CISSP Questions
1. Name at least three access control types.
1. Access control types include preventive, detective, corrective, deterrent, recovery, directive, and compensating access controls. They are implemented as administrative controls, logical/technical controls, and/or physical controls.
1. What is a computer crime? A. Any attack specifically listed in your security policy B. Any illegal attack that compromises a protected computer C. Any violation of a law or regulation that involves a computer D. Failure to practice due diligence in computer security
1. C. A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer either as the target or as a tool.
1. Many PC operating systems provide functionality that enables them to support the simultaneous execution of multiple applications on single-processor systems. What term is used to describe this capability? A. Multiprogramming B. Multithreading C. Multitasking D. Multiprocessing
1. C. Multitasking is processing more than one task at the same time. In most cases, multitasking is simulated by the operating system even when not supported by the processor.
1. What is the major difference between a virus and a worm?
1. Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible. However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate. Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.
3. Describe the relationship between auditing and audit trails.
3. Auditing is a methodical examination or review of an environment and encompasses a wide variety of activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible.
3. What infrastructure component is often located in the same position across multiple floors in order to provide a convenient means of linking floor-based networks together? A. Server room B. Wiring closet C. Datacenter D. Media cabinets
3. B. A wiring closet is the infrastructure component often located in the same position across multiple floors in order to provide a convenient means of linking floor-based networks together.
3. A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table? A. Access control list B. Access control matrix C. Federation D. Creeping privilege
3. B. An access control matrix includes multiple objects, and it lists subjects' access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.
3. Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects? A. Identification B. Availability C. Encryption D. Layering
3. B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.
3. Which OSI model layer manages communications in simplex, half-duplex, and full-duplex modes? A. Application B. Session C. Transport D. Physical
3. B. Layer 5, Session, manages simplex (one-direction), half-duplex (two-way, but only one direction can send data at a time), and full-duplex (two-way, in which data can be sent in both directions simultaneously) communications.
3. Which of the following is a primary purpose of an exit interview? A. To return the exiting employee's personal belongings B. To review the nondisclosure agreement C. To evaluate the exiting employee's performance D. To cancel the exiting employee's network access accounts
3. B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.
3. Which one of the following types of attacks relies on the difference between the timing of two events? A. Smurf B. TOCTOU C. Land D. Fraggle
3. B. The time of check to time of use (TOCTOU) attack relies on the timing of the execution of two events.
3. Name at least three types of attacks used to discover passwords.
3. Brute-force attacks, dictionary attacks, sniffer attacks, rainbow table attacks, and socialengineering attacks are all known methods used to discover passwords.
3. What is a closed system? A. A system designed around final, or closed, standards B. A system that includes industry standards C. A proprietary system that uses unpublished protocols D. Any machine that does not run Windows
3. C. A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.
4. Which one of the following techniques is most closely associated with APT attacks? A. Zero-day exploit B. Social engineering C. Trojan horse D. SQL injection
4. A. While an advanced persistent threat (APT) may leverage any of these attacks, they are most closely associated with zero-day attacks.
4. What is the difference between open and closed systems and open and closed source?
4. An open system is one with published APIs that allow third parties to develop products to interact with it. A closed system is one that is proprietary with no third-party product support. Open source is a coding stance that allows others to view the source code of a program. Closed source is an opposing coding stance that keeps source code confidential.
4. What goal is not a purpose of a financial attack? A. Access services you have not purchased B. Disclose confidential personal employee information C. Transfer funds from an unapproved source into your account D. Steal money from another organization
4. B. A financial attack focuses primarily on obtaining services and funds illegally.
4. What is a primary benefit of job rotation and separation of duties policies? A. Preventing collusion B. Preventing fraud C. Encouraging collusion D. Correcting incidents
4. B. Job rotation and separation of duties policies help prevent fraud. Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions, and implementing these policies doesn't prevent collusion, nor does it encourage employees to collude against an organization. They help deter and prevent incidents, but they do not correct them.
4. What type of access controls are hardware or software mechanisms used to manage access to resources and systems, and provide protection for those resources and systems? A. Administrative B. Logical/technical C. Physical D. Preventive
4. B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls, and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.
4. Which one of the following disaster types is not usually covered by standard business or homeowner's insurance? A. Earthquake B. Flood C. Fire D. Theft
4. B. Most general business insurance and homeowner's insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA's National Flood Insurance Program.
4. Which of the following IP addresses is not a private IP address as defined by RFC 1918? A. 10.0.0.18 B. 169.254.1.119 C. 172.31.8.204 D. 192.168.6.43
4. B. The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918. The addresses in RFC 1918 are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.
4. What type of cipher relies on changing the location of characters within a message to achieve confidentiality? A. Stream cipher B. Transposition cipher C. Block cipher D. Substitution cipher
4. B. Transposition ciphers use a variety of techniques to reorder the characters within a message.
4. Which of the following is the least resistant to EMI? A. Thinnet B. UTP C. STP D. Fiber
4. B. UTP is the least resistant to EMI because it is unshielded. Thinnet (10Base2) is a type of coaxial cable that is shielded against EMI. STP is a shielded form of twisted pair that resists EMI. Fiber is not affected by terrestrial EMI.
4. Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.
4. Federated identity management systems allow single sign-on (SSO) to be extended beyond a single organization. SSO allows users to authenticate once and access multiple resources without authenticating again. SAML is a common language used to exchange federated identity information between organizations.
4. Discuss methods used to secure 802.11 wireless networking.
4. Methods to secure 802.11 wireless networking include disabling the SSID broadcast; changing the SSID to something unique; enabling MAC filtering; considering the use of static IPs or using DHCP with reservations; turning on the highest form of encryption offered (such as WEP, WPA, or WPA2/802.11i); treating wireless as remote access and employing 802.1X, RADIUS, or TACACS; separating wireless access points from the LAN with firewalls; monitoring all wireless client activity with an IDS; and considering requiring wireless clients to connect with a VPN to gain LAN access.
11. Which one of the following would administrators use to connect to a remote server securely for administration? A. Telnet B. Secure File Transfer Protocol (SFTP) C. Secure Copy (SCP) D. Secure Shell (SSH)
11. D. SSH is a secure method of connecting to remote servers over a network because it encrypts data transmitted over a network. In contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting sensitive data over a network but not for administration purposes.
12. What is the typical time estimate to activate a warm site from the time a disaster is declared? A. 1 hour B. 6 hours C. 12 hours D. 24 hours
12. C. Warm sites typically take about 12 hours to activate from the time a disaster is declared. This is compared to the relatively instantaneous activation of a hot site and the lengthy time (at least a week) required to bring a cold site to operational status.
12. What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object? A. Wave B. Photoelectric C. Heat D. Capacitance
12. D. A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object.
12. Which one of the following tasks would a custodian most likely perform? A. Access the data B. Classify the data C. Assign permissions to the data D. Back up data
12. D. A data custodian performs day to day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.
12. In which phase of the SW-CMM does an organization use quantitative measures to gain a detailed understanding of the development process? A. Initial B. Repeatable C. Defined D. Managed
12. D. In the Managed phase, level 4 of the SW-CMM, the organization uses quantitative measures to gain a detailed understanding of the development process.
12. Which resource should you protect first when designing continuity plan provisions and processes? A. Physical plant B. Infrastructure C. Financial resources D. People
12. D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!
13. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.
13. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
13. The most commonly overlooked aspect of mobile phone eavesdropping is related to which of the following? A. Storage device encryption B. Screen locks C. Overhearing conversations D. Wireless networking
13. C. The most commonly overlooked aspect of mobile phone eavesdropping is related to people in the vicinity overhearing conversations (at least one side of them). Organizations frequently consider and address issues of wireless networking, storage device encryption, and screen locks.
16. Which of the following is the best choice to support a federated identity management (FIM) system? A. Kerberos B. Hypertext Markup Language (HTML) C. Extensible Markup Language (XML) D. Security Assertion Markup Language (SAML)
16. D. SAML is an XML-based framework used to exchange user information for single signon (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SAML.
15. What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption? A. Birthday attack B. Chosen ciphertext attack C. Meet-in-the-middle attack D. Man-in-the-middle attack
15. C. The meet-in-the-middle attack demonstrated that it took relatively the same amount of computation power to defeat 2DES as it does to defeat standard DES. This led to the adoption of Triple DES (3DES) as a standard for government communication.
15. Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level? A. (star) Security Property B. No write up property C. No read up property D. No read down property
15. C. The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher-security-level object.
15. How many keys are required to fully implement a symmetric algorithm with 10 participants? A. 10 B. 20 C. 45 D. 100
15. C. The number of keys required for a symmetric algorithm is dictated by the formula (n*(n-1))/2, which in this case, where n = 10, is 45.
15. What is the primary purpose of Kerberos? A. Confidentiality B. Integrity C. Authentication D. Accountability
15. C. The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.
16. You are the IT security manager for a retail merchant organization that is just going online with an e-commerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that while the new code functions well, it might not be secure. You begin to review the code, the systems design, and the services architecture to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? A. Input validation B. Defensive coding C. Allowing script input D. Escaping metacharacters
16. A, B, and D. A programmer can implement the most effective way to prevent XSS by validating input, coding defensively, escaping metacharacters, and rejecting all scriptlike input.
16. Why should you avoid deleting log files on a daily basis? A. An incident may not be discovered for several days and valuable evidence could be lost. B. Disk space is cheap, and log files are used frequently. C. Log files are protected and cannot be altered. D. Any information in a log file is useless after it is several hours old.
16. A. Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, they can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived.
16. What security control is directly focused on preventing collusion? A. Principle of least privilege B. Job descriptions C. Separation of duties D. Qualitative risk analysis
16. C. The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.
18. What type of plan addresses the technical controls associated with alternate processing facilities, backups, and fault tolerance? A. Business continuity plan B. Business impact assessment C. Disaster recovery plan D. Vulnerability assessment
18. C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.
18. What security principle helps prevent users from accessing memory spaces assigned to applications being run by other users? A. Separation of privilege B. Layering C. Process isolation D. Least privilege
18. C. Process isolation provides separate memory spaces to each process running on a system. This prevents processes from overwriting each other's data and ensures that a process can't read data from another process.
18. Which of the following can be used to bypass even the best physical and logical security mechanisms to gain access to a system? A. Dictionary attacks B. Denial of service C. Social engineering D. Port scanning
18. C. Social engineering can often be used to bypass even the most effective physical and logical controls. Whatever activity the attacker convinces the victim to perform, it is usually directed toward opening a back door that the attacker can use to gain access to the network.
18. Which one of the following is the comprehensive EU law that governs data privacy that was passed in 2016 and goes into effect in 2018? A. DPD B. GLBA C. GDPR D. SOX
18. C. The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that protects personal information of EU residents worldwide. The law is scheduled to go into effect in 2018.
18. What type of attack uses email and attempts to trick high-level executives? A. Phishing B. Spear phishing C. Whaling D. Vishing
18. C. Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).
An organization has a datacenter that processes highly sensitive information and is staffed 24 hours a day. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on internet sites, exposing the organization's internal sensitive data. 18. Of the following choices, what would have prevented this loss without sacrificing security? A. Mark the media kept offsite. B. Don't store data offsite. C. Destroy the backups offsite. D. Use a secure offsite storage facility.
18. D. Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won't protect it if it is stored in an unstaffed warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite, or offsite backups are destroyed, security is sacrificed by risking availability.
3. What kinds of potential issues can an emergency visit from the fire department leave in its wake?
3. Anytime water is used to respond to fire, flame, or smoke, water damage becomes a serious concern, particularly when water is released in areas where electrical equipment is in use. Not only can computers and other electrical gear be damaged or destroyed by water, but also many forms of storage media can become damaged or unusable. Also, when seeking hot spots to put out, firefighters often use axes to break down doors or cut through walls to reach them as quickly as possible. This, too, poses the potential for physical damage to or destruction of devices and/or wiring that may also be in the vicinity.
3. What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem? A. 56 bits B. 128 bits C. 192 bits D. 256 bits
3. A. DES uses a 56-bit key. This is considered one of the major weaknesses of this cryptosystem.
4. What is the difference between mutation fuzzing and generational fuzzing?
4. Mutation (dumb) fuzzing takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques. Generational (intelligent) fuzzing develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
4. How far backward does the waterfall model allow developers to travel when a development flaw is discovered?
4. One phase.
4. What should an organization do to verify that accounts are managed properly?
4. Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management. They can be performed manually or using automation techniques available in some identity and access management (IAM) systems.
5. Identify the three primary elements within the identity and access provisioning lifecycle.
5. The identity and access provisioning lifecycle includes provisioning accounts, periodically reviewing and managing accounts, and disabling or deleting accounts when they are no longer being used.
5. Name the six primary security roles as defined by (ISC)2 for CISSP.
5. The six security roles are senior management, IT/security staff, owner, custodian, operator/ user, and auditor.
6. Which one of the following storage locations provides a good option when the organization does not know where it will be when it tries to recover operations? A. Primary data center B. Field office C. Cloud computing D. IT manager's home
6. C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location.
9. What is a TCP wrapper? A. An encapsulation protocol used by switches B. An application that can serve as a basic firewall by restricting access based on user IDs or system IDs C. A security protocol used to protect TCP/IP traffic over WAN links D. A mechanism to tunnel TCP/IP through non-IP networks
9. B. A TCP wrapper is an application that can serve as a basic firewall by restricting access based on user IDs or system IDs.
9. Which of the following best identifies the benefit of a passphrase? A. It is short. B. It is easy to remember. C. It includes a single set of characters. D. It is easy to crack.
9. B. A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes all four sets of character types. It is strong and complex, making it difficult to crack.
9. All but which of the following items requires awareness for all individuals affected? A. Restricting personal email B. Recording phone conversations C. Gathering information about surfing habits D. The backup mechanism used to retain email messages
9. D. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.
1. Which one of the following is not a component of the DevOps model? A. Information security B. Software development C. Quality assurance D. IT operations
1. A. The three elements of the DevOps model are software development, quality assurance, and IT operations.
1. Which of the following is the most important aspect of security? A. Physical security B. Intrusion detection C. Logical security D. Awareness training
1. A. Physical security is the most important aspect of overall security. Without physical security, none of the other aspects of security are sufficient.
1. What is the most commonly used technique to protect against virus attacks? A. Signature detection B. Heuristic detection C. Data integrity assurance D. Automated reconstruction
1. A. Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system.
1. Describe the primary difference between discretionary and nondiscretionary access control models.
1. A discretionary access control (DAC) model allows the owner, creator, or data custodian of an object to control and define access. Administrators centrally administer nondiscretionary access controls and can make changes that affect the entire environment.
1. What kind of device helps to define an organization's perimeter and also serves to deter casual trespassing?
1. A fence is an excellent perimeter safeguard that can help to deter casual trespassing. Moderately secure installations work when the fence is 6 to 8 feet tall and will typically be cyclone (also known as chain link) fencing with the upper surface twisted or barbed to deter casual climbers. More secure installations usually opt for fence heights over 8 feet and often include multiple strands of barbed or razor wire strung above the chain link fabric to further deter climbers.
1. Which one of the following identifies the primary purpose of information classification processes? A. Define the requirements for protecting sensitive data. B. Define the requirements for backing up data. C. Define the requirements for storing data. D. Define the requirements for transmitting data.
1. A. A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing all data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit but not necessarily all data in transit.
1. Which of the following is the best response after detecting and verifying an incident? A. Contain it. B. Report it. C. Remediate it. D. Gather evidence.
1. A. Containment is the first step after detecting and verifying an incident. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a reoccurrence, but this is not the first step. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.
