. B. Because they are application-based are more subject to attacks. C. Because they can't identify abnormal behavior. D. Because normal patterns of user and system behavior can vary wildly.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce a large number of false alarms, as normal patterns of user and system behavior can vary wildly. Being only able to identify correctly attacks they already know about is a characteristic of misuse detection (signature- based) IDSs. Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. They are more vulnerable to attacks than host-based IDSs. Not being able to identify abnormal behavior would not cause false positives, since they are not identified. Source: DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 92).

QUESTION 233 Which of the following biometrics methods provides the HIGHEST accuracy and is LEAST accepted by users? A. Palm Scan B. Hand Geometry C. Fingerprint D. Retina scan

Correct Answer: DSection: Communication and Network Security Explanation Explanation/Reference: Retina based biometric involves analyzing the layer of blood vessels situated at the back of the eye. An established technology, this technique involves using a low-intensity light source through an optical coupler to scan the unique patterns of the retina. Retinal scanning can be quite accurate but does require the user to look into a receptacle and focus on a given point. This is not particularly convenient if you wear glasses or are concerned about having close contact with the reading device. For these reasons, retinal scanning is not warmly accepted by all users, even though the technology itself can work well. For your exam you should know the information below: Biometrics Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification and not well received by society. Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (such as iris, retina, or fingerprint) provide more accuracy because physical attributes typically don't change, absent some disfiguring injury, and are harder to impersonate Biometrics is typically broken up into two different categories. The first is the physiological. These are traits that are physical attributes unique to a specific individual. Fingerprints are a common example of a physiological trait used in biometric systems. The second category of biometrics is known as behavioral. The behavioral authentication is also known as continuous authentication. The behavioral/continuous authentication prevents session hijacking attack. This is based on a characteristic of an individual to confirm his identity. An example is signature Dynamics. Physiological is "what you are" and behavioral is "what you do." When a biometric system rejects an authorized individual, it is called a Type I error (false rejection rate). When the system accepts impostors who should be rejected, it is called a Type II error (false acceptance rate). The goal is to obtain low numbers for each type of error, but Type II errors are the most dangerous and thus the most important to avoid. When comparing different biometric systems, many different variables are used, but one of the most important metrics is the crossover error rate (CER). This rating is stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system's accuracy. A biometric system that delivers a CER of 3 will be more accurate than a system that delivers a CER of 4 Crossover error rate (CER) is also called equal error rate (EER). Throughput describes the process of authenticating to a biometric system. This is also referred to as the biometric system response time. The primary consideration that should be put into the purchasing and implementation of biometric access control are user acceptance, accuracy and processing speed. Biometric Considerations In addition to the access control elements of a biometric system, there are several other considerations that are important to the integrity of the control environment. These are: Resistance to counterfeiting Data storage requirements User acceptance Reliability and Target User and approach Fingerprint Fingerprints are made up of ridge endings and bifurcations exhibited by friction ridges and other detailed characteristics called minutiae. It is the distinctiveness of these minutiae that gives each individual a unique fingerprint. An individual places his finger on a device that reads the details of the fingerprint and compares this to a reference file. If the two match, the individual's identity has been verified. Palm Scan The palm holds a wealth of information and has many aspects that are used to identify an individual. The palm has creases, ridges, and grooves throughout that are unique to a specific person. The palm scan also includes the fingerprints of each finger. An individual places his hand on the biometric device, which scans and captures this information. This information is compared to a reference file, and the identity is either verified or rejected. Hand Geometry The shape of a person's hand (the shape, length, and width of the hand and fingers) defines hand geometry. This trait differs significantly between people and is used in some biometric systems to verify identity. A person places her hand on a device that has grooves for each finger. The system compares the geometry of each finger, and the hand as a whole, to the information in a reference file to verify that person's identity. Retina Scan A system that reads a person's retina scans the blood-vessel pattern of the retina on the backside of the eyeball. This pattern has shown to be extremely unique between different people. A camera is used to project a beam inside the eye and capture the pattern and compare it to a reference file recorded previously. Iris Scan An iris scan is a passive biometric control The iris is the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows. The uniqueness of each of these characteristics within the iris is captured by a camera and compared with the information gathered during the enrollment phase. When using an iris pattern biometric system, the optical unit must be positioned so the sun does not shine into the aperture; thus, when implemented, it must have proper placement within the facility. Signature Dynamics When a person signs a signature, usually they do so in the same manner and speed each time. Signing a signature produces electrical signals that can be captured by a biometric system. The physical motions performed when someone is signing a document create these electrical signals. The signals provide unique characteristics that can be used to distinguish one individual from another. Signature dynamics provides more information than a static signature, so there are more variables to verify when confirming an individual's identity and more assurance that this person is who he claims to be. Keystroke Dynamics Whereas signature dynamics is a method that captures the electrical signals when a person signs a name, keystroke dynamics captures electrical signals when a person types a certain phrase. As a person types a specified phrase, the biometric system captures the speed and motions of this action. Each individual has a certain style and speed, which translate into unique signals. This type of authentication is more effective than typing in a password, because a password is easily obtainable. It is much harder to repeat a person's typing style than it is to acquire a password.Voice Print People's speech sounds and patterns have many subtle distinguishing differences. A biometric system that is programmed to capture a voice print and compare it to the information held in a reference file can differentiate one individual from another. During the enrollment process, an individual is asked to say several different words. Facial Scan A system that scans a person's face takes many attributes and characteristics into account. People have different bone structures, nose ridges, eye widths, forehead sizes, and chin shapes. These are all captured during a facial scan and compared to an earlier captured scan held within a reference record. If the information is a match, the person is positively identified. Hand Topography Whereas hand geometry looks at the size and width of an individual's hand and fingers, hand topology looks at the different peaks and valleys of the hand, along with its overall shape and curvature. When an individual wants to be authenticated, she places her hand on the system. Off to one side of the system, a camera snaps a side-view picture of the hand from a different view and angle than that of systems that target hand geometry, and thus captures different data. This attribute is not unique enough to authenticate individuals by itself and is commonly used in conjunction with hand geometry. Vascular Scan Valcular Scan uses the blood vessel under the first layer of skin. The following answers are incorrect: Fingerprint - Fingerprints are made up of ridge endings and bifurcations exhibited by friction ridges and other detailed characteristics called minutiae. It is the distinctiveness of these minutiae that gives each individual a unique fingerprint. An individual places his finger on a device that reads the details of the fingerprint and compares this to a reference file. If the two match, the individual's identity has been verified. Hand Geometry - The shape of a person's hand (the shape, length, and width of the hand and fingers) defines hand geometry. This trait differs significantly between people and is used in some biometric systems to verify identity. A person places her hand on a device that has grooves for each finger. The system compares the geometry of each finger, and the hand as a whole, to the information in a reference file to verify that person's identity. Palm Scan - The palm holds a wealth of information and has many aspects that are used to identify an individual. The palm has creases, ridges, and grooves throughout that are unique to a specific person. The palm scan also includes the fingerprints of each finger. An individual places his hand on the biometric device, which scans and captures this information. This information is compared to a reference file, and the identity is either verified or rejected. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 330 and 331 Official ISC2 guide to CISSP CBK 3rd Edition Page number 924