CISSP | Test Questions | Domain 6 | Security Architecture & Design

Regarding Common Criteria (CC), the outcome of a target of evaluation (TOE) leads to which of the following? 1. Objective results 2. Repeatable results 3. Defensible results 4. Evidential results a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The target of evaluation (TOE) in the Common Criteria (CC) leads to objective and repeatable results that are defensible and can be cited as evidence.

Which of the following are required for an information system to become resilient? 1. Detect and respond capabilities 2. Manage single points-of-failure 3. Implement a response strategy 4. Develop a reporting system a. 1 and 2 b. 2 and 3 c. 1 and 3 d. 1, 2, 3, and 4

d. For information systems to become resilient, organizations should establish detect and respond capabilities, manage single points-of-failure in their systems, implement a response strategy, and develop a reporting system for management.

An information technology security principle should ensure which of the following? a. No single point of access b. No single point of use c. No single point of responsibility d. No single point of vulnerability

d. Good IT principles provide a foundation for better IT security. For example, a sound security policy provides a strong foundation for system design. Similarly, implementing a layered security approach ensures no single point of vulnerability in a computer system. The concern here is that if the single point-of-failure occurs because vulnerability is exploited, then the entire system can be compromised, which is risky.

Phishing attacks are mostly an example of which of the following? a. Browser-oriented attacks b. Server-oriented attacks c. Network-oriented attacks d. User-oriented attacks

d. In a phishing attack, attackers try to trick users into accessing a fake website and divulging personal information. Social engineering methods are employed in phishing attacks. Note that some phishing attacks can be a blended attack targeting the browser.

Information architecture does not govern which of the following? a. Collection of data b. Management of data c. Use of data d. Archiving of data

d. Information architecture, which is a part of functional architecture, defines the information that is needed to achieve mission objectives and how the information systems can work together to satisfy those objectives. The architecture provides a standard framework to govern the collection, development, deployment, management, and use of data and resources to accomplish missions and objectives. Archiving of data is an operational issue, not an architecture issue.

If website owners want to protect data from unauthorized access, what should they do? a. Create encrypted cookies b. Create session cookies c. Create persistent cookies d. Create tracking cookies

a. A cookie is a small data file that holds information about the use of a particular website. Cookies often store data in plain text, which could allow an unauthorized party that accesses a cookie to use or alter the data stored in it. Some websites create encrypted cookies, which protect the data from unauthorized access during a user's Web browsing session. Session cookies are incorrect because they are temporary cookies that are valid only for a single website session. Persistent cookies are incorrect because they are stored on a computer indefinitely so that a website can identify the user during subsequent visits. These cookies can help websites serve their users more effectively. Unfortunately, persistent cookies also can be misused as spyware to track a user's Web browsing activities for questionable reasons without the user's knowledge or consent. Tracking cookies are incorrect because they are placed on a user's computer to track the user's activity on different websites, creating a detailed profile of the user's behavior.

Which of the following is not a single point-of-failure? a. Mesh topology b. Star topology c. Bus topology d. Tree topology

a. A mesh topology is a network in which there are at least two nodes with two or more paths between them. If one path fails, the network reroutes traffic over an alternative path thus providing a high degree of fault tolerance mechanism. Thus, mesh topology is not vulnerable to a single point-of-failure. The other three choices are subjected to a single point-of-failure. The single central hub in star and tree topology and the single cable in bus topology are vulnerable to a single point-offailure.

In a relational database management system, which one of the following types of security locking mechanisms best achieves the concept of fine-grain locking? a. Row-level locking b. Table-level locking c. Block-level locking d. File-level locking

a. A security locking mechanism prevents one transaction from reading or updating a record before another transaction has released its locks on those records. Row-level locks are used for data tables and indexes, which can prevent performance degradation when the database is modified by many users at the same time. The other three choices are incorrect because they offer coarse-grain security locking mechanisms. This is because a row is the smallest level in the database.

According to the Common Criteria (CC), security assurance requirements do not include which of the following? a. Privacy b. Development c. Tests d. Vulnerability assessment

a. According to the Common Criteria (CC), privacy is part of security functional requirements, not a security assurance requirement. The other three choices are part of the security assurance requirements.

Which of the following form the basic component technology of the Active-X framework? a. Active-X controls b. Active-X containers c. Active-X documents d. Active-X scripts

a. Active-X is a framework for Microsoft's software component technology that allows programs encapsulated in units called "controls" to be embedded in Web pages. A programmer can develop a program, wrap it in an Active-X interface, compile it, and place it on a Web page. When end users point their Web browsers (that support Active-X) at the Web page, the Active-X control downloads and attempts to execute on their computer. Because Active-X controls are simply programs, they can do anything that they are programmed to do, including causing damage by removing critical files. Other Active-X technologies include Active-X containers, documents, and scripts. An Active-X container is an Active-X application, and an Active-X document is one kind of container. Documents allow the functionality of controls to be extended. Thus, Active-X controls form the basic component technology of the Active-X framework. Active-X containers and scripts pose security risks to the end user.

Which of the following is not the common security approach taken by Java and Active-X? a. Hardware b. Software c. Human judgment d. Digital signature

a. Active-X technology relies on human judgment and the use of digital signatures. Java relies more on software. They are not dependent on hardware.

What is the best time to implement a data dictionary system? a. During the development of a new application system b. During the redesign of an application system c. During the reengineering of an application system d. During the modification of an application system

a. Although it is best to implement a data dictionary during development of a new application system, it can also be implemented during a major redesign, reengineering, or maintenance of an existing application system.

The Web service processing model securing simple object access control protocol (SOAP) messages and extensible markup language (XML) documents does not deal with which of the following? a. Chain of auctioneers b. Chain of providers c. Chain of intermediaries d. Chain of consumers

a. An electronic auction (e-auction) market taking place on the Internet deals with a chain of auctioneers, not in Web services. The other three choices deal with the Web services. The Web service processing model requires the ability to secure simple object access protocol (SOAP) messages and extensible markup language (XML) documents as they are forwarded along potentially long and complex chains of consumer, provider, and intermediary services. The nature of Web services processing makes those services subject to unique attacks, as well as variations on familiar attacks targeting Web servers.

Which of the following memory protection mechanisms deal with security impact levels? a. System partitioning b. Nonmodifiable executable programs c. Resource isolation d. Domain separation

a. An organization partitions the information system into components residing in separate physical domains or environments as deemed necessary. Information system partitioning is a part of a defense-in-depth protection strategy. The system partitioning is based on the system impact levels (i.e., low, medium, or high). Managed interfaces restrict network access and information flow among partitioned system components. The other three choices are incorrect because they do not deal with security impact levels. A nonmodifiable executable program is the one that loads and executes the operating environment and application system from hardware-enforced and read-only media (e.g., CD-R/DVD-R disk drives). Resource isolation is the containment of subjects and objects in a system in such a way that they are separated from one another. Domain separation relates to the mechanisms that protect objects in the system.

Which of the following is the correct approach for an information system to separate user functionality from management functionality? a. Application partitioning b. Boundary protection c. Security parameters d. Controlled interfaces

a. Application partitioning means the information system physically or logically separates user interface services (e.g., public Web pages) from information system storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or combinations of these or other methods. Boundary protection is incorrect because it means controlling communications at the external boundary of an information system and at key internal boundaries within the system. The organization physically allocates publicly accessible information system components (e.g., public Web servers) to separate sub-networks with separate, physical network interfaces. Security parameters are incorrect because they include security labels and markings, which are associated with information exchanged between information systems. Controlled interfaces are incorrect because they include devices such as proxies, gateways, routers, firewalls, and encrypted tunnels provide controlled interfaces to the Internet or external networks.

Border routers, firewalls, and software/hardware guards provide which of the following? a. First line-of-defense b. Second line-of-defense c. Last-of-defense d. Multiple lines-of-defense

a. Border routers, firewalls, and software/hardware guards provide a first line-of-defense against network compromises (e.g., attacks by outsiders). The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.

In a public cloud computing environment, which of the following provides client-side protection? a. Encrypted network exchanges b. Plug-ins and add-ins c. Keystroke loggers d. Virtual firewalls

a. Cloud clients can be browser-based or applications-based. Some organizations deploy hardened browser environments that encrypt network exchanges and protect against keystroke logging. Plug-ins, add-ins, backdoor Trojan viruses, and keystroke loggers are examples of client-side risks or threats to be protected from. An add-in is a hardware device, such as an expansion board or chip, which can be added to a computer to expand its capabilities. An add-in can also be a supplemental program that can extend the capabilities of an application program. A plug-in is a small software program that plugs into a larger application to provide added functionality (such as graphic, video, and audio files). A keystroke logger is a program designed to record which keys are pressed on a computer keyboard and is used to obtain passwords or encryption keys and thus bypass other security measures.

Which of the following can represent a single point-of-failure for host applications? a. Cloud computing b. Smart grid computing c. Utility computing d. Quantum computing

a. Cloud computing, which is a form of distributed computing, can become a single pointof- failure due to failure of cloud storage services, network devices, database clusters, and network upgrades for the applications hosted there. In such situations, the services of a second cloud provider could be used to back up data processed by the primary (first) provider to ensure that during a prolonged disruption or serious disaster at the primary site, the data remains available for immediate resumption of critical operations. Note that both the user's data and essential security services may reside in and be managed within the network cloud. Smart grid computing consists of interoperable standards and protocols that facilitate in providing centralized electric power generation, including distributed renewable energy resources and energy storage. Ensuring cyber security of the smart grid is essential because it improves power reliability, quality, and resilience. The goal is to build a safe and secure smart grid that is interoperable, end-to-end. Smart grid computing needs cyber security measures because it uses cyber computing. Utility computing means allowing functional users (end-users) to access technology-based services to perform specific and simple tasks (for example, to run a storage backup program and a disk/file recovery program) without requiring much of the technical knowledge. Quantum computing deals with computers with large word sizes.

Which of the following tools is most useful in detecting security intrusions? a. Data mining tools b. Data optimization tools c. Data reorganization tools d. Data access tools

a. Data mining is a set of automated tools that convert the data in the data warehouse to some useful information. It selects and reports information deemed significant from a data warehouse or database. Data mining techniques can also be used for intrusion detection, fraud detection, and auditing the databases. You can apply data mining tools to detect abnormal patterns in data, which can provide clues to fraud. Data optimization tools improve database performance. Data reorganization tools help relocate the data to facilitate faster access. Data access tools help in reaching the desired data.

Which of the following is not vulnerable to a single point-of-failure? a. Internet b. Converged network c. Password synchronization d. Domain name system server

a. Despite its security weaknesses, the Internet is not vulnerable to a single point-of-failure because it uses a point-to-point protocol (PPP) as the primary data link layer protocol over point-to-point lines. PPP handles error detection, supports multiple framing mechanisms, performs data compression and reliable transmission, enables IP addresses to be negotiated at connection time, and permits authentication. If one path or point fails, the Internet switches to another path or point therefore providing a solid connection. The other three choices are vulnerable to a single point-of-failure. A converged network combines both data and voice, and as such it is vulnerable. Password synchronization can be a single point-of-failure because it uses the same password for many resources. The domain name system (DNS) server can become a single point-of-failure if there are no fault-tolerant and redundant mechanisms.

Which of the following enables adequate user authentication of mobile hand-held devices? a. First line-of-defense b. Second line-of-defense c. Third line-of-defense d. Last line-of-defense

a. Enabling adequate user authentication is the first line-of-defense against unauthorized use of an unattended, lost, or stolen mobile hand-held device such as personal digital assistant (PDA) and smartphones. Authentication is the first-line-of-defense.

Entrapment techniques against attacks by outsiders act as which of the following? a. First line-of-defense b. Second line-of-defense c. Last line-of-defense d. Multiple lines-of-defense

a. Entrapment techniques provide a first line-of-defense against attacks by outsiders using fake data and systems (decoys, honeypots, and honeynet systems). The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.

The scope of Common Criteria (CC) covers which of the following? a. Physical protection b. Administrative security c. Electromagnetic emanation control d. Quality of cryptographic algorithm

a. In particular, the Common Criteria (CC) addresses some aspects of physical protection. CC does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security functionality. CC does not cover the evaluation of technical physical aspects of IT security such as electromagnetic emanation control. CC does not cover the inherent qualities of cryptographic algorithms.

Masquerading is an example of which of the following threat categories that apply to systems on the Internet? a. Browser-oriented b. Software-oriented c. Server-oriented d. Network-oriented

a. Internet-related threats are broken down into three categories: browser-oriented, serveroriented, and network-oriented. Software-oriented is a generic category useful to the other categories. Software-oriented threats may result from software complexity, configuration, and quality. Web servers can launch attacks against Web browser components and technologies. Because browsers can support multiple associations with different Web servers as separate windowed contexts, the mobile code of one context can also target another context. Unauthorized access may occur simply through a lack of adequate access control mechanisms or weak identification and authentication controls, which allow untrusted code to act or masquerade as a trusted component. After access is gained, information residing at the platform can be disclosed or altered.

Mapping information security needs to business data is a part of which of the following to secure multi-user and multiplatform environments? a. Management controls b. Technical controls c. Physical controls d. Procedural controls

a. Management controls deal with policies and directives. Mapping information security needs to business data is a management policy. Technical controls deal with technology and systems. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures.