1. Which one of the following tools is used primarily to perform network discovery scans? A. Nmap B. Nessus C. Metasploit D. lsof
1. A. Nmap is a network discovery scanning tool that reports the open ports on a remote system.
1. Name the layers of the OSI model and their numbers from top to bottom.
1. Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), and Physical (1).
1. What is system certification? A. Formal acceptance of a stated system configuration B. A technical evaluation of each part of a computer system to assess its compliance with security standards C. A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards D. A manufacturer's certificate stating that all components were installed and configured correctly
1. B. A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.
1. is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints. A. ISDN B. Frame Relay C. SMDS D. ATM
1. B. Frame Relay is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints. The Frame Relay network is a shared medium across which virtual circuits are created to provide point-to-point communications. All virtual circuits are independent of and invisible to each other.
1. What is the first step that individuals responsible for the development of a business continuity plan should perform? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
1. B. The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.
1. Which of the following best describes an implicit deny principle? A. All actions that are not expressly denied are allowed. B. All actions that are not expressly allowed are denied. C. All actions must be expressly denied. D. None of the above.
1. B. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.
1. In the RSA public key cryptosystem, which one of the following numbers will always be largest? A. e B. n C. p D. q
1. B. The number n is generated as the product of the two large prime numbers, p and q. Therefore, n must always be greater than both p and q. Furthermore, it is an algorithm constraint that e must be chosen such that e is smaller than n. Therefore, in RSA cryptography, n is always the largest of the four variables shown in the options to this question.
1. Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. A stand-alone system D. The internet
1. B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.
1. Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography. 2. Explain the process Alice would use to decrypt the message Bob sent in question 1. 3. Explain the process Bob should use to digitally sign a message to Alice. 4. Explain the process Alice should use to verify the digital signature on the message from Bob in question 3.
1. Bob should encrypt the message using Alice's public key and then transmit the encrypted message to Alice. 2. Alice should decrypt the message using her private key. 3. Bob should generate a message digest from the plaintext message using a hash function. He should then encrypt the message digest using his own private key to create the digital signature. Finally, he should append the digital signature to the message and transmit it to Alice. 4. Alice should decrypt the digital signature in Bob's message using Bob's public key. She should then create a message digest from the plaintext message using the same hashing algorithm Bob used to create the digital signature. Finally, she should compare the two message digests. If they are identical, the signature is authentic.
1. What are some of the main concerns businesses have when considering adopting a mutual assistance agreement?
1. Businesses have three main concerns when considering adopting a mutual assistance agreement. First, the nature of an MAA often necessitates that the businesses be located in close geographical proximity. However, this requirement also increases the risk that the two businesses will fall victim to the same threat. Second, MAAs are difficult to enforce in the middle of a crisis. If one of the organizations is affected by a disaster and the other isn't, the organization not affected could back out at the last minute, leaving the other organization out of luck. Finally, confidentiality concerns (both legal and business related) often prevent businesses from trusting others with their sensitive operational data.
20. Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table? A. Two B. Three C. Thirty D. Undefined
20. B. The cardinality of a table refers to the number of rows in the table while the degree of a table is the number of columns.
1. An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following? A. Principle of least permission B. Separation of duties C. Need-to-know D. Role Based Access Control
1. C. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn't control all the elements of a process. Role Based Access Control (RBAC) grants access to resources based on a role.
1. What is the end goal of disaster recovery planning? A. Preventing business interruption B. Setting up temporary business operations C. Restoring normal business activity D. Minimizing the impact of a disaster
1. C. Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off.
1. Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer systems? A. Computer Security Act B. National Infrastructure Protection Act C. Computer Fraud and Abuse Act D. Electronic Communications Privacy Act
1. C. The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer systems.
1. How many possible keys exist in a 4-bit key space? A. 4 B. 8 C. 16 D. 128
1. C. To determine the number of keys in a key space, raise 2 to the power of the number of bits in the key space. In this example, 24 = 16.
1. Which of the following is the weakest element in any security solution? A. Software products B. Internet connections C. Security policies D. Humans
1. D. Regardless of the specifics of a security solution, humans are the weakest element.
1. What is layer 4 of the OSI model? A. Presentation B. Network C. Data Link D. Transport
1. D. The Transport layer is layer 4. The Presentation layer is layer 6, the Data Link layer is layer 2, and the Network layer is layer 3.
1. Which of the following would not be an asset that an organization would want to protect with access controls? A. Information B. Systems C. Devices D. Facilities E. None of the above
1. E. All of the answers are included in the types of assets that an organization would try to protect with access controls.
1. Describe the differences between transport mode and tunnel mode of IPsec.
1. IPsec's transport mode is used for host-to-host links and encrypts only the payload, not the header. IPsec's tunnel mode is used for host-to-LAN and LAN-to-LAN links and encrypts the entire original payload and header and then adds a link header.
1. List the different phases of incident response identified in the CISSP Security Operations domain.
1. Incident response steps listed in the CISSP Security Operations domain are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
1. Why is it important to include legal representatives on your business continuity planning team?
1. Many federal, state, and local laws or regulations require businesses to implement BCP provisions. Including legal representation on your BCP team helps ensure that you remain compliant with laws, regulations, and contractual obligations.
1. Define the difference between need-to-know and the principle of least privilege.
1. Need to know focuses on permissions and the ability to access information, whereas the principle of least privilege focuses on privileges. Privileges include both rights and permissions. Both limit the access of users and subjects to only what they need. Following these principles prevents and limits the scope of security incidents.
1. Describe PII and PHI.
1. Personally identifiable information (PII) is any information that can identify an individual. It includes information that can be used to distinguish or trace an individual's identity, such as name, social security number or national ID number, date and place of birth, mother's maiden name, and biometric records. Protected health information (PHI) is any health-related information that can be related to a specific person. PHI doesn't apply only to healthcare providers. Any employer that provides, or supplements, healthcare policies collects and handles PHI.
1. Name six different administrative controls used to secure personnel.
1. Possible answers include job descriptions, principle of least privilege, separation of duties, job responsibilities, job rotation/cross-training, performance reviews, background checks, job action warnings, awareness training, job training, exit interviews/terminations, nondisclosure agreements, noncompete agreements, employment agreements, privacy declaration, and acceptable use policies.
1. Name at least seven security models.
1. Security models include state machine, information flow, noninterference, Take-Grant, access control matrix, Bell-LaPadula, Biba, Clark-Wilson, Brewer and Nash (aka Chinese Wall), Goguen-Meseguer, Sutherland, and Graham-Denning.
1. Describe the difference between TCP SYN scanning and TCP connect scanning.
1. TCP SYN scanning sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as "half-open" scanning. TCP connect scanning opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
1. Discuss and describe the CIA Triad.
1. The CIA Triad is the combination of confidentiality, integrity, and availability. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, information, or resources. Integrity is the concept of protecting the reliability and correctness of data. Availability is the concept that authorized subjects are granted timely and uninterrupted access to objects. The term CIA Triad is used to indicate the three key components of a security solution.
1. What are the key provisions of the Privacy Shield Framework agreement between the United States and the European Union?
1. The key provisions of the Privacy Shield Framework agreement between the United States and the European Union are as follows: ■ Inform individuals about data processing ■ Provide free and accessible dispute resolution ■ Cooperate with the Department of Commerce ■ Maintain data integrity and purpose limitation ■ Ensure accountability for data transferred to third parties ■ Maintain transparency related to enforcement actions ■ Ensure commitments are kept as long as data is held
1. What are the major categories of computer crime?
1. The major categories of computer crime are military/intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, and thrill attacks.
1. What is the major hurdle preventing the widespread adoption of one-time pad cryptosystems to ensure data confidentiality?
1. The major obstacle to the widespread adoption of onetime pad cryptosystems is the difficulty in creating and distributing the very lengthy keys on which the algorithm depends.
1. What is the main purpose of a primary key in a database table?
1. The primary key uniquely identifies each row in the table. For example, an employee identification number might be the primary key for a table containing information about employees.
1. Name the three standard cloud-based X as a service options and briefly describe them.
1. The three standard cloud-based X-as-a-service options are platform as a service (PaaS), software as a service (SaaS), and infrastructure as a service (IaaS). PaaS is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally. SaaS is a derivative of PaaS. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. SaaS can be implemented as a subscription, a pay-as-you-go service, or a free service. IaaS takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered internet connectivity. Ultimately, IaaS allows an enterprise to scale up new software or data-based services/ solutions through cloud systems quickly and without having to install massive hardware locally.
5. What are the four main steps of the business continuity planning process?
5. The four steps of the BCP process are project scope and planning, business impact assessment, continuity planning, and approval/implementation.
10. What is a security perimeter? (Choose all that apply.) A. The boundary of the physically secure area surrounding your system B. The imaginary boundary that separates the TCB from the rest of the system C. The network where your firewall resides D. Any connections to your computer system
10. A, B. Although the most correct answer in the context of this chapter is Option B, Option A is also a correct answer in the context of physical security.
10. Which of the following is an example of a Type 2 authentication factor? A. Something you have B. Something you are C. Something you do D. Something you know
10. A. A Type 2 authentication factor is based on something you have, such as a smartcard or token device. Type 3 authentication is based on something you are and sometimes something you do, which uses physical and behavioral biometric methods. Type 1 authentication is based on something you know, such as passwords or PINs.
10. What type of electrical component serves as the primary building block for dynamic RAM chips? A. Capacitor B. Resistor C. Flip-flop D. Transistor
10. A. Dynamic RAM chips are built from a large number of capacitors, each of which holds a single electrical charge. These capacitors must be continually refreshed by the CPU in order to retain their contents. The data stored in the chip is lost when power is removed.
10. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? A. Privacy Act B. Electronic Communications Privacy Act C. Health Insurance Portability and Accountability Act D. Gramm-Leach-Bliley Act
10. A. The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.
10. You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A. $750,000 B. $1.5 million C. $7.5 million D. $15 million
10. A. This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an SLE of $750,000.
10. Which of the following represents accidental or intentional exploitations of vulnerabilities? A. Threat events B. Risks C. Threat agents D. Breaches
10. A. Threat events are accidental or intentional exploitations of vulnerabilities.
10. Hacktivists are motivated by which of the following factors? (Choose all that apply.) A. Financial gain B. Thrill C. Skill D. Political beliefs
10. B, D. Hacktivists (the word is a combination of hacker and activist) often combine political motivations with the thrill of hacking. They organize themselves loosely into groups with names like Anonymous and Lolzsec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required.
10. What business continuity planning technique can help you prepare the business unit prioritization task of disaster recovery planning? A. Vulnerability analysis B. Business impact assessment C. Risk management D. Continuity planning
10. B. During the business impact assessment phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the DRP business unit prioritization.
10. What is both a benefit and a potentially harmful implication of multilayer protocols? A. Throughput B. Encapsulation C. Hash integrity checking D. Logical addressing
10. B. Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols.
10. Richard wants to digitally sign a message he's sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key
10. B. Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard's public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.
10. What is the most common cause of failure for a water-based fire suppression system? A. Water shortage B. People C. Ionization detectors D. Placement of detectors in drop ceilings
10. B. The most common cause of failure for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, you'll be in trouble for the future. Also, pulling an alarm when there is no fire will trigger damaging water release throughout the office.
11. Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases? A. Resource prioritization B. Likelihood assessment C. Strategy development D. Provisions and processes Review Questions 123
11. C. The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.
10. Of the following choices, what is the best form of anti-malware protection? A. Multiple solutions on each system B. A single solution throughout the organization C. Anti-malware protection at several locations D. One-hundred-percent content filtering at all border gateways
10. C. A multipronged approach provides the best solution. This involves having anti-malware software at several locations, such as at the boundary between the internet and the internal network, at email servers, and on each system. More than one anti-malware application on a single system isn't recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (boundary between the internet and the internal network) is a good partial solution, but it won't catch malware brought in through other methods.
10. Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message? A. Stream cipher B. Caesar cipher C. Block cipher D. ROT3 cipher
10. C. Block ciphers operate on message "chunks" rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.
10. Which one of the following is based on Blowfish and helps protect against rainbow table attacks? A. 3DES B. AES C. Bcrypt D. SCP
10. C. Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.
10. What should be done with equipment that is at the end of its lifecycle and is being donated to a charity? A. Remove all CDs and DVDs. B. Remove all software licenses. C. Sanitize it. D. Install the original software.
10. C. Systems should be sanitized when they reach the end of their lifecycle to ensure that they do not include any sensitive data. Removing CDs and DVDs is part of the sanitation process, but other elements of the system, such as disk drives, should also be checked to ensure that they don't include sensitive information. Removing software licenses or installing the original software is not necessarily required unless the organization's sanitization process requires it.
10. What type of network discovery scan only follows the first two steps of the TCP handshake? A. TCP connect scan B. Xmas scan C. TCP SYN scan D. TCP ACK scan
10. C. The TCP SYN scan sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.
10. Which of the following best describes a rule-based access control model? A. It uses local rules applied to users individually. B. It uses global rules applied to users individually. C. It uses local rules applied to all users equally. D. It uses global rules applied to all users equally.
10. D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.
10. Which one of the following is not a principle of Agile development? A. Satisfy the customer through early and continuous delivery. B. Businesspeople and developers work together. C. Pay continuous attention to technical excellence. D. Prioritize security over other requirements.
10. D. In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software.
10. Which of the following is not a benefit of NAT? A. Hiding the internal IP addressing scheme B. Sharing a few public internet addresses with a large number of internal clients C. Using the private IP addresses from RFC 1918 on an internal network D. Filtering network traffic to prevent brute-force attacks
10. D. NAT does not protect against or prevent brute-force attacks.
10. What element of data categorization management can override all other forms of access control? A. Classification B. Physical access C. Custodian responsibilities D. Taking ownership
10. D. Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.
10. What character should always be treated carefully when encountered as user input on a web form? A. ! B. & C. * D. '
10. D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.
11. Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this? A. Synchronous token B. Asynchronous token C. Smartcard D. Common access card
11. A. A synchronous token generates and displays onetime passwords, which are synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the onetime password. Smartcards do not generate onetime passwords, and common access cards are a version of a smartcard that includes a picture of the user.
11. When a safeguard or a countermeasure is not present or is not sufficient, what remains? A. Vulnerability B. Exposure C. Risk D. Penetration
11. A. A vulnerability is the absence or weakness of a safeguard or countermeasure.
11. What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography? A. One B. Two C. Three D. Four
11. A. Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction.
11. Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task? A. Port scanner B. Network vulnerability scanner C. Network discovery scanner D. Web vulnerability scanner
11. D. SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.
11. An organization is planning the layout of a new building that will house a datacenter. Where is the most appropriate place to locate the datacenter? A. In the center of the building B. Closest to the outside wall where power enters the building C. Closest to the outside wall where heating, ventilation, and air conditioning systems are located D. At the back of the building
11. A. Valuable assets require multiple layers of physical security, and placing a datacenter in the center of the building helps provide these additional layers. Placing valuable assets next to an outside wall (including at the back of the building) eliminates some layers of security.
11. When using penetration testing to verify the strength of your security policy, which of the following is not recommended? A. Mimicking attacks previously perpetrated against your system B. Performing attacks without management knowledge C. Using manual and automated attack tools D. Reconfiguring the system to resolve any discovered vulnerabilities
11. B. Penetration testing should be performed only with the knowledge and consent of the management staff. Unapproved security testing could result in productivity loss, trigger emergency response teams, and result in legal action against the tester including loss of employment. A penetration test can mimic previous attacks and use both manual and automated attack methods. After a penetration test, a system may be reconfigured to resolve discovered vulnerabilities.
