Domain 3: Information Security Program
Which of the following will the data backup policy contain? a. Criteria for data backup b. Personnel responsible for backup c. A data backup schedule d. A list of systems to be backed up
A is the correct answer. Justification A policy is a high-level statement of management intent and will essentially contain the criteria to be followed for backing up any data such as critical data, confidential data and project data, and the frequency of backup. A list of personnel responsible for backup is a procedural detail and will not be included in the data backup policy. A data backup schedule is a procedural detail and will not be included in the data backup policy. A list of systems to be backed up is a procedural detail and will not be included in the data backup policy.
An account with full administrative privileges over a production file is found to be accessible by a member of the software development team. This account was set up to allow the developer to download nonsensitive production data for software testing purposes. Assuming all options are possible, which of the following should the information security manager recommend? a. Restrict account access to read-only. b. Log all usage of this account. c. Suspend the account and activate only when needed. d. Require that a change request be submitted for each download.
A is the correct answer. Justification Administrative accounts have permission to change data. This is not required for the developers to perform their tasks. Unauthorized change will damage the integrity of the data. Restricting the account to read-only access will ensure that file integrity can be maintained while permitting access. Logging all usage of the account is a detective control and will not reduce the exposure created by this excessive level of access. Suspending the account and activating only when needed will not reduce the exposure created by this excessive level of access. Requiring that a change request be submitted for each download would be excessively burdensome and will not reduce the exposure created by this excessive level of access.
A web-based business application is being migrated from test to production. Which of the following is the MOST important management sign-off for this migration? a. User b. Network c. Operations d. Database
A is the correct answer. Justification As owners of the system, user management sign-off is the most important. If a system does not meet the needs of the business, then it has not met its primary objective. The needs of the network are secondary to the needs of the business. The needs of operations are secondary to the needs of the business. The needs of database management are secondary to the needs of the business.
Several business units reported problems with their systems after multiple security patches were deployed. What is the FIRST step to handle this problem? a. Assess the problems and institute rollback procedures, if needed. b. Disconnect the systems from the network until the problems are corrected. c. Uninstall the patches from these systems. d. Contact the vendor regarding the problems that occurred.
A is the correct answer. Justification Assessing the problems and instituting rollback procedures as needed would be the best course of action. Disconnecting the systems from the network would not identify where the problem was and may make the problem worse. Uninstalling the patches would not identify where the problem was and would recreate the risk the patches were meant to address. Contacting the vendor regarding the problems that occurred is part of the assessment.
Which of the following vulnerabilities allowing attackers access to the application database is the MOST serious? a. Validation checks are missing in data input pages. b. Password rules do not allow sufficient complexity. c. Application transaction log management is weak. d. Application and database share a single access ID.
A is the correct answer. Justification Attackers are able to exploit the weaknesses that exist in the application layer. For example, they can submit a part of a structured query language (SQL) statement (SQL injection attack) to illegally retrieve application data. Validation control is an effective countermeasure. Noncomplex passwords may make accounts vulnerable to brute force attacks, but there are other ways to counter them besides complexity (e.g., lockout thresholds). There is a chance that confidential information is inadvertently written to the application transaction log; therefore, sufficient care should be given to log management. However, it is uncommon for attackers to use the log server to steal database information. Although developers may embed a single ID in the program to establish a connection from application to database, if the original account is sufficiently secure, then the overall risk is low.
What is the MAIN advantage of implementing automated password synchronization? a. It reduces the overall administrative workload. b. It increases security between multi-tier systems. c. It allows passwords to be changed less frequently. d. It reduces the need for two-factor authentication.
A is the correct answer. Justification Automated password synchronization reduces the overall administrative workload of resetting passwords. Automated password synchronization does not increase security between multi-tier systems. Automated password synchronization does not allow passwords to be changed less frequently. Automated password synchronization does not reduce the need for two-factor authentication.
A critical device is delivered with a single user ID and password that is required to be shared for multiple users to access the device. An information security manager has been tasked with ensuring all access to the device is authorized. Which of the following would be the MOST efficient means to accomplish this? a. Enable access through a separate device that requires adequate authentication. b. Implement manual procedures that require a password change after each use. c. Request the vendor to add multiple user IDs. d. Analyze the logs to detect unauthorized access.
A is the correct answer. Justification Enabling access through a separate device that requires adequate authentication allows authentication tokens to be provisioned and terminated for individuals and also introduces the possibility of logging activity by individuals. Implementing manual procedures that require a password change after each use is not effective because users can circumvent the manual procedures. Vendor enhancements may take time and require development, and this is a critical device. Analyzing the logs to detect unauthorized access could, in some cases, be an effective complementary control, but because such a control is detective, it would not be the most effective in this instance.
What is a desirable sensitivity setting for a biometric access control system that protects a high-security data center? a. A high false reject rate b. A high false acceptance rate c. Lower than the crossover error rate d. The exact crossover error rate
A is the correct answer. Justification Biometric access control systems are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (FRR) (type I error rate), making the system more prone to err by denying access to a valid user, or to the false acceptance rate (FAR), making the system more prone to err by allowing access to an invalid user. The preferable setting will be in the FRR region of sensitivity. A high FAR will marginalize security by allowing too much unauthorized access. In systems in which the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts. As the sensitivity of the biometric system is adjusted, the FRR and FAR change inversely. At one point, the two values intersect and are equal. This condition creates the crossover error rate, which is a measure of the system accuracy. A setting lower than the crossover error rate will create too high a FAR for a high-security data center. The crossover error rate is sometimes referred to as the equal error rate. In a very sensitive system, it may be desirable to minimize the number of false accepts (the number of unauthorized persons allowed access). To do this, the system is tuned to be more sensitive with a lower FAR, which causes the FRR (the number of authorized persons disallowed access) to increase.
Which of the following training mechanisms is the MOST effective means of promoting an organizational security culture? a. Choose a subset of influential people to promote the benefits of the security program. b. Hold structured training in small groups on an annual basis. c. Require each employee to complete a self-paced training module once per year. d. Deliver training to all employees across the enterprise via streaming video.
A is the correct answer. Justification Certain people are either individually inclined or required by their positions to have greater interest in promoting security than others. By selecting these people and offering them broad, diverse opportunities for security education, they are able to act as ambassadors to their respective teams and departments, imparting a gradual and significant change in an organizational culture toward better security. Structured training rarely aligns with the interests of individual employees when chosen at random to fill a small group setting. Computer-based training is a common approach to annual information awareness, but there is limited evidence that employees retain the information or adopt it into their regular activities. Streaming-video webinars are among the least effective means of presenting information, requiring very little interaction from end users.
The MOST effective technical approach to mitigate the risk of confidential information being disclosed in outgoing email attachments is to implement: a. content filtering. b. data classification. c. information security awareness. d. encryption for all attachments.
A is the correct answer. Justification Content filtering provides the ability to examine the content of attachments and prevent information containing certain words or phrases, or of certain identifiable classifications, from being sent out of the enterprise. Data classification helps identify the material that should not be transmitted via email attachments but by itself will not prevent it. Information security awareness training also helps limit confidential material from being disclosed via email as long as personnel are aware of what information should not be exposed and willingly comply with the requirements, but it is not as effective as outgoing content filtering. Encrypting all attachments is not effective because it does not limit the content and may actually obscure confidential information contained in the email.
The information classification scheme should: a. consider possible impact of a security breach. b. classify personal information in electronic form. c. be performed by the information security manager. d. be based on a risk assessment.
A is the correct answer. Justification Data classification is determined by the business value of the asset (i.e., the potential impact on the business of the loss, corruption or disclosure of information). Classification of personal information in electronic form is an incomplete answer because it addresses a subset of organizational data. Information classification is performed by the data owner based on accepted security criteria. The risk to a particular asset is not the basis for classification, rather the potential impact from compromise is the basis.
An information security manager has implemented an automated process to compare physical access using swipe cards operated by the physical security department with logical access in the single sign-on (SSO) system. What is the MOST likely use for this information? a. Monitoring a key risk indicator b. Determining whether staff is piggybacking c. Overseeing the physical security department d. Evaluating the SSO process
A is the correct answer. Justification Discrepancies between physical and logical access can occur for a variety of reasons, but all are indications that something is wrong and risk is elevated. Discrepancies could indicate piggybacking, shared passwords or attempts at unauthorized access, and therefore, this monitoring can serve as a key risk indicator (KRI). Potential piggybacking can be flagged if more individuals log in from within the network than physically enter the facility; however, this is just one KRI. Although this information could indicate that the physical access control is not functioning properly, the responsibility for oversight of the physical security department is not usually a function of the information security manager. Comparing physical access and logical access is not an effective way to monitor the single sign-on (SSO) system, and there are other methods more specific and useful for this purpose.
What is the PRIMARY benefit of a security awareness training program? a. To reduce the likelihood of an information security event b. To encourage compliance with information security policy c. To comply with the local and industry-specific regulation and legislation d. To provide employees with expectations for information security
A is the correct answer. Justification Employees should know how information security relates to their job roles and how to perform work tasks appropriately to protect the enterprise and its assets. Although compliance with the information security policy is important, security awareness training goes beyond to include cultural and behavioral elements of information security. Industry-specific regulation and legislation are not the primary drivers of security awareness training programs. Employee expectations do not necessarily ensure understanding of information security or influence cultural or behavioral attitudes directly.
Which of the following BEST ensures that information transmitted over the Internet will remain confidential? a. A virtual private network b. Firewalls and routers c. Biometric authentication d. Two-factor authentication
A is the correct answer. Justification Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted. Firewalls and routers protect access to data resources inside the network but do not protect traffic in the public network. Biometric authentication alone would not prevent a message from being intercepted and read. Two-factor authentication alone would not prevent a message from being intercepted and read.
Which of the following choices is a MAJOR concern with using the database snapshot of the audit log function? a. Degradation of performance b. Loss of data integrity c. Difficulty maintaining consistency d. Inflexible configuration change
A is the correct answer. Justification Evidential capability increases if data are taken from a location that is close to the origination point. For database auditing, activation of a built-in log may be ideal. However, there is a trade-off. The more elaborate logging becomes, the slower the performance. It is important to strike a balance. If the database recovery log is impaired, there is a chance that data integrity may be lost. However, it is unlikely that audit logging will impair the integrity of the database. Database replication functionality will control the consistency between database instances. It is difficult to judge whether configuration change will become complex as the result of audit log activation. It depends on many factors. Therefore, this is not the best option.
What is the MOST critical success factor of the patch management procedure in an enterprise where availability is a primary concern? a. Testing time window prior to deployment b. Technical skills of the team responsible c. Certification of validity for deployment d. Automated deployment to all the servers
A is the correct answer. Justification Having the patch tested prior to implementation on critical systems is an absolute prerequisite if availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch. A high level of technical skills is not required because patches are usually applied via automated tools. Validation of the patch is essential but is unrelated to the testing, which is the primary area of concern. It makes no sense to deploy patches on every system. Vulnerable systems should be the only candidates for patching.
Which of the following is the MOST important consideration when implementing an intrusion detection system? a. Tuning b. Patching c. Encryption d. Packet filtering
A is the correct answer. Justification If an intrusion detection system is not properly tuned it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more applicable to operating system hardening. Encryption would not be as relevant as tuning.
An additional security control request was submitted by a business after the user requirements phase had just been closed. Which of the following would the information security manager MOST likely recommend to avoid this type of inefficiency? a. Relevant stakeholders are invited to requirements analysis. b. An adequate system development method is applied to the project. c. Deliverables are aligned with business objectives. d. Escalation procedures are supported by project staff.
A is the correct answer. Justification If key stakeholders are not invited to the requirements analysis, it may not be possible to identify key security control features. In such cases, the lack of security controls may surface in a later stage of the project. To prevent this type of problem, it is best to ensure that key stakeholders are all invited at the start of the project. Assuring the presence and the participation of the stakeholders is a necessity regardless of which development method will be used. Although deliverables are aligned with business objectives, late requirements will continue to arise unless key stakeholders are invited to the project from the start. This could result in focusing on functionality aspects while disregarding security aspects. Escalation steps are required when any suspicious activities are observed among project staff. Additional requirements are more likely an indication of missing involvement than suspicious activity.
What is the GREATEST risk when there are an excessive number of firewall rules? a. One rule may override another rule in the chain and create a loophole. b. Performance degradation of the whole network may occur. c. The firewall may not support the increasing number of rules due to limitations. d. The firewall may show abnormal behavior and may crash or automatically shut down.
A is the correct answer. Justification If there are many firewall rules, there is a chance that a particular rule may allow an external connection because other associated rules are overridden. As the number of rules increases, it becomes complex to test them and, over time, a loophole may occur. Excessive firewall rules may impact network performance, but this is a secondary concern. It is unlikely that the number of rules will exceed the firewall's capacity, and this is not a significant risk. There is a slight risk that the firewall will behave erratically, but that is not the greatest risk.
An outsourced service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know? a. Security in storage and transmission of sensitive data b. Provider's level of compliance with industry standards c. Security technologies in place at the facility d. Results of the latest independent security review
A is the correct answer. Justification Knowledge of how the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. The provider's level of compliance with industry standards may or may not be important. Security technologies are not the only components to protect the sensitive customer information. An independent security review may not include analysis on how sensitive customer information would be protected.
Which of the following will BEST prevent an employee from using a universal serial bus (USB) drive to copy files from desktop computers? a. Restrict the available drive allocation on all personal computers. b. Disable USB ports on all desktop devices. c. Conduct frequent awareness training with noncompliance penalties. d. Establish strict access controls to sensitive information.
A is the correct answer. Justification Restricting the ability of a personal computer to allocate new drive letters ensures that universal serial bus (USB) drives or even compact disc-writers cannot be attached because they would not be recognized by the operating system. Disabling USB ports on all machines is not practical because mice and other peripherals depend on these connections. Awareness training does not prevent copying of information. Access controls do not prevent copying.
Which of the following challenges associated with information security documentation is MOST likely to affect a large, established enterprise? a. Standards change more slowly than the environment. b. Policies change faster than they can be distributed. c. Procedures are ignored to meet operational requirements. d. Policies remain unchanged for long periods of time.
A is the correct answer. Justification Large, established enterprises tend to have numerous layers of review and approval associated with changes to standards. These review mechanisms are likely to be outpaced by changes in technology and the risk environment. Policies are meant to reflect strategic goals and objectives. In small or immature enterprises, the policy model may be poorly implemented, resulting in rapid changes to policies that are treated more like standards, but this situation is unlikely to arise in a large, established enterprise. Large, established enterprises typically have formal training programs and internal controls that keep activities substantially in line with published procedures. Although policies should be subject to periodic review and not be regarded as static, properly written policies should require significant changes only when there are substantial changes in strategic goals and objectives. It is reasonable that a large, established enterprise would experience policy changes only rarely.
What is the MOST effective access control method to prevent users from sharing files with unauthorized users? a. Mandatory b. Discretionary c. Walled garden d. Role-based
A is the correct answer. Justification Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users. Discretionary access controls are not as effective as mandatory access controls in preventing file-sharing. A walled garden is an environment that controls a user's access to web content and services. In effect, the walled garden directs the user's navigation within particular areas and does not necessarily prevent sharing of other material. Role-based access controls grant access according to the role assigned to a user; they do not prevent file sharing with unauthorized users.
Enterprises implement ethics training PRIMARILY to provide guidance to individuals engaged in: a. monitoring user activities. b. implementing security controls. c. managing risk tolerance. d. assigning access.
A is the correct answer. Justification Monitoring user activities may result in access to sensitive corporate and personal information. The enterprise should implement training that provides guidance on appropriate legal behavior to reduce corporate liability and increase user awareness and understanding of data privacy and ethical behavior. While ethics training is good practice for all employees, those that implement security controls are not necessarily privy to sensitive data. Employees who manage risk tolerance may have access to high-level corporate information but not necessarily to sensitive or private information. While ethics training is good practice, it is not required to manage risk tolerance for an enterprise. Employees who manage network access do not necessarily need ethics training.
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? a. Daily b. Weekly c. Concurrently with operating system patch updates d. During scheduled change control updates
A is the correct answer. Justification New viruses are introduced almost daily. The effectiveness of virus detection software depends on frequent updates to virus signatures, which are stored in antivirus signature files, so updates may be carried out several times during the day. At a minimum, daily updating should occur. Weekly updates may potentially allow new viruses to infect the system. Operating system updates are too infrequent for virus updates. Change control updates are sporadic and not the basis for virus updates.
Which of the following control measures BEST addresses integrity? a. Nonrepudiation b. Time stamps c. Biometric scanning d. Encryption
A is the correct answer. Justification Nonrepudiation is a control technique that addresses the integrity of information by ensuring that the originator of a message or transaction cannot repudiate (deny or reject) the message, so the message or transaction can be considered authorized, authentic and valid. Using time stamps is a control that addresses only one component of message integrity. Biometric scanning is a control that addresses access. Encryption is a control that addresses confidentiality; it may be an element of a data integrity scheme, but it is not sufficient to achieve the same level of integrity as the set of measures used to ensure nonrepudiation.
Which of the following is MOST effective in preventing security weaknesses in operating systems? a. Patch management b. Change management c. Security baselines d. Configuration management
A is the correct answer. Justification Patch management corrects discovered weaknesses by applying a correction (a patch) to the original program code. Change management controls the process of introducing changes to systems. Security baselines provide minimum recommended settings. Configuration management controls the updates to the production environment.
Which of the following ensures that newly identified security weaknesses in an operating system are mitigated in a timely fashion? a. Patch management b. Change management c. Security baselines d. Acquisition management
A is the correct answer. Justification Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems. Security baselines provide minimum required settings. Acquisition management controls the purchasing process.
An enterprise has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees? a. Requiring employees to formally acknowledge receipt of the policy b. Integrating security requirements into job descriptions c. Making the policy available on the intranet d. Implementing an annual retreat for employees on information security
A is the correct answer. Justification Requiring employees to formally acknowledge receipt of the policy does not guarantee that the policy has been read or understood but establishes employee acknowledgment of the existence of the new policy. Each communication should identify a point of contact for follow-up questions. Current employees do not necessarily reread job descriptions that would contain the new policy. Making the policy available on the intranet does not ensure that the document has been read, nor does it create an audit trail that establishes that employees have been made aware of the policy. An annual event may not be timely and may not rectify significant gaps in awareness.
Which of the following is the MOST effective solution for preventing individuals external to the enterprise from modifying sensitive information on a corporate database? a. Screened subnets b. Information classification policies and procedures c. Role-based access control d. Intrusion detection system
A is the correct answer. Justification Screened subnets are demilitarized zones and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection, but they will not prevent actual modification. Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Intrusion detection systems are useful to detect invalid attempts, but they will not prevent attempts.
Which of the following would be the BEST metric for an information security manager to provide to support a request to fund new controls? a. Adverse yearly incident trends b. Audit findings of poor compliance c. Results of a vulnerability scan d. Increased external port scans
A is the correct answer. Justification Security incidents occur because either a control failed or there was no control in place. Trends are a metric providing their own points of reference. Failures of compliance with existing controls are not likely to be solved by additional controls. Also, an audit finding absent any prior findings of compliance or other reference point is a measure, not a metric. Without knowing exposure, threat and potential impact, risk cannot be determined and will be poor support for new controls. Also, results of a vulnerability scan constitute a measure, not a metric. Port scans are common and generally will not support funding of new controls.
The MOST likely reason to segment a network by trust domains is to: a. limit consequences of a compromise. b. reduce vulnerability to a breach. c. facilitate automated network scanning. d. implement a data classification scheme.
A is the correct answer. Justification Segmentation by trust domain limits the potential consequences of a successful compromise by constraining the scope of impact. Segmentation by trust domain does not substantially change vulnerability. Automated network scanning can treat a network as logically segmented without reliance on trust domains. Segmentation is not implemented primarily to facilitate data classification.
Which of the following should the information security manager implement to protect a network against unauthorized external connections to corporate systems? a. Strong authentication b. Internet Protocol anti-spoofing filtering c. Network encryption protocol d. Access lists of trusted devices
A is the correct answer. Justification Strong authentication will provide adequate assurance of user identities. Internet Protocol anti-spoofing is aimed at the device rather than the user. Encryption protocol ensures data confidentiality and authenticity. Access lists of trusted devices are easily exploited by spoofed client identities.
Which of the following devices could potentially stop a structured query language injection attack? a. An intrusion prevention system b. An intrusion detection system c. A host-based intrusion detection system d. A host-based firewall
A is the correct answer. Justification Structured query language (SQL) injection attacks occur at the application layer. Most intrusion prevention systems will detect at least basic sets of SQL injection and will be able to stop them. Intrusion detection systems will detect but not prevent. Host-based intrusion detection systems will be unaware of SQL injection problems. A host-based firewall, whether on the web server or the database server, will allow the connection because firewalls do not check packets at an application layer.
Which of the following is the BEST indicator that security controls are performing effectively? a. The monthly service level statistics indicate minimal impact from security issues. b. The cost of implementing security controls is less than the value of the assets. c. The percentage of systems that are compliant with security standards is satisfactory. d. Audit reports do not reflect any significant findings on security.
A is the correct answer. Justification The best indicator of effective security control is the evidence of acceptable disruption to business operations. The cost of implementing controls is unrelated to their effectiveness. The percentage of systems that are compliant with security standards is not an indicator of their effectiveness. Audit reports that do not reflect any significant findings on security can support this evidence, but this is generally not sufficiently frequent to be a useful management tool and is only supplemental to monthly service level statistics.
Which of the following is the MOST important reason that information security objectives should be defined? a. Tool for measuring effectiveness b. General understanding of goals c. Consistency with applicable standards d. Management sign-off and support initiatives
A is the correct answer. Justification The creation of objectives can be used in part as a source of measurement of the effectiveness of information security management by the extent to which those objectives have been achieved, which feeds into the overall state of governance. General understanding of goals is useful but is not the primary reason for having clearly defined objectives. The standards should be consistent with the objectives, not the other way around. Gaining management sign-off and support is important but by itself will not provide the structure for security governance.
What is an advantage of sending messages using steganographic techniques as opposed to using encryption? a. The existence of messages is unknown. b. Required key sizes are smaller. c. Traffic cannot be sniffed. d. Reliability of the data is higher in transit.
A is the correct answer. Justification The existence of messages is hidden in another file, such as a JPEG image, when using steganography. Some implementations count on security through obscurity and others require keys, which may or may not be smaller. Sniffing of steganographic traffic is possible. The reliability of the data is not relevant.
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee? a. Security compliant servers trend report b. Percentage of security compliant servers c. Number of security patches applied d. Security patches applied trend report
A is the correct answer. Justification The overall trend of security compliant servers provides a metric of the effectiveness of the IT security program. The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend. The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors. The security patches applied trend report is a metric indicating the degree of improvement in patching but provides a less complete picture of the effectiveness of the security program.
Which of the following items is the BEST basis for determining the value of intangible assets? a. Contribution to revenue generation b. A business impact analysis c. Threat assessment d. Replacement costs
A is the correct answer. Justification The value of any business asset is generally based on its contribution to generating revenues for the enterprise, both in the present and in the future. A business impact analysis (BIA) is a process to determine the impact of losing the support of any resource. The BIA study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. It may not take into account the long-term impact to revenue of losing intangible assets. Threat analysis is an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; it provides identification of the threats that exist against enterprise assets. The threat analysis usually defines the level of threat and the likelihood of it materializing. Threat assessment is not concerned with asset value but with the probability of compromise. The replacement cost of intangible assets such as trade secrets typically cannot be calculated because replacement is impossible.
What should documented standards/procedures for the use of cryptography across the enterprise achieve? a. They should define the circumstances in which cryptography should be used. b. They should define cryptographic algorithms and key lengths. c. They should describe handling procedures of cryptographic keys. d. They should establish the use of cryptographic solutions.
A is the correct answer. Justification There should be documented standards/procedures for the use of cryptography across the enterprise; they should define the circumstances in which cryptography should be used. Procedures should cover the selection of cryptographic algorithms and key lengths but should not define them precisely. Procedures should address the handling of cryptographic keys. However, this is secondary to how and when cryptography should be used. The use of cryptographic solutions should be addressed but this is a secondary consideration.
Which of the following choices is the BEST indication that the information security manager is achieving the objective of value delivery? a. Having a high resource utilization b. Reducing the budget requirements c. Utilizing the lowest cost vendors d. Minimizing the loaded staff cost
A is the correct answer. Justification Value delivery means that good rates of return and a high utilization of resources are achieved. The budget level is not an indication of value delivery. The lowest cost vendors may not present the best value. Staff-associated overhead costs by themselves are not an indicator of value delivery.
Which of the following will require the MOST effort when supporting an operational information security program? a. Reviewing and modifying procedures b. Modifying policies to address changing technologies c. Writing additional policies to address new regulations d. Drafting standards to address regional differences
A is the correct answer. Justification When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort. While technology does change, it is relatively rare for a technology shift to be so disruptive as to require a modification of policy. Most technological changes should be addressed at lower levels (e.g., in standards or procedures). New regulations may require the creation of a new policy, but this does not happen nearly as often or consume as much time in an operational program as the review and modification of procedures. Global enterprises may need to customize policy through the use of regional standards, but an operational program will already have most of these standards in place. Even where they need to be drafted, the level of effort required to customize policy by region is less than what will be needed to review and modify the vast body of procedures that change more frequently.
An enterprise has commissioned an information security expert to perform network penetration testing and has provided the expert with information about the infrastructure to be tested. The benefit of this approach is: a. more time is devoted to exploitation than to fingerprinting and discovery. b. this accurately simulates an external hacking attempt. c. the ability to exploit Transmission Control Protocol/Internet Protocol vulnerabilities. d. the elimination of the need for penetration testing tools.
A is the correct answer. Justification When information is provided to the penetration tester (white box testing), less time is spent on discovering and understanding the target to be penetrated. A black box approach, where no information is provided, better simulates an actual hacking attempt. Both white box and black box approaches could exploit Transmission Control Protocol/Internet Protocol vulnerabilities. Both white box and black box approaches would require use of penetration testing tools.
The protection of sensitive data stored at a third-party location requires: a. assurances that the third party will comply with the requirements of the contract. b. commitments to completion of periodic independent security audits. c. security awareness training and background checks of all third-party employees. d. periodic review of third-party contracts and policies to ensure compliance.
A is the correct answer. Justification When storing data with a third party, the ownership and responsibility for the adequate protection of the data remains with the outsourcing enterprise. The outsourcing enterprise should have measures in place to provide assurance of compliance with the terms of the contract, which should be written on the basis of the organizational risk appetite. Independent security audits are one assurance mechanism that an enterprise may use to verify compliance with contractual requirements, but whether they are appropriate is situational and based on the organizational risk appetite. Awareness training and background checks are assurance mechanisms but may or may not be appropriate or important in all cases. Review of contracts and policies is important, but it does not assure compliance.
What human resources (HR) activity is MOST crucial in managing mobile devices supplied by the enterprise? HR provides: a. termination notices. b. background checks. c. reporting structures. d. awareness support.
A is the correct answer. Justification When the human resources (HR) department provides staff termination notices, security management can perform deprovisioning of mobile devices. Background checks generally do not help the management of mobile devices. Reporting structures generally do not affect the management of mobile devices. HR could support information security awareness programs. However, from the management perspective, device deprovisioning upon staff termination will be more important.
What is the MOST important reason for formally documenting security procedures? a. Ensure processes are repeatable and sustainable. b. Ensure alignment with business objectives. c. Ensure auditability by regulatory agencies. d. Ensure objective criteria for the application of metrics.
A is the correct answer. Justification Without formal documentation, it would be difficult to ensure that security processes are performed correctly and consistently. Alignment with business objectives is not a function of formally documenting security procedures. Processes should not be formally documented merely to satisfy an audit requirement. Although potentially useful in the development of metrics, creating formal documentation to assist in the creation of metrics is a secondary objective.
Which one of the following factors affects the extent to which controls should be layered? a. Impact on productivity b. Common failure modes c. Maintenance cost of controls d. Controls that fail in a closed condition
B is the correct answer. Justification A negative impact on productivity could indicate that controls may be too restrictive, but it is not a consideration for layering. Common failure modes in existing controls must be addressed by adding or modifying controls so they fail under different conditions. This is done to manage the aggregate risk of total control failure. Excessive maintenance costs will probably increase and not be addressed by layering additional controls. Controls that fail closed pose a risk to availability, but layering would not always address this risk.
Which of the following is MOST important for measuring the effectiveness of a security awareness program? a. Reduced number of security violation reports b. A quantitative evaluation to ensure user comprehension c. Increased interest in focus groups on security issues d. Increased number of security violation reports
B is the correct answer. Justification A reduction in the number of violation reports may not be indicative of a high level of security awareness. To truly judge the effectiveness of security awareness training, some means of measurable testing is necessary to confirm user comprehension. Focus groups may or may not provide meaningful feedback but in and of themselves do not provide metrics. An increase in the number of violation reports is a possible indication of increased awareness but is not as useful as direct testing of awareness levels.
Which of the following is the BEST way to mitigate the risk of the database administrator reading sensitive data from the database? a. Log all access to sensitive data. b. Employ application-level encryption. c. Install a database monitoring solution. d. Develop a data security policy.
B is the correct answer. Justification Access logging can be easily turned off by the database administrator. Data encrypted at the application level that is stored in a database cannot be viewed in cleartext by the database administrator. A database monitoring solution can be bypassed by the database administrator. A security policy will only be effective if the database administrator chooses to adhere to the policy.
If a security incident is not the result of the failure of a control, then it is MOST likely the result of which of the following choices? a. An incomplete risk analysis b. The absence of a control c. A zero-day attack d. A user error
B is the correct answer. Justification An incomplete risk analysis may have the effect of a suitable control not being implemented, but it is not the reason that a compromise occurs. A security incident is inevitably the result of a control failure or the lack of a suitable control. A zero-day attack is difficult to predict, but it will only be successful if a control fails or does not exist. A user error will only result in a security incident because of control failure or the absence of a control.
Which of the following authentication methods prevents authentication replay? a. Password hash implementation b. Challenge/response mechanism c. Wired equivalent privacy encryption usage d. Hypertext Transfer Protocol basic authentication
B is the correct answer. Justification Capturing the authentication handshake and replaying it through the network will not work. Using hashes by itself will not prevent a replay. A challenge/response mechanism prevents replay attacks by sending a different random challenge in each authentication event. The response is linked to that challenge. A wired equivalent privacy key will not prevent sniffing, but it will take the attacker longer to break the WEP key if they do not already have it. Therefore, it will not be able to prevent recording and replaying an authentication handshake. Hypertext Transfer Protocol basic authentication is cleartext and has no mechanisms to prevent replay.
Which of the following BEST mitigates a situation in which an application programmer requires access to production data? a. Create a separate account for the programmer as a power user. b. Log all the programmer's activity for review by a supervisor. c. Have the programmer sign a letter accepting full responsibility. d. Perform regular audits of the application.
B is the correct answer. Justification Creating a separate account for the programmer as a power user does not solve the problem. It is not always possible to provide adequate segregation of duties between programming and operations in order to meet certain business requirements. A mitigating control is to record all the programmer's actions for later review by their supervisor, which would detect any inappropriate action on the part of the programmer. Having the programmer sign a letter accepting full responsibility is not an effective control. Performing regular audits of the application is not relevant to determining whether programmer activities are appropriate.
Which of the following represents a PRIMARY area of interest when conducting a penetration test? a. Data mining b. Network mapping c. Intrusion detection system d. Customer data
B is the correct answer. Justification Data mining is associated with ad hoc reporting and is a potential target after the network is penetrated. Network mapping is the process of determining the topology of the network one wishes to penetrate. It is one of the first steps toward determining points of attack in a network. The intrusion detection mechanism in place is not an area of focus because one of the objectives is to determine how effectively it protects the network or how easy it is to circumvent. Customer data, together with data mining, is a potential target after the network is penetrated.
Which of the following is an advantage of a centralized information security organizational structure? a. It is easier to promote security awareness. b. It is easier to manage and control. c. It is more responsive to business unit needs. d. It provides a faster turnaround for security requests.
B is the correct answer. Justification Decentralization allows the use of field security personnel as security missionaries or ambassadors to spread the security awareness message. It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? a. Ethics b. Proportionality c. Integration d. Accountability
B is the correct answer. Justification Ethics is expected to be part of all job roles but has no relation to types of data access. Ethics has no relevance to mapping a job description to types of data access. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e., the potential impact of compromise). This is termed the principle of proportionality. Principles of integration are not relevant to mapping a job description to types of data access. The principle of accountability would be the second most-adhered-to principle because people with access to data may not always be accountable.
Assuming all options are technically feasible, which of the following would be the MOST effective approach for the information security manager to address excessive exposure of a critical customer-facing server? a. Develop an incident response plan b. Reduce the attack vectors c. Initiate compartmentalization d. Implement compensating controls
B is the correct answer. Justification Even the most effective incident response plan is unlikely to reduce exposure as effectively as reducing the attack surface. The attack vectors determine the extent of exposure. Reducing the attack vectors by limiting entry points, ports and protocols and taking other precautions reduces the exposure. Compartmentalization may limit the degree to which impact sustained by one customer results in increased vulnerability or impact for another customer, but the per-customer exposure would not be affected. Compensating controls are appropriate if existing controls are incapable of reducing risk to acceptable levels.
Which of the following tasks should the information security manager do FIRST when business information has to be shared with external entities? a. Execute a nondisclosure agreement. b. Review the information classification. c. Establish a secure communication channel. d. Enforce encryption of information.
B is the correct answer. Justification Execution of a nondisclosure agreement may be needed after the classification of the data to be shared is determined. The information security manager should first determine whether sharing the information poses a risk for the enterprise based on the information classification. Whether a secure channel is needed is a function of the classification of data to be shared. Encryption requirements will be determined as a function of the classification of data to be shared.
What is the BEST method for mitigating against network denial-of-service (DoS) attacks? a. Ensure all servers are up to date on operating system patches. b. Employ packet filtering to drop suspect packets. c. Implement network address translation to make internal addresses non-routable. d. Implement load balancing for Internet-facing devices.
B is the correct answer. Justification In general, patching servers will not affect network traffic. Packet filtering techniques are the only ones that reduce network congestion caused by a network denial-of-service (DoS) attack. Implementing network address translation would not be effective in mitigating most network DoS attacks. Load balancing would not be as effective in mitigating most network DoS attacks.
In what circumstances should mandatory access controls be used? a. When the enterprise has a high risk tolerance b. When delegation of rights is contrary to policy c. When the control policy specifies continuous oversight d. When access is permitted, unless explicitly denied
B is the correct answer. Justification Mandatory access controls (MACs) are a restrictive control employed in situations of low risk tolerance. With MAC, the security policy is centrally controlled by a security policy administrator, and users do not have the ability to delegate rights. A requirement for continuous oversight is not related to MACs. MACs do not allow access as a default condition.
Assuming that the value of information assets is known, which of the following gives the information security manager the MOST objective basis for determining that the information security program is delivering value? a. Number of controls b. Cost of achieving control objectives c. Effectiveness of controls d. Test results of controls
B is the correct answer. Justification The number of controls has no correlation with the value of assets unless the effectiveness of the controls and their cost are also evaluated. A comparison of the cost of achieving control objectives with the corresponding value of the assets to be protected provides a sound basis for the information security manager to measure value delivery. Effectiveness of controls has no correlation with the value of assets unless their costs are also evaluated. Test results of controls may determine their effectiveness but have no correlation with the value of assets.
Which of the following is MOST essential when selecting a third-party service provider? a. Ongoing management b. Contract review c. On-site control reviews d. Availability of third-party policies
B is the correct answer. Justification Ongoing management is essential after the contract is signed. Contract structuring and review is essential for selecting a third party because it provides recourse for the enterprise when there is a breach of contract. The contract also gives the enterprise access to independent audit reports, the ability to perform on-site reviews, and other requirements to protect the enterprise following a contract breach. On-site reviews might be a requirement of the enterprise and would be part of the contract if required. The availability of third-party policies for access and review is important, but it does not provide assurance and protections to the enterprise.
Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when: a. assessing overall system risk. b. developing a controls policy. c. determining treatment options. d. developing a classification scheme.
B is the correct answer. Justification Overall risk is not affected by determining which element of the triad is of the greatest importance because overall risk is constructed from all known risk, regardless of the components of the triad to which each risk applies. Because preventive controls necessarily must fail in either an open or closed state (i.e., fail safe or fail secure), and failing open favors availability while failing closed favors confidentiality—each at the expense of the other—a clear prioritization of the triad components is needed to develop a controls policy. Although it is feasible that establishing a control that bolsters one component of the triad may diminish another, treatment options may be determined without a clear prioritization of the triad. Classification is based on the potential impact of compromise and is not a function of prioritization within the confidentiality, integrity and availability (CIA) triad.
A virtual desktop infrastructure enables remote access. The benefit of this approach from a security perspective is to: a. optimize the IT resource budget by reducing physical maintenance to remote personal computers (PCs). b. establish segregation of personal and organizational data while using a remote PC. c. enable the execution of data wipe operations into a remote PC environment. d. terminate the update of the approved antivirus software list for remote PCs.
B is the correct answer. Justification Physical maintenance is reduced in a virtual desktop infrastructure (VDI) environment, but cost reduction is not the benefit of VDI from a security perspective. The major benefit of introducing a VDI is to establish remote desktop hosting while keeping personal areas in a client personal computer (PC) separate. This serves as a control against unauthorized copies of business data on a user PC. Remote data wiping is not possible in a VDI. Termination of antivirus updates may represent a cost savings to the enterprise, but the presence or absence of antivirus software on a remote PC is irrelevant in a VDI context.
Which of the following is the MOST appropriate control to address compliance with specific regulatory requirements? a. Policies b. Standards c. Procedures d. Guidelines
B is the correct answer. Justification Policies are a statement of management intent, expectations and direction and should not address the specifics of regulatory compliance. Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements. Procedures are developed in order to provide instruction for meeting standards but cannot be developed without established standards. Guidelines are not mandatory and will not normally address issues of regulatory compliance.
A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent a successful brute force attack of the account? a. Prevent the system from being accessed remotely. b. Create a strong random password. c. Ask for a vendor patch. d. Track usage of the account by audit trails.
B is the correct answer. Justification Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risk. Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Vendor patches are not always available. Tracking usage is a detective control and will not prevent an attack.
The use of public key encryption for the purpose of providing encryption keys for a large number of individuals is preferred PRIMARILY because: a. public key encryption is computationally more efficient. b. scaling is less problematic than using a symmetrical key. c. public key encryption is less costly to maintain than symmetrical keys for small groups. d. public key encryption provides greater encryption strength than secret key options.
B is the correct answer. Justification Public key encryption is computationally intensive due to the long key lengths required. Symmetrical or secret key encryption requires a key for each pair of individuals who wish to have confidential communications, resulting in an exponential increase in the number of keys and intractable distribution and storage problems. Public key infrastructure is more costly for small groups but less costly to maintain as the number of participants increases. It is the only manageable option for large groups, which is why it is preferable. Secret key encryption requires much shorter key lengths to achieve equivalent strength.
What activity BEST helps ensure that contract personnel do not obtain unauthorized access to sensitive information? a. Set accounts to expire. b. Avoid granting system administration roles. c. Ensure they successfully pass background checks. d. Ensure their access is approved by the data owner.
B is the correct answer. Justification Setting an expiration date is a positive element but will not prevent contract personnel from obtaining access to sensitive information. Contract personnel should not be given job duties that provide them with power user or other administrative roles that they could then use to grant themselves access to sensitive files. Requiring background checks is a positive element but will not prevent contract personnel from obtaining access to sensitive information. Having the data owner approve access is a marginally effective approach to limiting access to sensitive information.
What is the MAIN objective of integrating the information security process into the system development life cycle? a. It ensures audit compliance. b. It ensures that appropriate controls are implemented. c. It delineates roles and responsibilities. d. It establishes the foundation for development or acquisition.
B is the correct answer. Justification Simply integrating information security processes into the system development life cycle (SDLC) will not ensure audit success; it is merely a piece of the compliance puzzle that must be reviewed by the auditor. Establishing information security processes at the front end of any development project and using the process at each stage of the SDLC ensures that the appropriate security controls are implemented, based on the review and assessment completed by security staff. The purpose of integrating the information security process at the front end of any SDLC project is to reduce the risk of delays or rework rather than to identify roles and responsibilities for information security in the project. The information security process should be performed at each phase of the SDLC to ensure that appropriate controls are in place. However, integration of information security does not establish the foundation for the make-versus-buy decision.
Which of the following will BEST prevent external security attacks? a. Static Internet Protocol addressing b. Network address translation c. Background checks for temporary employees d. Securing and analyzing system access logs
B is the correct answer. Justification Static Internet Protocol addressing is helpful to an attacker. Network address translation is helpful by having internal addresses that are non-routable. Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise. Writing all computer logs to removable media does not prevent an attack.
Which of the following choices is the WEAKEST link in the authorized user registration process? a. The certificate authority's private key b. The registration authority's private key c. The relying party's private key d. A secured communication private key
B is the correct answer. Justification The certificate authority's (CA's) private key is heavily secured both electronically and physically and is extremely difficult to access by anyone. The registration authority's (RA's) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA's private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that CA. The relying party's private key, if compromised, only puts that party at risk. The private key used for secure communication will only pose a risk to the parties communicating.
What is the PRIMARY basis for the selection of controls and countermeasures? Eliminating IT risk Cost-benefit balance Resource management The number of assets protected
B is the correct answer. Justification The focus must include procedural, operational and other risk—not just IT risk. The balance between cost and benefits should direct controls selection. Resource management is not directly related to controls. The implementation of controls is based on the impact and risk, not on the number of assets.
Active information security awareness programs PRIMARILY influence: acceptable risk. residual risk. control objectives. business objectives.
B is the correct answer. Justification The level of risk that an enterprise deems acceptable is a business decision. Controls, including active security awareness programs, are implemented to reduce risk to acceptable levels and do not influence what level of risk is acceptable. An information security awareness program is an administrative control that reduces vulnerability, thereby yielding lower residual risk. Security awareness may be a control objective, depending on the information security strategy of the enterprise, but such a program does not primarily influence the objectives of other controls. Security awareness does not primarily influence business objectives.
Who is accountable for ensuring that information is categorized and that specific protective measures are taken? a. The security officer b. Senior management c. The end user d. The custodian
B is the correct answer. Justification The security officer assumes responsibility, as this role supports and implements information security to achieve senior management objectives. While routine administration and operations of all aspects of security may be delegated, top management must retain overall accountability. The end user is not responsible for ensuring that information is categorized and that specific protective measures are taken. The custodian supports and implements information security measures as directed and is not responsible for ensuring that information is categorized and that specific protective measures are taken.
Which of the following would PRIMARILY provide the potential for users to bypass a form-based authentication mechanism in an application with a back-end database? A weak password of six characters A structured query language (SQL) injection A session time-out of long duration Lack of an account lockout after multiple wrong attempts
B is the correct answer. Justification Weak passwords can make it easy to access the application, but there is no bypass of authentication. Although structured query language injection is well understood and preventable, it still is a significant security risk for many enterprises writing code. Using SQL injection, one can pass SQL statements in a manner that bypasses the logon page and allows access to the application. Long time-out duration is not relevant to the authentication mechanism. Because the authentication mechanism is bypassed, account lockout is not initiated.
Which of the following factors will MOST affect the extent to which controls should be layered? The extent to which controls are procedural The extent to which controls are subject to the same threat The total cost of ownership for existing controls The extent to which controls fail in a closed condition
B is the correct answer. Justification Whether controls are procedural or technical will not affect layering requirements. To manage aggregate risk, common failure modes in existing controls must be addressed by adding or modifying controls so that they fail under different conditions. The total cost of ownership is unlikely to be reduced by adding additional controls. Controls that fail in a closed condition pose a risk to availability, whereas controls that fail in an open condition may require additional control layers to prevent compromise.
A control for protecting an IT asset, such as a laptop computer, is BEST selected if the cost of the control is less than the: cost of the asset. impact on the business if the asset is lost or stolen. available budget. net present value.
B is the correct answer. Justification While the control may be more expensive than the cost of the physical asset, such as a laptop computer, the impact to the business may be much higher and thus justify the cost of the control. Controls are selected based on their impact on the business due to the nonavailability of the asset rather than on the cost of the asset or the available budget. Budget availability is a consideration; however, this is not as important as the overall impact to the business if the asset is compromised. Net present value (NPV) calculations are not useful to determine the cost of a control. While a laptop computer might be fully amortized (or even expensed), the impact of the loss of the asset may be much higher than its NPV.
A company recently developed a breakthrough technology. Because this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to be protected? a. Access control policy b. Data classification policy c. Encryption standards d. Acceptable use policy
B is the correct answer. Justification Without a mandated ranking of degree of protection, it is difficult to determine what access controls should be in place. Data classification policies define the level of protection to be provided for each category of data based on business value. Without a mandated ranking of degree of protection, it is difficult to determine what levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.
After deciding to acquire a security information and event management system, it is MOST important for the information security manager to: perform a comparative analysis of available systems. develop a comprehensive business case for the system. use the enterprise's existing acquisition process. ensure that there is adequate network capacity for the system.
C is the correct answer. Justification A comparative analysis should have been accomplished prior to the decision to purchase. Development of a business case should have been accomplished prior to the decision to purchase. The information security manager should always use existing enterprise practices and processes whenever possible to minimize potential issues with other departments. Ensuring adequate capacity should have been accomplished prior to the decision to purchase.
The implementation of an effective change management process is an example of a: corrective control. deterrent control. preventative control. compensating control.
C is the correct answer. Justification A corrective control is designed to correct errors, omissions and unauthorized uses and intrusions once they are detected. Deterrent controls are intended to discourage individuals from intentionally violating information security policy or procedures. Change management is intended to reduce the introduction of vulnerability by unauthorized changes. An effective change management process can prevent (and detect) unauthorized changes. It requires formal approval, documentation and testing of all changes by a supervisory process. Compensating controls are meant to mitigate impact when existing controls fail. Change management is the primary control for preventing or detecting unauthorized changes. It is not compensating for another control that has that function.
Achieving compliance with a particular process in an information security standard selected by management would BEST be demonstrated by: a. key goal indicators. b. critical success factors. c. key performance indicators. d. business impact analysis.
C is the correct answer. Justification A key goal indicator defines a clear objective sought by an enterprise. A key goal indicator is defined as a measure that tells management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria. Critical success factors are steps that must be achieved to accomplish high-level goals. A critical success factor is defined as the most important issue or action for management to achieve control over its IT processes. A key performance indicator (KPI) indicates how well a process is progressing according to expectations. Another definition for a key performance indicator is a measure that determines how well the process is performing in enabling the goal to be reached. A business impact analysis defines risk impact; its main purpose is not to achieve compliance. It is defined as an exercise that determines the impact of losing the support of any resource to an enterprise. It establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.
Which of the following measures is the MOST effective deterrent against disgruntled staff abusing their privileges? a. Layered defense strategy b. System audit log monitoring c. Signed acceptable use policy d. High-availability systems
C is the correct answer. Justification A layered defense strategy would only prevent those activities that are outside the user's privileges. System audit log monitoring is after the fact and may not be effective. A signed acceptable use policy is often an effective deterrent against malicious activities because of the stated potential for termination of employment and/or legal actions being taken against the individual. High-availability systems do not deter staff abusing privileges.
Which of the following should be included in a good privacy statement? a. A notification of liability on accuracy of information b. A notification that information will be encrypted c. A statement of what the company will do with information it collects d. A description of the information classification process
C is the correct answer. Justification A notification of liability on accuracy of information should be located in the website's disclaimer. Although encryption may be applied, this is not generally disclosed. Most privacy laws and regulations require disclosure of how information will be used. Information classification is unrelated to privacy statements and would be contained in a separate policy.
Which of the following is a preventive measure? A warning banner Audit trails An access control An alarm system
C is the correct answer. Justification A warning banner is a deterrent control, which provides a warning that can deter potential compromise. Audit trails are an example of a detective control. Preventive controls inhibit attempts to violate security policies. An example of such a control is an access control. An alarm system is an example of a detective control.
Information security policy development should PRIMARILY be based on: a. vulnerabilities. b. exposures. c. threats. d. impacts.
C is the correct answer. Justification Absent a threat, vulnerabilities do not pose a risk. Vulnerability is defined as a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse impacts from threat events. Exposure is only important if there is a threat. Exposure is defined as the potential loss to an area due to the occurrence of an adverse event. Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term.
An enterprise is implementing intrusion protection in its demilitarized zone (DMZ). Which of the following steps is necessary to make sure that the intrusion prevention system (IPS) can view all traffic in the DMZ? a. Ensure that intrusion prevention is placed in front of the firewall. b. Ensure that all devices that are connected can easily see the IPS in the network. c. Ensure that all encrypted traffic is decrypted prior to being processed by the IPS. d. Ensure that traffic to all devices is mirrored to the IPS.
C is the correct answer. Justification An intrusion prevention system (IPS) placed in front of the firewall will almost certainly continuously detect potential attacks, creating endless false-positives and directing the firewall to block many sites needlessly. Most actual attacks would be intercepted by the firewall in any case. All connected devices do not need to see the IPS. For the IPS to detect attacks, the data cannot be encrypted; therefore, all encryption should be terminated to allow all traffic to be viewed by the IPS. The encryption should be terminated at a hardware Secure Sockets Layer accelerator or virtual private network server to allow all traffic to be monitored. Traffic to all devices is not mirrored to the IPS.
An enterprise is considering a reciprocal arrangement with a similar enterprise as a recovery option. Which of the following is the GREATEST risk associated with a reciprocal arrangement? Variations between the risk and impact assessments Frequency of testing of the recovery and continuity plans Similarities in infrastructure and capacity Differences in security policies and procedures
C is the correct answer. Justification Analyses are predictive, so differences between the enterprises will not affect adequacy in the event of recovery. Enterprises must collaborate on frequency of testing to ensure that each meets its needs. However, such agreements are generally established when arranging reciprocity and do not constitute ongoing risk. If enterprises have dissimilar infrastructure or lack capacity, it may be difficult to implement recovery. Differences in security policies and procedures are generally addressed when establishing reciprocity and can be managed over time through monitoring and reporting.
Which of the following is the BEST approach for improving information security management processes? Conduct periodic security audits. Perform periodic penetration testing. Define and monitor security metrics. Survey business units for feedback.
C is the correct answer. Justification Audits will identify deficiencies in established controls; however, they are not effective in evaluating the overall performance for improvement on an ongoing basis. Penetration testing will only uncover technical vulnerabilities and cannot provide a holistic picture of information security management. Defining and monitoring security metrics is a good approach to analyze the performance of the security management process since it determines the baseline and evaluates the performance against the baseline to identify opportunities for improvement. This is a systematic and structured approach to process improvement. Feedback is subjective and not necessarily reflective of true performance.
Obtaining another party's public key is required to initiate which of the following activities? a. Authorization b. Digital signing c. Authentication d. Nonrepudiation
C is the correct answer. Justification Authorization is not a public key infrastructure function. A private key is used for signing. The counterparty's public key is used for authentication. The private key is used for nonrepudiation.
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that: it simulates the real-life situation of an external security attack. human intervention is not required for this type of test. less time is spent on reconnaissance and information gathering. critical infrastructure information is not revealed to the tester.
C is the correct answer. Justification Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. There is no evidence to support that human intervention is not required for this type of test. Data and information required for penetration are shared with the testers, thus eliminating time that would otherwise have been spent on reconnaissance and gathering of information. A full disclosure (white box) methodology requires knowledge of the subject being tested.
Which of the following should automatically occur FIRST when a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning? The firewall should block all inbound traffic during the outage. All systems should block new logins until the problem is corrected. Access control should fall back to nonsynchronized mode. System logs should record all user activity for later analysis.
C is the correct answer. Justification Blocking traffic would be overly restrictive to the conduct of business. Blocking new logins would be overly restrictive to the conduct of business. The best mechanism is for the system to fall back to the original process of logging on individually to each system. Recording all user activity would add little value.
The output of the risk management process is an input for making: a. business plans. b. audit charters. c. security policy decisions. d. software design decisions.
C is the correct answer. Justification Business plans are an output of management translating strategic aspirations into attainable business goals. Business plans provide background, goal statements and plans for reaching those goals. Audit charters are documents describing the purpose, rights and responsibilities of the audit function. They do not rely on the risk assessment process. The risk management process detects changes in the risk landscape and leads to changes in security policy decisions. Software design decisions are based on stakeholder needs, not on the risk management process.
Why is asset classification important to a successful information security program? a. It determines the priority and extent of risk mitigation efforts. b. It determines the amount of insurance needed in case of loss. c. It determines the appropriate level of protection to the asset. d. It determines how protection levels compare to peer enterprises.
C is the correct answer. Justification Classification does not determine the priority and extent of the risk mitigation efforts; prioritization of risk mitigation efforts is generally based on risk analysis or a business impact analysis. Classification does not establish the amount of insurance needed; insurance is often not a viable option. Classification is based on the value of the asset to the enterprise and helps establish the protection level in proportion to the value of the asset. Classification schemes differ from enterprise to enterprise and are often not suitable for benchmarking.
What is the BEST method to verify that all security patches applied to servers were properly documented? a. Trace operating system (OS) patch logs to OS vendor's update documentation. b. Trace change control requests to OS patch logs. c. Trace OS patch logs to change control requests. d. Review change control documentation for key servers.
C is the correct answer. Justification Comparing patches applied to those recommended by the OS vendor's website does not confirm that the security patches were properly approved and documented. Tracing from the documentation to the patch log will not indicate if some patches were applied without being documented. To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of the changes. Reviewing change control documents for key servers does not confirm that security patches were properly approved and documented.
Which of the following is the PRIMARY prerequisite to implementing data classification within an enterprise? a. Defining job roles b. Performing a risk assessment c. Identifying data owners d. Establishing data retention policies
C is the correct answer. Justification Defining job roles is not relevant. Performing a risk assessment is important but will require the participation of data owners (who must first be identified). Identifying the data owners is the first step and is essential to implementing data classification. Establishing data retention policies may occur at any time.
Which of the following is the MOST appropriate method to protect the delivery of a password that opens a confidential file? Delivery path tracing Reverse lookup translation Out-of-band channels Digital signatures
C is the correct answer. Justification Delivery path tracing shows the route taken but does not confirm the identity of the sender. Reverse lookup translation involves converting an Internet Protocol address to a username. It is risky to send the password to a file by the same method as the file was sent. An out-of-band channel such as the telephone reduces the risk of interception. Digital signatures prove the identity of the sender of a message and ensure integrity.
Which of the following contract terms would MOST likely lead to unintended consequences related to cybersecurity if adequate details are lacking? Service level agreements Recovery time objectives Reasonable security measures Recent risk assessments
C is the correct answer. Justification Detailed service level agreements should be included in every contract. Detailed recovery time objectives should be included in every contract. When developing a contract, avoid generalities such as "reasonable security measures" that offer little to no clarity into the practices that the vendor is expected to implement. Results of recent risk assessments are not relevant for inclusion in a contract.
Which of the following change management process steps can be bypassed to implement an emergency change? Documentation Authorization Scheduling Testing
C is the correct answer. Justification Emergency changes require documentation, although it may occur after implementation. Emergency changes require formal authorization, although it may occur after implementation. When a change is being made on an emergency basis, it generally is implemented outside the normal schedule. However, it should not bypass other aspects of the change management process. Emergency changes require testing.
When initially establishing an information security program, it is MOST important that managers: a. examine and understand the culture within the enterprise. b. analyze and understand the control system of the enterprise. c. identify and evaluate the overall risk exposure of the enterprise. d. examine and assess the security resources of the enterprise.
C is the correct answer. Justification Examining and understanding the culture within the enterprise is an important step in the overall evaluation process. Analyzing and understanding the control system is an essential step to determine what risk is addressed and what control objectives are currently in place. Identifying and evaluating the overall risk is most important, because it includes the other three elements, in addition to others. Examining and assessing security resources is important information in determining and evaluating overall risk and exposure of an enterprise.
What is the BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk? Firewalls Bastion hosts Decoy files Screened subnets
C is the correct answer. Justification Firewalls attempt to keep the hacker out. Bastion hosts attempt to keep the hacker out. Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security of the hacker's presence. Screened subnets or demilitarized zones provide a middle ground between the trusted internal network and the external untrusted Internet but do not help detect hacker activities.
What is the MOST appropriate change management procedure for the handling of emergency program changes? a. Formal documentation does not need to be completed. b. Business management approval must be obtained prior to the change. c. Documentation is completed with approval soon after the change. d. Emergency changes eliminate certain documentation requirements.
C is the correct answer. Justification Formal documentation is still required as soon as possible after the emergency changes have been implemented. Obtaining business approval prior to the change is ideal but not always possible. Even in the case of an emergency change, all change management procedure steps should be completed as in the case of normal changes. The difference lies in the timing of certain events. With an emergency change, it is permissible to obtain certain approvals and other documentation after the emergency has been satisfactorily resolved. Emergency changes require the same process as regular changes, but the process may be delayed until the emergency has been resolved.
When recommending a control to protect enterprise applications against structured query language injection, the information security manager is MOST likely to suggest: hardening of web servers. consolidating multiple sites into a single portal. coding standards and reviewing code. using Hypertext Transfer Protocol Secure (HTTPS) in place of HTTP.
C is the correct answer. Justification Hardening of web servers does not reduce this type of vulnerability. Consolidating multiple sites into a single portal does not reduce this type of vulnerability. Implementing secure coding standards and peer review as part of the enterprise's system development life cycle (SDLC) are controls that address structured query language injection. Using Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP does not reduce this type of vulnerability.
The MOST important aspect in establishing good information security policies is to ensure that they: a. have the consensus of all concerned groups. b. are easy to access by all employees. c. capture the intent of management. d. have been approved by the internal audit department.
C is the correct answer. Justification Having the consensus of all concerned groups is desirable but is not the most important aspect of good policies, which express the intent and direction of senior management. Easy availability of policies is important but not an indicator of good information security content and guidance. Policies should reflect the intent and direction of senior management, and this is the most important aspect of establishing good information security policies. The internal audit department tests compliance with policy, but it does not write the policies.
Which of the following should be in place before a black box penetration test begins? IT management approval Proper communication and awareness training A clearly stated definition of scope An incident response plan
C is the correct answer. Justification IT management approval may not be required, based on senior management decisions. Communication, awareness and an incident response plan are not necessary requirements. Having a clearly stated definition of scope is most important to ensure a proper understanding of risk and success criteria. A penetration test could help promote the creation and execution of the incident response plan.
Which of the following will be MOST important in calculating accurate return on investment in information security? a. Excluding qualitative risk for accuracy in calculated figures b. Establishing processes to ensure cost reductions c. Measuring monetary values consistently d. Treating security investment as a profit center
C is the correct answer. Justification If something is an important risk factor, an attempt should be made to quantify it even though it may not be highly accurate. Establishing processes to ensure cost reductions is not relevant to calculating return on investment (ROI). There must be consistency in metrics in order to have reasonably accurate and consistent results. In assessing security risk, it is not a good idea to simply exclude qualitative risk because of the difficulties in measurement. Whether security investment is treated as a profit center does not affect ROI calculations.
The MOST effective approach to ensure the continued effectiveness of information security controls is by: ensuring inherent control strength. ensuring strategic alignment. using effective life cycle management. using effective change management.
C is the correct answer. Justification Inherent strength will not ensure that controls do not degrade over time. Maintaining strategic alignment will help identify life cycle stages of controls but by itself will not address control degradation. Managing controls over their life cycle will allow for compensation of decreased effectiveness over time. Change management strongly supports life cycle management but by itself does not address the complete cycle.
For which of the following purposes would ethical hacking MOST likely be used? a process resiliency test at an alternate site. a substitute for substantive testing. a control assessment of legacy applications. a final check in a cyberattack recovery process.
C is the correct answer. Justification It is not common to conduct ethical hacking as part of disaster recovery testing at an alternate site. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. Ethical hacking would not be used as a substitute for substantive testing. The problem with legacy applications is that there is typically not enough documentation to study their functionalities, including security controls. To assess control effectiveness, ethical hacking could be a more efficient way to find out weaknesses than reviewing program code. It is not necessarily a recommended practice to engage in ethical hacking in the last phase of a system recovery process after a cyberattack.
What would be the MOST significant security risk when using wireless local area network technology? a. Man-in-the-middle attack b. Spoofing of data packets c. Rogue access point d. Session hijacking
C is the correct answer. Justification Man-in-the-middle attacks can occur in any media and are not dependent on the use of a wireless local area network (WLAN) technology. Spoofing of data packets is not dependent on the use of a WLAN technology. A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored. Session hijacking is not dependent on the use of a WLAN technology.
What should metrics be based on when measuring and monitoring information security programs? a. Residual risk b. Levels of security c. Security objectives d. Statistics of security incidents
C is the correct answer. Justification Metrics are used to measure not only the results of the security controls (residual risk) but also the attributes of the control implementation. Levels of security are only relevant in relation to the security objectives. Metrics should be developed based on security objectives, so they can measure the effectiveness and efficiency of information security controls in relation to the defined objectives. Statistics of security incidents provide a general basis for determining if overall outcomes are meeting expectations, but they do not provide a basis for the achievement of individual objectives.
An enterprise's security awareness program should focus on which of the following? a. Establishing metrics for network backups b. Installing training software which simulates security incidents c. Communicating what employees should or should not do in the context of their job responsibilities d. Access levels within the enterprise for applications and the Internet
C is the correct answer. Justification Metrics for network backups are not an awareness issue. Training software simulating security incidents is suitable for incident response teams but not for general awareness training. An enterprise's security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with the security policy. Access levels are specific issues, not generally the content of awareness training.
What is the MOST important reason to periodically test controls? a. To meet regulatory requirements b. To test the control design c. To ensure that objectives are met d. To achieve compliance with standard policy
C is the correct answer. Justification Not all enterprises are required to test controls periodically. Testing control design alone is insufficient if the design is not implemented and monitored effectively. Periodically testing controls ensures they continue to meet control objectives. Compliance with policy is not the most important factor for periodically testing controls.
Most standard frameworks for information security show the development of an information security program as starting with: a. policy development and implementation of process. b. an internal audit and remediation of findings. c. a risk assessment and control objectives. d. resource identification and budgetary requirements.
C is the correct answer. Justification Policies are written to support objectives, which are determined by business requirements. Audits are conducted to determine compliance with control objectives. An information security program is established to close the gap between the existing state of controls (as identified by a risk assessment) and the state desired on the basis of business requirements, which will be obtained through the meeting of control objectives. A program must have objectives before resources can be allocated in pursuit of those objectives.
What is the purpose of a corrective control? a. To reduce adverse events b. To identify a compromise c. To mitigate impact d. To ensure compliance
C is the correct answer. Justification Preventive controls, such as firewalls, reduce the occurrence of adverse events. Compromise can be detected by detective controls, such as intrusion detection systems. Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities. Compliance can be ensured by preventive controls, such as access controls.
Which program element should be implemented FIRST in asset classification and control? a. Risk assessment b. Classification c. Valuation d. Risk mitigation
C is the correct answer. Justification Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification is a step following valuation. Valuation is performed first to identify and understand the value of assets needing protection. Risk mitigation is a step following valuation based on the valuation.
What is the PRIMARY purpose of segregation of duties? a. Employee monitoring b. Reduced supervisory requirements c. Fraud prevention d. Enhanced compliance
C is the correct answer. Justification Segregation of duties (SoD) is unrelated to monitoring. As a secondary benefit, some reduction in supervision may be possible. SoD is primarily used to prevent fraudulent activities. If SoD is a policy requirement, then a secondary benefit is enhanced compliance. However, the policy exists to reduce fraud.
The MOST effective way to ensure that outsourced service providers comply with the enterprise's information security policy would be: a. service level monitoring. b. penetration testing. c. periodically auditing. d. security awareness training.
C is the correct answer. Justification Service level monitoring can only pinpoint operational issues in the enterprise's operational environment. Penetration testing can identify security vulnerabilities but cannot ensure information policy compliance. Regular audit exercises can spot any gaps in information security compliance. Training can increase users' awareness of the information security policy but does not ensure compliance.
Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures? a. Stress testing b. Patch management c. Change management d. Security baselines
C is the correct answer. Justification Stress testing ensures that there are no scalability problems. Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced; within change management, regression testing is specifically designed to prevent the introduction of new security exposures when making modifications. Security baselines provide minimum required security settings.
The cost of implementing and operating a security control should not exceed the: a. annual loss expectancy. b. cost of an incident. c. asset value. d. acceptable loss level.
C is the correct answer. Justification The annual loss expectancy is the monetary loss for an asset due to specific risk over a single year. A security mechanism may cost more than the cost of a single incident and still be cost-effective. The cost of implementing security controls should not exceed the business value of the asset. The cost of a control may well exceed the acceptable loss level in order to achieve the loss level objective.
Who has the inherent authority to grant an exception to information security policy? a. The business process owner b. The departmental manager c. The policy approver d. The information security manager
C is the correct answer. Justification The business process owner is typically required to enforce the policy and would not normally have the authority to grant an exception. The departmental manager cannot approve an exception to policy because the role is not responsible for the policy delivering its promised results. The person or body empowered to approve a policy is empowered to grant exceptions to it because in approving it, the individual assumed responsibility for the results that it promises to deliver. The information security manager cannot approve an exception to policy because the role is not responsible for the policy delivering its promised results.
Which of the following choices is the MOST significant single point of failure in a public key infrastructure? a. A certificate authority's (CA) public key b. A relying party's private key c. A CA's private key d. A relying party's public key
C is the correct answer. Justification The certificate authority's (CA) public key is published and poses no risk. If destroyed, lost or compromised, the private key of any relying party affects only that party. The CA's private key is the single point of failure for the entire public key infrastructure (PKI) because it is unpublished and the system cannot function if the key is destroyed, lost or compromised. The public key is published and poses no risk.
What is the MOST important item to be included in an information security policy? a. The definition of roles and responsibilities b. The scope of the security program c. The key objectives of the security program d. Reference to procedures and standards of the security program
C is the correct answer. Justification The definition of roles and responsibilities is part of implementing an information security governance framework. The scope of the security program should be defined in the charter of the information security program. Stating the objectives of the security program is the most important element to ensure alignment with business goals. Reference to standards that interpret the policy may be included, but the multitude of procedures controlled by those standards would not normally be referenced.
Which one of the following phases of the application development life cycle for in-house development represents the BEST opportunity for an information security manager to influence the outcome of the development effort? a. System design for a new application b. User acceptance testing and sign-off c. Requirements gathering and analysis d. Implementation
C is the correct answer. Justification The design phase helps determine how the requirements will be implemented; however, if an information security manager first becomes involved in the design phase, the manager will likely find that influencing the outcome of the development effort will be more difficult. The user acceptance testing and sign-off phase is too late in the life cycle to effectively influence the outcome. An information security manager should be involved in the earliest phase of the application development life cycle to effectively influence the outcome of the development effort. Of the choices listed, the requirements gathering and analysis phase represents the earliest opportunity for an information security manager to have such influence. During this phase, both functional and nonfunctional requirements, including security, should be considered. The implementation phase is too late in the life cycle to effectively influence the outcome.
Which of the following is the BEST metric for evaluating the effectiveness of an intrusion detection mechanism? a. Number of attacks detected b. Number of successful attacks c. Ratio of false positives to false negatives d. Ratio of successful to unsuccessful attacks
C is the correct answer. Justification The number of attacks detected does not indicate how many attacks were not detected; therefore, it is no indication of effectiveness. The number of successful attacks cannot be used as a metric to evaluate the effectiveness of an intrusion detection mechanism. The ratio of false positives to false negatives will indicate the effectiveness of the intrusion detection system. Without knowing whether attacks were detected or not, the ratio of successful attacks to unsuccessful attacks indicates nothing about the effectiveness of the IDS.
In which of the following system development life cycle phases are access control and encryption algorithms chosen? a. Procedural design b. Architectural design c. System design specifications d. Software development
C is the correct answer. Justification The procedural design converts structural components into a procedural description of the software. The architectural design is the phase that identifies the overall system design but not the specifics. The system design specifications phase is the phase that identifies security specifications, including the access control and encryption algorithms to be used. Software development is too late a stage because during this phase the system is already being coded.
A certificate authority is required for a public key infrastructure: a. in cases where confidentiality is an issue. b. when challenge/response authentication is used. c. except where users attest to each other's identity. d. in role-based access control deployments.
C is the correct answer. Justification The requirement of confidentiality is not relevant to the certificate authority (CA) other than to provide an authenticated user's public key. Challenge/response authentication is not a process used in a public key infrastructure (PKI). The role of the CA is not needed in implementations such as Pretty Good Privacy, where the authenticity of the users' public keys is attested to by others in a circle of trust. If role-based access control is PKI-based, either a CA is required or other trusted parties will have to attest to the validity of users.
The requirement for due diligence is MOST closely associated with which of the following? a. The right to audit b. Service level agreements c. Appropriate standard of care d. Periodic security reviews
C is the correct answer. Justification The right to audit is an important consideration when evaluating an enterprise but is not as closely related to the concept of due diligence. Service level agreements are an important consideration when evaluating an enterprise but are not as closely related to the concept of due diligence. The standard of care is most closely related to due diligence. It is based on the legal notion of the steps that would be taken by a person of similar competency in similar circumstances. Periodic security reviews are not as closely related to due diligence.
Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application? a. System analyst b. Quality control manager c. Process owner d. Information security manager
C is the correct answer. Justification The system analyst does not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security. Quality control managers do not implement security. Process owners implement information protection controls as determined by the business' needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible. The information security manager will implement the information security framework and develop standards and controls, but the level of security required by a specific business application is determined by the process owner.
Which of the following vulnerabilities is commonly introduced when using Simple Network Management Protocol v2 (SNMP v2) to monitor networks? a. Remote buffer overflow b. Cross-site scripting c. Cleartext authentication d. Man-in-the-middle attack
C is the correct answer. Justification There have been some isolated cases of remote buffer overflows against Simple Network Management Protocol (SNMP) daemons, but generally that is not a problem. Cross-site scripting is a web application vulnerability that is not related to SNMP. One of the main problems with using SNMP v1 and v2 is the cleartext community string that it uses to authenticate. It is easy to sniff and reuse. Most times, the SNMP community string is shared throughout the enterprise's servers and routers, making this authentication problem a serious threat to security. A man-in-the-middle attack against a User Datagram Protocol (UDP)-based service such as SNMP makes no sense since there is no active session; every request carries the community string and is answered independently.
Which of the following BEST protects confidentiality of information? a. Information classification b. Segregation of duties c. Least privilege d. Systems monitoring
C is the correct answer. Justification While classifying information can help focus the assignment of privileges, classification itself does not provide enforcement. Only in very specific situations does segregation of duties safeguard confidentiality of information. Restricting access to information to those who need to have access is the most effective means of protecting confidentiality. Systems monitoring is a detective control rather than a preventive control.
A newly hired information security manager notes that existing information security practices and procedures appear ad hoc. Based on this observation, the next action should be to: a. assess the commitment of senior management to the program. b. assess the maturity level of the enterprise. c. review the corporate standards. d. review corporate risk management practices.
C is the correct answer. Justification While management may not be exercising due care, it is concerned enough to engage a new information security manager. Assessing the commitment of senior management will not address the immediate concern of ad hoc practices and procedures. It is evident from the initial review that maturity is very low and efforts required for a complete assessment are not warranted. It may be better to address the immediate problem of ad hoc practices and procedures. The absence of current, effective standards is a concern that must be addressed promptly. It is apparent that risk management is not being practiced; establishing an effective program will take time. A more
A control policy is MOST likely to address which of the following implementation requirements? a. Specific metrics b. Operational capabilities c. Training requirements d. Failure modes
D is the correct answer. Justification A control policy may specify a requirement for monitoring or metrics but will not define specific metrics. Operational capabilities will likely be defined in specific requirements or in a design document rather than in the control policy. There may be a general requirement for training but not control-specific training, which will be dependent on the particular control. A control policy will state the required failure modes in terms of whether a control fails open or fails closed, which has implications for safety, confidentiality and availability.
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? a. Use an intrusion detection system. b. Establish minimum security baselines. c. Implement vendor-recommended settings. d. Perform periodic penetration testing.
D is the correct answer. Justification An intrusion detection system may detect an attempted attack, but it will not confirm whether the perimeter is secure. Minimum security baselines are beneficial, but they will not provide the level of assurance that is provided by penetration testing. Vendor-recommended settings may be used to harden systems but provide little assurance that other vulnerabilities do not exist, which may be exposed by penetration testing. Penetration testing is the best way to assure that perimeter security is adequate.
Which of the following is the MOST effective method for ensuring that outsourced operations comply with the company's information security posture? a. The vendor is provided with audit documentation. b. A comprehensive contract is written with service level metrics and penalties. c. Periodic onsite visits are made to the vendor's site. d. An onsite audit and compliance review is performed.
D is the correct answer. Justification Audit documentation may not show whether the vendor meets the company's needs; the company needs to know the testing procedures. While comprehensive contracts set minimum service levels, contracts do not ensure that vendors will perform without confirming oversight. Onsite visits to the vendor's site are not sufficient by themselves; they should be coupled with an audit approach to gauge information security compliance. Audits and compliance reviews are the most effective way to ensure compliance.
When performing a review of risk treatment options, the MOST important benefit to consider is: a. maximum risk mitigation. b. savings in control options. c. alignment with regulatory requirements. d. achieving control objectives.
D is the correct answer. Justification Control objectives are established on the basis of organizational risk appetite, so maximizing mitigation beyond the control objectives means incurring unnecessary cost. Cost is always a consideration, but an option cannot be considered to have saved money unless it also meets an objective. Regulatory requirements are considered no differently from any other consideration in the risk assessment process. Control objectives are established on the basis of risk appetite, which may or may not include accepting the risk of not complying with a regulation. Controls are designed and implemented to mitigate the risk. Hence, achievement of control objectives is the most important benefit. No other benefit can offset failure to meet the control objectives.
Which of the following is the BEST justification to convince management to invest in an information security program? a. Cost reduction b. Compliance with company policies c. Protection of business assets d. Increased business value
D is the correct answer. Justification Cost reduction by itself is rarely the motivator for implementing an information security program. Compliance is secondary to business value and cannot be the best justification, as the company may already be in compliance as managed by the legal team. Protection of business assets is not the best justification, as management can counter it by stating that it can ensure protection of assets. Investing in an information security program would increase business value as a result of fewer business disruptions, fewer losses, increased productivity and stronger brand reputation.
Who should be responsible for enforcing access rights to application data? a. Data owners b. Business process owners c. The security steering committee d. Security administrators
D is the correct answer. Justification Data owners are responsible for approving access rights. Business process owners are sometimes also the data owners and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement. As custodians, security administrators are responsible for enforcing access rights to data.
Which of the following activities is MOST effective for developing a data classification schema? a. Classifying critical data based on protection levels b. Classifying data based on the possibility of leakage c. Aligning the schema with data leak prevention tools d. Building awareness of the benefit of data classification
D is the correct answer. Justification Data protection levels are decided based on classification or business value. Data are classified on business value and not on the possibility of leakage. Protection of the data may well be based on the possibility of leakage. Aligning the schema with data leak prevention (DLP) tools may help while automating protection, but the data classification schema already has to exist for it to align with DLP. While developing a data classification schema, it is most important that all users are made aware of the need for accurate data classification to reduce the cost of overprotection and the risk of underprotection of information assets.
A social media application system has a process to scan posted comments in search of inappropriate disclosures. Which of the following choices would circumvent this control? a. An elaborate font setting b. Use of a stolen identity c. An anonymous posting d. A misspelling in the text
D is the correct answer. Justification Depending on the font style, text messages may become illegible; however, character codes stay the same behind the scenes. Therefore, scanning may not be affected by font settings. Even when a message is posted using a stolen identity, scanning will be able to catch an inappropriate posting by checking text against a predefined vocabulary table. Absence of the identity of the user who posted an inappropriate message may not be a major issue in conducting the scanning of posted information. Intentional misspellings are hard to detect by fixed rules or keyword search because it is difficult for the system to consider the possible misspellings. The computer may ignore misspelled items. Because humans can understand the context, it is rather easy for humans to sense the true intention hidden behind the misspelling.
Which of the following information security metrics is the MOST difficult to quantify? a. Percentage of controls mapped to industry frameworks b. Extent of employee security awareness c. Proportion of control costs to asset value d. Cost of security incidents prevented
D is the correct answer. Justification Determining the percentage of controls mapped to industry frameworks is relatively easy to do by reviewing the controls portfolio and checking controls documentation. While security awareness can be challenging to measure, focusing on behavior change is an option. For example, conducting phishing simulations can help measure how well employees identify and report those types of attacks. A business impact analysis combined with a financial analysis can facilitate a comparison of asset values to the costs of those assets. Measuring something that does not occur is inherently difficult, if not impossible. So many variables are theoretical that arriving at a reliable estimate is a guessing game.
When implementing a cloud computing solution that will provide software as a service (SaaS) to the enterprise, what is the GREATEST concern for the information security manager? a. The possibility of disclosure of sensitive data in transit or storage b. The lack of clear regulations regarding the storage of data with a third party c. The training of the users to access the new technology properly d. The risk of network failure and the resulting loss of application availability
D is the correct answer. Justification Disclosure of sensitive data is a primary concern of the information security manager. Many jurisdictions have regulations regarding data privacy. The concern of the information security manager is compliance with those regulations, not the lack of regulations. The training of how to use software as a service (SaaS) is no different from the need for training required for more traditional solutions. In most cases, the use of SaaS is fairly simple and requires minimal technology but is not within the scope of the information security manager's responsibility in any case. Loss of application availability as a result of network failure is an inherent risk associated with SaaS and must be taken into account by the enterprise as part of the decision to move to cloud computing, but this is a business decision rather than a principal concern of the information security manager.
Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise? a. Ease of installation b. Product documentation c. Available support d. System overhead
D is the correct answer. Justification Ease of installation, while important, would be secondary. Product documentation, while important, would be secondary. Available support, while important, would be secondary. Monitoring products can impose a significant impact on system overhead for servers and networks.
An enterprise is planning to deliver subscription-based educational services to customers online that will require customers to log in with their user IDs and passwords. Which of the following is the BEST method to validate passwords entered by a customer before access to educational resources is granted? a. Encryption b. Content filtering c. Database hardening d. Hashing
D is the correct answer. Justification Encryption is the application of an algorithm that converts the plaintext password to the encrypted form, but using encrypted passwords requires that they be decrypted for authentication—this would expose the actual password. Also, the authentication mechanism would need to have access to the encryption key in order to decrypt the password for authentication. This would allow anyone with the appropriate access to the server to decrypt user passwords, which is not typically acceptable and is not a secure practice. Content filtering is not a component of password validation. Database hardening helps in enhancing the security of a database but does not assist with password validation. Hashing refers to a one-way algorithm that always creates the same output if applied to the same input. When hashing passwords, only the password's hash value (output) is stored, not the actual password (input). When a user logs in and enters the password, the hash is applied to the password by the authentication mechanism and compared to the stored hash. If the hash matches, then access is granted. The actual password cannot be derived from the hash (because it is a one-way algorithm), so there is no chance of the password being compromised from the hash values stored on the server.
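The hashing scheme this justification describes, as an added example that is not part of the question bank: at enrollment the server stores only a one-way hash, and at login it re-hashes the entered password and compares. The per-user random salt, the PBKDF2 work factor and the constant-time comparison are practitioner additions beyond what the text states.

```python
"""Password validation by hashing (added example, not from the question bank).

Uses PBKDF2-HMAC-SHA256 from the Python standard library. The per-user random
salt and the iteration count are additions not mentioned in the text; they make
precomputed-table and brute-force attacks on a leaked hash store far costlier.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 600_000  # work factor; raise over time as hardware gets faster


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps per customer: never the password, only salt + hash."""
    salt: bytes
    digest: bytes
    iterations: int


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: same password + salt + iterations always gives the same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str, iterations: int = ITERATIONS) -> StoredCredential:
    """Called when a customer sets a password: generate a salt, store salt and hash only."""
    salt = os.urandom(16)
    return StoredCredential(salt, derive(password, salt, iterations), iterations)


def verify(stored: StoredCredential, attempt: str) -> bool:
    """Called at login: re-hash the attempt with the stored salt and compare digests.

    hmac.compare_digest runs in constant time, so response timing does not leak
    how many leading bytes of the candidate digest matched the stored one.
    """
    candidate = derive(attempt, stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


if __name__ == "__main__":
    # Constructed sample credential; nothing here is a real customer password.
    cred = enroll("correct horse battery staple")
    print("stored digest (hex):", cred.digest.hex())
    print("right password accepted:", verify(cred, "correct horse battery staple"))
    print("wrong password rejected:", not verify(cred, "Correct horse battery staple"))
```

Because only salt and digest are stored, a copy of the credential table cannot be "decrypted" back to passwords, which is the contrast with the encryption option the justification rejects.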
The MOST effective way to limit actual and potential impacts of e-discovery in the event of litigation is to: a. implement strong encryption of all sensitive documentation. b. ensure segregation of duties and limited access to sensitive data. c. enforce a policy of not writing or storing potentially sensitive information. d. develop and enforce comprehensive retention policies.
D is the correct answer. Justification Encryption will not prevent the legal requirements to produce documents in the event of legal conflicts. Limiting access to sensitive information based on the need to know may limit which personnel can testify during legal proceedings but will not limit the requirement to produce existing documents. While some enterprises have practiced a policy of not committing to writing issues of dubious legality, it is not a sound practice and may violate a variety of laws. Compliance with legally acceptable defined retention policies will limit exposure to the often difficult and costly demands for documentation during legal proceedings such as lawsuits.
What action should be taken concerning data classification requirements before engaging outsourced providers? Ensure the data classification requirements: a. are compatible with the provider's own classification. b. are communicated to the provider. c. exceed those of the outsourcer. d. are stated in the contract.
D is the correct answer. Justification Ensuring the data classification requirements are compatible with the provider's own classification is an acceptable option but does not provide a requirement for the handling of classified data. Ensuring the data classification requirements are communicated to the provider does not provide a requirement for appropriate handling of classified data. Ensuring the data classification requirements exceed those of the outsourcer is an acceptable option but not as comprehensive or as binding as a legal contract. The most effective mechanism to ensure that the enterprise's security standards are met by a third party would be a legal agreement stating the handling requirements for classified data and including the right to inspect and audit.
When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer, confidentiality is MOST vulnerable to which of the following? a. Internet Protocol spoofing b. Man-in-the-middle attack c. Repudiation d. Trojan
D is the correct answer. Justification Internet Protocol spoofing will not work because the IP address is not used as an authentication mechanism. Man-in-the-middle attacks are not possible if using Secure Sockets Layer with client-side certificates. Repudiation is unlikely because client-side certificates authenticate the user. A Trojan is a program that can give the attacker full control over the infected computer, thus allowing the attacker to hijack, copy or alter information after authentication by the user.
Who would be the PRIMARY user of metrics regarding the number of email messages quarantined due to virus infection versus the number of infected email messages that were not caught? a. The security steering committee b. The board of directors c. IT managers d. The information security manager
D is the correct answer. Justification Metrics support decisions. Knowing the number of email messages blocked due to viruses would not on its own be an actionable piece of information for the steering committee. The board of directors would have no use for the information. IT managers would be interested, but it would not be in their purview to address the issue. Information regarding the effectiveness of the current email antivirus control is most useful to the information security manager and staff because they can use the information to initiate an investigation to determine why the control is not performing as expected and to determine whether there are other factors contributing to the failure of the control. When these determinations are made, the information security manager can use these metrics, along with data collected during the investigation, to support decisions to alter processes or add to (or change) the controls in place.
Which of the following is the MOST important action to take when engaging third-party consultants to conduct an attack and penetration test? a. Request a list of the software to be used. b. Provide clear directions to IT staff. c. Monitor intrusion detection system and firewall logs closely. d. Establish clear rules of engagement.
D is the correct answer. Justification Not as important, but still useful, is to request a list of what software will be used. IT staff should not be alerted in order to maximize effectiveness of the penetration test. Monitoring personnel should not be alerted in order to effectively test their activities. It is critical to establish a clear understanding of what is permissible during the engagement. Otherwise, the tester may inadvertently trigger a system outage or inadvertently corrupt files.
What does the effectiveness of virus detection software MOST depend on? a. Packet filtering b. Intrusion detection c. Software upgrades d. Definition files
D is the correct answer. Justification Packet filtering does not focus on virus detection. Intrusion detection does not address virus detection. Software upgrades are related to the periodic updating of the program code, which would not be critical. The effectiveness of virus detection software depends on virus signatures, which are stored in virus definition files.
Which of the following is MOST effective in preventing disruptions to production systems? a. Patch management b. Security baselines c. Virus detection d. Change management
D is the correct answer. Justification Patch management involves the correction of software vulnerabilities as they are discovered by modifying the software with a "patch," which may or may not prevent production system disruptions. Security baselines provide minimum recommended settings and do not necessarily prevent introduction of control weaknesses. Virus detection is an effective tool but primarily focuses on malicious code from external sources. Change management controls the process of introducing changes to systems. Changes that are not properly reviewed before implementation can disrupt or alter established controls in an otherwise secure, stable environment.
Which of the following is the BEST way to erase confidential information stored on magnetic tapes? a. Performing a low-level format b. Rewriting with zeros c. Burning them d. Degaussing them
D is the correct answer. Justification Performing a low-level format may be adequate but is a slow process, and with the right tools, data can still be recovered. Rewriting with zeros will not overwrite information located in the disk slack space. Burning destroys the tapes and does not allow their reuse. Degaussing the magnetic tapes would quickly dispose of all information because the magnetic domains are thoroughly scrambled and would not allow reuse.
To improve the security of an enterprise's human resources system, an information security manager was presented with a choice to either implement an additional packet filtering firewall OR a heuristics-based intrusion detection system. How should the security manager with a limited budget choose between the two technologies? a. Risk analysis b. Business impact analysis c. Return on investment analysis d. Cost-benefit analysis
D is the correct answer. Justification Risk analysis identifies the risk and treatment options. A business impact analysis identifies the impact from the loss of systems or enterprise functions. Return on investment analysis compares the magnitude and timing of investment gains directly with the magnitude and timing of investment costs. Cost-benefit analysis measures the cost of a safeguard versus the benefit it provides and includes risk assessment. The cost of a control should not exceed the benefit to be derived from it. The degree of control employed is a matter of good business judgment.
The enactment of policies and procedures for preventing hacker intrusions is an example of an activity that belongs to: a. risk management. b. compliance. c. IT management. d. governance.
D is the correct answer. Justification Risk management is about identifying risk and adequate countermeasures and would be concerned if such policies and procedures were necessary, based on a risk analysis. However, the enactment does not fall into the area of risk management. Compliance would be concerned with the adequacy of the policies and procedures to achieve the control objectives and whether employees acted according to the policies and procedures. IT management would be concerned about setting the policies into operation (e.g., by providing training and resources). Governance is concerned with implementing adequate mechanisms for ensuring that organizational goals and objectives can be achieved. Policies and procedures are common governance mechanisms.
An enterprise has implemented an enterprise resource planning system used by 500 employees from various departments. Which of the following access control approaches is MOST appropriate? a. Rule-based b. Mandatory c. Discretionary d. Role-based
D is the correct answer. Justification Rule-based access control needs to define the individual access rules, which is troublesome and error prone in large enterprises. In mandatory access control, the individual's access to information resources is based on a clearance level that needs to be defined, which is troublesome in large enterprises. In discretionary access control, users have access to resources based on delegation of rights by someone with the proper authority, which requires a significant amount of administration and overhead. Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
Which of the following is the BEST approach for an enterprise desiring to protect its intellectual property? a. Conduct awareness sessions on intellectual property policy. b. Require all employees to sign a nondisclosure agreement. c. Promptly remove all access when an employee leaves the enterprise. d. Restrict access to a need-to-know basis.
D is the correct answer. Justification Security awareness regarding intellectual property policy will not prevent violations of this policy. Requiring all employees to sign a nondisclosure agreement is a good control but not as effective as restricting access to a need-to-know basis. Removing all access on termination does not protect intellectual property prior to an employee leaving. Restricting access to a need-to-know basis is the most effective approach to protecting intellectual property.
Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project? a. Design b. Implementation c. Application security testing d. Feasibility
D is the correct answer. Justification Security requirements must be defined before doing design specification, although changes in design may alter these requirements later on. Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective. Application security testing occurs after security has been implemented. Information security should be considered at the earliest possible stage because it may affect feasibility of the project.
Which one of the following types of detection is NECESSARY to mitigate a denial or distributed denial-of-service attack? a. Signature-based detection b. Deep packet inspection c. Virus detection d. Anomaly-based detection
D is the correct answer. Justification Signature-based detection cannot react to a distributed denial-of-service (DDoS) attack because it does not have any insight into increases in traffic levels. Deep packet inspection allows a protocol to be inspected and is not related to denial-of-service (DoS) attacks. Virus detection would have no effect on DDoS detection or mitigation. Anomaly-based detection establishes normal traffic patterns and then detects any deviation from that baseline. Traffic baselines are greatly exceeded when under a DDoS attack and are quickly identified by anomaly-based detection.
Which of the following BEST ensures nonrepudiation? a. Strong passwords b. A digital hash c. Symmetric encryption d. Digital signatures
D is the correct answer. Justification Strong passwords only ensure authentication to the system and cannot be used for nonrepudiation involving two or more parties. A digital hash in itself helps in ensuring integrity of the contents but not nonrepudiation. Symmetric encryption would not help in nonrepudiation because the keys are always shared between parties. Digital signatures use a private and public key pair, authenticating both parties. The integrity of the contents exchanged is controlled through the hashing mechanism that is signed by the private key of the exchanging party.
Business management is finalizing the contents of a segregation of duties matrix to be loaded in a purchase order system. Which of the following should the information security manager recommend in order to BEST improve the effectiveness of the matrix? a. Ensure approvers are aligned with the organizational chart b. Trace approvers' paths to eliminate routing deadlocks c. Set triggers to go off in the event of exceptions d. Identify conflicts in the approvers' authority limits
D is the correct answer. Justification The approver structure in a purchase order system may not necessarily be in sync with the organizational structure. Depending on business requirements, a modified hierarchy is acceptable purely in terms of approving certain transactions. It is rare that the structure of an approver's routing path will end up with deadlocks. If a highly complicated approval structure is developed, something similar to a deadlock may occur (e.g., it takes a very long time until a request is approved). Even so, it is unlikely that routing effectiveness becomes a primary driver for quality improvement. Setting triggers to go off in the event of exceptions is a technical feature to be implemented inside the database. It is not relevant advice to be given to business management. In order to make the segregation of duties matrix complete, it is best to ensure that no conflicts exist in approvers' authorities. If there are any, they will introduce a flaw in the control, resulting in the successful execution of unauthorized transactions.
Controls that fail closed (secure) will present a risk to: a. confidentiality. b. integrity. c. authenticity. d. availability.
D is the correct answer. Justification The blocked access will not generally impact confidentiality. The blocked access will not generally impact integrity. The blocked access will not generally impact authenticity. A control (such as a firewall) that fails in a closed condition will typically prevent access to resources behind it, thus impacting availability.
Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files? a. Verify the date that signature files were last pushed out. b. Use a recently identified benign virus to test if it is quarantined. c. Research the most recent signature file and compare to the console. d. Check a sample of servers that the signature files are current.
D is the correct answer. Justification The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server. Personnel should never release a virus, no matter how benign. Checking the vendor information to the management console would still not indicate whether the file was properly loaded on the server. The only accurate way to check the signature files is to look at a sample of servers.
Which of the following roles is MOST appropriately responsible for ensuring that security awareness and training material is effectively deployed to reach the intended audience? a. The human resources department b. The business manager c. The subject matter experts d. The information security department
D is the correct answer. Justification The human resources department may assist in disseminating security awareness material but the primary responsibility rests with the information security department. The business manager may also assist in information dissemination but is not primarily responsible. Subject matter experts are not normally involved with security awareness activities. The information security department oversees the information security program. This includes ensuring
To establish the contractual relationship between entities using public key infrastructure, the certificate authority must provide which of the following? a. A registration authority b. A digital certificate c. A nonrepudiation capability d. A certification practice statement
D is the correct answer. Justification The registration authority is responsible for authentication of users prior to the issuance of a certificate. A digital certificate is the electronic credentials of individual entities but does not provide the contractual relationship of users and the certificate authority. Nonrepudiation is an inherent capability of a public key infrastructure by the virtue of the signing capability. The certification practice statement provides the contractual requirements between the relying parties and the certificate authority.
Which of the following metrics is the MOST useful for the effectiveness of a controls monitoring program? a. The percentage of key controls being monitored b. The time between detection and initiating remediation c. The monitoring cost versus incidents detected d. The time between an incident and detection
D is the correct answer. Justification While the percentage of key controls being monitored is an important metric, it is not an indication of effectiveness. The time between detection and remediation is an indication of the effectiveness of the incident response activity. The monitoring cost per incident is an indicator of efficiency rather than effectiveness. The time it takes to detect an incident after it has occurred is a good indication of the effectiveness of the control monitoring effort.
Which one of the following combinations offers the STRONGEST encryption and authentication method for 802.11 wireless networks? a. Wired Equivalent Privacy with 128-bit pre-shared key authentication b. Temporal Key Integrity Protocol-Message Integrity Check with the RC4 cipher c. Wi-Fi Protected Access 2 (WPA2) and pre-shared key authentication d. WPA2 and 802.1x authentication
D is the correct answer. Justification Wired Equivalent Privacy (WEP) with 128-bit pre-shared key authentication can be easily cracked with open source tools. WEP is easily compromised and is no longer recommended for secure wireless networks. Temporal Key Integrity Protocol-Message Integrity Check (TKIP-MIC) with the RC4 cipher is not as strong as WPA2 with 802.1x authentication. Wi-Fi Protected Access 2 (WPA2) with pre-shared keys uses the strongest level of encryption, but the authentication is more easily compromised. WPA2 and 802.1x authentication is the strongest form of wireless authentication currently available. WPA2 combined with 802.1x forces the user to authenticate using strong Advanced Encryption Standard encryption.
Which of the following is the MOST cost-effective type of access control? a. Centralized b. Role-based c. Decentralized d. Discretionary
B is the correct answer.
Which of the following approaches is the BEST for designing role-based access controls? a. Create a matrix of work functions. b. Apply persistent data labels. c. Enable multifactor authentication. d. Use individual logon scripts.
A is the correct answer. Justification A matrix that documents the functions associated with particular kinds of work, typically referred to as a segregation of duties matrix, shows which roles are required or need various permissions. Persistent data labels apply to mandatory access control environments where permissions are brokered by the classification levels of objects themselves. They do not factor into role-based access controls. Multifactor authentication deals with how users authenticate their identities, which helps to ensure that people are who they claim to be. It does not determine the permissions that they are assigned, particularly in a role-based access control model, where permissions are assigned to roles rather than individual users. Using automated logon scripts is practical in some environments, but assigning permissions to individual accounts is contrary to the intent of role-based access controls.
What is the BIGGEST concern for an information security manager reviewing firewall rules? a. The firewall allows source routing. b. The firewall allows broadcast propagation. c. The firewall allows unregistered ports. d. The firewall allows nonstandard protocols.
A is the correct answer. Justification If the firewall allows source routing, any outsider can carry out spoofing attacks by stealing the internal (private) Internet Protocol addresses of the enterprise. Broadcast propagation does not create a significant security exposure. Unregistered ports are a poor practice but do not necessarily create a significant security exposure. Nonstandard protocols can be filtered and do not necessarily create a significant security exposure.
The BEST reason for an enterprise to implement two discrete firewalls connected directly to the Internet and the same demilitarized zone would be to: a. provide in-depth defense. b. separate test and production. c. permit traffic load balancing. d. prevent a denial-of-service attack.
C is the correct answer. Justification Two firewalls in parallel provide two concurrent paths for compromise and, therefore, do not provide defense in depth. If they were connected in series, one behind the other, they would provide defense in depth. As both entry points connect to the Internet and to the same demilitarized zone, such an arrangement is not practical for separating testing from production. Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. Firewalls are not effective at preventing denial-of-service attacks.