Which of the following is an example of second line-of-defense? a. Monitoring of systems and employees b. Decoy systems c. Honeypot systems d. Network monitoring

a. Monitoring of systems and employees against unauthorized actions is an example of second line-of-defense. An example is keyboard monitoring of an employee's work. The other three choices are examples of the first line-of-defense mechanisms. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

Which of the following controls provide a first line-of-defense against potential security threats, risks, or losses to the network? a. Passwords and user IDs b. Software testing c. Dial-back modem d. Transaction logs

a. Passwords and user identification are the first line-of-defense against a breach to a network's security. Several restrictions can be placed on passwords to improve their effectiveness. These restrictions may include minimum length and format and forced periodic password changes. Software testing is the last line-of-defense to ensure data integrity and security. Therefore, the software must be tested thoroughly by end users, information systems staff, and computer operations staff. Switched ports (not Cisco switches) are among the most vulnerable security points on a network. These allow dial in and dial out access. They are security risks because they allow users with telephone terminals to access systems. Although callback or dial-back is a potential control as a first line-of-defense, it is not necessarily the most effective because of the call forwarding capability of telephone circuits. For online applications, the logging of all transactions processed or reflected by input programs provides a complete audit trail of actual and attempted entries, thus providing a last line-ofdefense. The log can be stored on tape or disk files for subsequent analysis. The logging control should include the date, time, user ID and password used, the location, and number of unsuccessful attempts made. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

Which of the following is an example of last line-of-defense? a. Employee vigilance b. Program change controls c. Fault-tolerant techniques d. Exterior protection

a. People can detect abnormalities that machines cannot through their common sense; therefore, employee vigilance is the last line-of-defense against anything that has escaped the first and/or second line-of-defense mechanisms. Exterior protection, such as walls and ceilings designed to prevent unauthorized entry, are examples of second line-of-defense, whereas the other three choices are examples of the first line-of-defense mechanisms. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

What is a database relation containing multiple rows with the same primary key called? a. Polyinstantiation b. Polymorphism c. Inference d. Aggregation

a. Polyinstantiation enables a relation to contain multiple rows with the same primary key. The multiple instances are distinguished by their security levels. In polymorphism, a name may denote objects of many different classes that are related by some common superclass. Inference is derivation of new information from known information. Aggregation is the result of assembling distinct units of data when handling sensitive information.

Which of the following characterizes the relational database technology? a. Rows and columns b. Nodes and branches c. Blocks and arrows d. Parents and children

a. Relational database technology deals with tables, rows, and columns. A hierarchical data model (tree structure) consists of nodes and branches and parents and children. The highest node is called a root. The node types are called segment-types. The root node type is called the root-segment-type. Blocks and arrows can be found in the network data model.

How is a Common Gateway Interface (CGI) script vulnerable? a. Because it is interpreted. b. Because it gives root access. c. Because it accepts checked input. d. Because it can be precompiled.

a. The common gateway interface (CGI) scripts are interpreted, not precompiled. As such, there is a risk that a script can be modified in transit and not perform its original actions. CGI scripts should not accept unchecked input.

Which one of the following data models is suitable for predetermined data relationships? a. Hierarchical data model b. Network data model c. Relational data model d. Distributed data model

a. The hierarchical data structures are suitable for predetermined data relationships, so frequently found, that have a superior/inferior connotation, as parents to child, manager to subordinate, whole to parts, and so on. Despite this naturalism, this model requires the user to understand fairly complex arrangements when a large, diverse database is assembled with it. Depending on the DBMS implementation, this model can be efficient in saving storage and in processing high volume, routine transactions while accessing records one at a time. It has proven also to be an effective model for query techniques that operate on sets of records. The network model provides somewhat more general structures than the hierarchical, for relating diversified data with concern for saving storage. The resulting database may be complex, and the user, normally a programmer, must carefully track the current reference position among the data occurrences. For this reason, the network structure is said to induce a navigational approach in processing transactions. The network model is capable of high efficiency in performance and storage use. Query facilities, although available, are less developed for this model than for the other models. The relational model is widely accepted as the most suitable for end users because its basic formulation is easily understood, and its tabular data structure is obvious and appealing to laymen. Query language innovations are most pronounced for this model over others. The distributed model can be thought of as having many network nodes and access paths between the central and local computers and within the local computer sites. Database security becomes a major issue in a truly distributed environment, where data itself is distributed and there are many access paths to the data from far-flung locations.

The totality of protection mechanisms used for enforcing a security policy is which of the following? a. Trusted computing base b. Trusted path c. Trusted software d. Trusted subject

a. The trusted computing base (TCB) is the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. The other three choices are part of the TCB.

Deadly embraces or deadlock situations in a database can best be handled through which of the following? a. Prevention b. Detection c. Correction d. Ignoring

a. There are two general methods of handling deadlocks. The preferred method involves detecting the probability of deadlock and preventing its occurrence. The other method involves detecting the deadlock when it occurs and doing something to correct it. Deadlocks can be prevented through good database design, especially with physical design efforts. Deadlock situations are too common to ignore. Consistent use of the database can minimize the chances of deadlock.

Useful information architecture links better with which of the following? a. Business planning to information technology planning b. Information engineering to information systems c. Applications security to logical security d. Network security to encryption methods

a. Useful information architecture cannot be developed until an organization establishes a business planning process and links it to strategic information technology planning. This is a high-level planning effort, whereas the items in the other three choices are low-level planning efforts. Information engineering is a systematic process in which information systems are developed to precisely support the business of an organization.

A data warehouse contains which of the following? a. Raw data b. Massaged data c. Source data d. Transaction data

b. A database contains raw data whereas a data warehouse contains massaged data (i.e., summarized data or correlated data). Source data and transaction data are the same as raw data.

Which of the following is an example of a second line-of-defense in attack recognition? a. Firewall b. Attack detection software c. Password d. Internal controls

b. A firewall, a password, and internal controls are first lines-of-defenses against attacks and fraud. The firewall can be bypassed by a clever attacker using an Internet protocol (IP) spoof attack or by bypassing it completely and gaining access to the network directly through a modem. Because of the difficulty in configuring a firewall, a second line-of-defense is needed, and it is the attack detection software installed either on host or network. If an attack cannot be prevented, it must at least be detected. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

Which of the following memory protection mechanisms can eliminate the possibility of malicious code insertion? a. System partitioning b. Nonmodifiable executable programs c. Resource isolation d. Domain separation

b. A nonmodifiable executable program is the one that loads and executes the operating environment and application system from hardware-enforced and read-only media (e.g., CDR/ DVD-R disk drives). The term operating environment is defined as the code upon which application systems are hosted (e.g., a monitor, executive, operating system, or application system running directly on the hardware platform). Use of nonmodifiable storage ensures the integrity of the software program from the point of creation of the read-only image. It can eliminate the possibility of malicious code insertion via persistent, writeable storage. System partitioning means breaking the system into components to reside in separate physical domains or environments as deemed necessary. Resource isolation is the containment of subjects and objects in a system in such a way that they are separated from one another. Domain separation relates to the mechanisms that protect objects in the system.

Which of the following is needed for the correct operation of other security mechanisms? a. Covert storage channel b. Trusted channel c. Covert timing channel d. Overt channel

b. A trusted channel is needed for the correct operation of other security mechanisms. An overt channel may not be trusted. A covert storage and timing channel is a part of covert channel.

Structured Query Language (SQL) security threats include which of the following? a. Data retrieval and manipulation b. Aggregation and inference c. Schema definition and manipulation d. Transaction and diagnostic management

b. Aggregation is the result of assembling or combining distinct units of data when handling sensitive information. Aggregation of data at one sensitivity level may result in all the data being designated at a higher sensitivity level. Inference is derivation of new information from known information. The inference problem refers to the fact that the derived information may be classified at a level for which the user is not cleared. Items included in the other three choices are functions and features of a SQL.

Which of the following is an issue when dealing with information cross-domains? a. Authentication policy b. Level of trust c. Common infrastructure d. Shared infrastructure

b. An information domain is a set of active entities (e.g., person, process, or devices) and their data objects. The level of trust is always an issue when dealing with cross-domain interactions due to untrusted sources. Authentication policy and the use of a common and shared infrastructure with appropriate protections at the operating system, application system, and workstation levels are some of solutions for ensuring effective cross-domain interactions.

Which of the following is n o t a broad-based security objective for ensuring information systems protection? a. Prepare and prevent b. Breach and damage c. Detect and respond d. Build and grow

b. Breach and damage are narrow-based security objectives because they signify the occurrence of a security incident and recovery from its damage. The scope of prepare and prevent includes minimizing the possibility of a significant attack on critical information assets and networks. Detect and respond includes identifying and assessing an attack in a timely manner. Build and grow is building organizations and facilities, hiring and training people, and establishing policies and procedures.

In the trusted computing base (TCB) environment, which of the following is referred to when a security administrator accidentally or intentionally configures the access tables incorrectly? a. Compromise from above b. Compromise from within c. Compromise from below d. Compromise from cross domains

b. Compromise from within results when a security administrator accidentally or intentionally configures the access tables incorrectly. Compromise from above occurs when an unprivileged user can write untrusted code that exploits vulnerability. Compromise from below occurs as a result of accidental failure of an underlying trusted component. Compromise from cross domains is not relevant here.

Technology, one of the principal aspects of the defense-in-depth strategy does not include which of the following? a. Information assurance architecture b. Facilities countermeasures c. Information assurance criteria d. Acquisition integration of evaluated products

b. Facilities countermeasures are a part of the people principal, whereas all the other choices are part of the technology principal. Defense-in depth strategy focuses on people, technology, and operations.

A factor favoring acceptability of a covert channel is which of the following? a. High bandwidth b. Low bandwidth c. Narrow bandwidth d. Broad bandwidth

b. Factors favoring acceptability of a covert channel include low bandwidth and the absence of application software that can exploit covert channels.

Which of the following statements is true with respect to data dictionaries? a. A data dictionary must always be active to be useful. b. An active data dictionary must be dependent on database management systems. c. A passive data dictionary is an important feature of database management systems. d. A data dictionary can exist only with a database system.

b. In the case of an active data dictionary, there is no option, meaning that the data dictionary and the database management system go together; they need each other to function effectively. The other three choices are not correct because (i) both active and passive data dictionaries are useful, (ii) a passive data dictionary may or may not require a check for currency of data descriptions before a program is executed, and (iii) nondatabase systems can have data dictionaries.

Which of the following has a sound security model to prevent malicious code behavior? a. Active-X controls b. Java Applets c. JavaScripts d. E-mail attachments

b. Java Applets have a sound security model to prevent malicious code behavior when compared to Active-X controls, JavaScripts, and e-mail attachments. Java applets use a technology-oriented policy called the sandbox concept. The Java Sandbox prevents Java applets from using sensitive system services. With all other forms of active content, the security policy is trust-based. That is, the user must trust the source of the active content and assume the risk in case the active content causes harm, whether through malicious intention or through inadvertent flaws in the code. Although most malicious file attachments have suspicious file extensions, such as .bat, .cmd, .exe, .pif, .vbs, and .scr, the use of once-benign file extensions, such as .zip, has become more prevalent for malicious file attachments.

Which of the following allows a layered security strategy for information systems? 1. Implementing lower assurance solutions with lower costs to protect less critical systems 2. Implementing all management, operational, and technical controls for all systems 3. Implementing all compensating and common controls for all systems 4. Implementing higher assurance solutions only at the most critical areas of a system a. 1 and 2 b. 1 and 4 c. 2 and 3 d. 1, 2, 3, and 4

b. Management should recognize the uniqueness of each system to allow for a layered security strategy. This is achieved by implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas of a system. It is not practical or cost-effective to implement all management, operational, technical, compensating, and common controls for all systems.

Which of the following creates several independent demilitarized zones (DMZs) on a network? a. Multiple encryption methods b. Multihomed firewalls c. Multiple-chip cryptographic modules d. Multilayered switches

b. Multihomed firewalls providing multiple lines-of-defense are allowed to create several independent demilitarized zones (DMZs)—one interfacing the Internet (public network), one interfacing the DMZ segments, and another one interfacing the internal company network (i.e., intranet). These firewalls have more than one network interface card (NIC) to work with. The other three choices do not have the capability to create several independent DMZs on a network.

Regarding Common Criteria (CC), reference monitor concept is applied to enforce which of the following? a. Security Target (ST) b. Target of Evaluations (TOE) c. Protection Profile (PP) d. System Specifications

b. Reference monitor concept is an access control concept referring to an abstract machine that mediates all accesses to objects by subjects. It is applied to enforce target of evaluations (TOE) access control policies during the design of TOE. The Common Criteria (CC) contains criteria to be used by evaluators when forming judgments about the conformance of TOEs to their security requirements. The CC describes the set of general actions the evaluator is to carry out but does not specify procedures to be followed in carrying out those actions. A protection profile (PP) is a template for a security target (ST). Whereas a ST always describes a specific TOE (e.g., firewall v18.5), a PP is intended to describe a TOE type (e.g., firewall). A PP is an implementation-independent statement of security needs for a product type and a ST is an implementation-dependent construct. The ST may be based on one or more PPs. System specifications refer to the roles that a ST or PP should or should not fulfill.

A restart and recovery mechanism for a database management system (DBMS) would not include which of the following? a. Rollback approach b. Reorganization c. Shadowing approach d. Versioning facility

b. Reorganization of a database occurs at initial loading and any subsequent reloading. Reorganization eliminates unused space between the valid records as a result of a deletion of some records. Besides reclaiming unused space, reorganization can arrange the records in such a way that their physical sequence is the same or nearly the same as their logical sequence. Reorganization has nothing to do with restart and recovery. The DBMS must have a comprehensive and reliable recovery system that uses either the rollback approach in which invalid or incomplete transactions and database images are backed up; or the shadowing approach with journaling (or transaction recording) and recovery by reapplying transactions against a previous version of the database. These facilities should also accommodate selected recovery for specific files, records, or logical records. In addition, the DBMS should also have a versioning facility to track and record changes made to data over time through the history of design changes. The version management system should track version successors and predecessors. Although the rollback approach uses before images, the roll-forward approach uses after images. Both of these images are stored on a log tape. If a database is damaged, the after image copies can be added to a backup copy of the database. The database is rolled forward from a point in time when it is known to be correct to a later time.

Taken to its extreme, what does active content become? a. Built-in macro processing b. Delivery mechanism for mobile code c. Scripting language d. Virtual machine

b. Taken to its extreme, active content becomes, in effect, a delivery mechanism for mobile code. Active content involves a host of new technologies such as built-in macro processing, scripting language, and virtual machine.

The Common Criteria (CC) addresses which of the following in an uncommon way? a. Confidentiality b. Risks c. Integrity d. Availability

b. The Common Criteria (CC) addresses information protection from unauthorized disclosure (confidentiality), modification (integrity), or loss of use (availability), which is a common way. The CC is also applicable to risks arising from human activities (malicious or otherwise) and to risks arising from nonhuman activities, which is an uncommon way.