11. What framework allows U.S. companies to certify compliance with EU privacy laws? A. COBiT B. Privacy Shield C. Privacy Lock D. EuroLock
11. B. The Privacy Shield framework, governed by the U.S. Department of Commerce and Federal Trade Commission, allows U.S. companies to certify compliance with EU data protection law.
11. A significant benefit of a security control is when it goes unnoticed by users. What is this called? A. Invisibility B. Transparency C. Diversion D. Hiding in plain sight
11. B. When transparency is a characteristic of a service, security control, or access mechanism it is unseen by users.
11. Which one of the following investigation types has the highest standard of evidence? A. Administrative B. Civil C. Criminal D. Regulatory
11. C. Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.
11. What type of information is used to form the basis of an expert system's decision-making process? A. A series of weighted layered computations B. Combined input from a number of human experts, weighted according to past performance C. A series of "if/then" rules codified in a knowledge base D. A biological decision-making process that simulates the reasoning process used by the human mind
11. C. Expert systems use a knowledge base consisting of a series of "if/then" statements to form decisions based on the previous experience of human experts.
11. What type of access control model is used on a firewall? A. MAC model B. DAC model C. Rule-based access control model D. RBAC model
11. C. Firewalls use a rule-based access control model with rules expressed in an access control list. A Mandatory Access Control (MAC) model uses labels. A Discretionary Access Control (DAC) model allows users to assign permissions. A Role Based Access Control (RBAC) model organizes users in groups.
11. What is the most common and inexpensive form of physical access control device? A. Lighting B. Security guard C. Key locks D. Fences
11. C. Key locks are the most common and inexpensive form of physical access control device. Lighting, security guards, and fences are all much more costly.
11. What ensures that the subject of an activity or event cannot deny that the event occurred? A. CIA Triad B. Abstraction C. Nonrepudiation D. Hash totals
11. C. Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
11. Which one of the following storage devices is most likely to require encryption technology in order to maintain data security in a networked environment? A. Hard disk B. Backup tape Review Questions 397 C. Removable drives D. RAM
11. C. Removable drives are easily taken out of their authorized physical location, and it is often not possible to apply operating system access controls to them. Therefore, encryption is often the only security measure short of physical security that can be afforded to them. Backup tapes are most often well controlled through physical security measures. Hard disks and RAM chips are often secured through operating system access controls.
11. By examining the source and destination addresses, the application usage, the source of origin, and the relationship between current packets with the previous packets of the same session, firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. A. Static packet-filtering B. Application-level gateway C. Stateful inspection D. Circuit-level gateway
11. C. Stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.
11. Which one of the following algorithms is not supported by the Digital Signature Standard? A. Digital Signature Algorithm B. RSA C. El Gamal DSA D. Elliptic Curve DSA
11. C. The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.
11. Which one of the following alternative processing sites takes the longest time to activate? A. Hot site B. Mobile site C. Cold site D. Warm site
11. C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This often takes weeks.
11. What part of the TCB concept validates access to every resource prior to granting the requested access? A. TCB partition B. Trusted library C. Reference monitor D. Security kernel
11. C. The reference monitor validates access to every resource prior to granting the requested access. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Options A and B are not valid TCB concept components.
12. The Children's Online Privacy Protection Act (COPPA) was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent? A. 13 B. 14 C. 15 D. 16
12. A. The Children's Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).
12. What is used to keep subjects accountable for their actions while they are authenticated to a system? A. Authentication B. Monitoring C. Account lockout D. User entitlement reviews 798 Chapter 17 ■ Preventing and Responding to Incidents
12. B. Accountability is maintained by monitoring the activities of subjects and objects as well as monitoring core system functions that maintain the operating environment and the security mechanisms. Authentication is required for effective monitoring, but it doesn't provide accountability by itself. Account lockout prevents login to an account if the wrong password is entered too many times. User entitlement reviews can identify excessive privileges.
12. When you're designing a security system for internet-delivered email, which of the following is least important? A. Nonrepudiation B. Availability C. Message integrity D. Access restriction
12. B. Although availability is a key aspect of security in general, it is the least important aspect of security systems for internet-delivered email.
12. Which of the following is not a valid definition for risk? A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure
12. B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.
12. In which of the following security modes can you be assured that all users have access permissions for all information processed by the system but will not necessarily need to know of all that information? A. Dedicated B. System high C. Compartmented D. Multilevel
12. B. In system high mode, all users have appropriate clearances and access permissions for all information processed by the system but need to know only some of the information processed by that system.
12. Which of the following is the most important and distinctive concept in relation to layered security? A. Multiple B. Series C. Parallel D. Filter
12. B. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.
12. Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using? A. Split knowledge B. M of N Control C. Work function D. Zero-knowledge proof
12. B. M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.
12. What is the best definition of a security model? A. A security model states policies an organization must follow. B. A security model provides a framework to implement a security policy. C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards. D. A security model is the process of formal acceptance of a certified configuration.
12. B. Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.
12. Which of the following provides authentication based on a physical characteristic of a subject? A. Account ID B. Biometrics C. Token D. PIN
12. B. Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have and it creates onetime passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.
12. During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future? A. Forensic analysis B. Root-cause analysis C. Network traffic analysis D. Fagan analysis
12. B. Root-cause analysis seeks to identify the reason that an operational issue occurred. The root-cause analysis often highlights issues that require remediation to prevent similar incidents in the future.
12. firewalls are known as third-generation firewalls. A. Application-level gateway B. Stateful inspection C. Circuit-level gateway D. Static packet-filtering
12. B. Stateful inspection firewalls are known as third-generation firewalls.
12. Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication? A. X.500 B. X.509 C. X.900 D. X.905
12. B. X.509 governs digital certificates and the public-key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.
12. What type of access controls rely on the use of labels? A. DAC B. Nondiscretionary C. MAC D. RBAC
12. C. Mandatory Access Control (MAC) models rely on the use of labels for subjects and objects. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control model deployed on a firewall. Role Based Access Control (RBAC) models define a subject's access based on job-related roles.
12. Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application? A. Only if the application changes B. At least monthly C. At least annually D. There is no rescanning requirement.
12. C. PCI DSS requires that Badin rescan the application at least annually and after any change in the application.
12. Which of the following is a true statement regarding virtual machines (VMs) running as guest operating systems on physical servers? A. Updating the physical server automatically updates the VMs. B. Updating any VM automatically updates all the VMs. C. VMs do not need to be updated if the physical server is updated. D. VMs must be updated individually.
12. D. VMs need to be updated individually just as they would be if they were running on a physical server. Updates to the physical server do not update hosted VMs. Similarly, updating one VM doesn't update all VMs.
13. Some cloud-based service models require an organization to perform some maintenance and take responsibility for some security. Which of the following is a service model that places most of these responsibilities on the organization leasing the cloud-based resources? A. IaaS B. PaaS C. SaaS D. Hybrid
13. A. Organizations have the most responsibility for maintenance and security when leasing infrastructure as a service (IaaS) cloud resources. The cloud service provider takes more responsibility with the platform as a service (PaaS) model and the most responsibility with the software as a service (SaaS) model. Hybrid refers to a cloud deployment model (not a service model) and indicates that two or more deployment models are used (such as private, public, and/or community.
13. What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered? A. Preservation B. Production C. Processing D. Presentation
13. A. Preservation ensures that potentially discoverable information is protected against alteration or deletion.
13. Which of the following is not considered an example of data hiding? A. Preventing an authorized reader of an object from deleting that object B. Keeping a database from being accessed by unauthorized visitors C. Restricting a subject at a lower classification level from accessing data at a higher classification level D. Preventing an application from accessing hardware directly
13. A. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.
13. Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the "transitory activities" clause of the Digital Millennium Copyright Act? A. The service provider and the originator of the message must be located in different states. B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider. C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary. D. The transmission must be originated by a person other than the provider.
13. A. The Digital Millennium Copyright Act does not include any geographical location requirements for protection under the "transitory activities" exemption. The other options are three of the five mandatory requirements. The other two requirements are that the service provider must not determine the recipients of the material and the material must be transmitted with no modification to its content.
13. Which one of the following data roles is most likely to assign permissions to grant users access to data? A. Administrator B. Custodian C. Owner D. User
13. A. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.
13. Which of the following is not a typical type of alarm that can be triggered for physical security? A. Preventive B. Deterrent C. Repellant D. Notification
13. A. There is no such thing as a preventive alarm. Alarms are always triggered in response to a detected intrusion or attack.
13. What type of a security control is an audit trail? A. Administrative B. Detective C. Corrective D. Physical
13. B. Audit trails are a passive form of detective security control. Administrative controls are management practices. Corrective controls can correct problems related to an incident, and physical controls are controls that you can physically touch.
13. Grace is performing a penetration test against a client's network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs? A. nmap B. Metasploit C. Nessus D. Snort
13. B. Metasploit is an automated exploit tool that allows attackers to easily execute common attack techniques.
13. Which of the following is not true regarding firewalls? A. They are able to log traffic information. B. They are able to block viruses. C. They are able to issue alarms based on suspected attacks. D. They are unable to prevent internal attacks.
13. B. Most firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms and even basic IDS functions. Firewalls are unable to block viruses or malicious code transmitted through otherwise authorized communication channels, prevent unauthorized but accidental or intended disclosure of information by users, prevent attacks by malicious users already behind the firewall, or protect data after it passed out of or into the private network.
13. Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers? A. SDLC B. ODBC C. DSS D. Abstraction
13. B. ODBC acts as a proxy between applications and the backend DBMS.
13. What cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmerman's Pretty Good Privacy secure email system? A. ROT13 B. IDEA C. ECC D. El Gamal
13. B. Pretty Good Privacy uses a "web of trust" system of digital signature verification. The encryption technology is based on the IDEA private key cryptosystem.
13. Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage
13. C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.
18. Which one of the following is not part of the change management process? A. Request control B. Release control C. Configuration audit D. Change control
18. C. Configuration audit is part of the configuration management process rather than the change control process.
13. What does the CER for a biometric device indicate? A. It indicates that the sensitivity is too high. B. It indicates that the sensitivity is too low. C. It indicates the point where the false rejection rate equals the false acceptance rate. D. When high enough, it indicates the biometric device is highly accurate.
13. C. The point at which the biometric false rejection rate and the false acceptance rate are equal is the crossover error rate (CER). It does not indicate that sensitivity is too high or too low. A lower CER indicates a higher-quality biometric device, and a higher CER indicates a less accurate device.
13. Which one of the following Data Encryption Standard (DES) operating modes can be used for large messages with the assurance that an error early in the encryption/decryption process won't spoil results throughout the communication? A. Cipher Block Chaining (CBC) B. Electronic Code Book (ECB) C. Cipher Feedback (CFB) D. Output feedback (OFB)
13. D. Output feedback (OFB) mode prevents early errors from interfering with future encryption/decryption. Cipher Block Chaining and Cipher Feedback modes will carry errors throughout the entire encryption/decryption process. Electronic Code Book (ECB) operation is not suitable for large amounts of data.
13. Which security models are built on a state machine model? A. Bell-LaPadula and Take-Grant B. Biba and Clark-Wilson C. Clark-Wilson and Bell-LaPadula D. Bell-LaPadula and Biba
13. D. The Bell-LaPadula and Biba models are built on the state machine model.
13. Which of the following best describes a characteristic of the MAC model? A. Employs explicit-deny philosophy B. Permissive C. Rule-based D. Prohibitive
13. D. The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.
13. Which of the following is typically not an element that must be discussed with end users in regard to email retention policies? A. Privacy B. Auditor review C. Length of retainer D. Backup method
13. D. The backup method is not an important factor to discuss with end users regarding email retention.
13. Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites? A. Communications circuits B. Workstations C. Servers D. Current data
13. D. Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.
14. Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn't recognize her so she wasn't able to log on. What best describes this? A. False rejection B. False acceptance C. Crossover error D. Equal error
14. A. A false rejection, sometimes called a false negative authentication or a Type I error, occurs when a valid subject (Sally in this example) is not authenticated. A Type 2 error (false acceptance, sometimes called a false positive authentication or Type II error) occurs when an invalid subject is authenticated. Crossover errors and equal errors aren't valid terms related to biometrics. However, the crossover error rate (also called equal error rate) compares the false rejection rate to the false acceptance rate and provides an accuracy measurement for a biometric system.
14. In what type of software testing does the tester have access to the underlying source code? A. Static testing B. Dynamic testing C. Cross-site scripting testing D. Black-box testing
14. A. In order to conduct a static test, the tester must have access to the underlying source code.
14. Which security model addresses data confidentiality? A. Bell-LaPadula B. Biba C. Clark-Wilson D. Brewer and Nash
14. A. Only the Bell-LaPadula model addresses data confidentiality. The Biba and ClarkWilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.
14. Which of the following options is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes? A. Penetration testing B. Auditing C. Risk analysis D. Entrapment
14. B. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Penetration testing attempts to exploit vulnerabilities. Risk analysis attempts to analyze risks based on identified threats and vulnerabilities. Entrapment is tricking someone into performing an illegal or unauthorized action.
14. What type of memory device is usually used to contain a computer's motherboard BIOS? A. PROM B. EEPROM C. ROM D. EPROM
14. B. BIOS and device firmware are often stored on EEPROM chips to facilitate future firmware updates.
14. What is it called when email itself is used as an attack mechanism? A. Masquerading B. Mail-bombing C. Spoofing D. Smurf attack
14. B. Mail-bombing is the use of email as an attack mechanism. Flooding a system with messages causes a denial of service.
14. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent all but which of the following? A. Piggybacking B. Espionage C. Masquerading D. Abuse
14. B. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot be prevented by physical access controls.
14. How is single loss expectancy (SLE) calculated? A. Threat + vulnerability B. Asset value ($) * exposure factor C. Annualized rate of occurrence * vulnerability D. Annualized rate of occurrence * asset value * exposure factor
14. B. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).
14. Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs? A. Real evidence B. Documentary evidence C. Parole evidence D. Testimonial evidence
14. B. Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.
14. Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10,000,000 C. $100,000 D. 0.10
14. B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE). 954 Appendix A ■ Answers to Review Questions
14. An organization is using a SaaS cloud-based service shared with another organization. What type of cloud-based deployment model does this describe? A. Public B. Private C. Community D. Hybrid
14. C. A community cloud deployment model provides cloud-based assets to two or more organizations. A public cloud model includes assets available for any consumers to rent or lease. A private cloud deployment model includes cloud-based assets that are exclusive to a single organization. A hybrid model includes a combination of two or more deployment models. It doesn't matter if it is a software as a service (SaaS) model or any other service model.
14. Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on? A. It contains diffusion. B. It contains confusion. C. It is a one-way function. D. It complies with Kerchoff's principle.
14. C. A one-way function is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.
14. Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform? A. Code review B. Application vulnerability review C. Mutation fuzzing D. Generational fuzzing
14. C. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.
14. Which one of the following laws is not designed to protect the privacy rights of consumers and internet users? A. Health Insurance Portability and Accountability Act B. Identity Theft Assumption and Deterrence Act C. USA PATRIOT Act D. Gramm-Leach-Bliley Act
14. C. The USA PATRIOT Act was adopted in the wake of the September 11, 2001, terrorist attacks. It broadens the powers of the government to monitor communications between private citizens and therefore actually weakens the privacy rights of consumers and internet users. The other laws mentioned all contain provisions designed to enhance individual privacy rights.
14. Which of the following best defines "rules of behavior" established by a data owner? A. Ensuring that users are granted access to only what they need B. Determining who has access to a system C. Identifying appropriate use and protection of data D. Applying security controls to a system
14. C. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures that users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.