The Common Criteria (CC) permits which of the following between the results of independent security evaluations? a. Usability b. Comparability c. Scalability d. Reliability

b. The Common Criteria (CC) permits comparability between the results of independent security evaluations. The evaluation process establishes a level of confidence that the security functionality of IT products and the assurance measures applied to these IT products meet a common set of requirements. The CC is applicable to IT security functionality implemented in hardware, firmware, or software. Usability is incorrect because it means such things as easy to learn and remember, productivity enhancing, error resistant, and friendly features. Scalability is incorrect because it means the system can be made to have more or less computational power by configuring it with a larger or smaller number of processors, amount of memory, interconnection bandwidth, input/output bandwidth, and amount of mass storage. Reliability is incorrect because it means the system can be counted upon to perform as expected.

Which of the following actions is n o t a part of the increase resilience security principle? a. Operate an IT system to limit damage and to be resilient in response. b. Do not implement unnecessary security mechanisms. c. Isolate public access systems from mission-critical resources. d. Implement audit mechanisms to detect unauthorized use and to support incident investigations.

b. The action item "Do not implement unnecessary security mechanisms" is a part of the reduce vulnerabilities. security principle. The other three choices are part of the increase resilience security principle.

Which of the following action items is not a part of the security principle of "increase resilience"? a. Implement layered security to ensure no single point of vulnerability. b. Use common languages in developing security requirements. c. Limit or contain vulnerabilities. d. Use boundary mechanisms to separate computing systems and networks.

b. The action item "Use common languages in developing security requirements" is a part of ease-of-use security principle. The other three choices are part of the increase resilience security principle.

Which one of the following security features and mechanisms is specified by the structured query language (SQL) standards? a. Identification and authentication b. Transaction management c. Auditing d. Fault tolerance

b. The database language SQL is a standard interface for accessing and manipulating relational databases. Many critical security features are not specified by SQL; others are specified in one version of SQL but omitted from earlier versions. A database may be in a consistent or inconsistent state. A consistent state implies that all tables (or rows) reflect some real-world change. An inconsistent state implies that some tables (or rows) have been updated but others still reflect the old world. Transaction management mechanisms are applied to ensure that a database remains in a consistent state at all times. These mechanisms enable the database to return to the previous consistent state if an error occurs. Identification and authentication mechanisms are not specified in SQL. However, they are required implicitly. In the simplest case, the user authenticates his identity to the system at logon. That information is maintained throughout the session. The information is passed to the DBMS when the DBMS is accessed. The strength of authentication varies with the type, implementation, and management of the authentication mechanisms. The SQL specification does not include auditing requirements, but SQL products may include some auditing functionality. Warning mechanisms are closely related to auditing requirements. If the SQL processor includes auditing, the operating system must have sufficient access controls to prevent modification of, or access to, the audit trail. Fault tolerance is not required by any SQL specification but is a feature of certain SQL implementations. Fault-tolerant systems address system failure; disk array technology can be used to address storage media failure.

The principal aspects of the defense-in-depth strategy to achieve an effective information-assurance posture do not include which of the following? a. People b. Processes c. Technology d. Operations

b. The defense-in-depth strategy achieves an effective information assurance posture and includes people, technology, and operations, but not processes. Organizations address information assurance needs with people executing operations supported by technology.

The detect-and-respond infrastructure for information assurance requires which of the following? 1. Intrusion detection 2. Cryptographic key management infrastructure 3. Monitoring software 4. Public key infrastructure a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

b. The detect-and-respond infrastructure enables rapid detection of, and reaction to, intrusions. The infrastructure required includes technical solutions such as intrusion detection, monitoring software, and skilled specialists often referred to as a computer emergency response team (CERT). The cryptographic key management infrastructure (KMI), which includes public key infrastructure (PKI), provides a common unified process for the secure creation, distribution, and management of the public key certificates and traditional symmetric keys. KMI and PKI are not directly related to detect and respond; although, they are all part of supporting infrastructure addressing information assurance.

From a relative risk viewpoint, the need for layered security protection is most important for which of the following systems in order to protect against sophisticated attacks? a. Major information systems b. Commercial off-the-shelf systems c. General support systems d. Custom designed application systems

b. The need for layered security protection is most important when commercial off-theshelf products are used from software vendors. Practical experience has shown that the current state-of-the-art for security quality in vendor's commercial system products does not provide a high degree of protection against sophisticated attacks. Additional security controls are needed to provide a layered security protection because the vendor product is a generic product with minimal security controls for all customers' use. The systems in the other three choices are internal systems to an organization that are developed with a specific business purpose and with adequate security controls. General support system is an interconnected set of information resources under the same direct management control that share common functionality, including hardware, software, data/information, applications, communications, and people. An information system is classified as a major system when its development, maintenance, and operating cost are high and when it has a significant role in the overall operations of an organization.

Which of the following is an example of a single point-of-failure? a. Security administration b. Single sign-on c. Multiple passwords d. Network changes

b. The single sign-on (SSO) system is an example of a single point-of-failure, where the risk is concentrated rather than diffused. If the sign-on system is compromised, the entire system is vulnerable. The other three choices are examples of multiple points-of-failure, where many things can go wrong in many places by many individuals. Every time an employee is terminated or parts of the network changed, the security administrator must deactivate all the employee's passwords and reconfigure the network. Here, the risk is spread out, not concentrated.

Which of the following statements is not true about a system's protection profile (PP) format of the Common Criteria (CC)? a. It records the threats that are being considered. b. It is the result of the initial security analysis. c. It documents the security objectives that are being pursued. d. It records the actual security specifications as they are created.

b. The system protection profile (PP) format of Common Criteria (CC) can be used for presenting the results of the needs determination and requirements analysis. Further, a system PP acts as a record of the security analysis performed during this specification generation process. The PP provides all the things mentioned in the other three choices. Therefore, a system PP should be viewed as an evolving document that is not simply the "result" of the initial security analysis, but is also the full record of the security analysis performed during the course of the specification generation process.

Which of the following requires that all users must have formal access approval? a. Compartmented security mode b. System-high security mode c. Controlled mode d. Limited access mode

b. The system-high security mode requires that if the system processes special access information, all users must have formal access approval.

What is a communication channel that enables a process to transfer information in a manner that violates the system's security policy called? a. Communication channel b. Covert channel c. Exploitable channel d. Overt channel

b. This is the definition of a covert channel. A communication channel is the physical media and device that provides the means for transmitting information from one component of a network to other components. An exploitable channel is usable or detectable by subjects external to the Trusted Computing Base (TCB). An overt channel is a path within a network designed for the authorized transfer of data. This is in contrast to a covert channel.

Information system partitioning is a part of which of the following protection strategies? a. Defense-in-breadth b. Defense-in-depth c. Defense-in-technology d. Defense-in-time

b. Using a defense-in-depth protection strategy, an information system can be partitioned into components residing in separate physical domains or environments to ensure safe and secure operations. It integrates people, technology, and operations to establish variable barriers across multiple layers and multiple functions. A defense-in-breadth strategy is used to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or product life cycle. A defense-in technology uses compatible technology platforms, and a defense-in-time considers different time zones in the world to operate global information systems.

Poorly implemented session-tracking may provide an avenue for which of the following? a. Browser-oriented attacks b. Server-oriented attacks c. Network-oriented attacks d. User-oriented attacks

b. Web-based applications often use tracks, such as session identifiers, to provide continuity between transactions. Poorly implemented session-tracking may provide an avenue for server-oriented attacks.

A data dictionary is which of the following? a. It is a central catalog of programs. b. It is a central catalog of processes. c. It is a central catalog of data. d. It is a central catalog of objects.

c. A data dictionary is a tool to help organizations control their data assets by providing a central catalog of data. The data dictionary requires security protection.

Which of the following represents a single point-of-failure? a. Network server b. Database server c. Firewall d. Router

c. A firewall tends to concentrate security in a single point, which can lead to the potential of compromising the entire network through a single point. If the firewall fails, the entire network could be attacked. The other three choices are not examples of single point-of-failure.

What do fundamental goals of the defense-in-depth include? a. Sneak and peek b. Trap and trace c. Detect and respond d. Protect and detect

c. A fundamental tenet of the defense-in-depth strategy is to prevent a cyber attack from penetrating networks and to detect and to respond effectively to mitigate the effects of attacks that do. Detect and respond capabilities are complex structures that run the gamut of intrusion and attack detection, characterization, and response. Sneak and peek are incorrect because they are an element of the U.S. Patriot Act of 2001, which was developed to provide convenience to law enforcement authorities in the event of terrorism. Trap and trace are incorrect because they are a part of a criminal investigation. Protect and detect are incorrect because they are a part of physical security function.

Which of the following contains a security kernel, some trusted-code facilities, hardware, and some communication channels? a. Security domain b. Security model c. Security perimeter d. Security parameters

c. A security perimeter is a boundary within which security controls are applied to protect information assets. The security domain is a set of elements, a security policy, an authority, and a set of relevant activities. The security model is a formal presentation of the security policy enforced by the system. Examples of security parameters include passwords and encryption keys.

Which of the following enforces the network policy? a. Exploitable channel b. Communications channel c. Security-compliant channel d. Memory channel

c. A security-compliant channel enforces the network policy and depends only upon characteristics of the channel either included in the evaluation or assumed as an installation constraint.

Which of the following maintains the integrity of information that is sent over a channel? a. Communication channel b. Security-compliant channel c. Trusted channel d. Memory channel

c. A trusted channel maintains the integrity of information that is sent over it. The other three choices cannot maintain the integrity because they are not trusted.

Regarding Common Criteria (CC), how should a Security Target (ST) be used? 1. Before evaluation 2. After evaluation 3. Detailed specification 4. Complete specification a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. A typical security target (ST) fulfills two roles such as before and during the evaluation and after the evaluation. Two roles that an ST should not fulfill include a detailed specification and a complete specification.

According to the Common Criteria (CC), security functional requirements do not include which of the following? a. User data protection b. Security management c. Configuration management d. Resource utilization

c. According to the Common Criteria (CC), configuration management is part of security assurance requirements, not a functional requirement. The other three choices are part of the security functional requirements.

When the requirements of the ISO's Information Security Management Systems (ISO/IEC 27001) framework are applied to any computing environment, "measure and improve controls" belong to which of the following PDCA cycle steps? a. Plan b. Do c. Check d. Act

c. According to the International Organization or Standardization (ISO), the Plan-Do- Check-Act (PDCA) cycle is the operating principle of ISO's management system standards. The step "check" measures the results. Specifically, it measures and monitors how far the actual achievements meet the planned objectives. The step "plan" establishes objectives and develops plans. Specifically, it analyzes an organization's situation, establishes the overall objectives, sets interim targets, and develops plans to achieve them. The step "do" implements the plans. The step "act" corrects and improves the plans by putting them into practice. Specifically, it makes one learn from mistakes in order to improve and achieve better results next time.

From a security policy viewpoint, a survivable system should be built based on a specific: a. Hardware b. Software c. Architecture d. Vendor

c. An architecture-based approach should be taken to achieve survivability. That is, one should take an approach where design issues, rather than specific hardware or software products or vendors, are key to creating such a system.

Pharming attacks are an example of which of the following? a. Browser-oriented attacks b. Server-oriented attacks c. Network-oriented attacks d. User-oriented attacks

c. An attacker may modify the domain name system (DNS) mechanism to direct it to a false website. These techniques are often used to perform pharming attacks, where users may divulge sensitive information. Note that pharming attacks can also be initiated by subverting the victim's host computer files.

Which of the following is not an example of a first line-of-defense? a. Policies and procedures b. Internal controls c. Audit trails and logs d. Training, awareness, and education

c. Audit trails and logs provide after-the-fact information to detect anomalies and therefore cannot provide the first line-of-defenses in terms of preventing an anomaly. Audit trails and logs provide second line-of-defenses, whereas all the other three choices provide first line-ofdefense mechanisms.

Which of the following does not act as the first line-of-defense for protecting the data? a. Passwords b. Disk mirroring c. Audit trails d. Redundant array of independent disk

c. Audit trails provide information on an after-the-fact basis. They do not prevent bad things from happening. Disk mirroring, redundant array of independent disk (RAID), and passwords are the first lineof- defenses. Disk mirroring and RAID act as the first line-of-defense for protecting against data loss. Incorrect entry of a password will be rejected thus disallowing an unauthorized person to enter into a computer system. Both disk mirroring and RAID provide redundant services. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

Which of the following supports the security-in-depth strategy? a. Abstraction b. Data hiding c. Layering d. Encryption

c. By using multiple, overlapping protection mechanisms, the failure or circumvention of any individual protection approach will not leave the system unprotected. The concept of layered protections is called security-in-depth or defense-in-depth strategy. Abstraction, data hiding, and encryption are some examples of protection mechanisms, which are part of securityin- depth strategy.

In which of the following security operating modes is the system access secured to at least the top level? a. Multilevel security mode b. Dedicated security mode c. Compartmented security mode d. Controlled mode

c. Compartmented security mode is the mode of operation that allows the system to process two or more types of compartmented information (information requiring a special authorization) or any one type of compartmented information with other than compartmented information. In this mode, system access is secured to at least the top-secret level, but all system users do not necessarily need to be formally authorized to access all types of compartmented information being processed and/or stored in the system. Multilevel security mode is incorrect. It is the mode of operation that allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present. Dedicated security mode is incorrect. It is the mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time. Controlled mode is incorrect. It is a type of multilevel security in which a more limited amount of trust is placed in the hardware/software base of the system, with resultant restrictions on the classification levels and clearance levels that may be supported.

In the trusted computing base (TCB) environment, which of the following is referred to when a trusted component is accidentally failed? a. Compromise from above b. Compromise from within c. Compromise from below d. Compromise from cross domains

c. Compromise from below occurs as a result of malicious or accidental failure of an underlying trusted component. Compromise from above occurs when an unprivileged user can write untrusted code that exploits vulnerability. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from cross domains is not relevant here.

In the trusted computing base (TCB) environment, which of the following is referred to when a failure results from the modifications to the hardware? a. Compromise from above b. Compromise from within c. Compromise from below d. Compromise from cross domains

c. Compromise from below results when a failure occurs due to modification to the hardware. This is because the hardware is located at the bottom of the hierarchy. Compromise from above occurs when an unprivileged user can write untrusted code that exploits vulnerability. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from cross domains is not relevant here.

Which of the following is the last (final) line-of-defense for the defense-in-depth strategy? a. Perimeter-based security b. Network-based computing environment c. Host-based computing environment d. Host-based security

c. Detect and respond actions effectively mitigate the effects of attacks that penetrate and compromise the network. The host-based computing environment is the last (final) line-ofdefense for the defense-in-depth strategy. The protection approach must take into account some facts such as workstations and servers can be vulnerable to attacks through poor security postures, misconfigurations, software flaws, or end-user misuse. Perimeter-based security is incorrect because it is a technique of securing a network by controlling accesses to all entry and exit points of the network. Network-based computing environment is incorrect because it focuses on effective control and monitoring of data flow into and out of the enclave, which consists of multiple LANs, ISDNs, and WANs connected to the Internet. It provides a first line-of-defense. Host-based security is incorrect because it is a technique of securing an individual system from attacks. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

Which of the following can be most easily exploited when executing behind firewalls? a. Electronic mail b. Web requests c. Active-X controls d. File transfer protocol

c. Firewalls are good at preventing vulnerabilities in software inside the firewall from being exposed to the Internet at large. However, firewalls permit Internet requests to access certain software running on machines inside the firewall. This includes e-mail, Web requests, file transfer protocol (FTP), and telnet sessions. The problem with trusted Active-X controls is that an Active-X control can easily exploit vulnerabilities in the firewall that allows the control to make a connection back to a Web server. This means that the Active-X control can behave maliciously by design or through manipulation by a malicious server. The ability for Active-X controls to accept scripting commands makes them vulnerable to manipulation from malicious servers.

It is best to assume that external computer systems are: a. Simple b. Secure c. Insecure d. Complex

c. In general, external computer systems should be considered insecure. Until an external system has been deemed trusted, it is safe to assume that it is insecure. Systems can be simple or complex in design, which may or may not affect security.

A strategy of layered protections is needed for which of the following? 1. Multiple points of vulnerability 2. Single points-of-failure 3. Network boundaries 4. Legacy information systems a. 1 and 2 b. 2 and 3 c. 1, 2, and 3 d. 1, 2, 3, and 4

c. Information infrastructures are composed of complicated systems with multiple points of vulnerability, single points-of-failure, and critical areas such as network boundaries. Layers of technology solutions are needed to establish an adequate information assurance posture. Organizations have spent considerable amounts of money on developing large legacy information systems to satisfy unique mission or business needs. These legacy systems will remain in place for some time to come, and slowly will be replaced by commercial off-theshelf software products. Layered protection is not needed for legacy systems that will be expired soon.

Protecting interconnectivity communication devices is a part of which of the following to secure multi-user and multiplatform environments? a. Management controls b. Technical controls c. Physical controls d. Procedural controls

c. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures. Physical security controls (e.g., locked rooms and closets) are used to protect interconnectivity communication devices. Management controls deal with policies and directives. Technical controls deal with technology and systems.

Regarding Common Criteria (CC), which of the following provides an implementation-independent statement of security needs? a. Target of evaluation (TOE) b. Security target (ST) c. Protection profile (PP) d. Evaluation of assurance level (EAL)

c. Protection profile (PP) is an implementation-independent statement of security needs for a product type. TOE is incorrect because it is a product that has been installed and is being operated according to its guidance. ST is incorrect because it is an implementation-dependent statement of security needs for a specific identified TOE. EAL is incorrect because it is an assurance package, consisting of assurance requirements, representing a point on the CC predefined assurance scale.

Which of the following determines the extent to which changes to an information system have affected the security state of the system? a. Information system boundary b. Information system resilience c. Security impact analysis d. Security control assessment

c. Security impact analysis is conducted to determine the extent to which changes to the information system have affected the security state of the system. The other three choices do not deal with security states. Information system boundary means all components of a system to be authorized for operation have a defined boundary, and it excludes separately authorized systems to which the system is connected. Information system resilience is the capability of a system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack. Security control assessment is the testing and/or evaluation of the security controls (i.e., management, operational, and technical controls) to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of an information system.

Which of the following are used to perform data inferences? a. Memory and CPU channels b. Exploitable and detectable channels c. Storage and timing channels d. Buffer and overt channels

c. Sensitive information can be inferred by correlating data on storage media or observing timing effects of certain operations. Storage and timing channels are part of covert channels, where an unauthorized communications path is used to transfer information in a manner that violates a security policy. An exploitable channel is usable or detectable by subjects external to the Trusted Computing Base (TCB). An overt channel is a path within a network designed for the authorized transfer of data. Memory, CPU, and buffer channels are distracters.

What is the least effective way to handle the Common Gateway Interface (CGI) scripts? a. Avoid them. b. Delete them. c. Execute them. d. Move them away.

c. Some hypertext transfer protocol (HTTP) servers come with a default directory of CGI scripts. The best thing is to delete or avoid these programs, or move them away to another location. The CGI scripts are dangerous because they are vulnerable to attack while executing.

Operations, one of the principal aspects of the defense-in-depth strategy does not include which of the following? a. Certification and accreditation b. Attack sensing and warning c. System risk assessment d. Recovery and reconstitution

c. System risk assessment is a part of the technology principal, whereas the other choices are part of the operations principal. Defense-in depth strategy focuses on people, technology, and operations.

Which of the following action items is not a part of security principle of "reduce vulnerabilities"? a. Strive for simplicity b. Implement least privilege c. Base security on open standards for portability and interoperability d. Minimize the system elements to be trusted

c. The action item "Base security on open standards for portability and interoperability" is a part of the ease-of-use security principle. The other three choices are part of the reduce vulnerabilities security principle.

Which of the following is not an example of the basic components of a generic Web browser? a. Java b. Active-X c. CGI d. Plug-ins

c. The common gateway interface (CGI) is an industry standard for communicating between a Web server and another program. It is a part of a generic Web server. Java, Active X, and plug-ins are incorrect because they are a part of a generic Web browser.

The use of which of the following can lead to the existence of a covert channel? a. Data label b. Dual label c. Floating label d. Fixed label

c. The covert channel problem resulting from the use of floating labels can lead to erroneous information labels. A fixed label is a part of a dual label.

What is the first place to focus on security improvements in a client/server system? a. Application software level b. Database server level c. Database level d. Application server level

c. The first place to focus on security improvements is at the database level. One advantage is that security imposed at the database level will be consistent across all applications in a client/server system.

Access to all the following should be denied except: a. HTTP cookies b. CGI scripts c. PGP cookie cutter program d. Applets

c. The full name of a cookie is a Persistent Client State HTTP Cookie, which can be an intrusion into the privacy of a Web user. A cookie is a basic text file, transferred between the Web server and the Web client (browser) that tracks where a user went on the website, how long the user stayed in each area, and so on. The collection of this information behind the scenes can be seen as an intrusion into privacy. Access to hypertext transfer protocol (HTTP) cookies can be denied. The pretty good privacy (PGP) cookie cutter program can prevent information about a user from being captured. A common gateway interface (CGI) script is a small program to execute a single task on a Web server. These scripts are useful for filling out and submitting Web forms and hold information about the server on which they run. This information is also useful to an attacker, which makes its risky. The script can be attacked while running. Applets enable a small computer program to be downloaded along with a Web page. Applets have both good and bad features. Making a Web page look richer in features is a good aspect. Siphoning off files and erasing a hard drive are some examples of bad aspects.

Which of the following physical security mechanisms provides a first line-of-defense for a data center? a. Interior areas within a building b. Exterior walls of a building c. Perimeter barriers outside a building d. Ceilings of a building

c. The perimeter barriers such as gates and guards, which are located at an outer edge of a property, provide a first line-of-defense. Exterior walls, ceilings, roofs, and floors of a building themselves provide a second line-of-defense. Interior areas within a building such as doors and windows provide a third line-of-defense. All these examples are physical security mechanisms. The first line-of-defense is always better than the other lines-of-defenses due to cost, time, and effectiveness factors. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

Which of the following describes one process signaling information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process? a. A communication channel b. A covert storage channel c. A covert timing channel d. An exploitable channel

c. The statement fits the description of a covert timing channel. A communication channel is the physical media and device that provides the means for transmitting information from one component of a network to other components. An exploitable channel is any channel usable or detectable by subjects external to the Trusted Computing Base (TCB).

Regarding Common Criteria (CC), which of the following alone is not sufficient for use in common evaluation methodology? 1. Repeatability 2. Objectivity 3. Judgment 4. Knowledge a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. Use of a common evaluation methodology contributes to the repeatability and objectivity of the results but it is not by itself sufficient. Many of the evaluation criteria require the application of expert judgment and background knowledge for which consistency is more difficult to achieve.

Which of the following provides organizations with the ability to disguise information systems and to reduce the likelihood of successful attacks without the cost of having multiple platforms? a. Virtual computing b. Virtual machine software c. Virtualization technologies d. Virtualized networking

c. Virtualization technologies provide organizations with the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Although frequent changes to operating systems and application systems pose configuration management challenges, the changes result in an increased work factor for adversaries to carry out successful attacks. Changing the apparent operating system or application system, as opposed to the actual operating system or application system, results in virtual changes that still impede attacker success while helping to reduce the configuration management effort. To achieve this goal, organizations should employ randomness in the implementation of the virtualization technologies. Many virtualization solutions allow more than one operating system to run on a single computer simultaneously, each appearing as if it were a real computer. This has become popular recently because it allows organizations to make more effective use of computer hardware. Most of these types virtualization systems include virtualized networking, which allows the multiple operating systems to communicate as if they were on standard Ethernet, even though there is no actual networking hardware. Virtual machine (VM) is software that allows a single host computer to run one or more guest operating systems. Because each VM is identical to the true hardware, each one can run any operating system that will run directly on the hardware. In fact, different VMs can run different operating systems. VMs can be used to prevent potentially malicious software from using the operating system for illicit actions. They typically lie between the operating system and the physical hardware. This mediation layer between the software and hardware is a powerful feature that prevents potentially malicious software from interfacing directly with real hardware. VMs normally provide virtual resources to the operating system. Worms that attempt to run in such an environment can damage only the virtual resources and not the true operating system or hardware. VMs can also help a user recover their system, after an attack has been detected. They often have the capability to restore the system to a previous, uninfected state. Virtual computing and virtualized networking are a part of virtualization techniques or technologies.

When building or acquiring new applications systems, which of the following specifically deal with data security requirements? a. Sequencing plan b. System lifecycle c. Technical architecture d. Logical architecture

d. A logical (functional) architecture defines in business terms the activities or subfunctions that support the core areas of the business, the relationships among these activities or subfunctions, and the data required to supporting these activities or subfunctions. A technical (physical) architecture defines subsystems, configuration items, data allocations, interfaces, and commons services that collectively provide a physical view of the target systems environment. The combination of logical and technical architecture can make up the organization's total architecture. A sequencing plan defines the actions that must be taken and their schedules, along with costs to cost-effectively evolve from the current to the future systems operating environment. A system life cycle defines the policies, processes, and products for managing information technology investments from conception, development, and deployment through maintenance, support, and operation.

For Common Criteria (CC), how should a Protection Profile (PP) be used? 1. Specification of a single product 2. Complete specification 3. Requirements specification 4. Baseline a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. A protection profile (PP) is typically used as part of a requirement specification, part of a regulation from a specific regulatory entity, or a baseline defined by a group of IT developers. Three roles that a PP should not fulfill include a detailed specification, a complete specification and a specification of a single product.

Which of the following is not a component of a system's architecture? a. Functional b. Technical c. Physical d. Mechanical

d. A system's architecture defines the critical attributes of an organization's collection of information systems in both business/functional and technical/physical terms. Mechanical is not included.

A denial-of-service attack is an example of which of the following threat categories that apply to systems on the Internet? a. Browser-oriented b. User-oriented c. Server-oriented d. Network-oriented

d. Attacks can be launched against the network infrastructure used to communicate between the browser and server. An attacker can gain information by masquerading as a Web server using a man-in-the middle attack, whereby requests and responses are conveyed via the impostor as a watchful intermediary. Such a Web spoofing attack allows the impostor to shadow not only a single targeted server, but also every subsequent server accessed. Other obvious attack methods lie outside the browser-server framework and involve targeting either the communications or the supporting platforms. Denial-of-service (DoS) attacks through available network interfaces are another possibility, as are exploits involving any existing platform vulnerability.

Which of the following security controls are needed to protect digital and nondigital media during their transport? 1. Cryptography 2. Physical security controls 3. Locked storage container 4. Procedural security controls a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. Both digital and nondigital media during transport should be protected with cryptography (encryption), physical security controls, locked storage containers, and procedural security controls.

Which of the following is required to ensure a foolproof security over a mobile code? a. Firewalls b. Antivirus software c. Intrusion detection and prevention systems d. Cascaded defense-in-depth measures

d. Cascaded defense-in-depth measures come close to providing foolproof security over a mobile code with examples such as firewalls, antivirus software, intrusion detection and prevention systems, and behavior blocking technologies. Although firewalls, antivirus software, and intrusion detection and prevention systems provide useful safeguards, they do not provide strong security due to the existence of a variety of techniques for deception such as mutation, segmentation, and disguise via extended character set encoding.

If Control A misses 30 percent of attacks and Control B also misses 30 percent of attacks, in combination, what percentage of attacks will be caught? a. 40 percent b. 60 percent c. 70 percent d. 91 percent

d. Controls work in an additive way, meaning that their combined effect is far greater than the sum of each individual effect. In combination, both controls should miss only 9 percent (i.e., 0.3 x 0.3) of attacks. This means 91 percent (i.e., 100 percent - 9 percent) of attacks should be caught. Forty percent is incorrect because it adds 30 percent and 30 percent and subtracts the result from 100%. Sixty percent is incorrect because it simply adds 30 percent for Control A and B. Seventy percent is incorrect because it subtracts 30 percent from 100 percent, resulting in 70 percent.

Implementing layered and diverse defenses to an information system means: 1. Attacks are progressively weakened. 2. Attacks are eventually defeated. 3. Placing identical controls in succession. 4. Placing different controls that complement each other. a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4

d. Defending an information system requires safeguards applied not only at points of entry, but also throughout the system. Ideally, selecting and placing security controls are done in such a way that all attacks are progressively weakened and eventually defeated. Having an identical control in succession tends to lengthen the duration of the attack. Applying different types of controls that complement each other and are mutually supportive is a much more effective approach (i.e., defense-in-depth strategy).