14. Which of the following is not a routing protocol? A. OSPF B. BGP C. RPC D. RIP
14. C. There are numerous dynamic routing protocols, including RIP, OSPF, and BGP, but RPC is not a routing protocol.
14. What TCP/IP communications port is used by Transport Layer Security traffic? A. 80 B. 220 C. 443 D. 559
14. C. Transport Layer Security uses TCP port 443 for encrypted client-server communications.
14. Which of the following is not a valid access control model? A. Discretionary Access Control model B. Nondiscretionary access control model C. Mandatory Access Control model D. Compliance-based access control model
14. D. Compliance-based access control model is not a valid type of access control model. The other answers list valid access control models.
14. What type of database backup strategy involves maintenance of a live backup server at the remote site? A. Transaction logging B. Remote journaling C. Electronic vaulting D. Remote mirroring
14. D. Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronized as closely as the latency in the link between primary and remote systems will allow.
14. What is the primary goal of change management? A. Maintaining documentation B. Keeping users informed of changes C. Allowing rollback of failed changes D. Preventing security compromises
14. D. The prevention of security compromises is the primary goal of change management.
15. What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks? A. Gantt B. Venn C. Bar D. PERT
15. A. A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.
15. What can be used to reduce the amount of logged or audited data using nonstatistical methods? A. Clipping levels B. Sampling C. Log analysis D. Alarm triggers
15. A. Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs. Log analysis reviews log information looking for trends, patterns, and abnormal or unauthorized events. An alarm trigger is a notification sent to administrators when specific events or thresholds occur.
15. Users of a banking application may try to withdraw funds that don't exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it? A. Misuse case testing B. SQL injection testing C. Fuzzing D. Code review
15. A. Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.
2. Which cryptographic algorithm forms the basis of the El Gamal cryptosystem? A. RSA B. Diffie-Hellman C. 3DES D. IDEA
2. B. The El Gamal cryptosystem extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.
15. Within the context of the EU GDPR, what is a data processor? A. The entity that processes personal data on behalf of the data controller B. The entity that controls processing of data C. The computing system that processes data D. The network that processes data
15. A. The European Union (EU) Global Data Protection Regulation (GDPR) defines a data processor as "a natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller." The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU GDPR, the data processor is not a computing system or network.
15. What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way? A. Executive summary B. Technical guides C. Department-specific plans D. Checklists
15. A. The executive summary provides a high-level view of the entire organization's disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.
15. How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap
15. A. The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS].
15. A is an intelligent hub because it knows the addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist. A. Repeater B. Switch C. Bridge D. Router
15. B. A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port.
15. If you need to confiscate a PC from a suspected attacker who does not work for your organization, what legal avenue is most appropriate? A. Consent agreement signed by employees. B. Search warrant. C. No legal avenue is necessary. D. Voluntary consent.
15. B. In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.
15. Why is spam so difficult to stop? A. Filters are ineffective at blocking inbound messages. B. The source address is usually spoofed. C. It is an attack requiring little expertise. D. Spam can cause denial-of-service attacks.
15. B. It is often difficult to stop spam because the source of the messages is usually spoofed.
15. Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it? A. Standard license agreement B. Shrink-wrap agreement C. Click-wrap agreement D. Verbal agreement
15. B. Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Verbal agreements are not normally used for software licensing but also require some active degree of participation by the software user.
15. What is the primary objective of data classification schemes? A. To control access to objects for authorized subjects B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity C. To establish a transaction trail for auditing accountability D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality
15. B. The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
15. Backup tapes have reached the end of their lifecycle and need to be disposed of. Which of the following is the most appropriate disposal method? A. Throw them away. Because they are at the end of their lifecycle, it is not possible to read data from them. B. Purge the tapes of all data before disposing of them. C. Erase data off the tapes before disposing of them. D. Store the tapes in a storage facility.
15. B. The tapes should be purged, ensuring that data cannot be recovered using any known means. Even though tapes may be at the end of their lifecycle, they can still hold data and should be purged before throwing them away. Erasing doesn't remove all usable data from media, but purging does. There is no need to store the tapes if they are at the end of their lifecycle.
15. What would an organization do to identify weaknesses? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review
15. C. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.
15. What is the most important goal of all security solutions? A. Prevention of disclosure B. Maintaining integrity C. Human safety D. Sustaining availability
15. C. Human safety is the most important goal of all security solutions.
15. What type of memory is directly available to the CPU and is often part of the CPU? A. RAM B. ROM C. Register memory D. Virtual memory
15. C. Registers are small memory locations that are located directly on the CPU chip itself. The data stored within them is directly available to the CPU and can be accessed extremely quickly.
15. Referring to the scenario in question 14, what is the annualized loss expectancy? A. 0.01 B. $10,000,000 C. $100,000 D. 0.10
15. C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.
2. What is polyinstantiation?
2. Polyinstantiation is a database security technique that appears to permit the insertion of multiple rows sharing the same uniquely identifying information.
16. Your organization has a large database of customer data. To comply with the EU GDPR, administrators plan to use pseudonymization. Which of the following best describes pseudonymization? A. The process of replacing some data with another identifier B. The process of removing all personal data C. The process of encrypting data D. The process of storing data
16. A. Pseudonymization is the process of replacing some data with an identifier, such as a pseudonym. This makes it more difficult to identify an individual from the data. Removing personal data without using an identifier is closer to anonymization. Encrypting data is a logical alternative to pseudonymization because it makes it difficult to view the data. Data should be stored in such a way that it is protected against any type of loss, but this is unrelated to pseudonymization.
16. Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack? A. Rainbow tables B. Hierarchical screening C. TKIP D. Random enhancement
16. A. Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password cracking attacks.
16. Which of the following is not a technology specifically associated with 802.11 wireless networking? A. WAP B. WPA C. WEP D. 802.11i
16. A. Wireless Application Protocol (WAP) is a technology associated with cell phones accessing the internet rather than 802.11 wireless networking.
16. Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data? A. ISDN B. PVC C. VPN D. SVC
16. B. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data.
16. Which of the following can help mitigate the success of an online brute-force attack? A. Rainbow table B. Account lockout C. Salting passwords D. Encryption of password
16. B. An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the stored password but isn't effective against a brute-force attack without an account lockout.
16. Which of the following can be an effective method of configuration management using a baseline? A. Implementing change management B. Using images C. Implementing vulnerability management D. Implementing patch management
16. B. Images can be an effective configuration management method using a baseline. Imaging ensures that systems are deployed with the same, known configuration. Change management processes help prevent outages from unauthorized changes. Vulnerability management processes help to identify vulnerabilities, and patch management processes help to ensure that systems are kept up-to-date.
16. Which of the following is typically not a characteristic considered when classifying data? A. Value B. Size of object C. Useful lifetime D. National security implications
16. B. Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.
16. What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act? A. Healthcare B. Banking C. Law enforcement D. Defense contractors
16. B. The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.
16. What is the ideal humidity range for a computer room? A. 20-40 percent B. 40-60 percent C. 60-75 percent D. 80-95 percent
16. B. The humidity in a computer room should ideally be from 40 to 60 percent.
16. What is the implied meaning of the simple property of Biba? A. Write down B. Read up C. No write up D. No read down
16. B. The simple property of Biba is no read down, but it implies that it is acceptable to read up.
16. Which of the following focuses more on the patterns and trends of data than on the actual content? A. Keystroke monitoring B. Traffic analysis C. Event logging D. Security auditing
16. B. Traffic analysis focuses more on the patterns and trends of data rather than the actual content. Keystroke monitoring records specific keystrokes to capture data. Event logging logs specific events to record data. Security auditing records security events and/or reviews logs to detect security incidents.
16. What type of interface testing would identify flaws in a program's command-line interface? A. Application programming interface testing B. User interface testing C. Physical interface testing D. Security interface testing
16. B. User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.
16. Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level? A. Aggregation B. Inference C. Contamination D. Polyinstantiation
16. C. Contamination is the mixing of data from a higher classification level and/or needto-know requirement with data from a lower classification level and/or need-to-know requirement.
16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact assessment C. Provisions and processes D. Resource prioritization
16. C. In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.
16. What block size is used by the Advanced Encryption Standard? A. 32 bits B. 64 bits C. 128 bits D. Variable
16. C. The Advanced Encryption Standard uses a 128-bit block size, even though the Rijndael algorithm it is based on allows a variable block size.
16. What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products? A. Differential backups B. Business impact assessment C. Incremental backups D. Software escrow agreement
16. D. Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a "safety net" in the event a developer goes out of business or fails to honor the terms of a service agreement.
17. Which of the following steps would not be included in a change management process? A. Immediately implement the change if it will improve performance. B. Request the change. C. Create a rollback plan for the change. D. Document the change.
17. A. Change management processes may need to be temporarily bypassed to respond to an emergency, but they should not be bypassed simply because someone thinks it can improve performance. Even when a change is implemented in response to an emergency, it should still be documented and reviewed after the incident. Requesting changes, creating rollback plans, and documenting changes are all valid steps within a change management process.
17. What database security technology involves creating two or more rows with seemingly identical primary keys that contain different data for users with different security clearances? A. Polyinstantiation B. Cell suppression C. Aggregation D. Views
17. A. Database developers use polyinstantiation, the creation of multiple records that seem to have the same primary key, to protect against inference attacks.
17. What type of backup involves always storing copies of all files modified since the most recent full backup? A. Differential backups B. Partial backup C. Incremental backups D. Database backup
17. A. Differential backups involve always storing copies of all files modified since the most recent full backup regardless of any incremental or differential backups created during the intervening time period.
17. What are the two common data classification schemes? A. Military and private sector B. Personal and government C. Private sector and unrestricted sector D. Classified and unclassified
17. A. Military (or government) and private sector (or commercial business) are the two common data classification schemes.
17. What would detect when a user has more privileges than necessary? A. Account management B. User entitlement audit C. Logging D.
17. B. A user entitlement audit can detect when users have more privileges than necessary. Account management practices attempt to ensure that privileges are assigned correctly. The audit detects whether the management practices are followed. Logging records activity, but the logs need to be reviewed to determine if practices are followed. Reporting is the result of an audit.
17. In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse? A. Encrypting communications B. Changing default passwords C. Using transmission logs D. Taping and archiving all conversations
17. B. Changing default passwords on PBX systems provides the most effective increase in security.
17. During what type of penetration test does the tester always have access to system configuration information? A. Black box penetration test B. White box penetration test C. Gray box penetration test D. Red box penetration test
17. B. During a white box penetration test, the testers have access to detailed configuration information about the system being tested.
17. What is the function of the network access server within a RADIUS architecture? A. Authentication server B. Client C. AAA server D. Firewall
17. B. The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn't the primary function.
17. Which of the following would provide the best protection against rainbow table attacks? A. Hashing passwords with MD5 B. Salt and pepper with hashing C. Account lockout D. Implement RBAC
17. B. Using both a salt and pepper when hashing passwords provides strong protection against rainbow table attacks. MD5 is no longer considered secure, so it isn't a good choice for hashing passwords. Account lockout helps thwart online password brute-force attacks, but a rainbow table attack is an offline attack. Role Based Access Control (RBAC) is an access control model and unrelated to password attacks.
17. Which wireless frequency access method offers the greatest throughput with the least interference? A. FHSS B. DSSS C. OFDM D. OSPF
17. C. Orthogonal Frequency-Division Multiplexing (OFDM) offers high throughput with the least interference. OSPF is a routing protocol, not a wireless frequency access method.
17. What kind of attack makes the Caesar cipher virtually unusable? A. Meet-in-the-middle attack B. Escrow attack C. Frequency analysis attack D. Transposition attack
17. C. The Caesar cipher (and other simple substitution ciphers) are vulnerable to frequency analysis attacks that analyze the rate at which specific letters appear in the ciphertext.
17. Which of the following links would be protected by WPA encryption? A. Firewall to firewall B. Router to firewall C. Client to wireless access point D. Wireless access point to router
17. C. The Wi-Fi Protected Access protocol encrypts traffic passing between a mobile client and the wireless access point. It does not provide end-to-end encryption.
17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination
17. C. Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.
17. What is the standard duration of patent protection in the United States? A. 14 years from the application date B. 14 years from the date the patent is granted Review Questions 157 C. 20 years from the application date D. 20 years from the date the patent is granted
17. C. U.S. patent law provides for an exclusivity period of 20 years beginning at the time the patent application is submitted to the Patent and Trademark Office.
17. What form of attack abuses a program's lack of length limitation on the data it receives before storing the input in memory, which can lead to arbitrary code execution? A. ARP poisoning B. XSS C. Domain hijacking D. Buffer overflow
17. D. A buffer overflow attack occurs when an attacker submits data to a process that is larger than the input variable is able to contain. Unless the program is properly coded to handle excess input, the extra data is dropped into the system's execution stack and may execute as a fully privileged operation.
17. When a trusted subject violates the star property of Bell-LaPadula in order to write an object into a lower level, what valid operation could be taking place? A. Perturbation B. Polyinstantiation C. Aggregation D. Declassification
17. D. Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.
17. At what voltage level can static electricity cause destruction of data stored on hard drives? A. 4,000 B. 17,000 C. 40 D. 1,500
17. D. Destruction of data stored on hard drives can be caused by 1,500 volts of static electricity.
17. What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege? A. Identification B. Collection C. Processing D. Review
17. D. Review examines the information resulting from the processing phase to determine what information is responsive to the request and remove any information protected by attorney-client privilege.
17. An organization is implementing a preselected baseline of security controls, but finds that some of the controls aren't relevant to their needs. What should they do? A. Implement all the controls anyway. B. Identify another baseline. C. Re-create a baseline. D. Tailor the baseline to their needs.
17. D. Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.
17. What type of mitigation provision is utilized when redundant communications links are installed? A. Hardening systems B. Defining systems C. Reducing systems D. Alternative systems
17. D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.
18. What security concept encourages administrators to install firewalls, malware scanners, and an IDS on every host? A. Endpoint security B. Network access control (NAC) C. VLAN D. RADIUS
18. A. Endpoint security is the security concept that encourages administrators to install firewalls, malware scanners, and an IDS on every host.
18. Which of the following is not specifically or directly related to managing the security function of an organization? A. Worker job satisfaction B. Metrics C. Information security strategies D. Budget
18. A. Managing the security function often includes assessment of budget, metrics, resources, and information security strategies, and assessing the completeness and effectiveness of the security program.
18. A Type B fire extinguisher may use all except which of the following suppression mediums? A. Water B. CO2 C. Halon or an acceptable halon substitute D. Soda acid
18. A. Water is never the suppression medium in Type B fire extinguishers because they are used on liquid fires.
18. What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects? A. Separation of duties B. Access control matrix C. Biba D. Clark-Wilson
18. B. An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list.
18. What is the major disadvantage of using certificate revocation lists? A. Key management B. Latency C. Record keeping D. Vulnerability to brute-force attacks
18. B. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.
18. Which of the following AAA protocols is based on RADIUS and supports Mobile IP and VoIP? A. Distributed access control B. Diameter C. TACACS+ D. TACACS
18. B. Diameter is based on Remote Authentication Dial-in User Service (RADIUS), and it supports Mobile IP and Voice over IP (VoIP). Distributed access control systems such as a federated identity management system are not a specific protocol, and they don't necessarily provide authentication, authorization, and accounting. TACACS and TACACS+ are authentication, authorization, and accounting (AAA) protocols, but they are alternatives to RADIUS, not based on RADIUS.