Which of the following is a disadvantage of distributed database management systems when compared to centralized database management systems? a. Autonomy b. Reliability c. Flexibility d. Data backup

d. Distributed database management systems are complex to develop and maintain and mission critical data may need to be placed centrally to use backup facilities typically available at a central location. These are some disadvantages of being distributed. The other three choices are incorrect. Autonomy and better control are provided to local management. Reliability is increased; that is, if one server goes down, most of the data remains accessible. Flexibility is provided; that is, users tend to request locally created and maintained data more frequently than data from other locations. These are advantages of being distributed.

Which of the following is the most important property of well-designed distributed systems? a. Fault tolerance through redundancy b. Security protection through isolation c. Extendibility through adaptability d. Distribution transparency through separation of components

d. Distribution transparency provides a unified interface to a collection of computing resources using the same names and operations regardless of their location. This means that services are delivered wherever the user is located. New components can be added to the system without interrupting system operations. The other three choices are benefits of welldesigned distributed systems.

Which of the following cannot protect simple object access protocol (SOAP) messages in a service-oriented architecture (SOA) providing Web services? a. XML encryption b. XML gateway c. XML signature d. XML parser

d. Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks based on use of authentication, authorization, confidentiality, and integrity mechanisms. This augmentation includes the use of XML encryption, XML gateways, and XML signature, which are countermeasures. It is always beneficial to implement defense-in-depth using XML gateways at the perimeter along with WSSecurity or HTTPS for all internal Web services. XML parsers are often the target attacks because they are the first portion of a Web service that processes input from other Web services. Poorly designed or configured XML parsers can be used to compromise the parser regardless of how secure the Web service is.

Regarding Common Criteria (CC), precise and universal rating for IT security products is infeasible due to which of the following? 1. Reducing risks 2. Protecting assets 3. Objective elements 4. Subjective elements a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. Evaluation should lead to objective and repeatable results that can be cited as evidence, even if there is no totally objective scale for representing the results of a security evaluation. As the application of criteria contains objective and subjective elements, precise and universal ratings for IT security are infeasible. Reducing risks and protecting assets are the outcomes of a target of evaluation (TOE).

Which of the following approaches isolates public-access systems from missioncritical resources? 1. Physical isolation 2. Demilitarized zones 3. Screened subnets 4. Security policies and procedures a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 1, 2, 3, and 4

d. Mission-critical resources include data, systems, and processes, which should be protected from public-access systems either physically or logically. Physical isolation may include ensuring that no physical connection exists between an organization's public information resources and an organization's critical information. When implementing a logical isolation solution, layers of security services and mechanisms should be established between public systems and secure private systems responsible for protecting mission-critical resources. Security layers may include using network architecture designs such as demilitarized zones (DMZ) and screened subnets. Finally, system designers and administrators should enforce organizational security policies and procedures regarding use of public-access systems.

Which of the following is an example of risk on the client side of a network? a. Software development tools b. Scripts c. Document formats d. Active-X controls

d. On the browser (client) side, unnecessary plug-ins, add-ons, or Active-X controls should be removed. It is also recommended to substitute programs with lesser functionality in lieu of fully capable helper applications or plug-ins. The other three choices are risks from the server side. On the server side, any unnecessary software not needed in providing Web services should be removed as well, particularly any software development tools that could be used to further an attack if an intruder should gain an initial foothold. Ideally, server-side scripts should constrain users to a small set of welldefined functionality and validate the size and values of input parameters so that an attacker cannot overrun memory boundaries or piggyback arbitrary commands for execution. Scripts should be run only with minimal privileges (i.e., nonadministrator) to avoid compromising the entire website in case the scripts have security flaws. Potential security weaknesses can be exploited even when Web applications run with low privilege settings. For example, a subverted script could have enough privileges to mail out the system password file, examine the network information maps, or launch a login to a high numbered port. Whenever possible, content providers and site operators should provide material encoded in less harmful document formats. For example, if document distillers are not available to convert textual documents into portable document format (PDF), an alternative is to make available a version in .rtf (rich text format), rather than a proprietary word processing format.

Perimeter-based network security technologies such as firewalls are inadequate to protect service-oriented architectures (SOAs) providing Web services due to which of the following reasons? 1. Transport layer security (TLS) 2. Hypertext transfer protocol (HTTP) 3. Simple object access protocol (SOAP) 4. Reverse SOAP a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 1, 2, 3, and 4

d. Perimeter-based network security technologies (e.g., firewalls) are inadequate to protect SOAs for the following reasons: The Transport Layer Security (TLS), which is used to authenticate and encrypt Webbased messages, is inadequate for protecting SOAP messages because it is designed to operate between two endpoints. TLS cannot accommodate Web services' inherent capability to forward messages to multiple other Web services simultaneously. SOAP is transmitted over Hypertext Transfer Protocol (HTTP), which is allowed to flow without restriction through most firewalls. Application-aware firewalls in the form of HTTP proxies for HTTP-based traffic allow organizations to limit what an application-layer protocol can and cannot do. Because SOAP travels over HTTP, it is traditionally left open for Web traffic at perimeter firewalls. Additionally, with the Reverse SOAP (PAOS) specification, SOAP messages can pass through firewalls that limit incoming HTTP traffic but allow outgoing HTTP traffic. Some firewalls have begun to support blocking or allowing SOAP requests based on the source or destination of the request, but more robust and intelligent firewalls are needed to defend networks against malicious SOAP attacks. SOAs are dynamic and can seldom be fully constrained to the physical boundaries of a single network.

Requiring signed conflict-of-interest and nondisclosure statements are a part of which of the following to secure multi-user and multiplatform environments? a. Management controls b. Technical controls c. Physical controls d. Procedural controls

d. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures. Requiring signed conflict of interest and nondisclosure statements are a part of procedural controls. Management controls deal with policies and directives. Technical controls deal with technology and systems.

Operations, one of the principal aspects of the defense-in-depth strategy does not include which of the following? a. Readiness assessments b. Security management c. Cryptographic key management d. Physical security

d. Physical security is a part of the people principal, whereas all the other three choices are part of the operations principal.

Which of the following consists of a layered security approach to protect against a specific threat or to reduce vulnerability? 1. Use of packet-filtering routers 2. Use of an application gateway 3. Use of strong password controls 4. Adequate user training a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 1, 2, 3, and 4

d. Security designs should consider a layered approach to address or protect against a specific threat or to reduce vulnerability. For example, the use of a packet-filtering router with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. Adding good password controls and adequate user training improves the system's security posture even more.

The Common Criteria (CC) is not useful as a guide for which of the following when evaluating the security functionality of IT products? a. Development b. Evaluation c. Procurement d. Implementation

d. The CC is useful as a guide for the development, evaluation, and/or procurement of products with IT security functionality. The CC is not useful in implementation because implementation scenarios can vary from organization to organization.

Enclave boundary for information assurance is defined as which of the following? 1. The point at which information enters an organization 2. The point at which information leaves an enclave 3. The physical location is relevant to an organization 4. The logical location is relevant to an enclave a. 1 and 3 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

d. The enclave boundary is the point at which information enters or leaves the enclave or organization. Due to multiple entry and exit points, a layer of protection is needed to ensure that the information entering does not affect the organization's operation or resources, and that the information leaving is authorized. Information assets exist in physical and logical locations and boundaries exist between these locations.

What is the most effective control against Active-X programs? a. Use digital signatures. b. Issue a policy statement. c. Accept only approved Active-X programs. d. Prohibit all Active-X programs.

d. The problem with Active-X programs is that users may download a program signed by someone with whom the user is unfamiliar. A policy statement about who can be trusted is difficult to implement. The most effective control is to prohibit all Active-X programs.

Which of the following is required for a distributed information system to support migration to new technology or upgrade of new features? 1. Modular design 2. Common language 3. Interoperability 4. Portability a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 1, 2, 3, and 4

d. The security design should be modular so that individual parts of the security design can be upgraded without the requirement to modify the entire system. The use of a common language (e.g., the Common Criteria) during the development of security requirements permits organizations to evaluate and compare security products and features. This evaluation can be made in a common test environment. For distributed information systems to be effective, security program designers should make every effort to incorporate interoperability and portability into all security measures, including hardware and software, and implementation practices.

Which of the following are the main approaches to mitigate risks in using active content? 1. Principles 2. Practices 3. Avoidance 4. Harm reduction a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

d. Two main approaches to mitigate the risks in using active content include avoidance, which is staying completely clear of known and potential vulnerabilities and harm reduction, which is applying measures to limit the potential loss due to exposure. The other three choices are incorrect because principles and practices are a part of security policy, which is a part of safeguards or controls.

Which of the following strategies is used to protect against risks and vulnerabilities at every stage of system, network, and product life cycles? a. Defense-in-breadth b. Defense-in-depth c. Defense-in-technology d. Defense-in-time

a. A defense-in-breadth strategy is used to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or product life cycle. This is accomplished through the use of complementary, mutually reinforcing security strategies to mitigate threats, vulnerabilities, and risks. Defense-in-depth uses layers of security, defense-in technology uses compatible technology platforms, and defense-in-time considers different time zones in the world to operate global information systems.

Which of the following is applied to all aspects of a system design or security solution? a. Policy b. Procedure c. Standard d. Control

a. A security policy is applied to all aspects of the system design or security solution. The policy identifies security goals (i.e., confidentiality, integrity, and availability) the system should support and theses goals guide the procedures, standards, and controls used in the IT security architecture design.

Which of the following cannot be initiated by untrusted software? a. Trusted channel b. Overt channel c. Security-compliant channel d. Exploitable channel

a. A trusted channel cannot be initiated by untrusted software due to its design. The other three choices are not as trustworthy as the trusted channel due to their design. An overt channel is a path within a computer system or network designed for the authorized data transfer. A security-compliant channel enforces the network policy. An exploitable channel is a covert channel intended to violate the security policy.

Which of the following IT platforms face a single point-of-failure situation? a. Wide-area networks b. Distributed systems c. Mainframe systems d. Websites

a. A wide-area network (WAN) is a data communication network that consists of two or more local-area networks (LANs) that are dispersed over a wide geographical area. Communications links, usually provided by a public carrier, enable one LAN to interact with other LANs. If redundant communication links are used, it is important to ensure that the links have physical separation and do not follow the same path; otherwise, a single incident, such as a cable cut, could disrupt both links. Similarly, if redundant communication links are provided through multiple network service providers (NSPs), it is important to ensure that the NSPs do not share common facilities at any point. Hence, the communication links and the network service providers can become a single point-of-failure for WANs. Distributed systems, mainframe systems, and websites do not have the single point-of-failure problems because WANs are more complicated.

An extensible markup language (XML) gateway-based service-oriented architecture's (SOA's) security features do not contain which of the following? a. Firewall b. Public key infrastructure c. Digital signature d. Encryption

a. An XML gateway-based SOA's security features include public key infrastructure (PKI), digital signatures, encryption, XML schema validation, antivirus, and pattern recognition. It does not contain a firewall feature; although, it operates like a firewall at the network perimeter.

Attackers installing spyware and connecting the computing platform to a botnet are examples of which of the following? a. Browser-oriented attacks b. Server-oriented attacks c. Network-oriented attacks d. User-oriented attacks

a. Attackers may take advantage of browser vulnerabilities in mobile code execution environments. Attackers may install spyware, connect the computing platform to a botnet, or modify the platform's configuration, which are examples of browser-oriented attacks.

Which of the following security services is n o t common between the availability security objective and the assurance security objective? a. Audit b. Authorization c. Access control enforcement d. Proof-of-wholeness

a. Audit security service is needed for the assurance security objective but not to the availability security objective. The other three choices are common to availability and the assurance security objective.

Which of the following security controls are needed to protect digital and nondigital media at rest on selected secondary storage devices? 1. Cryptography 2. Physical security controls 3. Locked storage container 4. Procedural security controls a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

a. Both digital and nondigital media should be protected with cryptography (encryption) and physical security controls when they are at rest on selected secondary storage devices. Locked storage containers and procedural security controls are not appropriate for media at rest.

Which of the following is not like active content? a. Character documents b. Trigger actions automatically c. Portable instructions d. Interpretable content

a. Broadly speaking, active content refers to electronic documents that, unlike past character documents based on ASCII, can carry out or trigger actions automatically without an individual directly or knowingly invoking the actions. Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Examples of active content include PostScript documents, Web pages containing Java applets and JavaScript instructions, proprietary desktop-application formatted files containing macros, spreadsheet formulas, or other interpretable content, and interpreted electronic mail formats having embedded code or bearing executable attachments. Electronic mail and Web pages accessed through the Internet provide efficient means for conveying active content, but they are not the only ones. Active content technologies span a broad range of products and services, and involve various computational environments including those of the desktop, workstations, servers, and gateway devices.

In an end user computing environment, what is the least important concern for the information security analyst? a. Data mining b. Data integrity c. Data availability d. Data usefulness

a. Data mining is a concept where the data is warehoused for future retrieval and use. Data mining takes on an important role in the mainframe environment as opposed to the personal computer (end user) environment. Management at all levels relies on the information generated by end user computer systems. Therefore, data security, integrity, availability, and usefulness should be considered within the overall business plans, requirements, and objectives. Data security protects confidentiality to ensure that data is disclosed to authorized individuals only. Data integrity addresses properties such as accuracy, authorization, consistency, timeliness, and completeness. Data availability ensures that data is available anywhere and anytime to authorized parties. Data usefulness ensures that data is used in making decisions or running business operations.

Which of the following statements is not true? A data warehouse is: a. Distributed b. Subject-oriented c. Time-variant d. Static in nature

a. Databases can be distributed, but not the data warehouse. A distributed data warehouse can have all the security problems faced by a distributed database. From a security viewpoint, data warehousing provides the ability to centrally manage access to an organization's data regardless of a specific location. A data warehouse is subject-oriented, time-variant, and static in nature.

Which of the following security services are applicable to the confidentiality security objective? a. Prevention services b. Detection services c. Correction services d. Recovery services

a. Only the prevention services are needed to maintain the confidentiality security objective. When lost, confidentiality cannot be restored. The other three choices do not apply to the confidentiality security objective.