18. Which of the following is the lowest military data classification for classified data? A. Sensitive B. Secret C. Proprietary D. Private
18. B. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.
18. What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key? A. Vernam cipher B. Running key cipher C. Skipjack cipher D. Twofish cipher
18. B. Running key (or "book") ciphers often use a passage from a commonly available book as the encryption key.
18. What port is typically open on a system that runs an unencrypted HTTP server? A. 22 B. 80 C. 143 D. 443
18. B. Unencrypted HTTP communications take place over TCP port 80 by default.
18. What combination of backup strategies provides the fastest backup creation time? A. Full backups and differential backups B. Partial backups and incremental backups C. Full backups and incremental backups D. Incremental backups and differential backups
18. C. Any backup strategy must include full backups at some point in the process. Incremental backups are created faster than differential backups because of the number of files it is necessary to back up each time.
18. While troubleshooting a network problem, a technician realized the problem could be resolved by opening a port on a firewall. The technician opened the port and verified the system was now working. However, an attacker accessed this port and launched a successful attack. What could have prevented this problem? A. Patch management processes B. Vulnerability management processes C. Configuration management processes D. Change management processes
18. D. Change management processes would ensure that changes are evaluated before being implemented to prevent unintended outages or needlessly weakening security. Patch management ensures that systems are up-to-date, vulnerability management checks systems for known vulnerabilities, and configuration management ensures that systems are deployed similarly, but these other processes wouldn't prevent problems caused by an unauthorized change.
18. What are ethics? A. Mandatory actions required to fulfill job requirements B. Laws of professional conduct C. Regulations set forth by a professional organization D. Rules of personal behavior
18. D. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.
An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident. 18. What should have been done before rebooting the web server? A. Review the incident B. Perform remediation steps C. Take recovery steps D. Gather evidence
18. D. Security personnel should have gathered evidence for possible prosecution of the attacker. However, the incident response plan wasn't published, so the server administrator was unaware of the requirement. The first response after detecting and verifying an incident is to contain the incident, but it could have been contained without rebooting the server. The lessons learned stage includes review, and it is the last stage. Remediation includes a root cause analysis to determine what allowed the incident, but this is done late in the process. In this scenario, rebooting the server performed the recovery.
19. What combination of backup strategies provides the fastest backup restoration time? A. Full backups and differential backups B. Partial backups and incremental backups C. Full backups and incremental backups D. Incremental backups and differential backups
19. A. Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required restorations may be unlimited.
An organization has a datacenter that processes highly sensitive information and is staffed 24 hours a day. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on internet sites, exposing the organization's internal sensitive data. 19. Which of the following administrator actions might have prevented this incident? A. Mark the tapes before sending them to the warehouse. B. Purge the tapes before backing up data to them. C. Degauss the tapes before backing up data to them. D. Add the tapes to an asset management database.
19. A. If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unstaffed warehouse. Purging or degaussing the tapes before using them will erase previously held data but won't help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn't prevent this incident.
19. What is the formula used to compute the single loss expectancy for a risk scenario? A. SLE = AV × EF B. SLE = RO × EF C. SLE = AV × ARO D. SLE = EF × ARO
19. A. The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.
19. What function does ARP perform? A. It is a routing protocol. B. It resolves IP addresses into MAC addresses. C. It resolves physical addresses into logical addresses. D. It manages multiplex streaming.
19. B. Address Resolution Protocol (ARP) resolves IP addresses (logical addresses) into MAC addresses (physical addresses).
19. Which AES finalist makes use of prewhitening and postwhitening techniques? A. Rijndael B. Twofish C. Blowfish D. Skipjack
19. B. The Twofish algorithm, developed by Bruce Schneier, uses prewhitening and postwhitening.
19. Which commercial business/private sector data classification is used to control information about individuals within an organization? A. Confidential B. Private C. Sensitive D. Proprietary
19. B. The commercial business/private sector data classification of private is used to protect information about individuals.
19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act? A. Honestly, diligently, responsibly, and legally B. Honorably, honestly, justly, responsibly, and legally C. Upholding the security policy and protecting the organization D. Trustworthy, loyally, friendly, courteously
19. B. The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.
19. While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information
19. B. The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.
An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks. 19. What would the consultant use to identify potential attackers? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review and audit
19. B. Threat modeling helps identify, understand, and categorize potential threats. Asset valuation identifies the value of assets, and vulnerability analysis identifies weaknesses that can be exploited by threats. An access review and audit ensures that account management practices support the security policy.
19. Which of the following is not a denial-of-service attack? A. Exploiting a flaw in a program to consume 100 percent of the CPU B. Sending malformed packets to a system, causing it to freeze C. Performing a brute-force attack against a known user account when account lockout is not present D. Sending thousands of emails to a single address
19. C. A brute-force attack is not considered a DoS.
19. What is the best type of water-based fire suppression system for a computer facility? A. Wet pipe system B. Dry pipe system C. Preaction system D. Deluge system
19. C. A preaction system is the best type of water-based fire suppression system for a computer facility.
An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident. 19. Which of the following indicates the most serious mistake the server administrator made in this incident? A. Rebooting the server B. Not reporting the incident C. Attacking the IP address D. Resetting the connection
19. C. Attacking the IP address was the most serious mistake because it is illegal in most locations. Additionally, because attackers often use spoofing techniques, it probably isn't the actual IP address of the attacker. Rebooting the server without gathering evidence and not reporting the incident were mistakes but won't have a potential lasting negative effect on the organization. Resetting the connection to isolate the incident would have been a good step if it was done without rebooting the server.
19. Which of the following is not a part of a patch management process? A. Evaluate patches. B. Test patches. C. Deploy all patches. D. Audit patches.
19. C. Only required patches should be deployed, so an organization will not deploy all patches. Instead, an organization evaluates the patches to determine which patches are needed, tests them to ensure that they don't cause unintended problems, deploys the approved and tested patches, and audits systems to ensure that patches have been applied.
19. Which one of the following is the final step of the Fagin inspection process? A. Inspection B. Rework C. Follow-up D. None of the above
19. C. The Fagin inspection process concludes with the follow-up phase.
19. What compliance obligation relates to the processing of credit card information? A. SOX B. HIPAA C. PCI DSS D. FERPA
19. C. The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.
19. What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data? A. Atomicity B. Consistency C. Isolation D. Durability
19. C. The isolation principle states that two transactions operating on the same data must be temporarily separated from each other such that one does not interfere with the other.
19. What security model has a feature that in theory has one name or label, but when implemented into a solution, takes on the name or label of the security kernel? A. Graham-Denning model B. Deployment modes C. Trusted computing base D. Chinese Wall
19. C. The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation.
19. Which one of the following encryption algorithms is now considered insecure? A. El Gamal B. RSA C. Elliptic Curve Cryptography D. Merkle-Hellman Knapsack
19. D. The Merkle-Hellman Knapsack algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.
19. Which security principle mandates that only a minimum number of operating system processes should run in supervisory mode? A. Abstraction B. Layering C. Data hiding D. Least privilege
19. D. The principle of least privilege states that only processes that absolutely need kernellevel access should run in supervisory mode. The remaining processes should run in user mode to reduce the number of potential security vulnerabilities.
An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he's had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter. 19. Which of the following basic principles was violated during the administrator's employment? A. Implicit deny B. Loss of availability C. Defensive privileges D. Least privilege
19. D. The principle of least privilege was violated because he retained privileges from all his previous administrator positions in different divisions. Implicit deny ensures that only access that is explicitly granted is allowed, but the administrator was explicitly granted privileges. While the administrator's actions could have caused loss of availability, loss of availability isn't a basic principle. Defensive privileges aren't a valid security principle.
2. What is system accreditation? A. Formal acceptance of a stated system configuration B. A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards C. Acceptance of test results that prove the computer system enforces the security policy D. The process to specify secure communication between machines
2. A. Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy, and accreditation does not entail secure communication specification.
2. John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message? A. Nonrepudiation B. Confidentiality C. Availability D. Integrity
2. A. Nonrepudiation prevents the sender of a message from later denying that they sent it.
2. Which law governs information security operations at federal agencies? A. FISMA B. FERPA C. CFAA D. ECPA
2. A. The Federal Information Security Management Act (FISMA) includes provisions regulating information security at federal agencies. It places authority for classified systems in the hands of the National Security Agency (NSA) and authority for all other systems with the National Institute for Standards and Technology (NIST).
2. When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.
2. A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.
2. Vulnerabilities and risks are evaluated based on their threats against which of the following? A. One or more of the CIA Triad principles B. Data usefulness C. Due care D. Extent of liability
2. A. Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.
2. List three elements to identify when attempting to identify and prevent access control attacks.
2. Assets, threats, and vulnerabilities should be identified through asset valuation, threat modeling, and vulnerability analysis.
2. What is the main purpose of a military and intelligence attack? A. To attack the availability of military systems B. To obtain secret and restricted information from military or law enforcement sources C. To utilize military or intelligence agency systems to attack other nonmilitary sites D. To compromise military systems for use in attacks against other systems
2. B. A military and intelligence attack is targeted at the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.
2. What method can be used to map out the needs of an organization for a new facility? A. Log file audit B. Critical path analysis C. Risk analysis D. Inventory
2. B. Critical path analysis can be used to map out the needs of an organization for a new facility. A critical path analysis is the process of identifying relationships between missioncritical applications, processes, and operations and all of the supporting elements.
2. When determining the classification of data, which one of the following is the most important consideration? A. Processing system B. Value C. Storage media D. Accessibility
2. B. Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.
2. What is encapsulation? A. Changing the source and destination addresses of a packet B. Adding a header and footer to data as it moves down the OSI stack C. Verifying a person's identity D. Protecting evidence until it has been properly collected
2. B. Encapsulation is adding a header and footer to data as it moves down the OSI stack.
2. Bob is developing a software application and has a field where users may enter a date. He wants to ensure that the values provided by the users are accurate dates to prevent security issues. What technique should Bob use? A. Polyinstantiation B. Input validation C. Contamination D. Screening
2. B. Input validation ensures that the input provided by users matches the design parameters.
2. What technology provides an organization with the best control over BYOD equipment? A. Application whitelisting B. Mobile device management C. Encrypted removable storage D. Geotagging
2. B. Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Not all mobile devices support removable storage, and even fewer support encrypted removable storage. Geotagging is used to mark photos and social network posts, not for BYOD management. Application whitelisting may be an element of BYOD management but is only part of a full MDM solution.
2. You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use? A. Internet B. DMZ C. Intranet D. Sandbox
2. B. The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.
2. Once the BCP team is selected, what should be the first item placed on the team's agenda? A. Business impact assessment B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment
2. B. The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.
2. Which one of the following is an example of a man-made disaster? A. Tsunami B. Earthquake C. Power outage D. Lightning strike
2. C. A power outage is an example of a man-made disaster. The other events listed— tsunamis, earthquakes, and lightning strikes—are all naturally occurring events.
2. What is the intent of least privilege? A. Enforce the most restrictive rights required by users to run system processes. B. Enforce the least restrictive rights required by users to run system processes. C. Enforce the most restrictive rights required by users to complete assigned tasks. D. Enforce the least restrictive rights required by users to complete assigned tasks.
2. C. The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don't execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.
2. Which of the following is true related to a subject? A. A subject is always a user account. B. The subject is always the entity that provides or hosts the information or data. C. The subject is always the entity that receives information about or data from an object. D. A single entity can never change roles between subject and object.
2. C. The subject is active and is always the entity that receives information about, or data from, the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.
2. Tunnel connections can be established over all except for which of the following? A. WAN links B. LAN pathways C. Dial-up connections D. Stand-alone systems
2. D. A stand-alone system has no need for tunneling because no communications between systems are occurring and no intermediary network is present.
2. Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the greatest cause for alarm? A. 80/open B. 22/filtered C. 443/open D. 1433/open
2. D. Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network.
2. Which of the following would security personnel do during the remediation stage of an incident response? A. Contain the incident B. Collect evidence C. Rebuild system D. Root cause analysis
2. D. Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem. After discovering the cause, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence is done early in the incident response process. Rebuilding a system may be needed during the recovery stage.
2. An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users in the organization? A. Read B. Modify C. Full access D. No access
2. D. The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job, and the question doesn't indicate that new users need any access to the database. Read access, modify access, and full access grants users some level of access, which violates the principle of least privilege.
2. What is the problem with halon-based fire suppression technology?
2. Halon degrades into toxic gases at 900 degrees Fahrenheit. Also, it is not environmentally friendly (it is an ozone-depleting substance). Recycled halon is available, but production of halon ceased in developed countries in 2003. Halon is often replaced by a more ecologically friendly and less toxic medium.
2. Describe the differences between identification, authentication, authorization, and accountability.
2. Identification occurs when a subject claims an identity, such as with a username. Authentication occurs when the subject provides information to verify the claimed identity is the subject's identity. For example, a user can provide the correct password matched to the user's name. Authorization is the process of granting the subject rights and permissions based on the subject's proven identity. Accountability is accomplished by logging actions of subjects and is reliable only if the identification and authentication processes are strong and secure.
2. Describe the primary types of intrusion detection systems.
2. Intrusion detection systems can be described as host based or network based, based on their detection methods (knowledge based or behavior based), and based on their responses (passive or active). Host-based IDSs examine events on individual computers in great detail, including file activities, accesses, and processes. Network-based IDSs examine general network events and anomalies through traffic evaluation. A knowledge-based IDS uses a database of known attacks to detect intrusions. A behavior-based IDS starts with a baseline of normal activity and measures network activity against the baseline to identify abnormal activity. A passive response will log the activity and often provide a notification. An active response directly responds to the intrusion to stop or block the attack.
2. Name the common methods used to manage sensitive information.
2. Managing sensitive information includes properly marking, handling, storing, and destroying it based on its classification.
2. Discuss the benefits of NAT.
2. Network Address Translation (NAT) allows for the identity of internal systems to be hidden from external entities. Often NAT is used to translate between RFC 1918 private IP addresses and leased public addresses. NAT serves as a one-way firewall because it allows only inbound traffic that is a response to a previous internal query. NAT also allows a few leased public addresses to be used to grant internet connectivity to a larger number of internal systems.
2. Name three problems with cabling and the methods to counteract those issues.
2. Problems with cabling and their countermeasures include attenuation (use repeaters or don't violate distance recommendations), using the wrong CAT cable (check the cable specifications against throughput requirements, and err on the side of caution), crosstalk (use shielded cables, place cables in separate conduits, or use cables of different twists per inch), cable breaks (avoid running cables in locations where movement occurs), interference (use cable shielding, use cables with higher twists per inch, or switch to fiber-optic cables), and eavesdropping (maintain physical security over all cable runs or switch to fiber-optic cables).
2. Describe the best method to sanitize SSDs.
2. Solid state drives (SSDs) should be destroyed (such as with a disintegrator) to sanitize them. Traditional methods used for hard drives are not reliable. While it doesn't sanitize the drives, encrypting all data stored on the drive does provide an extra layer of protection.
2. What are some common questions that organizations should ask when considering outsourcing information storage, processing, or transmission?
2. Some common questions that organizations may ask about outsourced service providers are as follows: ■ What types of sensitive information are stored, processed, or transmitted by the vendor? ■ What controls are in place to protect the organization's information? ■ How is our organization's information segregated from that of other clients? ■ If encryption is relied on as a security control, what encryption algorithms and key lengths are used? How is key management handled? ■ What types of security audits does the vendor perform, and what access does the client have to those audits? ■ Does the vendor rely on any other third parties to store, process, or transmit data? How do the provisions of the contract related to security extend to those third parties? ■ Where will data storage, processing, and transmission take place? If outside the home country of the client and/or vendor, what implications does that have? ■ What is the vendor's incident response process and when will clients be notified of a potential security breach? ■ What provisions are in place to ensure the ongoing integrity and availability of client data?
2. What is wrong with the "seat-of-the-pants" approach to business continuity planning?
2. The "seat-of-the-pants" approach is an excuse used by individuals who do not want to invest time and money in the proper creation of a BCP. This can lead to catastrophe when a firmly laid plan isn't in place to guide the response during a stressful emergency situation.
2. Encrypt the message "I will pass the CISSP exam and become certified next month" using columnar transposition with the keyword SECURE.
2. The first step in encrypting this message requires the assignment of numeric column values to the letters of the secret keyword: S E C U R E 5 2 1 6 4 3 Next, the letters of the message are written in order underneath the letters of the keyword: S E C U R E 5 2 1 6 4 3 I W I L L P A S S T H E C I S S P E X A M A N D B E C O M E C E R T I F I E D N E X T M O N T H Finally, the sender enciphers the message by reading down each column; the order in which the columns are read corresponds to the numbers assigned in the first step. This produces the following ciphertext: I S S M C R D O W S I A E E E M P E E D E F X H L H P N M I E T I A C X B C I T L T S A O T N N
2. What are the basic formulas used in quantitative risk assessment?
2. The formulas are as follows: SLE = AV * EF ARO = # / yr ALE = SLE * ARO Cost/benefit = (ALE1 - ALE2) - ACS
2. What are the four security modes for systems processing classified information?
2. The four security modes are dedicated, system high, compartmented, and multilevel.
2. Describe the primary components of TCB.
2. The primary components of the trusted computing base (TCB) are the hardware and software elements used to enforce the security policy (these elements are called the TCB), the security perimeter distinguishing and separating TCB components from non-TCB components, and the reference monitor that serves as an access control device across the security perimeter.
2. What are the requirements to hold a person accountable for the actions of their user account?
2. The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.
2. What are the three port status values returned by the nmap network discovery scanning tool?
2. The three possible port status values returned by nmap are as follows: ■ Open—The port is open on the remote system and there is an application that is actively accepting connections on that port. ■ Closed—The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port. ■ Filtered—Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
2. List and explain the five types of disaster recovery tests.
2. There are five main types of disaster recovery tests: ■ Read-through tests involve the distribution of recovery checklists to disaster recovery personnel for review. ■ Structured walk-throughs are "tabletop" exercises that involve assembling the disaster recovery team to discuss a disaster scenario. ■ Simulation tests are more comprehensive and may impact one or more noncritical business units of the organization. ■ Parallel tests involve relocating personnel to the alternate site and commencing operations there. ■ Full-interruption tests involve relocating personnel to the alternate site and shutting down operations at the primary site.
2. What is the main motivation behind a thrill attack?
2. Thrill attacks are motivated by individuals seeking to achieve the "high" associated with successfully breaking into a computer system.
2. Explain how an attacker might construct a rainbow table.
2. To construct a rainbow table, the attacker follows this process: 1. Obtain or develop a list of commonly used passwords. 2. Determine the hashing function used by the password mechanism. 3. Compute the hash value of each password on the commonly used list and store it with the password. The result of this operation is the rainbow table.
20. What information security management task ensures that the organization's data protection requirements are met effectively? A. Account management B. Backup verification C. Log review D. Key performance indicators
20. B. The backup verification process ensures that backups are running properly and thus meeting the organization's data protection objectives.
An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks.20. Management wants to ensure that the consultant has the correct priorities while doing her research. Of the following, what should be provided to the consultant to meet this need? A. Asset valuation B. Threat modeling results C. Vulnerability analysis reports D. Audit trails
20. A. Asset valuation identifies the actual value of assets so that they can be prioritized. For example, it will identify the value of the company's reputation from the loss of customer data compared with the value of the secret data stolen by the malicious employee. None of the other answers is focused on high-value assets. Threat modeling results will identify potential threats. Vulnerability analysis identifies weaknesses. Audit trails are useful to recreate events leading up to an incident.
20. Which security principle takes the concept of process isolation and implements it using physical controls? A. Hardware segmentation B. Data hiding C. Layering D. Abstraction
20. A. Hardware segmentation achieves the same objectives as process isolation but takes them to a higher level by implementing them with physical controls in hardware.
20. What authentication protocol offers no encryption or protection for logon credentials? A. PAP B. CHAP C. SSL D. RADIUS
20. A. Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It simply provides a means to transport the logon credentials from the client to the authentication server.
20. What act updated the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA)? A. HITECH B. CALEA C. CFAA D. CCCA
20. A. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 amended the privacy and security requirements of HIPAA.
An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident. 20. What was missed completely in this incident? A. Lessons learned B. Detection C. Response D. Recovery
20. A. The administrator did not report the incident so there was no opportunity to perform a lessons learned step. It could be the incident occurred because of a vulnerability on the server, but without an examination, the exact cause won't be known unless the attack is repeated. The administrator detected the event and responded (though inappropriately). Rebooting the server is a recovery step. It's worth mentioning that the incident response plan was kept secret and the server administrator didn't have access to it and so likely does not know what the proper response should be.
20. What does IPsec define? A. All possible security classifications for a specific configuration B. A framework for setting up a secure communication channel C. The valid transition states in the Biba model D. TCSEC security categories
20. B. IPsec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.
20. How many encryption keys are required to fully implement an asymmetric algorithm with 10 participants? A. 10 B. 20 C. 45 D. 100
20. B. In an asymmetric algorithm, each participant requires two keys: a public key and a private key.
20. What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? A. Structured walk-through B. Parallel test C. Full-interruption test D. Simulation test
20. B. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.
An organization has a datacenter that processes highly sensitive information and is staffed 24 hours a day. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on internet sites, exposing the organization's internal sensitive data. 20. Of the following choices, what policy was not followed regarding the backup media? A. Media destruction B. Record retention C. Configuration management D. Versioning
20. B. Personnel did not follow the record retention policy. The scenario states that administrators purge onsite email older than six months to comply with the organization's security policy, but offsite backups included backups for the last 20 years. Personnel should follow media destruction policies when the organization no longer needs the media, but the issue here is the data on the tapes. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning is applied to applications, not backup tapes.
20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, "Ethics and the Internet"? A. Actions that compromise the privacy of classified information B. Actions that compromise the privacy of users C. Actions that disrupt organizational activities D. Actions in which a computer is used in a manner inconsistent with a stated security policy
20. B. RFC 1087 does not specifically address the statements in A, C, or D. Although each type of activity listed is unacceptable, only "actions that compromise the privacy of users" are explicitly identified in RFC 1087.
20. Servers within your organization were recently attacked causing an excessive outage. You are asked to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need? A. Versioning tracker B. Vulnerability scanner C. Security audit D. Security review
20. B. Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn't directly check systems for vulnerabilities.
20. What form of infrastructure mode wireless networking deployment supports large physical environments through the use of a single SSID but numerous access points? A. Stand-alone B. Wired extension C. Enterprise extension D. Bridge
20. C. Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.
20. Data classifications are used to focus security controls over all but which of the following? A. Storage B. Processing C. Layering D. Transfer
20. C. Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.
20. Which of the following is not part of the access control relationship of the Clark-Wilson model? A. Object B. Interface C. Programming language D. Subject
20. C. The three parts of the Clark-Wilson model's access control relationship (aka access triple) are subject, object, and program (or interface).
20. Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer D. Business continuity manager
20. C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.
20. You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? A. Exposure factor B. Single loss expectancy (SLE) C. Asset value D. Annualized rate of occurrence
20. D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.
An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he's had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter. 20. What could have discovered problems with this user's account while he was employed? A. Policy requiring strong authentication B. Multifactor authentication C. Logging D. Account review
20. D. Account review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication methods) would not have prevented the problems in this scenario. Logging could have recorded activity, but a review is necessary to discover the problems.
20. Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression? A. Heat B. Suppression medium C. Smoke D. Light
20. D. Light is usually not damaging to most computer equipment, but fire, smoke, and the suppression medium (typically water) are very destructive.
3. Describe the three primary authentication factor types.
3. A Type 1 authentication factor is something you know. A Type 2 authentication factor is something you have. A Type 3 authentication factor is something you are.
3. Which of the following are DoS attacks? (Choose three.) A. Teardrop B. Smurf C. Ping of death D. Spoofing
3. A, B, C. Teardrop, smurf, and ping of death are all types of denial-of-service (DoS) attacks. Attackers use spoofing to hide their identity in a variety of attacks, but spoofing is not an attack by itself. Note that this question is an example that can easily be changed to a negative type of question such as "Which of the following is not a DoS attack?"
3. Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring? A. Preventive B. Detective C. Corrective D. Authoritative
3. A. A preventive access control helps stop an unwanted or unauthorized activity from occurring. Detective controls discover the activity after it has occurred, and corrective controls attempt to reverse any problems caused by the activity. Authoritative isn't a valid type of access control.
3. You have three applications running on a single-core single-processor system that supports multitasking. One of those applications is a word processing program that is managing two threads simultaneously. The other two applications are using only one thread of execution. How many application threads are running on the processor at any given time? A. One B. Two C. Three D. Four
3. A. A single-processor system can operate on only one thread at a time. There would be a total of four application threads (ignoring any threads created by the operating system), but the operating system would be responsible for deciding which single thread is running on the processor at any given time.
3. What type of attack targets proprietary information stored on a civilian organization's system? A. Business attack B. Denial-of-service attack C. Financial attack D. Military and intelligence attack
3. A. Confidential information that is not related to the military or intelligence agencies is the target of business attacks. The ultimate goal could be destruction, alteration, or disclosure of confidential information.
3. What is the term used to describe the responsibility of a firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility
3. C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.
3. Which of the following statements best describes why separation of duties is important for security purposes? A. It ensures that multiple people can do the same job. B. It prevents an organization from losing important information when they lose important people. C. It prevents any single IT security person from making major security changes without involving other individuals. D. It helps employees concentrate their talents where they will be most useful.
3. C. A separation of duties policy prevents a single person from controlling all elements of a process, and when applied to security settings, it can prevent a person from making major security changes without assistance. Job rotation helps ensure that multiple people can do the same job and can help prevent the organization from losing information when a single person leaves. Having employees concentrate their talents is unrelated to separation of duties.
3. is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic. A. UDP B. IDEA C. IPsec D. SDLC
3. C. IPsec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.
3. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key
3. C. Richard must encrypt the message using Sue's public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard's private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard's freely available public key. Richard could not encrypt the message using Sue's private key because he does not have access to it. If he did, any user could decrypt it using Sue's freely available public key.
3. What portion of the change management process allows developers to prioritize tasks? A. Release control B. Configuration control C. Request control D. Change audit
3. C. The request control provides users with a framework to request changes and developers with the opportunity to prioritize those requests.
3. Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system? A. Sensitivity of the information stored on the system B. Difficulty of performing the test C. Desire to experiment with new testing tools D. Desirability of the system to attackers
3. C. The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.
3. What are the main differences between circuit switching and packet switching?
3. Circuit switching is usually associated with physical connections. The link itself is physically established and then dismantled for the communication. Circuit switching offers known fixed delays, supports constant traffic, is connection oriented, is sensitive only to the loss of the connection rather than the communication, and was most often used for voice transmissions. Packet switching is usually associated with logical connections because the link is just a logically defined path among possible paths. Within a packetswitching system, each system or link can be employed simultaneously by other circuits. Packet switching divides the communication into segments, and each segment traverses the circuit to the destination. Packet switching has variable delays because each segment could take a unique path, is usually employed for bursty traffic, is not physically connection oriented but often uses virtual circuits, is sensitive to the loss of data, and is used for any form of communication.
3. What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A. Criminal law B. Common law C. Civil law D. Administrative law
3. D. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.
3. Which of the following answers would not be included as sensitive data? A. Personally identifiable information (PII) B. Protected health information (PHI) C. Proprietary data D. Data posted on a website
3. D. Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.
3. According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity? A. 20 percent B. 40 percent C. 60 percent D. 80 percent
3. D. Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.
3. Explain the differences between the three types of backup strategies discussed in this chapter.
3. Full backups create a copy of all data stored on a server. Incremental backups create copies of all files modified since the last full or incremental backup. Differential backups create copies of all files modified since the last full backup without regard to any previous differential or incremental backups that may have taken place.
3. What are the actions an antivirus software package might take when it discovers an infected file?
3. If possible, antivirus software may try to disinfect an infected file, removing the virus's malicious code. If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.
3. What is the difference between an interview and an interrogation?
3. Interviews are conducted with the intention of gathering information from individuals to assist with your investigation. Interrogations are conducted with the intent of gathering evidence from suspects to be used in a criminal prosecution.
3. Describe the purpose of monitoring the assignment and usage of special privileges.
3. Monitoring the assignment of special privileges detects when individuals are granted higher privileges such as when they are added to an administrator account. It can detect when unauthorized entities are granted higher privileges. Monitoring the usage of special privileges detects when entities are using higher privileges, such as creating unauthorized accounts, accessing or deleting logs, and creating automated tasks. This monitoring can detect potential malicious insiders and remote attackers.
3. Describe pseudonymization.
3. Pseudonymization is the process of replacing data with pseudonyms. In this context, pseudonyms are artificial identifiers, which the General Data Protection Regulation (GDPR) refers to as pseudonyms. The GDPR recommends the use of pseudonyms to reduce the possibility of data identifying an individual.
3. What is the difference between quantitative and qualitative risk assessment?
3. Quantitative risk assessment involves using numbers and formulas to make a decision. Qualitative risk assessment includes expertise instead of numeric measures, such as emotions, investor/consumer confidence, and workforce stability.
3. What are some common steps that employers take to notify employees of system monitoring?
3. Some common steps that employers take to notify employees of monitoring include clauses in employment contracts that state that the employee should have no expectation of privacy while using corporate equipment, similar written statements in corporate acceptable use and privacy policies, logon banners warning that all communications are subject to monitoring, and labels on computers and telephones warning of monitoring.
3. What are the various technologies employed by wireless devices to maximize their use of the available radio frequencies?
3. Some of the frequency spectrum-use technologies are spread spectrum, Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency-Division Multiplexing (OFDM).
3. Explain the difference between static and dynamic analysis of application code.
3. Static analysis performs assessment of the code itself, analyzing the sequence of instructions for security flaws. Dynamic analysis tests the code in a live production environment, searching for runtime flaws.
3. What is the difference between static and dynamic code testing techniques?
3. Static software testing techniques, such as code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application. Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
3. Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment.
3. The Delphi technique is an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants. The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper anonymously. The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached.
3. Describe the benefits of change control management.
3. The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.
3. Name the three pairs of aspects or features used to describe storage.
3. The three pairs of aspects or features used to describe storage are primary vs. secondary, volatile vs. nonvolatile, and random vs. sequential.
3. What are the two primary rules or principles of the Bell-LaPadula security model? Also, what are the two rules of Biba?
3. The two primary rules of Bell-LaPadula are the simple rule of no read-up and the star rule of no write-down. The two rules of Biba are the simple rule of no read-down and the star rule of no write-up.
3. Decrypt the message "F R Q J U D W X O D W L R Q V B R X J R W L W" using the Caesar ROT3 substitution cipher.
3. This message is decrypted by using the following function: P = (C - 3) mod 26 C: F R Q J U D W X O D W L R Q V B R X J R W L W P: C O N G R A T U L A T I O N S Y O U G O T I T The hidden message is "Congratulations You Got It." Congratulations, you got it!