The security services that provide for availability security objectives also provide for which of the following security objectives? a. Integrity b. Confidentiality c. Accountability d. Assurance

a. Examples of common security services between availability and integrity objectives include access authorization and access control enforcement. The primary availability services are those that directly impact the ability of the system to maintain operational effectiveness. One aspect of maintaining operational effectiveness is protection from unauthorized changes or deletions by defining authorized access and enforcing access controls. Operational effectiveness is also maintained by detecting intrusions, detecting loss of wholeness, and providing the means of returning to a secure state. The services that provide for availability also provide for integrity. This is because maintaining or restoring system integrity is an essential part of maintaining system availability. By definition, integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. By definition, availability means ensuring timely and reliable access to and use of data and information by authorized users. How is the data available to authorized users if it was deleted or destroyed? The security services provided to fulfill the security objectives of availability, confidentiality, accountability, and assurance together have nothing in common.

To mitigate the risks of using active content, which of the following is an example of a technical safeguard? a. Filters b. Incident response handling c. Security policy d. Risk analysis

a. Filters can examine program code at points of entry and block or disable it if deemed harmful. Examples of filters include ingress filtering, egress filtering, and intrusion detection systems. The other three choices are examples of management and operational safeguards (controls).

To mitigate the risks of using active content, which of the following is an example of hybrid technical safeguards? a. Proof carrying code and filters b. Security policy and security audit c. Version control and patch management d. System isolation and application settings

a. Hybrid technical safeguards combine more than one control. Blending the proof carrying code and filters is an example of hybrid technical safeguard. The blending of proof carrying code and software cage is known as model-carrying code. The other three choices are examples of management and operational safeguards.

Normal information can be reliably sent through all the following ways except: a. Increasing the bandwidth for a covert channel b. Using error correcting code c. Using a hamming code d. Introducing page faults at random

a. Increasing the bandwidth can make a covert channel noisy as one of the goals is to reduce its bandwidth. Covert channels are not only difficult to find, but also difficult to block. Normal information cannot be reliably sent through covert channels. The other three choices can send normal information reliably because they use an error correcting code (e.g., hamming code) or introducing page faults at random (i.e., modulating paging rates between 0 and 1).

The structured query language (SQL) server enables many users to access the same database simultaneously. Which of the following locks is held until the end of the transaction? a. Exclusive lock b. Page lock c. Table lock d. Read lock

a. It is critical to isolate transactions being done by various users to ensure that one user does not read another user's uncommitted transactions. Exclusive locks are held until the end of the transaction and used only for data modification operations. The SQL server locks either pages or entire tables, depending on the query plan for the transactions. Read locks are usually held only long enough to read the page and then are released. These are ways to prevent deadlocks when several users simultaneously request the same resource.

Polyinstantiation approaches are designed to solve which of the following problems in databases? a. Lack of tranquility b. Lack of reflexivity c. Lack of transitivity d. Lack of duality

a. Lack of tranquility exposes what has been called the "multiple update conflict" problem. Polyinstantiation approaches are the best solution to this problem. Tranquility is a property applied to a set of controlled entities saying that their security level may not change. The principle behind tranquility is that changes to an object's access control attributes are prohibited as long as any subject has access to the object. Reflexivity and transitivity are two basic information flow properties. Duality is a relationship between nondisclosure and integrity.

Which of the following is not a core part of defense-in-depth strategy? a. Least functionality b. Layered protections c. System partitioning d. Line-of-defenses

a. Least functionality or minimal functionality means configuring an information system to provide only essential capabilities and specifically prohibiting or restricting the use of risky (by default) and unnecessary functions, ports, protocols, and/or services. However, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, IT organizations limit component functionality to a single function per device (e.g., e-mail server or Web server, not both). Because least functionality deals with system usability, it cannot support the defense-in-depth strategy (i.e., protecting from security breaches). The concepts of layered protections, system partitioning, and line-of-defenses form a core part of security-in-depth or defense-in-depth strategy. By using multiple, overlapping protection mechanisms, the failure or circumvention of any individual protection approach will not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective protection of IT assets for the purpose of achieving its objectives. System partitioning means system components reside in separate physical domains. Managed interfaces restrict network access and information flow among partitioned system components. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.

In the trusted computing base (TCB) environment, which of the following is not a sufficient design consideration for implementing domain separation? a. Memory mapping b. Multistate hardware c. Multistate software d. Multistate compiler

a. Memory mapping, which is manipulating memory-mapping registers, alone is not sufficient to meet the domain separation requirement but may be used to enhance hardware isolation. The other three choices are examples of good design considerations.

Database application systems have similarities and differences from traditional flat file application systems. Database systems differ most in which of the following control areas? a. Referential integrity b. Access controls c. Data editing and validation routines d. Data recovery

a. Referential integrity means that no record may contain a reference to the primary key of a nonexisting record. Cascading of deletes, one of the features of referential integrity checking, occurs when a record is deleted and all other referenced records are automatically deleted. This is a special feature of database applications. The other three choices are incorrect because they are the same for flat file and database systems. They both need access controls to prevent unauthorized users accessing the system, they both need data editing and validation controls to ensure data integrity, and they both need data recovery techniques to recover from a damaged or lost file.

System assurance cannot be increased by which of the following? a. Applying more complex technical solutions b. Using more trustworthy components c. Limiting the extent of a vulnerability d. Installing nontechnical countermeasures

a. System assurance is grounds for confidence that an entity meets its security objectives as well as system characteristics that enable confidence that the system fulfills its intended purpose. Applying more complex technical solutions can create more complexity in implementing security controls. Simple solutions are better. The other three choices can increase system assurance.

Which of the following refers to logical system isolation solutions to prevent security breaches? 1. Demilitarized zones 2. Screened subnet firewalls 3. Electronic mail gateways 4. Proxy servers a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

a. System isolation means separating system modules or components from each other so that damage is eliminated or reduced. Layers of security services and mechanisms include demilitarized zones (DMZs) and screened subnet firewalls. E-mail gateways and proxy servers are examples of logical access perimeter security controls.

In the trusted computing base (TCB) environment, the compromise resulting from the execution of a Trojan horse can be examined from which of the following perspectives? a. Compromise from above b. Compromise from within c. Compromise from below d. Compromise from cross domains

a. The compromise resulting from the execution of a Trojan horse that misuses the discretionary access control (DAC) mechanism is an example of compromise from above. The other three choices do not allow such an examination. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from below occurs as a result of accidental failure of an underlying trusted component. Compromise from cross domains is not relevant here.

Which of the following is not a risk by itself for a Structured Query Language (SQL) server? a. Concurrent transactions b. Deadlock c. Denial-of-service d. Loss of data integrity

a. The concurrent transaction is not a risk by itself. The SQL server must ensure orderly access to data when concurrent transactions attempt to access and modify the same data. The SQL server must provide appropriate transaction management features to ensure that tables and elements within the tables are synchronized. The other three choices are risks resulting from handling concurrent transactions.

Which of the following storage methods for file encryption system (FES) is the least expensive solution? a. Public key cryptography standard b. Key encryption key c. Hardware token d. Asymmetric user owned private key

a. The file encryption system (FES) uses a single symmetric key to encrypt every file on the system. This single key is generated using the public key cryptography standard (PKCS) from a user's password; hence it is the least expensive solution. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner's asymmetric private key. It requires either a user password or a user token.

Which of the following storage methods for file encryption system (FES) is less secure? a. Public key cryptography standard b. Key encryption key c. Hardware token d. Asymmetric user owned private key

a. The public key cryptography standard (PKCS) is less secure because the security is dependent only on the strength of the password used. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner's asymmetric private key. It requires either a user password or a user token.

Which of the following provides additional security for storing symmetric keys used in file encryption to prevent offline exhaustion attacks? a. Encrypt the split keys using a strong password. b. Store the random keys on the computer itself or on the hardware token. c. After a key split, store one key component on the computer itself. d. After a key split, store the other key component on the hardware token.

a. When a key is split between the hardware token and the computer, an attacker needs to recover both pieces of hardware to recover (decrypt) the key. Additional security is provided by encrypting the key splits using a strong password to prevent offline exhaustion attacks.

Use of cookies on the Web raises which of the following? a. Integrity issue b. Privacy issue c. Connectivity issue d. Accountability issue

b. Cookies were invented to enable websites to remember its users from visit to visit. Because cookies collect personal information about the Web user, it raises privacy issues such as what information is collected and how it is used. Cookies do not raise integrity, connectivity, or accountability issues.

To mitigate the risks of using active content, which of the following is an example of a technical safeguard? a. Version control b. Digital signatures c. Patch management d. System isolation

b. Digital signatures can prevent a program code execution unless it is digitally signed by a trusted source (a technical safeguard). The other three choices are examples of management and operational safeguards.

Transaction management mechanisms are applied to ensure that a structured query language (SQL) database remains in a consistent state at all times. Which of the following SQL statements is not part of the transaction management functions? a. Rollback b. Roll-forward c. Commit d. Savepoint

b. A database may be in a consistent or inconsistent state. A consistent state implies that all tables (or rows) reflect some real-world change. An inconsistent state implies that some tables (or rows) have been updated but others still reflect the old world. A transaction management mechanism enables the database to return to the previous consistent state if an error occurs. Roll-forward restores the database from a point in time when it is known to be correct to a later time. Rollback is incorrect because the rollback statement terminates a transaction and cancels all changes to the database, including data or schema changes. This returns the database to the previous consistent state. Commit is incorrect because the commit statement terminates a transaction and commits all changes to the database, including both data and schema changes. This makes the changes available to other applications. If a commit statement cannot complete a transaction successfully, for example, a constraint is not met, an exception is raised, and an implicit rollback is performed. Savepoint is incorrect because the savepoint feature enables a user to mark points in a transaction, creating subtransactions. With this feature, a user can roll back portions of a transaction without affecting other subtransactions.

Which of the following IT platforms most often face a single point-of-failure situation? a. Desktop computers b. Local-area networks c. Servers d. Websites

b. A local-area network (LAN) is owned by a single organization; it can be as small as two PCs attached to a single hub, or it may support hundreds of users and multiple servers. LANs are subject to single point-of-failures due to threats to cabling system, such as cable cuts, electromagnetic and radio frequency interferences, and damage resulting from fire, water, and other hazards. As a result, redundant cables may be installed when appropriate. Desktop computers, servers, and websites do not face single point-of-failure problems as LANs do, but they have problems in backing up data and storing the data at an offsite location. The other three choices need data backup policies, load balancing procedures, and incident response procedures.

A system employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information. Which of the following fits this description? a. Boundary system b. Trusted system c. Open system d. Closed system

b. A trusted system employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information. A boundary system can establish external boundaries and internal boundaries to monitor and control communications between systems. A boundary system employs boundary protection devices (e.g., proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels) at managed interfaces. An open system is a vendor-independent system designed to readily connect with other vendors' products. A closed system is the opposite of an open system in that it uses a vendor-dependent system.

Which of the following exists external to the trusted computing base (TCB)? a. Memory channel b. Exploitable channel c. Communications channel d. Security-compliant channel

b. An exploitable channel is a covert channel usable or detectable by subjects external to the trusted computing base (TCB). The other three choices are incorrect because they do not exist external to the TCB. A memory channel is based on CPU capacity. A communication channel is the physical media and devices that provide the means for transmitting information from one component of a network to other components. A security-compliant channel enforces the network policy.

Enforcement of a system's security policy does not imply which of the following? a. Consistency b. Efficiency c. Reliability d. Effectiveness

b. Assurance of trust requires enforcement of the system's security policy. Enforcement implies consistency, reliability, and effectiveness. It does not imply efficiency because effectiveness is better than efficiency.

Which of the following is a true statement about Active-X content? 1. It is language-dependent. 2. It is platform-specific. 3. It is language-independent. 4. It is not platform-specific. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1 and 4

b. Because Active-X is a framework for Microsoft's software component technology, it is platform-specific in that Active-X contents can be executed on a 32-bit or 64-bit Windows platform. It is language-independent because Active-X contents can be written in several different languages, including C, C++, Visual Basic, and Java. Note that Java, Active-X, and plug-ins can be malicious or hostile.

Typically, computer architecture does not cover which of the following? a. Operating systems b. Business application systems c. Computer memory chips d. Hardware circuits

b. Computer architecture covers operating systems, computer memory chips, and hardware circuits to make the computer run. However, it does not cover business application systems because they are required to perform a business task or function. Business application systems by themselves do not make the computer run.

For information assurance vulnerabilities, what is independent validation of an information system conducted through?: a. Penetration testing b. Conformance testing c. Red team testing d. Blue team testing

b. Conformance testing is a type of compliance testing conducted by independent parties to ensure management that system specifications are followed through validation, which may include testing. For example, conformance testing is conducted on a cryptographic module against its cryptographic algorithm standards. Penetration testing is conducted either by a red team or blue team.

Restricting the use of dynamic port allocation routines is a part of which of the following to secure multi-user and multiplatform environments? a. Management controls b. Technical controls c. Physical controls d. Procedural controls

b. Controlling the multi-user and multiplatforms requires technical controls such as restricting the use of dynamic port allocation routines. Technical controls are implemented through security mechanisms contained in the hardware, software, or firmware components of a system. Management controls deal with risk management, policies, directives, rules of behavior, accountability, and personnel security decisions. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures, where they are implemented and executed by people, not by systems.

Security domains do not contain which of the following key elements? a. Flexibility b. Domain parameters c. Tailored protections d. Domain inter-relationships

b. Domain parameters are used with cryptographic algorithms that are usually common to a domain of users (e.g., DSA or ECDSA). Security domains can be physical or logical and hence domain parameters are not applicable. Security domain is a system or subsystem that is under the authority of a single trusted authority. These domains may be organized (e.g., hierarchically) to form larger domains. The key elements of security domains include flexibility, tailored protections, domain inter-relationships, and the use of multiple perspectives to determine what is important in IT security.

Which of the following statements are true about the operation of a trusted platform module (TPM) chip? 1. TPM chip is circumvented when it is shut off with physical access. 2. TPM chip has an owner password to protect data confidentiality. 3. TPM data is not cleared when the TPM chip is reset after the password is lost. 4. TPM data or owner password should be backed up to an alternative secure location. a. 1 and 3 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

b. Each trusted platform module (TPM) chip requires an owner password to protect data confidentiality. Hence, the selected passwords should be strong. Either the owner password or the data on the TPM should be backed up to an alternative secure location. The TPM chip cannot be circumvented even after it is shut off by someone with physical access to the system because the chip is residing on the computer motherboard. If the owner password is lost, stolen, or forgotten, the chip can be reset by clearing the TPM, but this action also clears all data stored on the TPM.

Which of the following provides a centralized approach to enforcing identity and security management aspects of service-oriented architecture (SOA) implementation using Web services? a. Unified modeling language (UML) b. Extensible markup language (XML) gateways c. Extended hypertext markup language (XHTML) d. Extensible access control markup language (XACML)

b. Extensible markup language (XML) gateways are hardware- or software-based solutions for enforcing identity and security for SOA. An XML gateway is a dedicated application that enables a more centralized approach at the network perimeter. The other three choices do not provide identity and security management features. UML simplifies the complex process of software design. XHTML is a unifying standard that brings the benefits of XML to those of HTML. XACML is a general-purpose language for specifying access control policies.

All of the following are the most simplest and practical approaches to controlling active content documents and mobile code except: a. Isolation at the system level b. Isolation at the physical level c. Isolation at the program level d. Isolation at the logical level

b. Isolation can be applied at various levels to minimize harm or damage resulting from inserting malicious hidden code. The simplest one is complete isolation at the system level (high level) and the hardest one is at the physical level (low level) when controlling the active content documents and mobile code. Physical level means being close to the PC/workstation's hardware, circuits, and motherboards, which is not practical with remote computing. This means physical isolation is not always possible due to location variables. Regarding system level isolation, a production computer system that is unable to receive active content documents cannot be affected by malicious hidden code insertions. Logical level isolation consists of using router settings or firewall rulesets. Program level isolation means isolating tightly bounded, proprietary program components. By integrating products from different manufacturers, you can effectively isolate program components from not using the standard documented interfaces.

Which of the following is an example of the last line-of-defense? a. Perimeter barriers b. Property insurance c. Separation of duties d. Integrity verification software

b. Property insurance against natural or manmade disasters is an example of the last line-ofdefense, whereas the other three choices are examples of the first line-of-defense mechanisms. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

For the payment card industry data security standard (PCI-DSS), which of the following security controls cannot meet the control objective of maintaining a vulnerability management program? a. Regularly update antivirus software. b. Protect stored cardholder data. c. Maintain secure operating systems. d. Maintain secure application systems.

b. Protecting stored cardholder data meets a different control objective than protecting cardholder data, not the one in the question. The other three choices meet the control objective of maintaining a vulnerability management program.

Which one of the following is not related to the others? a. Sandbox b. S-box c. Dynamic sandbox d. Behavioral sandbox

b. S-box is a nonlinear substitution table box used in several byte substitution transformations in the cryptographic key expansion routine to perform a one-for-one substitution of a byte value. S-box is not related to the three choices. An application in a sandbox is usually restricted from accessing the file system or the network (e.g., JavaApplet). Extended technologies of a sandbox include dynamic sandbox or runtime monitor (i.e., behavioral sandbox), which are used in software cages and proof carrying code to protect against active content and for controlling the behavior of mobile code.

From a security viewpoint, which of the following acts like a first line-of-defense? a. Remote server b. Web server c. Firewall d. Secure shell program

c. A firewall can serve as a first line-of-defense but by no means can it offer a complete security solution. A combination of controls is needed to supplement the firewall's protection mechanism. The other three choices cannot act like a first line-of-defense. Both remote server and Web server are often the targets for an attacker. A secure shell program replaces the unsecure programs such as rlogin, rsh, rcp, Telnet, and rdist commands with a more secure version that adds authentication and encryption mechanisms to provide for greater security.

All the following are factors favoring acceptability of a covert channel except: a. Floating label b. Low bandwidth c. Fixed label d. Absence of application software

c. A fixed label contains a subject's maximum security label, which dominates that of the floating label. Hence, a fixed label does not favor acceptability of a covert channel. The other three choices favor a covert channel.

In which of the following security operating models is the minimum user clearance not cleared and the maximum data sensitivity not classified? a. Dedicated security mode b. Limited access mode c. System high-security mode d. Partitioned mode

b. Security policies define security modes. A security mode is a mode of operation in which management accredits a computer system to operate. One such mode is the limited access mode, in which the minimum user clearance is not cleared and the maximum data sensitivity is not classified but sensitive. Dedicated security mode is incorrect. It is the mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time. System high-security mode is incorrect. It is the mode of operation in which system hardware or software is trusted to provide only need-to-know protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored. All system users in this environment must possess clearances and authorizations for all information contained in the system, and all system output must be clearly marked with the highest classification and all system caveats, until the information has been reviewed manually by an authorized individual to ensure appropriate classifications and caveats have been affixed. Partitioned mode is incorrect. It is a mode of operation in which all persons have the clearance, but not necessarily the need-to-know and formal access approval, for all data handled by a computer system.

Which of the following security principles does not work effectively? a. Security-by-rules b. Security-by-obscurity c. Deny-by-default d. Data-by-hiding

b. Security-by-obscurity is a countermeasure principle that does not work effectively in practice because attackers can compromise the security of any system at any time. This means trying to keep something secret when it is not does more harm than good. The other three choices work effectively. Security-by-rules and data-by-hiding are commonly accepted security principles. Deny-by-default is blocking all inbound and outbound traffic that has not been expressly permitted by firewall policy.

Software re-engineering is where: a. Software engineering techniques are applied to fix the old software. b. The existing system is analyzed and new functionality is added. c. The existing programming code is manually converted to a database. d. Software engineering techniques are applied to design a new system.

b. Software re-engineering is an approach for adding new functionality to an existing system. Unlike reverse software engineering, which aims to recycle existing specifications into an entirely new system, software re-engineering extends the functionality of a system without recreating it. Software engineering is the use of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software; that is, the use of engineering principles in the development of software. It uses a combination of automated and manual tools, techniques, and procedures.

Which of the following provides key cache management to protect keys used in encrypted file system (EFS)? a. Trusted computer system b. Trusted platform module chip c. Trusted computing base d. Trusted operating system

b. The trusted platform module (TPM) chip, through its key cache management, offers a format for protecting keys used in encrypted file system (EFS). The TPM chip, which is a specification, provides secure storage of keys on computers. The other three choices do not provide key cache management.

Which of the following can lead to a single point-of-failure? a. Decentralized identity management b. Universal description, discovery, and integration registry c. Application programming interface d. Web services description language

b. The universal description, discovery, and integration (UDDI) registry in Web services supports listing of multiple uniform resource identifiers (URIs) for each Web service. When one instance of a Web service has failed, requesters can use an alternative URI. Using UDDI to support failover causes the UDDI registry to become a single point-of-failure. Centralized identity management, not decentralized identity management, is vulnerable to a single point-of-failure. Application programming interface (API) and Web services description language (WSDL) are not vulnerable to a single point-of-failure because API is defined as a subroutine library, and WSDL complements the UDDI standard.

In the encrypted file system (EFS) environment, which of the following is used to secure the storage of key encryption keys on the hard drive? a. Trusted computer system b. Trusted platform module chip c. Trusted computing base d. Trusted operating system

b. Using the trusted platform module (TPM) chip, the key encryption keys are securely stored on the TPM chip. This key is also used to decrypt each file encryption key. The other three choices do not provide secure storage of the key encryption key.

A buffer overflow attack is an example of which of the following threat category that applies to systems on the Internet? a. Browser-oriented b. User-oriented c. Server-oriented d. Network-oriented

c. A buffer overflow attack is a (i) method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory, and (ii) condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit these methods and conditions through servers to crash a system or to insert specially crafted code that allows them to gain control of the system. Subtle changes introduced into the Web server can radically change the server's behavior (for example, turning a trusted entity into a malicious one), the accuracy of the computation (for example, changing computational algorithms to yield incorrect results), or the confidentiality of the information (for example, disclosing collected information). The other three choices are incorrect because they do not involve buffer overflow attacks. Web browser-oriented threats can launch attacks against Web browser components and technologies. Web-based applications often use tricks, such as hidden fields within a form, to provide continuity between transactions, which may provide an avenue of attack. Examples of useroriented threats include social engineering. Examples of network-oriented threats include spoofing, masquerading, and eavesdropping attacks.

A flaw in a computer system is exploitable. Which of the following provides the best remedy? a. Hire more IT security analysts. b. Hire more IT system auditors. c. Install more IT layered protections. d. Hire more IT security contractors.

c. Layered security protections (defense-in-depth) can be installed to prevent exploitability. Architectural system design can also help prevent exploitability. Layered security protections include least privilege, object reuse, process separation, modularity, and trusted systems. The other three choices do not provide best remedy.

Which of the following is most susceptible to a single point-of-failure? a. Quarantine server b. Proxy server c. Centralized authentication server d. Database server

c. A single sign-on (SSO) solution usually includes one or more centralized authentication servers containing authentication credentials for many users. Such a server becomes a single point-of-failure for authentication to many resources, so the availability of the server affects the availability of all the resources that they rely on the server for authentication services. Also, any compromise of the server can compromise authentication credentials for many resources. The servers in the other three choices do not contain authentication credentials.

Usually, a trusted path is not employed for which of the following? a. To provide authentication b. To provide reauthentication c. To protect cryptographic keys d. To protect user login

c. A trusted path is employed for high confidence connections between the security functions of the information system (i.e., authentication and reauthentication) and the user (e.g., for login). A trusted path cannot protect cryptographic keys. On the other hand, a trusted platform module (TPM) chip is used to protect small amounts of sensitive information (e.g., passwords and cryptographic keys).

A trusted platform module (TPM) chip can protect which of the following? 1. Digital signatures 2. Digital certificates 3. Passwords 4. Cryptographic keys a. 1 and 2 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

c. A trusted platform module (TPM) chip is a tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys. The TPM chip cannot protect the digital signatures and certificates because they require complex cryptographic algorithms for digital signature generation and verification and for validating the digital certificates.

Web spoofing using the man-in-the-middle attack is an example of which of the following? a. Browser-oriented attacks b. Server-oriented attacks c. Network-oriented attacks d. User-oriented attacks

c. An attacker can gain information by masquerading as a Web server using a man-in-themiddle (MitM) attack, whereby requests and responses are conveyed via the imposter as a watchful intermediary. Such a Web spoofing attack enables the imposter to shadow not only a single targeted server, but also every subsequent server accessed on the network.

Which of the following storage methods for file encryption system (FES) is highly secure? a. Public key cryptography standard b. Key encryption key c. Hardware token d. Asymmetric user owned private key

c. Because of the key split, hardware tokens are highly secure if implemented correctly. The other three choices are not highly secure. The public key cryptography standard (PKCS) generates a single key from a user's password. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner's asymmetric private key. It requires either a user password or a user token.

From an information security viewpoint, a Security-in-Depth strategy means which of the following? a. User training and awareness b. Policies and procedures c. Layered protections d. Redundant equipment

c. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach does not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective security of IT assets to achieve an organization's security objectives. The other three choices are part of the layered protections.

For a trusted computing base (TCB) to enforce the security policy, it must contain which of the following? a. Single-layer and separate domain b. Privileged user and privileged process c. Tamperproof and uncompromisable d. Trusted rule-base and trusted program

c. For a trusted computing base (TCB) to enforce the security policy, the TCB must be both tamperproof and uncompromisable. The other three choices are not strong.

To mitigate the risks of using active content, which of the following is an example of hybrid technical safeguards? a. Risk analysis and security management b. Layered defenses and security policy c. Software cages and digital signatures d. Minimal functionality and least privilege

c. Hybrid safeguards combine more than one control. Combining software cages and digital signatures is an example of hybrid technical safeguard. The other three choices are examples of management and operational safeguards.

In the trust hierarchy of a computer system, which of the following is least trusted? a. Operating system b. System user c. Hardware/firmware d. Application system

c. In a computer system, trust is built from the bottom layer up, with each layer trusting all its underlying layers to perform the expected services in a reliable and trustworthy manner. The hardware/firmware layer is at the bottom of the trust hierarchy and is the least trusted. The system user layer is at the top of the trust hierarchy and is the most trusted. For example, the users trust the application system to behave in the manner they expect of it. The layers from the top to the bottom include system user, application system, operating system, and hardware/firmware.

Which of the following statement is not true about operating system security services as a part of multilayer distributed system security services? a. Security services do not exist at any one level of the OSI model. b. Security services are logically distributed across layers. c. Each layer is supported by higher layers. d. Security services are physically distributed across network.

c. In multilayer distributed system security services, cooperating service elements are distributed physically across network and logically across layers. Operating system security services (lower layer) underlie all distributed services, and above it are the logical levels of middleware, user-application, and client-server security services (higher layers). System security can be no stronger than the underlying operating system. Each layer depends on capabilities supplied by lower layers, directly on operating system mechanisms. Hence, it is not true that each layer in a multilayer distributed system is supported by higher layers. The other choices are true statements.

From a security risk viewpoint, which of the following situations is not acceptable? a. Fail in a known state b. Return to an operational state c. Fail in a safe but unknown state d. Restore to a secure state

c. It is not good to assume that an unknown state is safe until proven because it is risky. The other three choices are examples of acceptable situations because of little or no risk.

Covert channel analysis is not meaningful for which of the following? a. Cross-domain systems b. Multilevel secure systems c. Multilayer systems d. Multiple security level systems

c. Multilayer systems are distributed systems requiring cooperating elements distributed physically and logically across the network layers. Covert channel analysis is not meaningful for distributed systems because they are not the usual targets for covert storage and timing channels. The other three choices are good candidates for covert channel analysis and should be tested on all vendor-identified covert channel targets.

Organizations should not design which of the following? a. Operating system-independent application systems b. Virtualization techniques c. Operating system-dependent applications d. Virtualized networking

c. Organizations should design operating system-independent application systems because they can run on multiple operating system platforms. Such applications provide portability and reconstitution on different platform architectures, increasing the availability or critical functionality while operating system-dependent application systems are under attack. Virtualization techniques provide the ability to disguise information systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. Virtualized networking is a part of virtualization techniques.