4. What are the seven major steps or phases in the implementation of a classification scheme?
4. (1) Identify the custodian, and define their responsibilities. (2) Specify the evaluation criteria of how the information will be classified and labeled. (3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it. (4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria. (5) Select the security controls that will be applied to each classification level to provide the necessary level of protection. (6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. (7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.
4. Identify the differences between a salt and a pepper (used when hashing a password).
4. A salt is different for every password in a database. A pepper is the same for every password in a database. Salts for passwords are stored in the same database as the hashed passwords. A pepper is stored somewhere external to the database such as in application code or as a configuration setting for a server.
4. What type of federal government computing system requires that all individuals accessing the system have a need to know all of the information processed by that system? A. Dedicated B. System high C. Compartmented D. Multilevel
4. A. In a dedicated system, all users must have a valid security clearance for the highest level of information processed by the system, they must have access approval for all information processed by the system, and they must have a valid need to know of all information processed by the system.
4. When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee's network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until you and the employee are the only people remaining in the building before announcing the termination.
4. B. You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.
4. How does a SYN flood attack work? A. Exploits a packet processing glitch in Windows systems B. Uses an amplification network to flood a victim with packets C. Disrupts the three-way handshake used by TCP D. Sends oversized ping packets to a victim
4. C. A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.
4. Which best describes a confined or constrained process? A. A process that can run only for a limited time B. A process that can run only during certain times of the day C. A process that can access only certain memory locations D. A process that controls access to an object
4. C. A constrained process is one that can access only certain memory locations. Options A, B, and D do not describe a constrained process.
4. Which of the following is not considered a violation of confidentiality? A. Stealing passwords B. Eavesdropping C. Hardware destruction D. Social engineering
4. C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.
4. What approach to failure management places the system in a high level of security? A. Fail-open B. Fail mitigation C. Fail-secure D. Fail clear
4. C. In a fail-secure state, the system remains in a high level of security until an administrator intervenes.
4. Which one of the following is not normally included in a security assessment? A. Vulnerability scan B. Risk assessment C. Mitigation of vulnerabilities D. Threat assessment
4. C. Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.
4. Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information? A. National Security Agency B. Federal Bureau of Investigation C. National Institute of Standards and Technology D. Secret Service
4. C. The National Institute of Standards and Technology (NIST) is charged with the security management of all federal government computer systems that are not used to process sensitive national security information. The National Security Agency (part of the Department of Defense) is responsible for managing systems that do process classified and/or sensitive information.
4. If a 2,048-bit plaintext message were encrypted with the El Gamal public key cryptosystem, how long would the resulting ciphertext message be? A. 1,024 bits B. 2,048 bits C. 4,096 bits D. 8,192 bits
4. C. The major disadvantage of the El Gamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plain-text message would yield a 4,096-bit ciphertext message when El Gamal is used for the encryption process.
4. What is the most important aspect of marking media? A. Date labeling B. Content description C. Electronic labeling D. Classification
4. D. Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn't as important as marking the classification. Electronic labels or marks can be used, but they are applied to the files, not the media, and when they are used, it is still important to mark the media.
4. What will be the major resource consumed by the BCP process during the BCP phase? A. Hardware B. Software C. Processing time D. Personnel
4. D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.
4. Which of the following is not a security-focused design element of a facility or site? A. Separation of work and visitor areas B. Restricted access to areas with higher value or importance C. Confidential assets located in the heart or center of a facility D. Equal access to all locations within a facility
4. D. Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it.
4. Who, or what, grants permissions to users in a DAC model? A. Administrators B. Access control list C. Assigned labels D. The data custodian
4. D. The data custodian (or owner) grants permissions to users in a Discretionary Access Control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The Mandatory Access Control (MAC) model uses labels.
4. Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.
4. Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system. If a file infector virus strikes the system, this would result in a change in the affected file's hash value and would, therefore, trigger a file integrity alert.
4. What are some security issues with email and options for safeguarding against them?
4. Email is inherently insecure because it is primarily a plaintext communication medium and employs non-encrypted transmission protocols. This allows for email to be easily spoofed, spammed, flooded, eavesdropped on, interfered with, and hijacked. Defenses against these issues primarily include having stronger authentication requirements and using encryption to protect the content while in transit.
4. Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?
4. Risk assessment often involves a hybrid approach using both quantitative and qualitative methods. A purely quantitative analysis is not possible; not all elements and aspects of the analysis can be quantified because some are qualitative, some are subjective, and some are intangible. Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis is essential. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis.
4. Describe the difference between scoping and tailoring.
4. Scoping refers to reviewing a list of baseline security controls and selecting only those controls that apply to the IT system you're trying to protect. Tailoring refers to modifying the list of selected baseline controls for some systems that have different requirements.
4. Name some vulnerabilities found in distributed architectures.
4. Some vulnerabilities found in distributed architecture include sensitive data found on desktops/terminals/notebooks, lack of security understanding among users, greater risk of physical component theft, compromise of a client leading to the compromise of the whole network, greater risk from malware because of user-installed software and removable media, and data on clients less likely to be included in backups.
4. What critical components should be included in your business continuity training plan?
4. The BCP training plan should include a plan overview briefing for all employees and specific training for individuals with direct or indirect involvement. In addition, backup personnel should be trained for each key BCP role.
4. List the three primary cloud-based service models and identify the level of maintenance provided by the cloud service provider in each of the models. 5. How do change management processes help prevent outages?
4. The three models are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). The cloud service provider (CSP) provides the most maintenance and security services with SaaS, less with PaaS, and the least with IaaS. While NIST SP 800-144 provides these definitions, CSPs sometimes use their own terms and definitions in marketing materials. 5. Change management processes help prevent outages by ensuring that proposed changes are reviewed and tested before being deployed. They also ensure that changes are documented.
4. What are the three basic requirements that evidence must meet in order to be admissible in court?
4. To be admissible, evidence must be reliable, competent, and material to the case.
5. Which of the following models is also known as an identity-based access control model? A. DAC B. RBAC C. Rule-based access control D. MAC
5. A. A Discretionary Access Control (DAC) model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The Role Based Access Control (RBAC) model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The Mandatory Access Control (MAC) model uses assigned labels to identify access.
5. Which of the following does not need to be true in order to maintain the most efficient and secure server room? A. It must be human compatible. B. It must include the use of nonwater fire suppressants. C. The humidity must be kept between 40 and 60 percent. D. The temperature must be kept between 60 and 75 degrees Fahrenheit.
5. A. A computer room does not need to be human compatible to be efficient and secure. Having a human-incompatible server room provides a greater level of protection against attacks.
5. A financial organization commonly has employees switch duty responsibilities every six months. What security principle are they employing? A. Job rotation B. Separation of duties C. Mandatory vacations D. Least privilege
5. A. A job rotation policy has employees rotate jobs or job responsibilities and can help detect incidences of collusion and fraud. A separation of duties policy ensures that a single person doesn't control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their job, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their job and no more.
5. Which of the following best expresses the primary goal when controlling access to assets? A. Preserve confidentiality, integrity, and availability of systems and data. B. Ensure that only valid objects can authenticate on a system. C. Prevent unauthorized access to subjects. D. Ensure that all subjects are authenticated.
5. A. A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication is important as a first step in access control, but much more is needed to protect assets.
5. What is an access object? A. A resource a user or process wants to access B. A user or process that wants to access a resource C. A list of valid access rules D. The sequence of valid access types
5. A. An object is a resource a user or process wants to access. Option A describes an access object.
5. What advanced virus technique modifies the malicious code of a virus on each system it infects? A. Polymorphism B. Stealth C. Encryption D. Multipartitism
5. A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.
5. Who is the intended audience for a security assessment report? A. Management B. Security auditor C. Security professional D. Customers
5. A. Security assessment reports should be addressed to the organization's management. For this reason, they should be written in plain English and avoid technical jargon.
5. Which one of the following is not a possible key length for the Advanced Encryption Standard Rijndael cipher? A. 56 bits B. 128 bits C. 192 bits D. 256 bits
5. A. The Rijndael cipher allows users to select a key length of 128, 192, or 256 bits, depending on the specific security requirements of the application.
5. Acme Widgets currently uses a 1,024-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If it wants to maintain the same cryptographic strength, what ECC key length should it use? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits
5. A. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 1,024-bit RSA key is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.
5. What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment? A. Monetary B. Utility C. Importance D. Time
5. A. The quantitative portion of the priority identification should assign asset values in monetary units.
5. Which one of the following attacks is most indicative of a terrorist attack? A. Altering sensitive trade secret documents B. Damaging the ability to communicate and respond to a physical attack C. Stealing unclassified information D. Transferring funds to other countries
5. B. A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack.
5. A web server hosted on the internet was recently attacked, exploiting a vulnerability in the operating system. The operating system vendor assisted in the incident investigation and verified that the vulnerability was not previously known. What type of attack was this? A. Botnet B. Zero-day exploit C. Denial of service D. Distributed denial of service
5. B. A zero-day exploit takes advantage of a previously unknown vulnerability. A botnet is a group of computers controlled by a bot herder that can launch attacks, but they can exploit both known vulnerabilities and previously unknown vulnerabilities. Similarly, denial-ofservice (DoS) and distributed DoS (DDoS) attacks could use zero-day exploits or use known methods.
5. Which one of the following controls provides fault tolerance for storage devices? A. Load balancing B. RAID C. Clustering D. HA pairs
5. B. Redundant arrays of inexpensive disks (RAID) are fault tolerance controls that allow an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and HA pairs are all fault tolerance services designed for servers, not storage.
5. What software development model uses a seven-stage approach with a feedback loop that allows progress one step backward? A. Boyce-Codd B. Waterfall C. Spiral D. Agile
5. B. The waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the previous phase to correct defects discovered during the subsequent phase.
5. If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security? A. Asset identification B. Third-party governance C. Exit interview D. Qualitative analysis
5. B. Third-party governance is the application of security oversight on third parties that your organization relies on.
5. What is a security risk of an embedded system that is not commonly found in a standard PC? A. Software flaws B. Access to the internet C. Control of a mechanism in the physical world D. Power loss
5. C. Because an embedded system is in control of a mechanism in the physical world, a security breach could cause harm to people and property. This typically is not true of a standard PC. Power loss, internet access, and software flaws are security risks of both embedded systems and standard PCs.
5. Which would an administrator do to classified media before reusing it in a less secure environment? A. Erasing B. Clearing C. Purging D. Overwriting
5. C. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.
5. What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? A. Government-owned systems B. Federal interest systems C. Systems used in interstate commerce D. Systems located in the United States
5. C. The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.
5. Which of the following is not true? A. Violations of confidentiality include human error. B. Violations of confidentiality include management oversight. C. Violations of confidentiality are limited to direct intentional attacks. D. Violations of confidentiality can occur when a transmission is not properly encrypted.
5. C. Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.
5. Which of the following is not an example of network segmentation? A. Intranet B. DMZ C. Extranet D. VPN
5. D. A VPN is a secure tunnel used to establish connections across a potentially insecure intermediary network. Intranet, extranet, and DMZ are examples of network segmentation.
5. Which of the following cannot be linked over a VPN? A. Two distant internet-connected LANs B. Two systems on the same LAN C. A system connected to the internet and a LAN connected to the internet D. Two systems without an intermediary network connection
5. D. An intermediary network connection is required for a VPN link to be established.
5. Name the LAN shared media access technologies and examples of their use, if known.
5. The LAN shared media access technologies are CSMA, CSMA/CA (used by 802.11 and AppleTalk), CSMA/CD (used by Ethernet), token passing (used by Token Ring and FDDI/ CDDI), and polling (used by SDLC, HDLC, and some mainframe systems).
6. Which of the following describes a community cloud? A. A cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange B. A cloud service within a corporate network and isolated from the internet C. A cloud service that is accessible to the general public typically over an internet connection D. A cloud service that is partially hosted within an organization for private use and that uses external services to offer resources to outsiders
6. A. A community cloud is a cloud environment maintained, used, and paid for by a group of users or organizations for their shared benefit, such as collaboration and data exchange. A private cloud is a cloud service within a corporate network and isolated from the internet. A public cloud is a cloud service that is accessible to the general public typically over an internet connection. A hybrid cloud is a cloud service that is partially hosted within an organization for private use and that uses external services to offer recourses to outsiders.
6. What form of access control is concerned primarily with the data stored by a field? A. Content-dependent B. Context-dependent C. Semantic integrity mechanisms D. Perturbation
6. A. Content-dependent access control is focused on the internal data of each field.
6. Which one of the following tools provides a solution to the problem of users forgetting complex passwords? A. LastPass B. Crack C. Shadow password files D. Tripwire 946 Chapter 21 ■ Malicious Code and Application Attacks
6. A. LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.
6. Which one of the following cannot be achieved by a secret key cryptosystem? A. Nonrepudiation B. Confidentiality Review Questions 233 C. Authentication D. Key distribution
6. A. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message.
6. Of the following choices, which is the most common method of distributing malware? A. Drive-by downloads B. USB flash drives C. Ransomware D. Unapproved software
6. A. Of the choices offered, drive-by downloads are the most common distribution method for malware. USB flash drives can be used to distribute malware, but this method isn't as common as drive-by downloads. Ransomware is a type of malware infection, not a method of distributing malware. If users can install unapproved software, they may inadvertently install malware, but all unapproved software isn't malware.
6. John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this particular message be? A. 160 bits B. 512 bits C. 1,024 bits D. 2,048 bits
6. A. The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of the input message. In fact, this fixed-length output is a requirement of any secure hashing algorithm.
6. Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy? A. To rotate job responsibilities B. To detect fraud C. To increase employee productivity D. To reduce employee stress levels
6. B. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their job, requiring someone else to perform their job responsibilities, and this increases the likelihood of discovering fraud. It does not rotate job responsibilities. While mandatory vacations might help employees reduce their overall stress levels, and in turn increase productivity, these are not the primary reasons for mandatory vacation policies.
6. What is a field-powered technology that can be used for inventory management without requiring direct physical contact? A. IPX B. RFID C. SSID D. SDN 518
6. B. Radio-frequency identification (RFID) is a tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field. RFID can be triggered/powered and read from a considerable distance away (often hundreds of meters).
6. What is needed to allow an external client to initiate a communication session with an internal system if the network uses a NAT proxy? A. IPsec tunnel B. Static mode NAT C. Static private IP address D. Reverse DNS
6. B. Static mode NAT is needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy.
6. What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A. Privacy Act B. Fourth Amendment Review Questions 155 C. Second Amendment D. Gramm-Leach-Bliley Act
6. B. The Fourth Amendment to the U.S. Constitution sets the "probable cause" standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.
6. Beth would like to run an nmap scan against all of the systems on her organization's private network. These include systems in the 10.0.0.0 private address space. She would like to scan this entire private address space because she is not certain what subnets are used. What network address should Beth specify as the target of her scan? A. 10.0.0.0/0 B. 10.0.0.0/8 C. 10.0.0.0/16 D. 10.0.0.0/24
6. B. The use of an 8-bit subnet mask means that the first octet of the IP address represents the network address. In this case, that means 10.0.0.0/8 will scan any IP address beginning with 10.
6. Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media? A. Employing a librarian or custodian B. Using a check-in/check-out process C. Hashing D. Using sanitization tools on returned media
6. C. Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, while data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.
6. Which of the following statements correctly identifies a problem with sanitization methods? A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data. B. Even fully incinerated media can offer extractable data. C. Personnel can perform sanitization steps improperly. D. Stored data is physically etched into the media.
6. C. Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.
6. Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year? A. ARO B. SLE C. ALE D. EF 122
6. C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.
6. What is a security control? A. A security component that stores attributes that describe an object B. A document that lists all data classification types C. A list of valid access rules D. A mechanism that limits access to an object
6. D. A control limits access to an object to protect it from misuse by unauthorized users.
6. A central authority determines which files a user can access. Which of the following best describes this? A. An access control list (ACL) B. An access control matrix C. Discretionary Access Control model D. Nondiscretionary access control model
6. D. A nondiscretionary access control model uses a central authority to determine which objects (such as files) that users (and other subjects) can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model. An access control matrix includes multiple objects, and it lists the subject's access to each of the objects.
6. A portion of the is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. A. Hybrid assessment B. Risk aversion process C. Countermeasure selection D. Documentation review
6. D. A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.
6. A user logs in with a login ID and a password. What is the purpose of the login ID? A. Authentication B. Authorization C. Accountability D. Identification
6. D. A user professes an identity with a login ID. The combination of the login ID and the password provides authentication. Subjects are authorized access to objects after authentication. Logging and auditing provide accountability.
6. Which of the following would not be a primary goal of a grudge attack? A. Disclosing embarrassing personal information B. Launching a virus on an organization's system C. Sending inappropriate email with a spoofed origination address of the victim organization D. Using automated tools to scan the organization's systems for vulnerable ports
6. D. Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to "get back" at someone.
6. STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE? A. Spoofing B. Elevation of privilege C. Repudiation D. Disclosure
6. D. Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
6. What are the four components of a complete organizational security policy and their basic purpose?
6. The four components of a security policy are policies, standards, guidelines, and procedures. Policies are broad security statements. Standards are definitions of hardware and software security compliance. Guidelines are used when there is not an appropriate procedure. Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.
7. An organization wants to reduce vulnerabilities against fraud from malicious employees. Of the following choices, what would help with this goal? (Choose all that apply.) A. Job rotation B. Separation of duties C. Mandatory vacations D. Baselining
7. A, B, C. Job rotation, separation of duties, and mandatory vacation policies will all help reduce fraud. Baselining is used for configuration management and would not help reduce collusion or fraud.
7. Which of the following VPN protocols do not offer native data encryption? (Choose all that apply.) A. L2F B. L2TP C. IPsec D. PPTP
7. A, B, D. L2F, L2TP, and PPTP all lack native data encryption. Only IPsec includes native data encryption.
7. What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.) A. Bragging rights B. Money from the sale of stolen documents C. Pride of conquering a secure system D. Retaliation against a person or organization
7. A, C. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).
8. Which of the following is the most secure method of deleting data on a DVD? A. Formatting B. Deleting C. Destruction D. Degaussing
8. C. Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux, so degaussing a DVD doesn't destroy data.
7. Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)? A. Detect abnormal activity B. Diagnose system failures C. Rate system performance D. Test a system for vulnerabilities
7. A. An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. Although IDSs can detect system failures and monitor system performance, they don't include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.
7. Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs? A. Copyright B. Trademark C. Patent D. Trade secret
7. A. Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation. Patent protection does not apply to mathematical algorithms. Matthew can't seek trade secret protection because he plans to publish the algorithm in a public technical journal.
7. For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated? A. System accreditation B. Site accreditation C. Application accreditation D. Type accreditation
7. B. The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.
7. Alan ran an nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server's purpose and the identity of the server's operator? A. SSH B. Web browser C. telnet D. ping
7. B. The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site's purpose.
7. What does the term "100-year flood plain" mean to emergency preparedness officials? A. The last flood of any kind to hit the area was more than 100 years ago. B. The odds of a flood at this level are 1 in 100 in any given year. C. The area is expected to be safe from flooding for at least 100 years. D. The last significant flood to hit the area was more than 100 years ago.
7. B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.
7. If you are the victim of a bluejacking attack, what was compromised? A. Your firewall B. Your switch C. Your cell phone D. Your web cookies
7. C. A bluejacking attack is a wireless attack on Bluetooth, and the most common device compromised in a bluejacking attack is a cell phone.
7. Which of the following is a double set of doors that is often protected by a guard and is used to contain a subject until their identity and authentication are verified? A. Gate B. Turnstile C. Mantrap D. Proximity detector
7. C. A mantrap is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication is verified.
7. If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can the data, objects, and resources. A. Control B. Audit C. Access D. Repudiate
7. C. Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.
7. Which one of the following key types is used to enforce referential integrity between database tables? A. Candidate key B. Primary key C. Foreign key D. Super key
7. C. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship.
7. Which of the following statements is not true? A. IT security can provide protection only against logical or technical attacks. B. The process by which the goals of risk management are achieved is known as risk analysis. C. Risks to an IT infrastructure are all computer based. D. An asset is anything used in a business process or task.
7. C. Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. Failing to properly evaluate and respond to all forms of risk, a company remains vulnerable.
7. Which one of the following technologies is considered flawed and should no longer be used? A. SHA-3 B. PGP C. WEP D. TLS
7. C. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.
7. What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization? A. SLE B. EF C. MTD D. ARO
7. C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.
7. A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this? A. DAC model B. An access control list (ACL) C. Rule-based access control model D. RBAC model
7. D. A Role Based Access Control (RBAC) model can group users into roles based on the organization's hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects that subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.
7. Accountability requires all of the following items except one. Which item is not required for accountability? A. Identification B. Authentication C. Auditing D. Authorization
7. D. Accountability does not include authorization. Accountability requires proper identification and authentication. After authentication, accountability requires logging to support auditing.
7. What is the concept of a computer implemented as part of a larger system that is typically designed around a limited set of specific functions (such as management, monitoring, and control) in relation to the larger product of which it's a component? A. IoT B. Application appliance C. SoC D. Embedded system
7. D. An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it's a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller.
7. When correctly implemented, what is the only cryptosystem known to be unbreakable? A. Transposition cipher B. Substitution cipher C. Advanced Encryption Standard D. One-time pad
7. D. Assuming that it is used properly, the onetime pad is the only known cryptosystem that is not vulnerable to attacks.
7. What type of application vulnerability most directly allows an attacker to modify the contents of a system's memory? A. Rootkit B. Back door C. TOC/TOU D. Buffer overflow
7. D. Buffer overflow attacks allow an attacker to modify the contents of a system's memory by writing beyond the space allocated for a variable.
7. Which of the following choices is the most reliable method of destroying data on a solid state drive (SSD)? A. Erasing B. Degaussing C. Deleting D. Purging
7. D. Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure that data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux, so degaussing an SSD doesn't destroy data.
8. Which networking technology is based on the IEEE 802.3 standard? A. Ethernet B. Token Ring C. FDDI D. HDLC
8. A. Ethernet is based on the IEEE 802.3 standard.
8. Which of the following statements is true related to the RBAC model? A. A RBAC model allows users membership in multiple groups. B. A RBAC model allows users membership in a single group. C. A RBAC model is nonhierarchical. D. A RBAC model uses labels.
8. A. The Role Based Access Control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The Mandatory Access Control (MAC) model uses assigned labels to identify access.
8. What encryption technique does WPA use to protect wireless communications? A. TKIP B. DES C. 3DES D. AES
8. A. Wi-Fi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.
8. Which of the following is true for a host-based intrusion detection system (HIDS)? A. It monitors an entire network. B. It monitors a single system. C. It's invisible to attackers and authorized users. D. It cannot detect malicious code.
8. B. An HIDS monitors a single system looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code similar to how anti-malware software can detect malicious code.
8. What is the output value of the mathematical function 16 mod 3? A. 0 B. 1 C. 3 D. 5
8. B. Option B is correct because 16 divided by 3 equals 5, with a remainder value of 1.
8. What can you use to prevent users from rotating between two passwords? A. Password complexity B. Password history C. Password age D. Password length
8. B. Password history can prevent users from rotating between two passwords. It remembers previously used passwords. Password complexity and password length help ensure that users create strong passwords. Password age ensures that users change their password regularly.
8. Of the following choices, what is not a valid security practice related to special privileges? A. Monitor special privilege assignments. B. Grant access equally to administrators and operators. C. Monitor special privilege usage. D. Grant access to only trusted employees.
8. B. Special privileges should not be granted equally to administrators and operators. Instead, personnel should be granted only the privileges they need to perform their job. Special privileges are activities that require special access or elevated rights and permissions to perform administrative and sensitive job tasks. Assignment and usage of these privileges should be monitored, and access should be granted only to trusted employees.
8. You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches? A. $3,000,000 B. $2,700,000 C. $270,000 D. $135,000
8. B. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.
8. What port is typically used to accept administrative connections using the SSH utility? A. 20 B. 22 C. 25 D. 80
8. B. The SSH protocol uses port 22 to accept administrative connections to a server.
8. What is the most important rule to follow when collecting evidence? A. Do not turn off a computer until you photograph the screen. B. List all people present while collecting evidence. C. Never modify evidence during the collection process. D. Transfer all equipment to a secure storage location.
8. C. Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.
8. refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. A. Seclusion B. Concealment C. Privacy D. Criticality
8. C. Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality.
8. Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage
8. C. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.
8. Which one of the following types of memory might retain information after being removed from a computer and, therefore, represent a security risk? A. Static RAM B. Dynamic RAM C. Secondary memory D. Real memory
8. C. Secondary memory is a term used to describe magnetic, optical, or flash media. These devices will retain their contents after being removed from the computer and may later be read by another user.
8. How many major categories do the TCSEC criteria define? A. Two B. Three C. Four D. Five
8. C. TCSEC defines four major categories: Category A is verified protection, Category B is mandatory protection, Category C is discretionary protection, and Category D is minimal protection.
8. Which one of the following passwords is least likely to be compromised during a dictionary attack? A. mike B. elppa C. dayorange D. fsas3alG
8. D. Except option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backward, and dayorange combines two dictionary words. Crack and other utilities can easily see through these "sneaky" techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.
8. At which OSI model layer does the IPsec protocol function? A. Data Link B. Transport C. Session D. Network
8. D. IPsec operates at the Network layer (layer 3).
8. Richard believes that a database user is misusing his privileges to gain information about the company's overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of? A. Inference B. Contamination C. Polyinstantiation D. Aggregation
8. D. In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal.
8. What is the most common form of perimeter security devices or mechanisms? A. Security guards B. Fences C. CCTV D. Lighting
8. D. Lighting is the most common form of perimeter security device or mechanism. Your entire site should be clearly lit. This provides for easy identification of personnel and makes it easier to notice intrusions.
8. Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs? A. Copyright B. Trademark C. Patent D. Trade secret
8. D. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely.
8. In which one of the following database recovery techniques is an exact, up-to-date copy of the database maintained at an alternative location? A. Transaction logging B. Remote journaling C. Electronic vaulting D. Remote mirroring
8. D. When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up-to-date by executing all transactions on both the primary and remote site at the same time.
9. Which of the following identifies vendor responsibilities and can include monetary penalties if the vendor doesn't meet the stated responsibilities? A. Service-level agreement (SLA) B. Memorandum of understanding (MOU) C. Interconnection security agreement (ISA) D. Software as a service (SaaS)
9. A. A service-level agreement identifies responsibilities of a third party such as a vendor and can include monetary penalties if the vendor doesn't meet the stated responsibilities. A MOU is an informal agreement and does not include monetary penalties. An ISA defines requirements for establishing, maintaining, and disconnecting a connection. SaaS is one of the cloud-based service models and does not specify vendor responsibilities.
9. Which of the following is not a disadvantage of using security guards? A. Security guards are usually unaware of the scope of the operations within a facility. B. Not all environments and facilities support security guards. C. Not all security guards are themselves reliable. D. Prescreening, bonding, and training do not guarantee effective and reliable security guards.
9. A. Security guards are usually unaware of the scope of the operations within a facility, which supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information.
9. What block size is used by the 3DES encryption algorithm? A. 32 bits B. 64 bits C. 128 bits D. 256 bits
9. B. 3DES simply repeats the use of the DES algorithm three times. Therefore, it has the same block length as DES: 64 bits.
9. Which of the following is a fake network designed to tempt intruders with unpatched and unprotected security vulnerabilities and false data? A. IDS B. Honeynet C. Padded cell D. Pseudo flaw
9. B. Honeypots are individual computers, and honeynets are entire networks created to serve as a trap for intruders. They look like legitimate networks and tempt intruders with unpatched and unprotected security vulnerabilities as well as attractive and tantalizing but false data. An intrusion detection system (IDS) will detect attacks. In some cases, an IDS can divert an attacker to a padded cell, which is a simulated environment with fake data intended to keep the attacker's interest. A pseudo flaw (used by many honeypots and honeynets) is a false vulnerability intentionally implanted in a system to tempt attackers.
9. What technique may be used to limit the effectiveness of rainbow table attacks? A. Hashing B. Salting C. Digital signatures D. Transport encryption
9. B. Salting passwords adds a random value to the password prior to hashing, making it impractical to construct a rainbow table of all possible values.
9. Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message? A. Richard's public key B. Richard's private key C. Sue's public key D. Sue's private key
9. B. Sue would have encrypted the message using Richard's public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.
9. What is the most effective means of reducing the risk of losing the data on a mobile device, such as a notebook computer? A. Defining a strong logon password B. Minimizing sensitive data stored on the mobile device C. Using a cable lock D. Encrypting the hard drive
9. B. The risk of a lost or stolen notebook is the data loss, not the loss of the system itself. Thus, keeping minimal sensitive data on the system is the only way to reduce the risk. Hard drive encryption, cable locks, and strong passwords, although good ideas, are preventive tools, not means of reducing risk. They don't keep intentional and malicious data compromise from occurring; instead, they encourage honest people to stay honest.
9. What technology allows for phone conversations to occur over an existing TCP/IP network and internet connection? A. IPsec B. VoIP C. SSH D. TLS
9. B. Voice over IP (VoIP) allows for phone conversations to occur over an existing TCP/IP network and internet connection.
9. What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them? A. Inference B. Manipulation C. Polyinstantiation D. Aggregation
9. C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels.
9. What disaster recovery principle best protects your organization against hardware failure? A. Consistency B. Efficiency C. Redundancy D. Primacy
9. C. Redundant systems/components provide protection against the failure of one particular piece of hardware.
9. Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A. © B. ® C. ™ D. †
9. C. Richard's product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and Richard can begin using the ® symbol.
9. What is a trusted computing base (TCB)? A. Hosts on your network that support secure transmissions B. The operating system kernel and device drivers C. The combination of hardware, software, and controls that work together to enforce a security policy D. The software and controls that certify a security policy
9. C. The TCB is the combination of hardware, software, and controls that work together to enforce a security policy.
9. Which of the following is the best choice for a role within an organization using a RBAC model? A. Web server B. Application C. Database D. Programmer
9. D. A programmer is a valid role in a Role Based Access Control (RBAC) model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.
9. Which one of the following tests provides the most accurate and detailed information about the security state of a server? A. Unauthenticated scan B. Port scan C. Half-open scan D. Authenticated scan
9. D. Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.
9. Which of the following does not erase data? A. Clearing B. Purging C. Overwriting D. Remanence
9. D. Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.
9. What would be a valid argument for not immediately removing power from a machine when an incident is discovered? A. All of the damage has been done. Turning the machine off would not stop additional damage. B. There is no other system that can replace this one if it is turned off. C. Too many users are logged in and using the system. D. Valuable evidence in memory will be lost.
9. D. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.
9. Which of the following would generally not be considered an asset in a risk analysis? A. A development process B. An IT infrastructure C. A proprietary system resource D. Users' personal files
9. D. The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.
9. Referring to the scenario in question 8, what is the annualized loss expectancy? A. $3,000,000 B. $2,700,000 C. $270,000 D. $135,000
9. D. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an SLE of $135,000.