Which of the following is an example of second line-of-defense? a. System isolation techniques b. Minimum security controls c. Penetration testing d. Split knowledge procedures

c. Penetration testing (e.g., blue team or red team testing) against circumventing the security features of a computer system is an example of the second line-of-defense. The other three choices are examples of the first line-of-defense mechanisms. Penetration testing follows vulnerability scanning and network scanning, where the latter are first line-ofdefenses. Penetration testing either proves or disproves the vulnerabilities identified in vulnerability/network scanning. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

To mitigate the risks of using active content, which of the following is an example of a technical safeguard? a. Virtualization b. Isolate proprietary program components c. Proof carrying code d. Isolate tightly bounded programs

c. Proof carrying code (a technical safeguard) contains the safety properties of the program code. The code and the proof are sent together to the code consumer (user) where the safety properties can be verified before the code is executed. The other three choices are examples of management and operational safeguards.

Which of the following eliminates single point-of-failure? a. SCSI b. PATA c. RAID d. SATA

c. Redundant arrays of independent disks (RAID) protect from single points-of-failure. RAID technology provides greater data reliability through redundancy—data can be stored on multiple hard drives across an array, thus eliminating single points-of-failure and decreasing the risk of data loss significantly. RAID systems often dramatically increase throughput of both reading and writing as well as overall capacity by distributing information across multiple drives. Initially, RAID controllers were based on using small computer systems interface (SCSI), but currently all common forms of drives are supported, including parallel-ATA (PATA), serial-ATA (SATA), and SCSI.

In general, which of the following is legal under reverse-engineering practices? a. Reverse-engineer computer software with intent to launch commercially with similar design. b. Reverse-engineer the design of computer chips for duplication. c. Reverse-engineer a computer program to see how it works and what it does. d. Reverse-engineer the basic input/output system of a personal computer for duplication.

c. Reverse engineering is the process of analyzing a subject system to identify the system's components and their interrelationships and create representations of the system in another form or at a higher level of abstraction. Some shrink-wrap agreements contain an express prohibition on reverse engineering, decompilation, or disassembly. The correct answer does not hurt the software copyright owner, and it is legal. The other three choices are based on bad intentions on the part of the user and hence can be illegal.

Which of the following assumes that control over all or most resources is possible? a. Security and quality b. Reliability and availability c. Security and survivability d. Integrity and durability

c. Security and survivability requirements are based on the bounded system concept, which assumes that control over all resources is possible. Security and survivability must be part of the initial design to achieve the greatest level of effectiveness. Security should not be something added on later to improve quality, reliability, availability, integrity, or durability or when budget permits or after an attack has already occurred.

What does implementing security functions in an information system using a layered structure mean? 1. Using multilevel secure systems 2. Using multiple security level systems 3. Avoiding any dependence by lower layers on the functionality of higher layers 4. Minimizing interactions between layers of the design a. 1 and 3 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

c. Security functions in an information system should be implemented by using a layered structure that minimizes interactions between layers of the design and that avoids any dependence by lower layers on the functionality or correctness of higher layers. Multilevel or multiple levels do not have interactions or dependencies as the layers do because they deal with security clearances and access authorizations.

Which of the following is not an example of a first line-of-defense? a. Physical security b. Network monitors c. Software testing d. Quality assurance

c. Software testing is a last line-of-defense because it is the last step to ensure proper functioning of security controls. After testing, the system is implemented and ready to operate in the real world. The other three choices provide first lines-of-defense. Physical security with security guards and keys and locks can prevent threats. Network monitors can protect against spoofing. Quality assurance programs can improve quality in products and processes through upfront planning.

Which of the following creates a covert channel? a. Use of fixed labels b. Use of variable labels c. Use of floating labels d. Use of nonfloating labels

c. The covert channel problem resulting from the use of floating labels can lead to erroneous information labels but cannot be used to violate the access control policy enforced by the fixed labels. A fixed label contains a "sensitivity" level and is the only label used for access control. The floating label contains an "information" level that consists of a second sensitivity level and additional security markings.

For the payment card industry data security standard (PCI-DSS), which of the following security controls cannot meet the control objectives of building and maintaining a secure network? a. Install firewall configurations. b. Do not use defaults for system passwords. c. Encrypt transmission of cardholder data. d. Do not use defaults for security parameters.

c. The encryption of transmission of cardholder data across open, public networks meets a different control objective of protecting cardholder data, not the control objective of building and maintaining a secure network. The other three choices meet the objective of building and maintaining a secure network.

All the following are outside the scope of the Common Criteria (CC) except: a. Evaluation scheme b. Evaluation methodology c. Evaluation base d. Certification processes

c. The evaluation base, consisting of an assessment of a protection profile (PP), a security target (ST), or a target of evaluation (TOE) against defined criteria, is within the scope of the Common Criteria (CC). The evaluation scheme, evaluation methodology, and certification processes are the responsibility of the evaluation authorities that run evaluation schemes and are outside the scope of the CC. The CC for IT security evaluation is the new standard for specifying and evaluating the security features of computer products and systems globally. The CC is intended to replace previous security criteria used in North America and Europe with a standard that can be used everywhere in the world effectively since early 1999.

Which of the following storage methods for file encryption system (FES) is more expensive? a. Public key cryptography standard b. Key encryption key c. Hardware token d. Asymmetric user owned private key

c. The file encryption system (FES) uses per-file encryption keys that are split into two components that will be an Exclusive-Or operation (XORed) to re-create the key, with one key component stored on hardware token and the other key component derived from a password using the public key cryptography standard (PKCS) to derive the key. Because of the key split, hardware tokens are more expensive. The public key cryptography standard (PKCS) generates a single key from a user's password. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner's asymmetric private key. It requires either a user password or a user token.

Distributed system security services can be no stronger than the underlying: a. Hardware components b. Firmware components c. Operating system d. Application system

c. The operating system security services underlie all distributed services. Therefore, distributed system security can be no stronger than the underlying operating system.

Regarding cryptographic modules, which of the following refers to verifying the design between a formal model and functional specifications? a. Proof-of-wholeness b. Proof-of-origin c. Proof-of-correspondence d. Proof-of-correctness

c. The proof-of-correspondence deals with verifying the design between a formal model and the functional specifications. A proof-of-wholeness is having all of an object's parts or components include both the sense of unimpaired condition (i.e., soundness) and being complete and undivided (i.e., completeness). It applies to preserving the integrity of objects in that different layers of abstraction for objects cannot be penetrated, and their internal mechanisms cannot be modified or destroyed. A proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proof-of-origin. A proof-of-correctness applies mathematical proofs-of-correctness to demonstrate that a computer program conforms exactly to its specifications and to prove that the functions of the computer programs are correct.

Which of the following can increase emanation attacks? a. Greater separation between the system and the receiver b. Higher signal-to-noise ratio c. Wireless local-area network connections d. More workstations of the same type in the same location

c. The trend toward wireless local-area network (WLAN) connections can increase the likelihood of successful interception leading to emanation attack. The other three choices decrease the emanation attacks.

In the trusted computing base (TCB) environment, resource isolation does not mean which of the following? a. Containment of subjects and objects b. Protection controls of the operating system c. Imposition of mandatory access control d. Auditing of subjects and objects

c. The trusted computing base (TCB) imposes discretionary access controls (DACs) and not mandatory access controls (MACs). The other three choices, along with discretionary access controls, provide resource isolation.

Time-to-exploitation metric can be used to determine the presence of which of the following? a. Memory channel b. Communications channel c. Covert channel d. Exploitable channel

c. Time-to-exploitation metric is measured as the elapsed time between when the vulnerability is discovered and the time it is exploited. Covert channels are usually exploitable. The other three choices are a part of the covert channel.

A system is in a failure state when it is not in a: 1. Protection-state 2. Reachable-state 3. System-state 4. Initial-state a. 1 or 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. A system must be either in a protection-state or reachable-state. If not, the system is in a failure state. The protection state is a part of system-state, whereas the reachable-state is obtained from an initial-state.

A trusted channel can be realized in which of the following ways? 1. A communication pathway between the cryptographic module and the local endpoints 2. A cryptographic mechanism that does not allow misuse of transitory sensitive security parameters (SSPs) 3. A cryptographic mechanism to protect SSPs during input 4. A cryptographic mechanism to protect SSPs during output a. 1 only b. 2 only c. 1 and 2 d. 1, 2, 3, and 4

d. A trusted channel can be realized as follows: It is a communication pathway between the cryptographic module and endpoints that is entirely local, directly attached to the cryptographic module, and has no intervening systems. It is a mechanism that cryptographically protects SSPs during entry and output. It does not allow misuse of any transitory SSPs.

The accountability security objective does not need which of the following security services? a. Audit b. Nonrepudiation c. Access control enforcement d. Transaction privacy

d. Transaction privacy is a security service that fulfills the confidentiality security objective. The other three choices fulfill the accountability security objective.

A trusted channel will not allow which of the following attacks? 1. Man-in-the-middle attack 2. Eavesdropping 3. Replay attack 4. Physical and logical tampering a. 1 and 2 b. 1 and 3 c. 1, 2, and 3 d. 1, 2, 3, and 4

d. A trusted channel is a mechanism through which a cryptographic module provides a trusted, safe, and discrete communication pathway for sensitive security parameters (SSPs) and communication endpoints. A trusted channel protects against man-in-the-middle (MitM) attacks, eavesdropping, replay attacks, and physical and logical tampering by unwanted operators, entities, processes, devices, both within the module and along the module's communication link.

In organizations, isolating the information system security functions from nonsecurity functions is achieved through: 1. Hardware separation 2. Independent modules 3. Layered structure 4. Minimal interactions a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. An information system isolates security functions from nonsecurity functions by means of partitions and domains, including control of access to and integrity of the hardware, software, and firmware that perform those security functions. The system maintains a separate execution domain (e.g., address space) for each executing process. It employs hardware separation techniques, divides the access control and information flow functions, maintains security functions in largely independent modules that avoid unnecessary interactions between modules, and maintains security functions in a layered structure minimizing interactions between layers of the design.

Countermeasures against emanation attacks include which of the following? 1. High watermark policy 2. Information label 3. Control zones 4. White noise a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

d. Control zones and white noise are countermeasures against emanation attacks. A control zone is the space surrounding equipment processing sensitive information that is under sufficient physical and technical control to prevent an unauthorized entry or compromise. White noise is a distribution of uniform spectrum of random electrical signals so that an intruder cannot decipher real data from random (noise) data due to use of constant bandwidth. A high watermark policy is used to maintain an upper bound on fused data. An information label results from a floating label. The high watermark policy, information label, and floating label are part of a covert channel.

Which of the following is an example of last line-of-defense? a. Quality assurance b. System administrators c. Physical security controls d. Employee bond coverage

d. Employee bond coverage is a form of insurance against dishonest behavior and actions and is an example of the last line-of-defense. The other three choices are examples of the first line-of-defense mechanisms. The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.

For cryptographic modules, additional life-cycle assurance is provided through which of the following? 1. Automated configuration management 2. Detailed design 3. Low-level testing 4. Operator authentication a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. For cryptographic modules, additional life-cycle assurance is provided through automated configuration management, detailed design, low-level testing, and operator authentication using vendor-provided authentication information.

Most spyware detection and removal utility software specifically looks for which of the following? a. Encrypted cookies b. Session cookies c. Persistent cookies d. Tracking cookies

d. Information collected by tracking cookies is often sold to other parties and used to target advertisements and other directed content at the user. Most spyware detection and removal utility software specifically looks for tracking cookies on systems. Encrypted cookies are incorrect because they protect the data from unauthorized access. Session cookies are incorrect because they are temporary cookies that are valid only for a single website session. Persistent cookies are incorrect because they are stored on a computer indefinitely so that a website can identify the user during subsequent visits.

Memory protection is achieved through which of the following? 1. System partitioning 2. Nonmodifiable executable programs 3. Resource isolation 4. Domain separation a. 1 and 2 b. 1 and 4 c. 3 and 4 d. 1, 2, 3, and 4

d. Memory protection is achieved through the use of system partitioning, nonmodifiable executable programs, resource isolation, and domain separation. Inadequate protection of memory leads to many security breaches through the operating system and applications.

To mitigate the risks of using active content, which of the following is an example of a technical safeguard? a. Security audit b. Evaluated technology c. Application settings d. Software cages

d. Software cages or quarantine mechanisms (technical safeguards) can constrain a program's code behavior during its execution by dynamically intercepting and thwarting attempts by the subject code to take unacceptable actions that violate security policy. The other three choices are examples of management and operational safeguards.

The IT architecture and system security design should focus first on which of the following? a. Information availability b. Hardware availability c. Software availability d. System availability

d. System availability, which includes hardware availability and software availability, should be the first focus, and information availability should be the next focus because a system contains information, not the other way around.

Regarding cryptographic modules, the implementation of a trusted channel protects which of the following? 1. Plaintext critical security parameters 2. Cryptographic module software 3. Use of untrusted software 4. Spoofing by a remote system a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The implementation of a trusted channel protects plaintext critical security parameters (CSPs) and the software of the cryptographic module from other untrusted software that may be executing on the system. The trusted channel also protects from spoofing by a remote system.

Which of the following can limit the number of network access points to an information system that enables monitoring of inbound and outbound network traffic? a. Trusted path b. Trusted computer system c. Trusted computing base d. Trusted Internet connection

d. The trusted Internet connection (TIC) initiative is an example of limiting the number of managed network access points. The other three choices do not limit the number of network access points.

In a public cloud computing environment, which of the following provides server-side protection? a. Encrypted network exchanges b. Plug-ins and add-ons c. Keystroke loggers d. Virtual firewalls

d. Virtual firewalls can be used to isolate groups of virtual machines from other hosted groups, such as the production system from the development system or the development system from other cloud-resident systems. Hardening of the operating system and applications should occur to produce virtual machine images for deployment. Carefully managing virtual machine images is also important to avoid accidentally deploying images under development or containing vulnerabilities. Plug-ins, add-ons, backdoor Trojan viruses, and keystroke loggers are examples of client-side risks or threats to be protected from. Encrypted network exchanges provide client-side protection.