Information Security and Assurance - C725 - final Study


Explain the steps of the business impact assessment process.

The five steps of the business impact assessment process are identification of priorities, risk identification, likelihood assessment, impact assessment, and resource prioritization.

Rogue code:

The user inadvertently launches software that can log a user's keystrokes and either send them to a remote server or perform other undesirable activities, such as deleting files or destroying the operating system, rendering the computer useless.

What is the major difference between a virus and a worm?

Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible. However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate. Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.

Remote Access Dial-In User Service (RADIUS)

is a client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. For example, you might need to dial up an external network to gain access so that you can perform work, deposit a file, or pick up a file. The earliest versions of America Online (AOL) used RADIUS, or RADIUS-like technology, to authenticate legitimate AOL users.

transposition cipher

is a method of encryption by which the characters or groups of characters are shifted according to a regular system so that the order of the units is changed or reordered. Substitution is based on the principle of replacing each letter in the message with another letter.

NIST Cybersecurity Framework (CSF)

is a set of standards designed to serve as a voluntary risk-based framework for securing information and systems.

secure facility plan

outlines the security needs of your organization and emphasizes methods or mechanisms to employ to provide security. Such a plan is developed through a process known as critical path analysis.

Patent Law

Patents protect the intellectual property rights of inventors. They provide a period of 20 years during which the inventor is granted exclusive rights to use the invention (whether directly or via licensing agreements).

Rate-of-rise detection systems

trigger suppression when the speed at which the temperature changes reaches a specific level. Flame-actuated systems trigger suppression based on the infrared energy of flames.

Explain the importance of fully documenting an organization's business continuity plan.

Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the "it's in my head" syndrome and ensures the orderly progress of events in an emergency.

Know the three basic alternatives for confiscating evidence and when each one is appropriate.

First, the person who owns the evidence could voluntarily surrender it. Second, a subpoena could be used to compel the subject to surrender the evidence. Third, a search warrant is most useful when you need to confiscate evidence without giving the subject an opportunity to alter it.

Understand uses of digital rights management (DRM).

Digital rights management (DRM) solutions allow content owners to enforce restrictions on the use of their content by others. DRM solutions commonly protect entertainment content, such as music, movies, and e-books but are occasionally found in the enterprise, protecting sensitive information stored in documents.

countermeasures and safeguards against DoS and DDoS attacks

Disable echo replies on external systems.
Disable broadcast features on border systems.
Keep all systems patched with the most current security updates from vendors.
Block spoofed packets from entering or leaving your network.
Maintain good contact with your service provider in order to request filtering services when a DoS occurs.

Know what denial-of-service (DoS) attacks are

DoS attacks prevent a system from responding to legitimate requests for service. A common DoS attack is the SYN flood attack, which disrupts the TCP three-way handshake. Even though older attacks are not as common today because basic precautions block them, you may still be tested on them because many newer attacks are often variations on older methods. Smurf attacks employ an amplification network to send numerous response packets to a victim. Ping-of-death attacks send numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.

What are some security issues with email and options for safeguarding against them?

Email is inherently insecure because it is primarily a plaintext communication medium and employs non-encrypted transmission protocols. This allows for email to be easily spoofed, spammed, flooded, eavesdropped on, interfered with, and hijacked. Defenses against these issues primarily include having stronger authentication requirements and using encryption to protect the content while in transit.

OSI model eight security mechanisms

Encipherment: The conversion of plain-text messages into ciphers or encoded messages that only the person with the cipher key can unlock.
Digital signature: In general, the use of public and private key encryption that allows the sender to encrypt a message and the intended recipient to decrypt the message.
Access control: See the earlier description.
Data integrity: See the earlier description.
Authentication: See the earlier description.
Traffic padding: The technique by which spurious data is generated to disguise the amount of real data being sent, thus making data analysis or decryption more difficult for the attacker.
Routing control: The Internet has routes between networks. When a network drops, the routing control processor determines in real time the optimal path, to reduce downtime.
Notarization: Digital notarizations, the counterpart to the paper notary, prove that electronic files have not been altered after they were digitally notarized. (See Lesson 11, "Cryptography," for more information on digital signatures.)

concerns of evidence storage

Evidence storage is used to retain logs, drive images, virtual machine snapshots, and other datasets for recovery, internal investigations, and forensic investigations. Protections include dedicated/isolated storage facilities, offline storage, activity tracking, hash management, access restrictions, and encryption.

list administrative physical security controls

Examples of administrative physical security controls are facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

Explain how expert systems, machine learning, and neural networks function

Expert systems consist of two main components: a knowledge base that contains a series of "if/then" rules and an inference engine that uses that information to draw conclusions about other data. Machine learning techniques attempt to algorithmically discover knowledge from datasets. Neural networks simulate the functioning of the human mind to a limited extent by arranging a series of layered calculations to solve problems. Neural networks require extensive training on a particular problem before they are able to offer solutions.

TEMPEST countermeasure

Faraday cage: A building designed with an external metal skin, often a wire mesh, that fully surrounds an area on all sides.
White noise: Consists of a jam signal that causes interception equipment to fail.
Control zone: An area where emanation signals are supported and used by necessary equipment, such as mobile phones, radios, and televisions.

Know how fax security works

Fax security is primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials. The primary goal is to prevent interception. Activity logs and exception reports can be used to detect anomalies in fax activity that could be symptoms of attack.

importance of fire detection and suppression

Fire detection and suppression must not be overlooked. Protecting personnel from harm should always be the most important goal of any security or protection system. In addition to protecting people, fire detection and suppression is designed to keep damage caused by fire, smoke, heat, and suppression materials to a minimum, especially in regard to the IT infrastructure.

Identifying Threats

Focused on Assets: This method uses asset valuation results and attempts to identify threats to the valuable assets. For example, a specific asset can be evaluated to determine if it is susceptible to an attack. If the asset hosts data, access controls can be evaluated to identify threats that can bypass authentication or authorization mechanisms.

Focused on Attackers: Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker's goals. For example, a government is often able to identify potential attackers and recognize what the attackers want to achieve. They can then use this knowledge to identify and protect their relevant assets. A challenge with this approach is that new attackers can appear that weren't previously considered a threat.

Focused on Software: If an organization develops software, it can consider potential threats against the software. Although organizations didn't commonly develop their own software years ago, it's common to do so today. Specifically, most organizations have a web presence, and many create their own web pages. Fancy web pages drive more traffic, but they also require more sophisticated programming and present additional threats.

Know the requirements for successful use of a one-time pad.

For a one-time pad to be successful, the key must be generated randomly without any known pattern. The key must be at least as long as the message to be encrypted. The pads must be protected against physical disclosure, and each pad must be used only one time and then discarded.

Licensing

Four common types of license agreements are in use today.

Contractual license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each. These agreements are commonly found for high-priced and/or highly specialized software packages.

Shrink-wrap license agreements are written on the outside of the software packaging. They commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package.

Click-through license agreements are becoming more commonplace than shrink-wrap agreements. In this type of agreement, the contract terms are either written on the software box or included in the software documentation. During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them. This adds an active consent to the process, ensuring that the individual is aware of the agreement's existence prior to installation.

Cloud services license agreements take click-through agreements to the extreme. Most cloud services do not require any form of written agreement and simply flash legal terms on the screen for review. In some cases, they may simply provide a link to legal terms and a check box for users to confirm that they read and agree to the terms. Most users, in their excitement to access a new service, simply click their way through the agreement without reading it and may unwittingly bind their entire organization to onerous terms and conditions.

types of denial of service attacks

Fraggle: Spoofed UDP packets are sent to a network's broadcast address.
Ping of Death: Uses oversized ICMP datagrams to crash IP devices.
SYN flood: Abuses the three-way handshake by which a communication between two computers is initially established.
Buffer overflow: Occurs when more data is put into a buffer than it can hold.

Information Security Governance and Risk Management

The Governance and Risk Management domain emphasizes the importance of a comprehensive security plan that includes security policies and procedures for protecting data and how it is administered. It covers:
Understanding and aligning security functions with the goals, mission, and objectives of the organization
Understanding and applying security governance
Understanding and applying concepts of confidentiality, integrity, and availability
Developing and implementing security policies
Managing the information life cycle (classification, categorization, and ownership)
Managing third-party governance (on-site assessments, document exchange and review, process and policy reviews)
Understanding and applying risk management concepts
Managing personnel security
Developing and managing security education, training, and awareness
Managing the security function (budgets, metrics, and so on)

What is the problem with halon-based fire suppression technology?

Halon degrades into toxic gases at 900 degrees Fahrenheit. Also, it is not environmentally friendly (it is an ozone-depleting substance). Recycled halon is available, but production of halon ceased in developed countries in 2003. Halon is often replaced by a more ecologically friendly and less toxic medium.

flag bit designators to match them with their descriptions

Here are the flag bit designators:
CWR (Congestion Window Reduced): Manages transmission over congested links
FIN (Finish): Requests graceful shutdown of TCP session
URG (Urgent): Indicates urgent data
RST (Reset): Causes immediate disconnect of TCP session
SYN (Synchronization): Requests synchronization with new sequencing numbers

Put the steps that Carrier-Sense Multiple Access (CSMA) technology follows while communicating into the correct order.

Here are the steps that Carrier-Sense Multiple Access (CSMA) technology follows while communicating:
1. The host listens to the LAN media to determine whether it is in use.
2. If the LAN media is not being used, the host transmits its communication.
3. The host waits for an acknowledgment.
4. If no acknowledgment is received after a time-out period, the host starts over again.

types of WAN connection

Here are the types of WAN connection technology:
ATM (asynchronous transfer mode): A cell-switching WAN communication technology that fragments communications into fixed-length 53-byte cells.
Frame Relay: Uses packet-switching technology to establish virtual circuits between communication endpoints.
X.25: Uses permanent virtual circuits to establish specific point-to-point connections between two systems or networks.
SMDS (switched multimegabit data service): A connectionless packet-switching technology used to connect multiple LANs to form a MAN or a WAN.

Understand intrusion detection and intrusion prevention

IDSs and IPSs are important detective and preventive measures against attacks. Know the difference between knowledge-based detection (using a database similar to anti-malware signatures) and behavior-based detection. Behavior-based detection starts with a baseline to recognize normal behavior and compares activity with the baseline to detect abnormal activity. The baseline can be outdated if the network is modified, so it must be updated when the environment changes.

Be able to describe IPsec.

IPsec is a security architecture framework that supports secure communication over IP. IPsec establishes a secure channel in either transport mode or tunnel mode. It can be used to establish direct communication between computers or to set up a VPN between networks. IPsec uses two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Describe the differences between transport mode and tunnel mode of IPsec.

IPsec's transport mode is used for host-to-host links and encrypts only the payload, not the header. IPsec's tunnel mode is used for host-to-LAN and LAN-to-LAN links and encrypts the entire original payload and header and then adds a link header.

ITSEC and TCSEC

ITSEC classes are hierarchical; each class adds to the class above it and contains specific functions and mechanisms that correspond to TCSEC. ITSEC also supports other specialized classes that stand alone (nonhierarchical):
F-IN for high integrity
F-AV for high availability
F-DI for high data integrity
F-DC for high data confidentiality
F-DX for networks that require high demands for confidentiality and integrity during data exchanges

Be able to explain how identification works

Identification is the process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability.

What are the actions an antivirus software package might take when it discovers an infected file?

If possible, antivirus software may try to disinfect an infected file, removing the virus's malicious code. If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.

Health Insurance Portability and Accountability Act of 1996

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which made numerous changes to the laws governing health insurance and health maintenance organizations (HMOs). Among the provisions of HIPAA are privacy and security regulations requiring strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.

Children's Online Privacy Protection Act of 1998

In April 2000, provisions of the Children's Online Privacy Protection Act (COPPA) became the law of the land in the United States. COPPA makes a series of demands on websites that cater to children or knowingly collect information from children.

Understand the difference between packet switching and circuit switching

In circuit switching, a dedicated physical pathway is created between the two communicating parties. Packet switching occurs when the message or communication is broken up into small segments and sent across the intermediary networks to the destination. Within packet-switching systems are two types of communication paths, or virtual circuits: permanent virtual circuits (PVCs) and switched virtual circuits (SVCs).

What is the difference between an interview and an interrogation?

Interviews are conducted with the intention of gathering information from individuals to assist with your investigation. Interrogations are conducted with the intent of gathering evidence from suspects to be used in a criminal prosecution.

Describe the primary types of intrusion detection systems.

Intrusion detection systems can be described as host based or network based, based on their detection methods (knowledge based or behavior based), and based on their responses (passive or active). Host-based IDSs examine events on individual computers in great detail, including file activities, accesses, and processes. Network-based IDSs examine general network events and anomalies through traffic evaluation. A knowledge-based IDS uses a database of known attacks to detect intrusions. A behavior-based IDS starts with a baseline of normal activity and measures network activity against the baseline to identify abnormal activity. A passive response will log the activity and often provide a notification. An active response directly responds to the intrusion to stop or block the attack.

Explain the basic architecture of a relational database management system (RDBMS)

Know the structure of relational databases. Be able to explain the function of tables (relations), rows (records/tuples), and columns (fields/attributes). Know how relationships are defined between tables and the roles of various types of keys. Describe the database security threats posed by aggregation and inference.

Understand the importance of change and configuration management

Know the three basic components of change control—request control, change control, and release control—and how they contribute to security. Explain how configuration management controls the versions of software used in an organization.

Understand sabotage and espionage

Malicious insiders can perform sabotage against an organization if they become disgruntled for some reason. Espionage is when a competitor tries to steal information, and they may use an internal employee. Basic security principles, such as implementing the principle of least privilege and immediately disabling accounts for terminated employees, limit the damage from these attacks.

Trusted Computer System Evaluation Criteria (TCSEC): Mandatory Protection (Categories B1, B2, B3)

Mandatory Protection (Categories B1, B2, B3): Mandatory protection systems provide more security controls than category C or D systems. More granularity of control is mandated, so security administrators can apply specific controls that allow only very limited sets of subject/object access. This category of systems is based on the Bell-LaPadula model. Mandatory access is based on security labels.

Class B1: Labeled Security Protection. Class B1 systems require all the features Class C2 systems require. In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present.

Class B2: Structured Protection. In Class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires extending the discretionary and mandatory access control enforcement in Class B1 systems to all subjects and objects in the system.

Class B3: Security Domains. For Class B3, the TCB must satisfy the reference monitor requirements to do the following:
Mediate all accesses of subjects to objects
Resist tampering
Have a small enough size that it can be subjected to analysis and tests

security needs for media storage

Media storage facilities should be designed to securely store blank media, reusable media, and installation media. The concerns include theft, corruption, and data remnant recovery. Media storage facility protections include locked cabinets or safes, using a librarian/custodian, implementing a check-in/check-out process, and using media sanitization.

Know how antivirus software packages detect known viruses

Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. This makes it essential to periodically update virus definition files in order to maintain protection against newly authored viruses as they emerge. Behavior-based detection is also becoming increasingly common, with antivirus software monitoring target systems for unusual activity and either blocking it or flagging it for investigation, even if the software does not match a known malware signature.

Understand need-to-know and the principle of least privilege

Need-to-know and the principle of least privilege are two standard IT security principles implemented in secure networks. They limit access to data and systems so that users and other subjects have access only to what they require. This limited access helps prevent security incidents and helps limit the scope of incidents when they occur. When these principles are not followed, security incidents result in far greater damage to an organization.

Discuss the benefits of NAT

Network Address Translation (NAT) allows for the identity of internal systems to be hidden from external entities. Often NAT is used to translate between RFC 1918 private IP addresses and leased public addresses. NAT serves as a one-way firewall because it allows only inbound traffic that is a response to a previous internal query. NAT also allows a few leased public addresses to be used to grant internet connectivity to a larger number of internal systems.

common threats to physical access controls.

No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Abuses of physical access control include propping open secured doors and bypassing locks or access controls. Masquerading is using someone else's security ID to gain entry to a facility. Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.

weakest authentication mechanism

Passwords are the weakest link in the security chain. Problems persist as people are responsible for managing their passwords. Passwords can be insecure, easily broken, and inconvenient.

Understand penetration testing

Penetration tests start by discovering vulnerabilities and then mimic an attack to identify what vulnerabilities can be exploited. It's important to remember that penetration tests should not be done without express consent and knowledge from management. Additionally, since penetration tests can result in damage, they should be done on isolated systems whenever possible. You should also recognize the differences between black-box testing (zero knowledge), white-box testing (full knowledge), and gray-box testing (partial knowledge).

Understand phishing

Phishing attacks are commonly used to try to trick users into giving up personal information (such as user accounts and passwords), click a malicious link, or open a malicious attachment. Spear phishing targets specific groups of users, and whaling targets high-level executives. Vishing uses VoIP technologies.

What is polyinstantiation?

Polyinstantiation is a database security technique that appears to permit the insertion of multiple rows sharing the same uniquely identifying information.

Understand the importance of monitoring privileged operations.

Privileged entities are trusted, but they can abuse their privileges. Because of this, it's important to monitor all assignment of privileges and the use of privileged operations. The goal is to ensure that trusted employees do not abuse the special privileges they are granted. Monitoring these operations can also detect many attacks because attackers commonly use special privileges during an attack.

Four Types of Policies

Program-level policy is used for creating a management-sponsored computer security program. A program-level policy, at the highest level, might prescribe the need for information security and can delegate the creation and management of the program to a role within the IT department. Think of this as the mission statement for the IT security program. Program-framework policy establishes the overall approach to computer security (as a computer security framework). A framework policy adds detail to the program by describing the elements and organization of the program and department that will carry out the security mission. Issue-specific policy addresses specific issues of concern to the organization. These issues could be regulatory in nature—for example, the Payment Card Industry (PCI) data security standard, Sarbanes-Oxley (SOX), or the Gramm-Leach-Bliley Act (GLBA), to name a few. System-specific policy focuses on policy issues that management has decided for a specific system.

Transport layer (layer 4)

Protocols at this level provide the point-to-point integrity of data transmissions. They determine how to address the other computer, establish communication links, handle the networking of messages, and generally control the session. The Transmission Control Protocol (TCP) operates at this level. TCP allows two computers to connect with each other and exchange streams of data while guaranteeing delivery of the data and maintaining it in the same order. Although the context of communications works at the higher layers of the protocol stack, the transport of this context over the network occurs at Layer 4.

Transport Layer (host-to-host) protocols:
Transmission Control Protocol (TCP): TCP is a reliable service that maintains the proper sequence of incoming packets and acknowledges receipt to the user.
User Datagram Protocol (UDP): UDP is a less robust version of TCP. It does not acknowledge receipt of packets and is a connectionless and less reliable service. Its advantage over TCP is its faster speed and lower overhead.

Qualitative decision-making:

Qualitative decision-making takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low). One quantitative measure that the team must develop is the maximum tolerable downtime (MTD), sometimes also known as maximum tolerable outage (MTO). The MTD is the maximum length of time a business function can be inoperable without causing irreparable harm to the business. The MTD provides valuable information when you're performing both BCP and DRP planning.

Understand the issues around remote access security management

Remote access security management requires that security system designers address the hardware and software components of an implementation along with issues related to policy, work tasks, and encryption.

Understand how salt and pepper thwarts password attacks

Salts add additional bits to a password before hashing it and help thwart rainbow table attacks. Some algorithms, such as bcrypt and Password-Based Key Derivation Function 2 (PBKDF2), add the salt and repeat the hashing function many times. Salts are stored in the same database as the hashed password. A pepper is a large constant number used to further increase the security of the hashed password, and it is stored somewhere outside the database holding the hashed passwords.

Understand security management planning

Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization's goals, mission, and objectives. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

Understand the importance of ethics to security personnel.

Security practitioners are granted a very high level of authority and responsibility to execute their job functions. The potential for abuse exists, and without a strict code of personal behavior, security practitioners could be regarded as having unchecked power. Adherence to a code of ethics helps ensure that such power is not abused.

Understand separation of duties and job rotation

Separation of duties is a basic security principle that ensures that no single person can control all the elements of a critical function or system. With job rotation, employees are rotated into different jobs, or tasks are assigned to different employees. Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions. Implementing these policies helps prevent fraud by limiting actions individuals can do without colluding with others.

Understand the importance of testing

Software testing should be designed as part of the development process. Testing should be used as a management tool to improve the design, development, and production processes.

security management planning team should develop three types of plans

Strategic Plan: A strategic plan is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to understand the security function and align it to the goals, mission, and objectives of the organization. It's useful for about five years if it is maintained and updated annually. The strategic plan also serves as the planning horizon. Long-term goals and visions for the future are discussed in a strategic plan. A strategic plan should include a risk assessment.

Tactical Plan: The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan, or it can be crafted ad hoc based upon unpredicted events. A tactical plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. Some examples of tactical plans are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans.

Operational Plan: An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. Operational plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. Operational plans spell out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. Operational plans include details on how the implementation processes are in compliance with the organization's security policy. Examples of operational plans are training plans, system deployment plans, and product design plans.

TCP/IP architecture layers in their correct sequence (compared with the OSI model)

The Application layer: Provides access to network resources. Protocols include HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), Telnet, SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol 3), and IMAP4 (Internet Message Access Protocol 4).

The Transport layer: Responsible for preparing data to be transported across the network. Protocols include TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

The Internet layer: Responsible for logical addressing (such as IP addresses) and routing. Protocols include RIP (Routing Information Protocol), OSPF (Open Shortest Path First), IGMP (Internet Group Management Protocol), and ICMP (Internet Control Message Protocol).

The Network Access layer: Translates logical network addresses into physical machine addresses. It consists of the network card driver and the circuitry on the network card itself. It makes use of only the ARP protocol.

Biba Integrity Model

The Biba model covers integrity levels, which are analogous to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data. The Bell-LaPadula model is a confidentiality model intended to preserve the principle of least privilege. The Biba model uses a read-up, write-down approach: subjects cannot read objects of lesser integrity and cannot write to objects of higher integrity. Think of CIA analysts and the information they need to perform their duties. Under the Biba model, an analyst with Top Secret clearance can see only information that's labeled as Top Secret with respect to integrity (confirmed by multiple sources, and so forth); likewise, this analyst can contribute information only at his or her clearance level. People with higher clearances are not "poisoned" with data from a lower level of integrity and cannot poison those with clearances higher than theirs.

Common Evaluation Methodology (CEM)

The CEM contains three parts:

Part 1: Introduction and General Model: This part describes agreed-upon principles of evaluation and introduces agreed-upon evaluation terminology dealing with the process of evaluation.

Part 2: CC Evaluation Methodology: This part is based on CC Part 3 evaluator actions. It uses well-defined assertions to refine CC Part 3 evaluator actions and tangible evaluator activities to determine requirement compliance. In addition, it offers guidance to further clarify the intent of evaluator actions. Part 2 provides methodologies to evaluate the following: PPs, STs, EAL1, EAL2, EAL3, EAL4, EAL5, EAL6, EAL7, and components not included in an EAL.

Part 3: Extensions to the Methodology: These extensions are needed to take full advantage of the evaluation results. This part includes topics such as guidance on the composition and content of evaluation document deliverables.

Know incident response steps

The CISSP Security Operations domain lists incident response steps as detection, response, mitigation, reporting, recovery, remediation, and lessons learned. After detecting and verifying an incident, the first response is to limit or contain the scope of the incident while protecting evidence. Based on governing laws, an organization may need to report an incident to official authorities, and if PII is affected, individuals need to be informed. The remediation and lessons learned stages include root cause analysis to determine the cause and recommend solutions to prevent a reoccurrence.

Testing the DRP

The Certified Information Systems Security Professional (CISSP) recognizes five methods of testing the DRP:

Walk-throughs: Members of the key business units meet to trace their steps through the plan, looking for omissions and inaccuracies.

Simulations: During a practice session, critical personnel meet to perform a dry run of the emergency, mimicking the response to a true emergency as closely as possible.

Checklists: In a more passive type of testing, members of the key departments check off the tasks for which they are responsible and report on the accuracy of the checklist. This is typically a first step toward a more comprehensive test.

Parallel testing: The backup processing occurs in parallel with production services that never stop. This is a familiar process for those who have installed complex computer systems that run in parallel with the existing production system until the new system proves to be stable. An example of this is when a company installs a new payroll system: until the new system is deemed ready for full cut-over, the two systems operate in parallel.

Full interruption: Also known as the true/false test, production systems are stopped as if a disaster occurred to see how the backup services perform. They either work (true) or fail (false), in which case the lesson learned can be as painful as a true disaster.

Be able to explain the basic operational modes of the Data Encryption Standard (DES) and Triple DES (3DES)

The Data Encryption Standard operates in five modes: Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, Output Feedback (OFB) mode, and Counter (CTR) mode. ECB mode is considered the least secure and is used only for short messages. 3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively.

Rainbow Series

The Orange Book classifications, from most to least secure, are Division A, Division B, Division C, and Division D.

Orange Book: Under the DOD Trusted Computer System Evaluation Criteria (TCSEC), both divisions A and B require mandatory protection.

Orange Book: In Class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires extending the discretionary and mandatory access control enforcement in Class B1 systems to all subjects and objects in the system. In addition, covert channels are addressed.

Orange Book: Class B1 systems require all the features Class C2 systems require. In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present.

Orange Book: Leonard J. LaPadula and David E. Bell developed this early and popular security model in the 1970s. It forms the basis of the TCSEC.

Orange Book: ITSEC added other specialized classes, including integrity and availability.

Understand the differences between PPP and SLIP.

The Point-to-Point Protocol (PPP) is an encapsulation protocol designed to support the transmission of IP traffic over dial-up or point-to-point links. PPP includes a wide range of communication services, including assignment and management of IP addresses, management of synchronous communications, standardized encapsulation, multiplexing, link configuration, link quality testing, error detection, and feature or option negotiation (such as compression). PPP was originally designed to support CHAP and PAP for authentication. However, recent versions of PPP also support MS-CHAP, EAP, and SPAP. PPP replaced Serial Line Internet Protocol (SLIP). SLIP offered no authentication, supported only half-duplex communications, had no error-detection capabilities, and required manual link establishment and teardown.

Spoofing of Internet Protocol (IP) addresses:

The attacker sends a message with a false originating IP address to convince the recipient that the sender is someone else. Every computer on the Internet is assigned a unique IP address. In this case, the attacker masquerades as a legitimate Internet site by using that site's IP address.

Describe the benefits of change control management.

The benefits of change control management include preventing unwanted security reduction because of uncontrolled change, documenting and tracking of all alterations in the environment, standardization, conforming with security policy, and the ability to roll back changes in the event of an unwanted or unexpected outcome.

Computer Fraud and Abuse Act (CFAA)

The major provisions of the original CCCA made it a crime to perform the following:

Access classified information or financial information in a federal system without authorization or in excess of authorized privileges

Access a computer used exclusively by the federal government without authorization

Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)

Cause malicious damage to a federal computer system in excess of $1,000

Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual

Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system

Quantitative Risk Analysis

The six major steps or phases in quantitative risk analysis are as follows (Figure 2.5):

1. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this lesson named "Asset Valuation.")

2. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) or loss potential and single loss expectancy (SLE).

3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is, the annualized rate of occurrence (ARO).

4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).

5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.

6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.

Name the six primary security roles as defined by (ISC)2 for CISSP.

The six security roles are senior management, IT/security staff, owner, custodian, operator/user, and auditor.

AAA services

The three A's in this abbreviation refer to authentication, authorization, and accounting (or sometimes auditing). However, what is not as clear is that although there are three letters in the acronym, it actually refers to five elements: identification, authentication, authorization, auditing, and accounting. These five elements represent the following processes of security:

Identification: Claiming to be an identity when attempting to access a secured area or system

Authentication: Proving that you are that identity

Authorization: Defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity

Auditing: Recording a log of the events and activities related to the system and subjects

Accounting (aka accountability): Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

List the three primary cloud-based service models and identify the level of maintenance provided by the cloud service provider in each of the models.

The three models are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). The cloud service provider (CSP) provides the most maintenance and security services with SaaS, less with PaaS, and the least with IaaS. While NIST SP 800-144 provides these definitions, CSPs sometimes use their own terms and definitions in marketing materials.

Security Policies

The top tier of the formalization is known as a security policy. A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. The security policy is an overview or generalization of an organization's security needs. It defines the main security objectives and outlines the security framework of an organization.

Telecommunications and Network Security

This domain covers another technical segment of the CBK. Topics include not just network topologies, but also their weaknesses and defenses. Many of the operational tools, such as firewalls, fall into this domain, along with the following subject areas:

Understanding secure network architecture and design

Securing network components

Establishing secure communications channels (VPN, SSL, and so on)

Understanding network attacks (denial of service, spoofing, and so on)

Denial of service (DoS) attacks:

This tactic overloads a computer's resources (particularly the temporary storage area in computers, called the buffers) from any number of sources (referred to as a distributed denial of service, or DDoS, attack) until the system is so bogged down that it cannot honor requests. The DDoS attack in February 2000 on Yahoo! took the site down for 3 hours. A day later, eBay, Amazon.com, Buy.com, and CNN.com were hit with the same type of attack. The following day, E*TRADE and ZDNet were struck.

Ten Commandments of Computer Ethics

1. Thou Shalt Not Use a Computer to Harm Other People.
2. Thou Shalt Not Interfere with Other People's Computer Work.
3. Thou Shalt Not Snoop Around in Other People's Computer Files.
4. Thou Shalt Not Use a Computer to Steal.
5. Thou Shalt Not Use a Computer to Bear False Witness.
6. Thou Shalt Not Copy or Use Proprietary Software for Which You Have Not Paid.
7. Thou Shalt Not Use Other People's Computer Resources Without Authorization or Proper Compensation.
8. Thou Shalt Not Appropriate Other People's Intellectual Output.
9. Thou Shalt Think About the Social Consequences of the Program You Are Writing or the System You Are Designing.
10. Thou Shalt Always Use a Computer in Ways That Ensure Consideration and Respect for Your Fellow Humans.

Threat modeling

Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat. A proactive approach to threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach. This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches. A reactive approach to threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach. This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing.

Thrill Attacks

Thrill attacks are attacks launched only for the fun of it. Attackers who lack the ability to devise their own attacks will often download programs that do their work for them. These attackers are often called script kiddies because they run only other people's programs, or scripts, to launch an attack. The main motivation behind these attacks is the "high" of successfully breaking into a system. If you are the victim of a thrill attack, the most common fate you will suffer is a service interruption. Although an attacker of this type may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. One common type of thrill attack involves website defacement, where the attacker compromises a web server and replaces an organization's legitimate web content with other pages, often boasting about the attacker's skills.

Understand VPNs.

VPNs are based on encrypted tunneling. They can offer authentication and data protection as a point-to-point solution. Common VPN protocols are PPTP, L2F, L2TP, and IPsec.

Understand virtual assets

Virtual assets include virtual machines, a virtual desktop infrastructure, software-defined networks, and virtual storage area networks. Hypervisors are the primary software component that manages virtual assets, but hypervisors also provide attackers with an additional target. It's important to keep physical servers hosting virtual assets up-to-date with appropriate patches for the operating system and the hypervisor. Additionally, all virtual machines must be kept up-to-date.

Understand the propagation techniques used by viruses

Viruses use four main propagation techniques (file infection, service injection, boot sector infection, and macro infection) to penetrate systems and spread their malicious payloads. You need to understand these techniques to effectively protect systems on your network from malicious code.

Understand the security issues related to VoIP

VoIP is at risk for caller ID spoofing, vishing, SPIT, call manager software/firmware attacks, phone hardware attacks, DoS, MitM, spoofing, and switch hopping.

Explain vulnerability management

Vulnerability management includes routine vulnerability scans and periodic vulnerability assessments. Vulnerability scanners can detect known security vulnerabilities and weaknesses such as the absence of patches or weak passwords. They generate reports that indicate the technical vulnerabilities of a system and are an effective check for a patch management program. Vulnerability assessments extend beyond just technical scans and can include reviews and audits to detect vulnerabilities.

Determining the likelihood of a risk

Vulnerability refers to a known problem within a system or program. A common example in InfoSec is called the buffer overflow or buffer overrun vulnerability. Programmers tend to be trusting and not worry about who will attack their programs, but instead worry about who will use their programs legitimately. One feature of most programs is the capability for a user to "input" information or requests. The program instructions (source code) then contain an "area" in memory (buffer) for these inputs and act upon them when told to do so. Sometimes the programmer doesn't check to see if the input is proper or innocuous. A malicious user, however, might take advantage of this weakness and overload the input area with more information than it can handle, crashing or disabling the program. This is called buffer overflow, and it can permit a malicious user to gain control over the system. This common vulnerability with software must be addressed when developing systems. Lesson 13, "Software Development Security," covers this in greater detail.

An exploit is a program or "cookbook" on how to take advantage of a specific vulnerability. It might be a program that a hacker can download over the Internet and then use to search for systems that contain the vulnerability it's designed to exploit. It might also be a series of documented steps on how to exploit the vulnerability after an attacker finds a system that contains it.

An attacker, then, is the link between a vulnerability and an exploit. The attacker has two characteristics: skill and will. Attackers either are skilled in the art of attacking systems or have access to tools that do the work for them. They have the will to perform attacks on systems they do not own and usually care little about the consequences of their actions.

why there is no security without physical security

Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security. If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.

Know the various types of access controls

You should be able to identify the type of any given access control. Access controls may be preventive (to stop unwanted or unauthorized activity from occurring), detective (to discover unwanted or unauthorized activity), or corrective (to restore systems to normal after an unwanted or unauthorized activity has occurred). Deterrent access controls attempt to discourage violation of security policies, by encouraging people to decide not to take an unwanted action. Recovery controls attempt to repair or restore resources, functions, and capabilities after a security policy violation. Directive controls attempt to direct, confine, or control the action of subjects to force or encourage compliance with security policy. Compensating controls provide options or alternatives to existing controls to aid in enforcement and support of a security policy.

To develop a comprehensive set of system security policies

a management process is required that derives security rules from security goals, such as a three-level model for system security policy:

Security objectives

Operational security

Policy implementation

Administrative physical security controls

include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

trusted computing base (TCB)

is a combination of software, hardware, and controls that form a trusted base that enforces the security policy.

Bell-LaPadula Model

is a confidentiality model intended to preserve the principle of least privilege. It is a formal description of allowable paths of information flow in a secure system and defines security requirements for systems handling data at different sensitivity levels. The model defines a secure state and access between subjects and objects in accordance with specific security policy.

TCB: Process isolation

is a design objective in which each process has its own distinct address space for its application code and data. Such a design makes it possible to prevent each process from accessing another process's data.

TCB: Data hiding, also known as information hiding

is a mechanism used to ensure that information available at one processing level is not available in another, regardless of whether it is higher or lower. It is also a concept in the object-oriented programming (OOP) technique when information is encapsulated within an object and can be directly manipulated only by the services provided within the object.

type I hypervisor

is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside. Type 1 hypervisors are often used to support server virtualization. This allows for maximization of the hardware resources while eliminating any risks or resource reduction caused by a host OS.

TCB: Abstraction

is a process that defines a specific set of permissible values for an object and the operations that are permissible on that object. This involves ignoring or separating implementation details to concentrate on what is important to maintain security.

Critical path analysis

is a systematic effort to identify relationships between mission-critical applications, processes, and operations and all the necessary supporting elements. For example, an e-commerce server used to sell products over the web relies on internet access, computer hardware, electricity, temperature control, storage facility, and so on.

Visual, Agile, and Simple Threat (VAST)

is a threat modeling concept based on Agile project management and programming principles. The goal of VAST is to integrate threat and risk management into an Agile programming environment on a scalable basis.

Pretty Good Privacy (PGP)

is an encryption program that provides cryptographic privacy and authentication for data communication. PGP supports message authentication and integrity checking. The sender uses PGP to create a digital signature for the message with either the RSA or DSA algorithms. PGP computes a hash called a message digest from the plaintext and then creates the digital signature from that hash using the sender's private key. A web of trust in cryptography is a concept used in PGP. The compatible system establishes the authenticity of the binding between a public key and its owner.

security kernel

is an implementation of a reference monitor for a specific hardware base, such as Sun Solaris, Red Hat Linux, or Mac OS X.

Open Software Assurance Maturity Model (OpenSAMM)

is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. OpenSAMM offers a roadmap and well-defined maturity model for secure software development and deployment, along with useful tools for self-assessment and planning.

software development life cycle (SDLC)

is an outline of tasks performed at each step in the software development process. SDLC is a structure followed by a development team with a detailed plan describing how to develop, maintain, and replace specific software.

Radio-frequency interference (RFI)

is another source of noise and interference that can affect many of the same systems as EMI. A wide range of common electrical appliances generate RFI, including fluorescent lights, electrical cables, electric space heaters, computers, elevators, motors, and electric magnets, so it's important to locate all such equipment when deploying IT systems and infrastructure elements.

Building Security in Maturity Model (BSIMM)

is designed to help you understand, measure, and plan a software security initiative. It was created through a process of understanding and analyzing real-world data from nine leading software security initiatives; it was then validated and adjusted with data from 21 additional leading software security initiatives. BSIMM is a benchmarking tool that gives you an objective, data-driven view into your current software security initiative.

Internet Security Association and Key Management Protocol (ISAKMP)

is not usable on its own because it defines a general framework or structure to use one of any number of possible key exchange protocols. To make ISAKMP useful, IPSec associates it with other session key exchange and establishment mechanisms. The Oakley Key Determination Protocol is one such mechanism. Together, ISAKMP and Oakley result in a new protocol, called Internet Key Exchange (IKE).

Protection Profile Organization

is organized as follows:

Introduction section, which provides descriptive information needed to identify, catalog, register, and cross-reference a PP. The overview provides a summary of the PP as a narrative.

Target of evaluation (TOE) description, which describes the TOE to aid in understanding its security requirements and addresses the product type and general features of the TOE, providing a context for the evaluation.

Security environment, which consists of three subsections: Assumptions, Threats, and Organizational security policies.

Operations security

is primarily concerned with the processes, personnel, and technology of data center operations. It is needed to protect assets from threats during normal use.

Declassification

is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. In other words, if the asset were new, it would be assigned a lower sensitivity label than it currently is assigned.

Session layer (layer 5)

is responsible for establishing, maintaining, and terminating communication sessions between two computers. When you request information about your checking account balance from your bank's web application, the Session Layer makes the initial contact with the host computer, formats the data you are sending for transmission, establishes the necessary communication links, and handles recovery and restart functions.

chief security officer (CSO) or information security officer (ISO)

is sometimes used as an alternative to CISO, but in many organizations the CSO position is a subposition under the CISO that focuses on physical security. Another potential term for the CISO is information security officer (ISO), but this also can be used as a subposition under the CISO. The CISO reports directly to senior management.

Fault tolerance

is the ability of a system to suffer a fault but continue to operate. Fault tolerance is achieved by adding redundant components such as additional disks within a redundant array of inexpensive disks (RAID) array, or additional servers within a failover clustered configuration.

Encapsulation / Deencapsulation

is the addition of a header, and possibly a footer, to the data received by each layer from the layer above before it's handed off to the layer below. As the message is encapsulated at each layer, the previous layer's header and payload combine to become the payload of the current layer. Encapsulation occurs as the data moves down through the OSI model layers from Application to Physical. The inverse action occurring as data moves up through the OSI model layers from Physical to Application is known as deencapsulation. The encapsulation/deencapsulation process is as follows:

exposure factor (EF)

is the amount of damage that the risk poses to the asset, expressed as a percentage of the asset's value. For example, if the BCP team consults with fire experts and determines that a building fire would cause 70 percent of the building to be destroyed, the exposure factor of the building to fire is 70 percent.

cloud shared responsibility model

is the concept that when an organization uses a cloud solution, there is a division of security and stability responsibility between the provider and the customer. The different forms of cloud service (such as SaaS, PaaS, and IaaS) may each have different levels or division points of shared responsibility. A SaaS solution places most of the management burden on the shoulders of the cloud provider, while IaaS management leans more toward the customer. When electing to use a cloud service, it is important to consider the specifics of the management, troubleshooting, and security management and how those responsibilities are assigned, divided, or shared between the cloud provider and the customer.

Grid Computing

Annualized Loss Expectancy (ALE)

is the monetary loss that the business expects to occur as a result of the risk harming the asset over the course of a year. You already have all the data necessary to perform this calculation. The SLE is the amount of damage you expect each time a disaster strikes, and the ARO (from the likelihood analysis) is the number of times you expect a disaster to occur each year. You compute the ALE by simply multiplying those two numbers: ALE = SLE x ARO

A virtual private network (VPN)

is the more common means for remote users to access corporate networks. With a VPN, a user connects to the Internet via his or her ISP and initiates a connection to the protected network, creating a private tunnel between the endpoints that prevents eavesdropping or data modification. VPNs often use strong cryptography to both authenticate senders and receivers of messages and to encrypt traffic so that it's invulnerable to a man-in-the-middle (MitM) attack.

Cloud computing

is the popular term referring to a concept of computing where processing and storage are performed elsewhere over a network connection rather than locally.

Technology convergence

is the tendency for various technologies, solutions, utilities, and systems to evolve and merge over time. Often this results in multiple systems performing similar or redundant tasks or one system taking over the feature and abilities of another. While in some instances this can result in improved efficiency and cost savings, it can also represent a single point of failure and become a more valuable target for hackers and intruders.

Trusted Computing Base (TCB)

is the totality of protection mechanisms within a computer system, including hardware, firmware, and software. The Trusted Computer Base utilizes extra security mechanisms that must be navigated to move from an outer ring into an inner ring. The operating system (OS) enforces how communications flow between layers using the reference monitor (within the kernel) to mediate all access and protect resources. Due to this process, protection rings do not allow users to have direct access to peripherals. A Trusted Computer Base utilizes layering, abstraction and data hiding to protect subjects, objects, and data within the objects.

A business case

is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. To make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task. A business case is often made to justify the start of a new project, especially a project related to security.

Platform as a service (PaaS)

is the concept of providing a computing platform and software solution stack as a virtual or cloud-based service. Essentially, this type of cloud solution provides all the aspects of a platform (that is, the operating system and complete solution package). The primary attraction of PaaS is the avoidance of having to purchase and maintain high-end hardware and software locally.

Privacy Laws in the United States

1970 U.S. Fair Credit Reporting Act: Regulates the activities of credit bureaus.
1986 U.S. Electronic Communications Act: Protects the confidentiality of private message systems against unauthorized eavesdropping.
1987 U.S. Computer Security Act: Congressional declaration to improve the security and privacy of sensitive information in federal computer systems and establish minimum acceptable security practices for such systems.
1996 U.S. Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA): Protects the confidentiality and portability of personal health care information.
2000 National Security Directive 42 (NSD-42): Established the Committee on National Security Systems (CNSS), which provides guidance on the security of national defense systems, among other roles.
2001 U.S. Patriot Act HR 3162: Also known as "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001." The Act was passed by Congress and the Senate to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes related to international terrorism.
2002 Federal Information Security Management Act: Defines the basic statutory requirements for protecting federal computer systems.
2010 Fair Debt Collection Practices Act: Addresses unfair or unconscionable means to collect or attempt to collect any debt.

How many domains are contained within the CBK (Information Security Common Body of Knowledge)?

8 Domains:
Information Security Governance and Risk Management: The Governance and Risk Management domain (see Lesson 4, "Governance and Risk Management") emphasizes the importance of a comprehensive security plan that includes security policies and procedures for protecting data and how it is administered.
Security Architecture and Design: The Security Architecture and Design domain (see Lesson 5, "Security Architecture and Design"), one of the more technical areas of study within the CBK, discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability.
Business Continuity and Disaster Recovery Planning: Business Continuity Planning (BCP), along with the Business Impact Assessment (BIA) and the Disaster Recovery Plan (DRP), is the core of this domain.
Legal Regulations, Investigations, and Compliance: This domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security.
Physical (Environmental) Security: Topics covered in this domain include securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth.
Operations Security: This domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges.
Access Control: Who may access the system, and what can they do after they are signed on? That is the focus of this CBK domain.
Cryptography: This domain contains the stuff of espionage and spy novels. It involves encrypting data so that authorized individuals may view the sensitive data and unauthorized individuals may not. Cryptography is a highly complex topic. The InfoSec specialist needs to understand the function but not necessarily the mechanics of cryptography.
Telecommunications and Network Security: This domain covers another technical segment of the CBK. Topics include not just network topologies, but also their weaknesses and defenses. Many of the operational tools, such as firewalls, fall into this domain.
Software Development Security: Application development in a networked environment (see Lesson 13, "Software Development Security") focuses on sound and secure application development techniques. This domain requires a good understanding of the controls needed for the software development life cycle (SDLC), and how they're applied during each phase.

Fire Extinguishers

Class A - Common combustibles: Water, soda acid (a dry powder or liquid chemical)
Class B - Liquids: CO2, halon*, soda acid
Class C - Electrical: CO2, halon*
Class D - Metal: Dry powder

Describe the primary difference between discretionary and nondiscretionary access control models.

A discretionary access control (DAC) model allows the owner, creator, or data custodian of an object to control and define access. Administrators centrally administer nondiscretionary access controls and can make changes that affect the entire environment.

Be able to explain the concept of abstraction.

Abstraction is used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

Explain the process Alice should use to verify the digital signature on the message from Bob in question 3.

Alice should decrypt the digital signature in Bob's message using Bob's public key. She should then create a message digest from the plaintext message using the same hashing algorithm Bob used to create the digital signature. Finally, she should compare the two message digests. If they are identical, the signature is authentic.

Explain the process Alice would use to decrypt the message Bob sent in question 1

Alice should decrypt the message using her private key.

Know the (ISC)2 Code of Ethics and RFC 1087, "Ethics and the Internet."

All CISSP candidates should be familiar with the entire (ISC)2 Code of Ethics because they have to sign an agreement that they will adhere to it. In addition, be familiar with the basic statements of RFC 1087.

Place the steps in the correct sequence in which the IDS (Intrusion Detection System) instructs TCP (Transmission Control Protocol) to reset all connections.

An active response involves acting appropriately in response to an attack or threat. The goal of an active response is to take the quickest action possible to reduce such an event's potential impact. The correct sequence in which the IDS instructs TCP to reset all connections is:
1. Network Attack
2. IDS Alert Detected
3. IDS Command (Reset TCP)

Change Control/Management

Another important aspect of security management is the control or management of change. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities.

What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks?
A. Gantt
B. PERT
C. Bar
D. Venn

Answer A is correct. A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.

A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this?
A. RBAC model
B. Rule-based access control model
C. An access control list (ACL)
D. DAC model

Answer A is correct. A Role-Based Access Control (RBAC) model can group users into roles based on the organization's hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

How does a SYN flood attack work?
A. Disrupts the three-way handshake used by TCP
B. Sends oversized ping packets to a victim
C. Exploits a packet processing glitch in Windows systems
D. Uses an amplification network to flood a victim with packets

Answer A is correct. A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.

You are the security administrator for an organization. Management decides that all communication on the network should be encrypted using the Data Encryption Standard (DES) algorithm. Which statement is true of this algorithm?
A. A Triple DES (3DES) algorithm uses 48 rounds of computation.
B. The effective key size of DES is 64 bits.
C. A DES algorithm uses 32 rounds of computation.
D. A 56-bit DES encryption is 256 times more secure than a 40-bit DES encryption.

Answer A is correct. A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required. The actual key size of the Data Encryption Standard (DES) is 64 bits. A key size of 8 bits is used for a parity check. Therefore, the effective key size of DES is 56 bits. The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks. According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption: 2^40 = 1,099,511,627,776 and 2^56 = 72,057,594,037,927,936. Therefore, 72,057,594,037,927,936 divided by 1,099,511,627,776 = 65,536 (that is, 2^56 / 2^40 = 2^16).

Which of the following access controls modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred?
A. Corrective
B. Deterrent
C. Preventive
D. Detective

Answer A is correct. A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. This control can be simple, such as terminating malicious activity or rebooting a system. It consists of the following security services: alarm, mantrap, and security policy. Answer D is incorrect because a detective access control is deployed to discover or detect unwanted or unauthorized activity. Answer C is incorrect because a preventive access control is deployed to thwart or stop an unwanted or unauthorized activity from occurring. Answer B is incorrect because a deterrent access control is deployed to discourage violation of security policies.

Which one of the following tasks would a custodian most likely perform?
A. Back up data
B. Access the data
C. Classify the data
D. Assign permissions to the data

Answer A is correct. A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

In which of the following are the results of data mining stored?
A. Data mart
B. Cache RAM
C. Data warehouse
D. Data dictionary

Answer A is correct. A data mart is a highly secure storage system where the results of data mining, metadata, are securely stored. Answer D is incorrect. A data dictionary is used to store critical information about data, including type, sources, usage, relationships, and formats. Answer B is incorrect. A cache RAM takes data from slower devices and temporarily stores it in higher performance devices when its repeated use is expected. Answer C is incorrect. A data warehouse stores a large amount of information from various databases to be used with specialized analysis techniques.

Which of the following types of attack is only intended to make a computer resource unavailable to its users?
A. Denial of service attack
B. Teardrop attack
C. Replay attack
D. Land attack

Answer A is correct. A denial of service attack is only intended to make a computer resource unavailable to its users. It is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. Attackers make denial of service attacks by sending a large number of protocol packets to a network. Answer D is incorrect. In a land attack, the attacker sends a spoofed TCP SYN packet in which the IP address of the target host is filled in both the source and destination fields. On receiving the spoofed packet, the target system becomes confused and goes into a frozen state. Nowadays, antivirus software can easily detect such attacks. Answer C is incorrect. A replay attack is a type of attack in which attackers capture packets containing passwords or digital signatures whenever packets pass between two hosts on a network. In an attempt to obtain an authenticated connection, the attackers then resend the captured packet to the system. In this type of attack, the attacker does not know the actual password, but can simply replay the captured packet. Answer B is incorrect. In a teardrop attack, a series of data packets are sent to the target system with overlapping offset field values. As a result, the target system is unable to reassemble these packets and is forced to crash, hang, or reboot.

Which of the following devices is a network interconnectivity device that translates different communication protocols and is used to connect dissimilar network technologies?
A. Gateway
B. Switch
C. Repeater
D. Router

Answer A is correct. A gateway is a network interconnectivity device that translates different communication protocols and is used to connect dissimilar network technologies. It provides greater functionality than a router or bridge because a gateway functions as a translator and a router. It is an application layer device. Answer B is incorrect. A switch is a network connectivity device that brings media segments together in a central location. It reads the destination's MAC address or hardware address from each incoming data packet and forwards the data packet to its destination. Answer D is incorrect. A router is a device that routes data packets between computers in different networks. It is used to connect multiple networks, and it determines the path to be taken by each data packet to its destination computer. Answer C is incorrect. A repeater is a basic LAN connection device. It allows a network cabling system to extend beyond its maximum allowed length and reduces distortion by amplifying or regenerating network signals.

When should you install a software patch on a production server?
A. after the patch has been tested
B. before the patch has been tested
C. when the patch is in beta format
D. immediately after the patch is released

Answer A is correct. A patch should be installed on a server after the patch has been tested on a non-production server and by the computing community. A security patch is a major, crucial update for an OS or product for which it is intended and consists of a collection of patches released to date since the OS or product was shipped. A security patch is mandatory for all users, addresses a new vulnerability, and should be deployed as soon as possible. Security patches are usually small in size. A patch should not be installed immediately after it is released or when it is in beta format because a patch that is not thoroughly tested might contain bugs that could be detrimental to server operation. A patch should typically not be deployed before it has been tested on a test server; patches should not be tested on production servers. A hot fix is a not fully tested software fix that addresses a specific issue being experienced by certain customers.

Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data?
A. PVC
B. ISDN
C. DSL
D. VPN

Answer A is correct. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data. Answer B is incorrect. Integrated Services Digital Network (ISDN) is a fully digital telephone network that supports both voice and high-speed data communications. Answer D is incorrect. A virtual private network (VPN) is a secure tunnel used to establish connections across a potentially insecure intermediary network. Answer C is incorrect. Digital subscriber line (DSL) is a technology that exploits the upgraded telephone network to grant consumers speeds from 144 Kbps to 20 Mbps (or more).

You are developing a new software application for a customer. The customer is currently defining the application requirements. Which process is being completed?
A. prototyping
B. sampling
C. abstraction
D. interpretation

Answer A is correct. A prototype or a blueprint of the product is developed on the basis of customer requirements. Prototyping is the process of putting together a working model, referred to as a prototype, to test various aspects of a software design, to illustrate ideas or features, and to gather feedback in accordance with customer requirements. A prototype enables the development team and the customer to move in the right direction. Prototyping can provide significant time and cost savings because it will involve fewer changes later in the development stage. A product is developed in modules. Therefore, prototyping provides scalability. Complex applications can be further subdivided into multiple parts and represented by different prototypes. The software design and development tasks can be assigned to multiple teams. A sample is a generic term that identifies a portion that is representative of a whole. Interpreters are used to execute program code by translating one command at a time. Abstraction is an object-oriented programming (OOP) concept that refers to hiding unnecessary information to highlight important information or properties for analysis. Abstraction involves focusing on conceptual aspects and properties of an application to understand the information flow. Abstraction involves hiding small, redundant pieces of information to provide a broader picture.

Which type of virus is specifically designed to infect programs as they are loaded into memory?
A. resident
B. boot sector replication
C. companion
D. nonresident

Answer A is correct. A resident virus is specifically designed to infect programs as they are loaded into memory. A companion virus is designed to take advantage of the extension search order of an operating system. A nonresident virus is part of an executable program file on a disk that is designed to infect other programs when the infected program file is started. A boot sector replicating virus is written to the boot sector of a hard disk on a computer and is loaded into memory each time a computer is started.

What type of attack can detect passwords sent across a network in cleartext?
A. Sniffing
B. Side-channel
C. Spoofing
D. Spamming

Answer A is correct. A sniffing attack uses a sniffer (also called a packet analyzer or protocol analyzer) to capture data and can be used to read passwords sent across a network in cleartext. Answers C, D, and B are incorrect. A spoofing attack attempts to hide the identity of the attacker. A spamming attack involves sending massive amounts of email. A side-channel attack is a passive, noninvasive attack used against smart cards.

Tunnel connections can be established over all except for which of the following?
A. Stand-alone systems
B. Dial-up connections
C. LAN pathways
D. WAN links

Answer A is correct. A stand-alone system has no need for tunneling because no communications between systems are occurring and no intermediary network is present.

Which type of network connection is created by tunneling through a public network?
A. a VPN
B. a LAN
C. a MAN
D. a WAN

Answer A is correct. A virtual private network (VPN) is created by tunneling through a public network, such as the Internet. Tunneling protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), can create a tunnel, which is a secure connection through a public network. A local area network (LAN) connection is typically created by a Physical layer network communication protocol. A metropolitan area network (MAN), which spans the area of a city, is created by dedicated connections. A wide area network (WAN) connection spans a large distance, such as the distance between cities or continents. A WAN connection typically consists of two or more LAN connections and can be created by using either leased lines or dedicated connections.

Your organization has recently implemented an artificial neural network (ANN). The ANN enabled the network to make decisions based on the experience provided to it. Which characteristic of the ANN is described?
A. adaptability
B. retention capability
C. neural integrity
D. fault tolerance

Answer A is correct. Adaptability is the artificial neural network (ANN) characteristic that is described. Adaptability refers to the ability of an ANN to arrive at decisions based on the learning process that uses the inputs provided. It is important to note that the ability of ANN learning is limited to the experience provided to it. An ANN is an adaptive system that changes its structure based on either external or internal information that flows through the network by applying if-then-else rules. ANNs are computer systems where the system simulates the working of a human brain. A human brain can contain billions of neurons performing complex operations. An ANN can also contain a large number of small computational units that are called upon to perform a required task. A neural network learns by using various algorithms to adjust the weights applied to the data. The equation Z = f[w_n i_n], where Z is the output, w_n are weighting functions, and i_n is a set of inputs, scientifically describes a neural network. Fault tolerance refers to the ability to combat threats of design reliability and continuous availability. ANNs do not provide fault tolerance. Retention capability and neural integrity are generic terms and are invalid options.

You have created a cryptographic key on your organization's domain controller. What should you do next?
A. Initialize the key.
B. Activate the key.
C. Terminate the key.
D. Distribute the key.

Answer A is correct. After creating a cryptographic key, you should initialize the key by setting all of its core attributes. The four phases in the cryptographic key life cycle are as follows: pre-operational, operational, post-operational, and destroyed.

Which of the following is true for a host-based intrusion detection system (HIDS)?
A. It monitors a single system.
B. It monitors an entire network.
C. It cannot detect malicious code.
D. It's invisible to attackers and authorized users.

Answer A is correct. An HIDS monitors a single system looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code similar to how anti-malware software can detect malicious code.

Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)?
A. Detect abnormal activity.
B. Diagnose system failures.
C. Rate system performance.
D. Test a system for vulnerabilities.

Answer A is correct. An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. While IDSs can detect system failures and monitor system performance, they don't include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.

Which of the following can help mitigate the success of an online brute-force attack?
A. Account lockout
B. Salting passwords
C. Encryption of password
D. Rainbow table

Answer A is correct. An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the stored password but isn't effective against a brute-force attack without an account lockout.

You have decided to implement a full/incremental backup strategy. A full backup will be performed each Sunday. An incremental backup will be performed the other days of the week. What does an incremental backup do?
A. It backs up all the new files and files that have changed since the last full or incremental backup and resets the archive bit.
B. It backs up all the new files and files that have changed since the last full backup without resetting the archive bit.
C. It backs up all the files in a compressed format.
D. It backs up all the files.

Answer A is correct. An incremental backup backs up all the new files and files that have changed since the last full or incremental backup and resets the archive bit. When restoring the data, the full backup must be restored first, followed by each incremental backup in order. Incremental backups build on each other. For example, the second incremental backup contains the changes made since the first incremental backup. A restoration involving incremental backups would require restoring the most recent full backup first, and then restoring in order any incremental backups that occurred since the last full backup. A full backup backs up all the files every time it runs. Because of the amount of data that is backed up, full backups can take a long time to complete. A full backup is used as the baseline for any backup strategy and most appropriate when using offsite archiving. A compressed full backup backs up all the files in compressed format. A differential backup backs up all the new files and files that have changed since the last full backup without resetting the archive bit. When restoring the data, the full backup must be restored first, followed by the most recent differential backup. Differential backups are not dependent on each other. For example, each differential backup contains the changes made since the last full backup. Therefore, differential backups can take a significantly longer time than incremental backups. However, a differential restore requires only two backup files: the full backup and the latest differential backup. A continuous backup system is one that performs backups on a regular basis to ensure that data can be restored to a particular point-in-time. SQL Server 2000 is an application that provides this feature. If a continuous backup plan is not used, any data changes that occur since the last backup must be recreated after the restore is completed.

An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks. Management wants to ensure that the consultant has the correct priorities while doing her research. Of the following, what should be provided to the consultant to meet this need?
A. Asset valuation
B. Threat modeling results
C. Vulnerability analysis reports
D. Audit trails

Answer A is correct. Asset valuation identifies the actual value of assets so that they can be prioritized. For example, it will identify the value of the company's reputation from the loss of customer data compared with the value of the secret data stolen by the malicious employee. None of the other answers is focused on high-value assets. Threat modeling results will identify potential threats. Vulnerability analysis identifies weaknesses. Audit trails are useful to re-create events leading up to an incident.

When correctly implemented, what is the only cryptosystem known to be unbreakable?
A. One-time pad
B. Transposition cipher
C. Substitution cipher
D. Advanced Encryption Standard

Answer A is correct. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks.

Which Digital Subscriber Line (DSL) implementation offers speeds up to 8 megabits per second (Mbps) and provides faster download speed than upload speed?
A. ADSL
B. HDSL
C. IDSL
D. SDSL

Answer A is correct. Asymmetrical Digital Subscriber Line (ADSL) offers speeds up to 8 megabits per second (Mbps) and provides faster download speed than upload speed. High-bit-rate DSL (HDSL) offers speeds up to 1.544 Mbps over regular UTP cable. ISDN DSL (IDSL) offers speeds up to 128 kilobits per second (Kbps). Symmetrical DSL (SDSL) offers speeds up to 1.1 Mbps. Data travels in both directions at the same rate. Another type of DSL is Very high bit-rate Digital Subscriber Line (VDSL). VDSL transmits at super-accelerated rates of 52 Mbps downstream and 12 Mbps upstream.

Eavesdropping is an example of what kind of attack? A Passive attack B Active attack C DoS attack D Bonk attack

Answer A is correct. Attacks may be passive or active. Eavesdropping is an example of a passive attack. Eavesdropping is simply listening to communication traffic for the purpose of duplicating it. It usually requires physical access to the IT infrastructure to connect a physical recording device to an open port or cable splice or to install a software-recording tool onto the system. Answer B is incorrect. An active attack requires the attacker to be able to transmit data to one or both of the parties, or block the data stream in one or both directions. Answer C is incorrect. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple computers throughout the network that it has previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. Answer D is incorrect. A bonk attack is a variant of the teardrop attack that affects mostly Windows computers by sending corrupt UDP packets to DNS port 53. It is a type of DoS attack. It manipulates the fragment offset field in TCP/IP packets. This field tells a computer how to reconstruct a packet that was fragmented, because it is difficult to transmit big packets.

You are creating a monitoring solution for your company's network. You define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted. Which type of monitoring are you using? A behavior-based B anomaly-based C misuse-detection-based D signature-based

Answer A is correct. Behavior-based monitoring looks for behavior that is not allowed or may be perceived as malicious and acts accordingly. With this type of monitoring, you do not need to know the signature of the malicious action. In addition, the system may not recognize the actions as being outside the norm. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. Misuse-detection-based monitoring is the same as signature-based monitoring. Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database. Anomaly-based monitoring detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous behavior. Sometimes the baseline is established through a manual process. Network-based monitoring is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception.

Which of the following includes the authorization rights of the access control subject? A Capability table B Access control list C Rainbow table D Access control matrix

Answer A is correct. Capability tables are created for each subject, and they identify the objects that the subject can access. They include the authorization rights of the access control subject, such as read, write, execute, and so on. Answer B is incorrect. ACLs (access control lists) are lists of subjects that are authorized to access a specific object. Answer D is incorrect. An access control matrix is a table that includes subjects, objects, and assigned privileges. Answer C is incorrect. A rainbow table provides precomputed values for cryptographic hashes. These are commonly used for cracking passwords stored on a system in hashed form.

Which principle stipulates that multiple changes to a computer system should NOT be made at the same time? A change management B due diligence C due care D acceptable use

Answer A is correct. Change management stipulates that multiple changes to a computer system should NOT be made at the same time. This makes tracking any problems that can occur much simpler. Change management includes the following rules: Distinguish between your system types. Document your change process. Develop your changes based on the current configuration. Always test your changes. Do NOT make more than one change at a time. Document your fallback plan. Assign a person who is responsible for change management. Regularly report on the status of change management.

Which of the following is not a valid access control model? A Compliance-based access control model B Mandatory Access Control model C Nondiscretionary access control model D Discretionary Access Control model

Answer A is correct. Compliance-based access control model is not a valid type of access control model. The other answers list valid access control models.

Which process includes auditing and tracking of changes made to the trusted computing base? A configuration management B media controls C system controls D input and output controls

Answer A is correct. Configuration management identifies, controls, and audits changes made to the trusted computing base. The audited changes include changes made to the hardware, software, and firmware configurations throughout the life cycle of infrastructural assets. Configuration management ensures that changes to the infrastructure take place in a controlled manner by following a process approach. It also ensures that future changes do not violate an organization's security policy and security objectives. The configuration management process involves proper approval and authorization, testing, implementation, and documentation of the changes that have taken place in the infrastructure. All the changes made to the infrastructure are subject to audits and reviews to ensure compliance with the security policy. Configuration management involves information capture and version control. Configuration management reports the status of change processing. Configuration management documents the functional and physical characteristics of each configuration item. The four major aspects of configuration management are:
Configuration identification
Configuration control
Configuration status accounting
Configuration auditing
Media controls ensure that the confidentiality, integrity, and availability of the data stored on storage media are properly maintained and not compromised. Media controls define appropriate controls for labeling, handling, storage, and disposal of storage media. They have nothing to do with the trusted computing base. You should keep the following media controls in mind:
The data media should be logged to provide physical inventory control.
All data storage media should be accurately marked.
A proper storage environment should be provided for the media.
System controls restrict the execution of instructions that can only be executed when an operating system is running in either the supervisor or the privileged mode. System controls are a part of the operating system architecture. The type of instructions that can be executed at a certain level is defined by the operating system architecture using the control tables of the operating system. Controlling the input to and output from a system involves programming an application to accept only restricted and specific values as inputs. This prevents errors and misuse through manipulated input values. To produce correct output, an application should only accept legitimate values. For example, an accounting package designed to perform calculations should not accept alphabetical characters as input values. Configuration identification involves the use of configuration items (CIs). A CI is a uniquely identifiable subset of the system that represents the smallest portion to be subject to independent configuration control procedures. CIs can vary widely in size, type, and complexity.

What form of access control is concerned primarily with the data stored by a field? A Content-dependent B Context-dependent C Semantic integrity mechanisms D Perturbation

Answer A is correct. Content-dependent access control is focused on the internal data of each field.

What is the best description of CAPI? A an application programming interface that provides encryption B an application programming interface that uses Kerberos C an application programming interface that provides accountability D an application programming interface that uses two-factor authentication

Answer A is correct. Cryptographic application programming interface (CAPI) is an application programming interface that provides encryption. None of the other options is a description of CAPI.

What database security technology involves creating two or more rows with seemingly identical primary keys that contain different data for users with different security clearances? A Polyinstantiation B Views C Aggregation D Cell suppression

Answer A is correct. Database developers use polyinstantiation, the creation of multiple records that seem to have the same primary key, to protect against inference attacks.

Your company decides that a new software product must be purchased to help the marketing staff manage their marketing campaigns and the resources used. During which phase of the software acquisition process do you document the software requirements? A Planning phase B Maintaining phase C Monitoring phase D Contracting phase

Answer A is correct. During the planning phase, the software requirements are documented. You should also create an acquisition strategy during this phase and develop the evaluation criteria. During the contracting phase, you should issue the request for proposal (RFP), evaluate the proposals, and complete final contract negotiations with the selected seller. During the monitoring phase, you should ensure that the supplier completes the contract and formally accept the final product. In the maintaining phase, you should maintain the software, including possibly decommissioning the software at some future date.

Which of the following helps monitor the outgoing traffic of the enterprise network? A Egress monitoring B Continuous monitoring C Keystroke monitoring D Traffic analysis E Trend analysis

Answer A is correct. Egress monitoring helps monitor the outgoing traffic of the enterprise network using egress monitors. An egress monitor helps scan and identify the malicious and/or suspicious activities within the enterprise network. The TCP/IP packets being sent out of the internal network are scanned via a firewall, router, or similar edge device. Packets that don't meet security policies are not allowed to egress. Answer B is incorrect. Continuous monitoring allows organizations to evaluate the operating effectiveness of controls on or near a real-time basis. Answer C is incorrect. Keystroke monitoring is an act of recording the keystrokes a user performs on a physical keyboard. Answers D and E are incorrect. Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than actual packet contents. This is sometimes referred to as network flow monitoring.

Mark has to research different types of computation technologies in order to meet the requirements of his organization. To carry out singular computation tasks, Mark is required to use loosely coupled and geographically dispersed systems. Which of the following will best fit the requirement of his company? A Grid computing B Farm computing C Quantum computing D Parallel computing

Answer A is correct. Grid computing is considered a load-balanced parallel means of massive computation. It is similar to clusters, but it is implemented with loosely coupled systems that may join and leave the grid randomly. Cluster computing is a high-performance computing system. In grid computing, grids tend to be more loosely coupled, heterogeneous, and geographically dispersed. This feature of grid computing distinguishes it from cluster computing. Answer D is incorrect. Parallel computing is a computation system designed to perform numerous calculations simultaneously. But parallel data systems often go far beyond basic multiprocessing capabilities. This implementation is based on the idea that some problems can be solved efficiently if broken into smaller tasks that can be worked on concurrently. Answers C and B are incorrect. Quantum computing and farm computing are not required in the given scenario.

Which statements are true of halon as a fire suppression agent? a. Halon is safe for humans. b. Halon deals with the Class A category of fire. c. Halon gas suppresses fire by a chemical reaction. d. FM-200 is an EPA-approved replacement for halon. e. Halon is currently approved by the Environmental Protection Agency (EPA). A options c and d B options b, c, and d C options a and b D option e E option d F option c G option b H option a

Answer A is correct. Halon suppresses Class B and C fires that involve both electrical equipment and liquids, such as petroleum products. Halon was usually used in data centers and server rooms storing electrical equipment. Halon works by disrupting the chemical reactions of a fire. It was discovered that halon as a suppression agent depletes the ozone and is potentially harmful to humans. Therefore, in 1987, the Montreal Protocol banned the use of halon. The EPA-approved replacements for halon include water, FM-200, NAF-S-III, CEA-410, FE-13, argon, argonite, and inergen. FM-200 is used for data centers as a substitute for halon because it does not harm computers or human beings.

What happens when a trusted computing base (TCB) failure occurs as a result of a lower-privileged process trying to access restricted memory segments? A The system goes into maintenance mode. B The system reboots immediately. C Administrator intervention is required. D Operating system reinstallation is required.

Answer A is correct. If a process with lower privilege attempts to access the restricted memory segments, the system transitions into maintenance mode, also referred to as an emergency system restart. An emergency system restart occurs in response to a system failure. An emergency system restart can be caused by a trusted computing base (TCB) failure, a media failure, or a user performing an insecure activity. A lower-privileged process trying to access restricted memory segments is an example of an insecure activity. A system reboot occurs in response to other TCB failures. This is a controlled reboot of the system. The purpose of performing a system reboot is to release system resources and perform the necessary system activities. A system cold start occurs if a user or a system administrator intervenes. A system cold start occurs when the recovery procedures are inadequate to recover the system from a TCB or a media failure. The system remains in an inconsistent state during an attempt by the system to recover. Operating system reinstallation is not a valid response for trusted recovery. Trusted recovery includes a system reboot, an emergency system restart, and a system cold start.

Your organization has decided to implement the Diffie-Hellman asymmetric algorithm. Which statement is true of this algorithm's key exchange? A Authorized users exchange secret keys over a nonsecure medium. B Unauthorized users exchange public keys over a nonsecure medium. C Authorized users exchange public keys over a secure medium. D Authorized users need not exchange secret keys.

Answer A is correct. In Diffie-Hellman key exchange, authorized users exchange secret keys over a nonsecure medium. The Diffie-Hellman algorithm is a cryptographic protocol in which the sending and receiving parties jointly establish the shared secret key to enable its use for all future encryption and decryption of bulk data. A Diffie-Hellman key exchange algorithm is not typically used to encrypt data. It is a method used to securely exchange keys over a non-secure medium. Therefore, Diffie-Hellman is a key exchange protocol and is used for secure key distribution. Diffie-Hellman does not assist in bulk encryption and decryption. In Diffie-Hellman key exchange, the authorized users do not exchange public keys but a shared secret key over a non-secure medium. Unauthorized users should not have access to the secret keys because they are not authorized participants of a secure communication.

What type of federal government computing system requires that all individuals accessing the system have a need to know all of the information processed by that system? A Dedicated B System high C Compartmented D Multilevel

Answer A is correct. In a dedicated system, all users must have a valid security clearance for the highest level of information processed by the system, they must have access approval for all information processed by the system, and they must have a valid need to know of all information processed by the system.

In which of the following cryptographic attacks does the attacker try to repeat or delay a cryptographic transmission? A Replay attack B Man-in-the-middle attack C Ciphertext only attack D Known plaintext attack

Answer A is correct. In a replay attack, the attacker tries to repeat or delay a cryptographic transmission. A replay attack can be prevented using session tokens. Answer D is incorrect because in a known plaintext attack, the attacker should have both the plaintext and ciphertext of one or more messages. These two items are used to extract the cryptographic key and to recover the encrypted text. Answer C is incorrect because in a ciphertext only attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm. Answer B is incorrect because in a man-in-the-middle attack, the attacker places himself in the middle of the communications flow between two parties.

Which security control system assigns users roles to dictate access to resources? A RBAC B MAC C DAC D UDP

Answer A is correct. In role-based access control (RBAC), users are assigned roles to accomplish specific tasks. For example, a user might be assigned to a role named standard for typical work on a computer, and the same user might be assigned to a role named admin for work that requires administrative privileges. In an RBAC system, roles are granted or denied access to network resources. The roles are used to identify the users who have permissions to a resource. In mandatory access control (MAC), users and resources are assigned to security levels. In a MAC-based security system, users can write documents at or above their assigned security level, and can read documents at or below their assigned security level. The U.S. military uses MAC for access to documents and network resources. In discretionary access control (DAC), users are assigned to groups, and users and groups are granted or denied access to folders and files. Each folder and file in a DAC security system has an access control list (ACL) that is used to determine which users and groups can gain access to a network resource. User Datagram Protocol (UDP) is a protocol that is used on a TCP/IP network to support connectionless communications; it is not a security control system.

In which of the following types of analysis can forensic analysts perform forensic reviews of applications or activities taking place within a running application? A Software analysis B Hardware and embedded device analysis C Media analysis D Network analysis

Answer A is correct. In software analysis, forensic analysts can perform forensic reviews of applications or activities taking place within a running application. In some situations, the forensic analyst may be asked to perform a review of software code and look for back doors, logic bombs, or other security vulnerabilities when malicious insiders are suspected. In other situations, forensic analysts may be required to review and interpret the log files from application or database servers, and look for other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks. Answer C is incorrect. In media analysis, information is identified and extracted from storage media. Answer D is incorrect. Network analysis is required to capture traffic sent over the network. Answer B is incorrect. Hardware and embedded device analysis may include a review of personal computers, smart phones, tablet computers, and embedded computers in cars, security systems, and other devices.

Which of the following models manages the software development process if the developers are limited to going back only one stage to rework? A Waterfall model B Spiral model C Prototyping model D RAD model

Answer A is correct. In the waterfall model, software development can be managed if the developers are limited to going back only one stage to rework. If this limitation is not imposed, mainly on a large project with several team members, then any developer can be working on any phase at any time, and the required rework might be accomplished several times. Answer B is incorrect. The spiral model is a software development process combining elements of both design and prototyping-in-stages, in an effort to combine the advantages of top-down and bottom-up concepts. Answer C is incorrect. The prototyping model is a systems development method (SDM). In this model, a prototype is created, tested, and then reworked as necessary until an adequate prototype is finally achieved from which the complete system or product can be developed. Answer D is incorrect. Rapid application development (RAD) refers to a type of software development methodology that uses minimal planning in favor of rapid prototyping.

You are reviewing the access control methods used by an organization. The organization is concerned with the cost of access control. Which aspect of the information being safeguarded will most affect this cost? A information value B information type C information redundancy D information replacement cost

Answer A is correct. Information value will most affect the cost of access control. Information that has a high value to the company must be protected. This affects the confidentiality of the information. The maximum effective cost of access control is determined based on the value of the information. Information type will affect the access control design. While it may affect the cost, it is not the most important factor affecting it. Information redundancy will affect the access control design. Information redundancy ensures that more than one copy of important data is retained. The redundant copies could be on a CD-ROM, on another hard drive, or on backup media. Generally, information redundancy does not greatly affect the cost of access control because the redundant copies retain the same access control permissions as the original copies. Information replacement cost will affect the cost of its access control, but it is not the factor that will most affect it. Information replacement cost should include the cost to replace the equipment as well as the labor time it would take to bring the information back online.

You are preparing a proposal for management about the value of using cryptography to protect your network. Which statement is true of cryptography? A Key management is a primary concern of cryptography. B Availability is a primary concern of cryptography. C Cryptography is used to detect fraudulent disclosures. D The keys in cryptography can be made public.

Answer A is correct. Key management is one of the most crucial considerations of cryptography. An algorithm and a key are required for the encryption of data. The algorithm is publicly known while the key is kept secret. The confidentiality, integrity, and authenticity of data can be addressed through cryptography only if the keys are not compromised. A single key is used for encryption and decryption in a symmetric cryptosystem. Separate keys are used to encrypt and decrypt data in an asymmetric cryptosystem. In both scenarios, the safety of the keys in a cryptographic system is of prime concern. The keys should not be compromised during transmission of the message. The cryptographic keys should not be captured, modified, corrupted, or disclosed to unauthorized individuals. Therefore, it is important that key distribution and management be controlled. The following individuals are responsible for key management:
Users who protect their own keys
Administrators who maintain public and private keys
The authentication server that holds, maintains, and distributes the keys to the sending and receiving parties
Effective key management has the following requirements:
The key should be distributed and managed in a secure manner.
The key should be generated randomly and should use the full keyspace of the algorithm.
The duration of the key should be based on the sensitivity of the data.
The key should be backed up in the event of a lost or destroyed key.
The key should be disposed of in a secure manner.
Cryptography cannot be used to detect fraudulent disclosures. The primary purpose of cryptography is to protect sensitive information against disclosure, not to detect fraudulent disclosures. Cryptography also protects against fraudulent modifications of any kind. Cryptography addresses the confidentiality, integrity, and authenticity of data. It does not deal with the availability of data.

What is the primary problem of symmetric cryptography? A key management B different keys for encryption and decryption C hardware and software implementation D high processing

Answer A is correct. Key management is the primary problem with symmetric cryptography. Symmetric cryptography uses one key to encrypt and decrypt the data, whereas asymmetric cryptography uses different keys to encrypt and decrypt the data. The two keys are referred to as the private and public keys. The issues of key management include key recovery, key storage, and key change. Symmetric cryptography actually requires much less processing than asymmetric cryptography. Symmetric (private key) cryptography is easier to implement and approximately 1000 to 10000 times faster than asymmetric (public key) cryptography. Each authorized person communicating by using the symmetric algorithm should have a copy of the secret key. If the number of users runs into hundreds, hundreds of identical keys must be handled. Therefore, it becomes difficult to manage the keys. Symmetric encryption requires that each communication node has its own key. Symmetric cryptography may be less secure than asymmetric cryptography because the same key is used for encryption and decryption. Symmetric cryptography requires a separate secure mechanism to deliver keys to the participating nodes in the communication.

What is a security enhancement for Linux that is implemented using a loadable kernel module? A low water-mark mandatory access control (LOMAC) B role-based access control (RBAC) C discretionary access control (DAC) D mandatory access control (MAC)

Answer A is correct. Low water-mark mandatory access control (LOMAC) is a security enhancement for Linux that is implemented using a loadable kernel module. Role-based access control (RBAC) is an access control model that configures user access based on the user's role in the company. It is not an implementation specific to Linux only. Discretionary access control (DAC) is an access control model that configures user access based on the identity and assignment of the user or on the groups to which the user belongs. This model leaves configuration at the discretion of the resource owners. It is not an implementation specific to Linux only. Mandatory access control (MAC) is an access control model that configures user access based on the user's security clearance and object's security classification. It is not an implementation specific to Linux only.

Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy? A To detect fraud B To increase employee productivity C To reduce employee stress levels D To rotate job responsibilities

Answer A is correct. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their job, requiring someone else to perform their job responsibilities, and this increases the likelihood of discovering fraud. It does not rotate job responsibilities. While mandatory vacations might help employees reduce their overall stress levels, and in turn increase productivity, these are not the primary reasons for mandatory vacation policies.

An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following? A Need-to-know B Role Based Access Control C Principle of least permission D Separation of duties

Answer A is correct. Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn't control all the elements of a process. Role Based Access Control (RBAC) grants access to resources based on a role.

Which tool is NOT a back door application? A Nessus B NetBus C Masters Paradise D Back Orifice

Answer A is correct. Nessus is NOT a back door application. It is a network vulnerability scanner. Back Orifice, NetBus, and Masters Paradise are all back door applications. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer. Back doors can also be mechanisms created by hackers to gain network access at a later time. Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications.

No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent all but which of the following? A Espionage B Piggybacking C Abuse D Masquerading

Answer A is correct. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot be prevented by physical access controls.

Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers? A ODBC B DSS C Abstraction D SDLC

Answer A is correct. ODBC acts as a proxy between applications and the backend DBMS.

Which of these attacks is an attack on an organization's cryptosystem? A known plaintext attack B brute force attack C Denial of Service (DoS) D buffer overflow

Answer A is correct. Of the given attacks, only a known plaintext attack is an attack on an organization's cryptosystem. In this type of attack, the attacker has both the plaintext and the ciphertext for a message and wants to discover the key used to encrypt it, so that other messages encrypted under the same key can be read. Attacks against cryptosystems include the following:
ciphertext-only attacks - The attacker has several messages that have all been encrypted using the same algorithm and key, and nothing else. The aim is to discover the key; once the key is discovered, all messages sent using that key can be decrypted. This is the most common situation an attacker is in, but it is also the hardest to exploit.
known plaintext attacks - The attacker has both the plaintext and the ciphertext version of one or more messages. The aim is to discover the key used in the encryption.
chosen plaintext attacks - The attacker can select the plaintext that gets encrypted and observe the corresponding ciphertext. The aim is to discover the key used in the encryption.
chosen ciphertext attacks - The attacker chooses the ciphertext to be decrypted and has access to the resulting plaintext. The aim is to discover the key used in the encryption.
differential cryptanalysis - Looks at pairs of plaintexts with chosen differences and analyzes how those differences propagate into the corresponding ciphertext pairs; it is primarily a chosen plaintext technique against block ciphers, and the aim is to discover the key.
linear cryptanalysis - A known plaintext attack that approximates the cipher with linear equations over many messages encrypted under the same key. The more plaintext/ciphertext pairs available, the higher the probability that the correct key will be discovered.
side-channel attacks - Infer the key from physical leakage of the implementation (timing, power consumption, electromagnetic emissions, error messages) rather than from weaknesses in the algorithm's mathematics.
replay attacks - The attacker captures messages and resends them later, hoping the receiver will accept them as coming from a legitimate entity. The captured information is usually authentication data.
algebraic attacks - Analyze the mathematics used in the algorithm and attempt to exploit its algebraic structure.
analytic attacks - Identify structural weaknesses in an algorithm's design.
statistical attacks - Identify statistical weaknesses in an algorithm's design.
Keep in mind that many countries restrict the use or exportation of cryptographic systems, because criminals could use encryption to avoid detection and prosecution. The U.S. government has greatly reduced its restrictions on cryptography exportation, but some restrictions remain: products that use encryption cannot be sold to any country the United States has declared a state sponsor of terrorism. The concern is that adversaries would use encryption to hide their communication and the government would be unable to break it.
Brute force attacks, Denial of Service (DoS) attacks, and buffer overflow attacks are considered attacks against operations. Brute force attacks try different inputs to achieve a particular goal, and are often used to obtain user credentials for unauthorized access. (An exhaustive search of a cipher's key space is also a cryptanalytic attack; in this question brute force refers to guessing credentials, which is why it is not the answer.) DoS attacks are actions that prevent a system or its resources from operating as planned. Buffer overflow attacks occur when more data is written to a buffer than it was sized to hold, corrupting adjacent memory in an application or operating system.
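To make the known plaintext and chosen plaintext cases concrete, here is an added example (not code from the study guide) against a constructed repeating-key XOR cipher. The key, the messages, and the assumption that the attacker already knows the key length (in practice it would be estimated from ciphertext periodicity) are all constructed for the illustration; the attack pattern, pairing plaintext with ciphertext to solve for the key and then reading other traffic, is the point.

```python
# Added example: known-plaintext and chosen-plaintext key recovery against a
# toy repeating-key XOR cipher. Key and messages are constructed.
from itertools import cycle


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt with a repeating key (XOR is its own inverse)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def known_plaintext_attack(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Recover the key from one (plaintext, ciphertext) pair.

    For a XOR stream, C[i] = P[i] ^ K[i mod key_len], so each key byte is
    simply P[i] ^ C[i]; key_len matching bytes are enough to recover all of K.
    """
    if len(plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def chosen_plaintext_attack(encrypt_oracle, key_len: int) -> bytes:
    """Chosen-plaintext variant: the attacker submits all-zero plaintext, so the
    ciphertext the oracle returns is the keystream itself (0 ^ k == k)."""
    return encrypt_oracle(bytes(key_len))


def demo() -> dict:
    key = b"s3cr3t"                                        # constructed, unknown to the attacker
    known_msg = b"Attack at dawn. Bring the ledger."       # attacker knows this message...
    other_msg = b"Move the funds through account 4417."   # ...but not this one
    c_known = xor_cipher(known_msg, key)
    c_other = xor_cipher(other_msg, key)

    recovered = known_plaintext_attack(known_msg, c_known, len(key))
    other_plaintext = xor_cipher(c_other, recovered)      # same key, so the second message falls too

    oracle = lambda p: xor_cipher(p, key)                 # attacker may submit plaintexts for encryption
    via_cpa = chosen_plaintext_attack(oracle, len(key))
    return {"recovered_key": recovered, "other_plaintext": other_plaintext, "cpa_key": via_cpa}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same idea carries over to any cipher whose keystream does not depend on the message: one known message under a reused key exposes every other message under that key, which is why stream ciphers must never reuse a key/nonce pair.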

Which interface language is an application programming interface (API) that can be configured to allow any application to query databases? A ODBC B JDBC C XML D OLE DB

Answer A is correct. Open Database Connectivity (ODBC) is an application programming interface (API) that can be configured to allow any application to query databases. The application calls the ODBC API; the ODBC driver manager loads the appropriate database driver, which translates the application's request into the commands of the specific database. Java Database Connectivity (JDBC) is an API that allows a Java application to communicate with a database. Extensible Markup Language (XML) is a standard for arranging data so that it can be shared by Web technologies. Object Linking and Embedding Database (OLE DB) is a Microsoft API for accessing data from a variety of sources, not only relational databases.
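Whatever the connectivity API, the security question a practitioner asks is how the application hands user input to the driver. The added example below is not from the study guide; it uses Python's standard sqlite3 module as a stand-in for an ODBC or JDBC driver (the "?" placeholder convention is the same one pyodbc and JDBC PreparedStatement use), and the table contents and the injection payload are constructed.

```python
# Added example: the same lookup issued through a database API two ways.
# sqlite3 stands in for an ODBC/JDBC driver; rows are constructed.
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Builds SQL by string formatting: the input becomes part of the command
    the driver translates, so it can change the meaning of the query."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: query text and parameter travel separately, so the
    driver always treats the input as data, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    conn = setup_db()
    hostile = "' OR '1'='1"   # constructed injection payload
    return {
        "unsafe_rows": find_user_unsafe(conn, hostile),   # every row comes back
        "safe_rows": find_user_safe(conn, hostile),       # no user is literally named that
        "legit_rows": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The driver layer (ODBC, JDBC, OLE DB) cannot tell injected SQL from intended SQL; separation of code and data has to happen in the application through parameterization.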

Which of the following is the most secure method of deleting data on a DVD? A Destruction B Degaussing C Formatting D Deleting

Answer A is correct. Physical destruction (shredding or pulverizing the disc) is the most secure method of removing data from optical media such as a DVD. Formatting and deleting rarely remove the data itself from any medium; they usually remove only the file system's references to it, leaving the content recoverable. DVDs store data in an optical layer rather than as magnetic flux, so degaussing a DVD has no effect on the data.

Which operation must you undertake to avoid mishandling of tapes, CDs, DVDs, floppies, and printed material? A labeling B degaussing C zeroization D offsite storage

Answer A is correct. Proper labeling is required to avoid mishandling of the information on storage media such as tapes and floppy disks. Compact discs and floppy disks are used to store small data sets, while backup tapes are used to store large numbers of data sets. Storage media containing confidential information must be appropriately marked and labeled to ensure appropriate classification, and should be stored in a protected area. Each medium should be labeled with the following details:
classification
date of creation
retention period
volume name and version
name of the person who created the backup
Degaussing is not a media handling technique but a media sanitization technique. Degaussing reduces or eliminates the magnetic field of a storage medium by applying strong opposing magnetic fields that bring its magnetic flux density to zero. It is the preferred method for erasing data from magnetic media such as floppy disks and magnetic tapes; it does nothing for optical media or flash/SSD storage, which have no magnetic domains to erase. Zeroization is likewise a sanitization technique, not a handling technique: the medium is overwritten with zeros (or another fixed pattern), often in several passes. The term is most often used for purging cryptographic keys from a cryptographic module. Note that overwriting is unreliable on SSDs because wear leveling may leave copies of old blocks untouched, so for flash media rely on the drive's built-in sanitize/secure-erase command or on physical destruction. Data transfer to an offsite location creates a backup copy of the media for use if there is a disaster at the primary site; offsite storage does not by itself prevent mishandling, which is why the media must still be labeled appropriately.

Which of the following provides priority to different applications, users, or data to guarantee a specific level of performance? A QoS B DRM C SCADA D CoC

Answer A is correct. QoS (quality of service) is a resource reservation control mechanism designed to give priority to different applications, users, or data in order to guarantee a specific level of performance. QoS is needed because not all packets are equal: in converged networks, voice and video are sensitive to latency and jitter while bulk transfers are not, so QoS lets administrators classify traffic types and allocate bandwidth and queue priority to each accordingly. Answer C is incorrect. SCADA (supervisory control and data acquisition) refers to ICS (industrial control system) technology used to monitor critical infrastructure and control power distribution and many other forms of automation. Answer D is incorrect. CoC (chain of custody) is the documentation that shows who collected and who has accessed each piece of evidence; it must be maintained to preserve evidence for presentation in court. Answer B is incorrect. DRM (digital rights management) is a technique for controlling access to copyrighted material.

Which function is provided by remote procedure call (RPC)? A It allows the execution of individual routines on remote computers across a network. B It provides an integrated file system that all users in the distributed environment can share. C It provides code that can be transmitted across a network and executed remotely. D It identifies components within a distributed computing environment (DCE).

Answer A is correct. Remote procedure call (RPC) allows the execution of individual routines on remote computers across a network. It is used in a distributed computing environment (DCE). Globally unique identifiers (GUIDs) and universally unique identifiers (UUIDs) are used to identify components within a DCE; they uniquely identify users, resources, and other components in the environment. Mobile code is code that can be transmitted across a network and executed remotely; Java applets and ActiveX controls downloaded into a Web browser from the World Wide Web (WWW) are examples of mobile code. A distributed file service (DFS) provides an integrated file system that all users in the distributed environment can share. A directory service ensures that services are made available only to properly designated entities.

Which method of resetting the BIOS password requires physical access to the computer? A resetting the CMOS contents via hardware B resetting the CMOS contents via software C cracking the BIOS password D using a back door BIOS password

Answer A is correct. Resetting the CMOS contents via hardware requires physical access to the computer. To do so, you would need to open the computer case and either move the jumper that clears the CMOS contents or remove the CMOS battery entirely. The other listed methods do not require physical access. The CMOS contents can be reset via software remotely; other remote methods include cracking the BIOS password and using a back door BIOS password. Back doors are access paths that vendors build in to ensure that they can always get into their devices. After installing new devices or operating systems, you need to ensure that all back doors and default passwords are either disabled or reset; attackers often try such back doors and default passwords first when they encounter a new device.

Which of the following statements is not true? A Risks to an IT infrastructure are all computer based. B The process by which the goals of risk management are achieved is known as risk analysis. C IT security can provide protection only against logical or technical attacks. D An asset is anything used in a business process or task.

Answer A is correct. Risks to an IT infrastructure are not all computer based; many risks come from noncomputer sources such as people, processes, facilities, and natural events. It is important to consider all possible risks when performing risk evaluation for an organization. If a company fails to properly evaluate and respond to all forms of risk, it remains vulnerable.

An organization is implementing a preselected baseline of security controls, but finds that some of the controls aren't relevant to their needs. What should they do? A Tailor the baseline to their needs. B Re-create a baseline. C Identify another baseline. D Implement all the controls anyway.

Answer A is correct. Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.

While developing your organization's Web site, the Web developer needs to ensure that certain messages are transmitted securely. Which technology would be the best choice for this purpose? A S-HTTP B SET C HTTPS D HTTP

Answer A is correct. Secure HTTP (S-HTTP) would be the best choice to ensure that certain individual messages from the Web server are transmitted securely. Hypertext Transfer Protocol (HTTP) is the protocol that transmits messages on the Web; it provides no security. HTTP Secure (HTTPS) is HTTP running over Secure Sockets Layer (SSL), and in current practice over Transport Layer Security (TLS), since every SSL version is deprecated. It is used to secure entire portions of a Web site, whereas S-HTTP secures only selected messages. Secure Electronic Transaction (SET) is a security technology that secures credit card transactions. Note that this is the textbook distinction the exam expects: S-HTTP saw almost no real-world adoption, and in practice HTTPS over TLS is what you would deploy.

Which of the following determines whether an organization will work under a discretionary, mandatory, or nondiscretionary access control model? A Security policy B Implicit deny C Constrained interface D Single sign-on

Answer A is correct. Security policy determines whether an organization will work under a discretionary, mandatory, or nondiscretionary access control model. It identifies the assets that need protection and how far security solutions should go to protect them. Some organizations create a single security policy document; others create multiple security policies, each focused on a separate area. Answer D is incorrect. SSO (single sign-on) is a centralized access control technique that authenticates a subject once and then permits that subject to access multiple resources without repeated authentication prompts. Answer C is incorrect. A constrained or restricted interface is implemented within an application to restrict what users can do or see based on their privileges. Answer B is incorrect. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

Which access control model uses the star (*) integrity axiom and the simple integrity axiom? A Biba model B Clark-Wilson model C Bell-LaPadula model D Chinese Wall model

Answer A is correct. The Biba access control model, a formal security model for the integrity of objects and subjects in a system, uses the star (*) integrity axiom and the simple integrity axiom. The * integrity axiom, sometimes referred to as "no write up," ensures that a subject does not write to an object at a higher integrity level. The simple integrity axiom, sometimes referred to as "no read down," ensures that a subject does not read data from an object at a lower integrity level. None of the other models uses these axioms. The main emphasis of the Biba model is integrity: it addresses unauthorized modification of data. The Biba model uses a subject-object relationship and maintains integrity by preventing data from flowing from lower integrity levels into higher ones. The goals of integrity are to prevent the modification of information by unauthorized users, to prevent the unauthorized or unintentional modification of information by authorized users, and to preserve the internal and external consistency of the information. Subjects are assigned integrity classes according to their trustworthiness; objects are assigned integrity labels according to the harm that would be done if the data were modified improperly. The two most well-known access control models are the Bell-LaPadula model (confidentiality) and the Biba model (integrity).
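The two axioms are easiest to remember next to their Bell-LaPadula mirror images. The following added example (not from the study guide) encodes both models as executable checks over a constructed ordered set of labels; the level names and the function names are invented for the illustration.

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) rules as
# executable checks. LEVELS is a constructed ordering, low to high.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def blp_allows(op: str, subject: str, obj: str) -> bool:
    """Bell-LaPadula: simple security = no read up, * property = no write down."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o            # may read at or below own clearance
    if op == "write":
        return s <= o            # may write at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subject: str, obj: str) -> bool:
    """Biba: simple integrity = no read down, * integrity = no write up.
    The inequalities are exactly BLP's reversed."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o            # only trust data at or above own integrity
    if op == "write":
        return s >= o            # never taint data of higher integrity
    raise ValueError(f"unknown operation {op!r}")


def both_allow(op: str, subject: str, obj: str) -> bool:
    """Enforcing both models on a single label set leaves only same-level
    access, which is why real systems carry separate confidentiality and
    integrity labels rather than one shared lattice."""
    return blp_allows(op, subject, obj) and biba_allows(op, subject, obj)


def decision_table(check) -> dict:
    """Every (op, subject, object) decision for a checker, for inspection."""
    return {(op, s, o): check(op, s, o)
            for op in ("read", "write") for s in LEVELS for o in LEVELS}


if __name__ == "__main__":
    for key, allowed in sorted(decision_table(biba_allows).items()):
        print(key, "allow" if allowed else "deny")
```

Running the decision table for both_allow shows only the eight same-level cells permitted, which is the practical argument for keeping the two models on separate label sets.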

Which of the following should be members of the Computer Security Incident Response Team (CSIRT)? IT department member Legal department member Public relations department member Management team member A all of the options B options c and d C options a and b D option d E option c F option b G option a

Answer A is correct. The Computer Security Incident Response Team (CSIRT) should contain the following members:
CSIRT Team Leader
CSIRT Incident Lead
CSIRT Associate Members, including:
  IT department member
  Legal department member or legal counsel
  Public relations team member
  Management team member
The team members have specific roles during an incident investigation. The CSIRT has the following responsibilities during an incident investigation:
Initial Assessment - owned by CSIRT Incident Lead
Initial Response - owned by CSIRT Incident Lead
Forensic Evidence Collection - owned by Legal department member
Temporary Fix Implementation - owned by CSIRT Incident Lead
Incident Communication - owned by Management team member
Local Law Enforcement Contact - owned by Management team member
Permanent Fix Implementation - owned by CSIRT Incident Lead
Financial Impact Determination - owned by Management team member
As part of an incident investigation, your organization should have established rules of engagement that define all roles and responsibilities for a security incident. These rules should be periodically reviewed and updated to ensure that they are current. The rules of engagement define how the CSIRT should handle the incident and what actions are legal. Legal counsel and local law enforcement should be involved in developing the rules of engagement. In addition, the rules of engagement should grant authorization to CSIRT team members to carry out their duties, and the scope of those duties should be clearly defined to prevent future legal issues.

Which of the following key sizes is used by International Data Encryption Algorithm (IDEA)? A 128-bit B 64-bit C 32-bit D 16-bit

Answer A is correct. The International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks using a 128-bit key. The algorithm was intended as a replacement for the Data Encryption Standard. IDEA was used in Pretty Good Privacy (PGP) v2.0, adopted after the original cipher used in v1.0 was found to be insecure, and it remains an optional algorithm in OpenPGP. IDEA is a minor revision of an earlier cipher, PES (Proposed Encryption Standard), and was originally known as IPES (Improved PES). The cipher was patented in a number of countries, with free use permitted for non-commercial purposes; those patents have since expired.

Your company has an e-commerce site that is publicly accessible over the Internet. The e-commerce site accepts credit card information from a customer and then processes the customer's transaction. Which standard or law would apply for this type of data? A PCI DSS B SOX C Basel II D The Economic Espionage Act of 1996

Answer A is correct. The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that transmits, stores, or processes credit card data. It is a private-sector contractual standard, not a law. The Economic Espionage Act of 1996 protects companies from industrial or corporate espionage and specifically addresses technical, business, engineering, scientific, and financial trade secrets. Basel II is an accord that went into effect in 2006 and affects financial institutions. Its three main pillars are as follows:
Minimum Capital Requirements - determines the lowest amount of capital that a financial institution must hold.
Supervision - ensures oversight and review of risks and security measures.
Market Discipline - requires members to disclose risk exposure and to validate market capital.
The Sarbanes-Oxley (SOX) Act of 2002 was written to prevent companies from committing fraud by knowingly providing inaccurate financial reports to shareholders and the public. It is mainly concerned with corporate accounting practices. Section 404 of the act requires management to assess internal controls over financial reporting, which in practice brings the IT systems that produce those reports into scope.

Which model employs a directed graph that defines how privileges can transfer from one subject to another subject or to an object? A Take-Grant model B Information flow model C Trusted computing base D Brewer and Nash model

Answer A is correct. The Take-Grant model employs a directed graph that defines how privileges can transfer from one subject to another subject or to an object: a subject holding the take right over another node can take that node's rights, and a subject holding the grant right can pass its own rights to that node. Answer D is incorrect. The Brewer and Nash model allows access controls to change dynamically based on a user's preceding activity, to avoid conflicts of interest. Answer B is incorrect. The information flow model focuses on the flow of information for ensuring and enforcing security. Answer C is incorrect. A trusted computing base (TCB) is the combination of hardware, software, and controls that together enforce the security policy.

Which one of the following technologies is considered flawed and should no longer be used? A WEP B TLS C SHA-3 D PGP

Answer A is correct. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks; use WPA2 or WPA3 instead. TLS, SHA-3, and PGP remain in current use, although the older TLS versions and the SSL protocols that TLS replaced are themselves deprecated.

Which of the following models deals with how objects can be accessed by subjects on the basis of established rights and capabilities? A Access control matrix B Biba C Clark-Wilson D Sutherland

Answer A is correct. The access control matrix model deals with how objects can be accessed by subjects on the basis of established rights and capabilities. In this model an access control matrix is used: a table whose rows are subjects and whose columns are objects, where each cell records the actions or functions that subject may perform on that object. Each column of the matrix is an access control list (ACL) and each row is a capability list. An ACL is attached to the object and lists the valid actions each subject may perform on it. A capability list is attached to the subject and lists the valid actions it may take on each object. Answer B is incorrect. The Biba model, also called the Biba Integrity model, is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity, and the model is designed so that subjects may not corrupt objects at a level ranked higher than the subject, or be corrupted by objects from a level lower than the subject. Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an integrity policy for a computing system. It is primarily concerned with formalizing the notion of information integrity and protects integrity by preventing unauthorized users from making changes. The model's enforcement and certification rules define the data items and processes that form the basis for an integrity policy; its core is the notion of a well-formed transaction. Answer D is incorrect. The Sutherland model is an integrity model that focuses on preventing interference in support of integrity. It is formally based on the state machine model and the information flow model. The Sutherland model does not directly specify particular protection mechanisms; instead it defines a set of system states, initial states, and state transitions. Integrity is maintained and interference is prohibited by limiting the system to these predetermined secure states.
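The column/row distinction and the default-deny lookup are easier to see in code. The added example below is not from the study guide: it stores a constructed access control matrix sparsely, derives the ACL and capability list views from it, and answers access checks with implicit deny (a missing cell is a denial). Subjects, objects, rights, and function names are all invented for the illustration.

```python
# Added example: an access control matrix with ACL (column) and capability
# list (row) views and a default-deny lookup. Contents are constructed.
from typing import Dict, FrozenSet, Tuple

Matrix = Dict[Tuple[str, str], FrozenSet[str]]   # (subject, object) -> rights

MATRIX: Matrix = {
    ("alice", "payroll.db"): frozenset({"read", "write"}),
    ("alice", "report.pdf"): frozenset({"read"}),
    ("bob", "report.pdf"): frozenset({"read", "execute"}),
    ("bob", "backup.sh"): frozenset({"execute"}),
}


def acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """Column view: attached to the object, lists what each subject may do to it."""
    return {s: rights for (s, o), rights in matrix.items() if o == obj}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, FrozenSet[str]]:
    """Row view: attached to the subject, lists what it may do to each object."""
    return {o: rights for (s, o), rights in matrix.items() if s == subject}


def is_allowed(matrix: Matrix, subject: str, obj: str, action: str) -> bool:
    """Implicit deny: an absent cell, or an absent right in a cell, means no access."""
    return action in matrix.get((subject, obj), frozenset())


def grant(matrix: Matrix, subject: str, obj: str, action: str) -> Matrix:
    """Return a new matrix with one right added; the original is left untouched
    so that an audit log can keep the before and after states."""
    updated = dict(matrix)
    updated[(subject, obj)] = matrix.get((subject, obj), frozenset()) | {action}
    return updated


if __name__ == "__main__":
    print("ACL for report.pdf:", acl(MATRIX, "report.pdf"))
    print("capabilities of alice:", capability_list(MATRIX, "alice"))
    print("carol reads payroll.db?", is_allowed(MATRIX, "carol", "payroll.db", "read"))
```

A real system stores only one of the two views (file systems keep ACLs; capability systems keep the row), because a full matrix is almost entirely empty cells, which is exactly what makes default deny the natural rule.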

Which one of the following data roles is most likely to assign permissions to grant users access to data? A Administrator B Custodian C Owner D User

Answer A is correct. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

Which of the following processes is often intertwined with the configuration documentation to ensure that changes are documented? A Change management B Incident management C Configuration management D Capacity management

Answer A is correct. The change management process ensures that changes are adequately reviewed, approved, and documented to reduce outages from changes. It is often intertwined with the configuration documentation to ensure that changes are documented. Changes often create unexpected side effects that can result in outages. An administrator can make a change to a system in order to resolve a problem, but this may cause a problem in other systems. Answer B is incorrect. Incident management is the process of restoring normal service operation as fast as possible while reducing unfavorable impact on business operations. Answer C is incorrect. Configuration management helps ensure that systems are configured properly throughout their lifetime. Answer D is incorrect. Capacity management ensures that the service provider has, at all times, sufficient capacity so that the current and the future needs of the customer get fulfilled.

Who establishes the rules for appropriate use and protection of the subject's information? A Data owner B Administrator C Program manager D Custodian

Answer A is correct. The data owner is responsible for establishing the rules for appropriate use and protection of the subject's information. They are responsible for assigning data classification. Answer D is incorrect. A custodian protects the security and integrity of data by ensuring that it is properly stored and protected. Answer B is incorrect. An administrator is responsible for granting appropriate access to personnel. Answer C is incorrect. A program manager owns processes that use systems managed by other entities.

During which step of the NIST SP 800-137 are the decisions on risk responses made? A Respond to findings. B Review and update the monitoring program and strategy. C Establish the ISCM program. D Define the ISCM strategy.

Answer A is correct. Decisions on risk responses are made during the Respond to findings step of NIST SP 800-137; they are an output of that step. NIST SP 800-137 guides the development of information security continuous monitoring (ISCM) for federal information systems and organizations. It defines the following steps to establish, implement, and maintain ISCM:
Define an ISCM strategy.
Establish an ISCM program.
Implement an ISCM program.
Analyze data and report findings.
Respond to findings.
Review and update the ISCM strategy and program.
Decisions on risk responses are not part of any of the other listed steps.

Which statement is true of an information processing facility? A Doors and walls should have the same fire rating. B Windows should be shielded by metallic bars. C Critical areas must be illuminated six feet high. D A critical path analysis does not have to include a redundant path for every critical path.

Answer A is correct. The doors and walls of an information processing facility should have the same fire rating, in conformance with safety codes and regulations. Fire extinguishers should be kept at known places in the facility, and doors must resist forced entry to prevent theft of or access to computer systems. Windows should not be shielded with metallic bars, so that people are not trapped during a fire or flood. According to the National Institute of Standards and Technology (NIST), critical areas must be illuminated to a height of eight feet with two foot-candles of intensity. A critical path analysis determines the level of protection required for an environment by tracking environmental components, their interactions, and their interdependencies; it includes a redundant path for every critical path to ensure uninterrupted business operation.

Which of the following is the feature of a mutual assistance agreement (MAA) in an event of a disaster? A No monetary cost B Guaranteed availability C Legally enforceable D Immediate access

Answer A is correct. The distinguishing feature of an MAA in the event of a disaster is that it has no monetary cost, but it also provides no reliable insurance against downtime. If an organization cannot afford any other type of alternate processing arrangement, an MAA may still provide a degree of valuable protection against a localized disaster. Answers B, C, and D are incorrect. A mutual assistance agreement provides neither guaranteed availability nor immediate access, and it is not legally enforceable in the event of a disaster.

Which of the following best describes an implicit deny principle? A All actions that are not expressly allowed are denied. B All actions that are not expressly denied are allowed. C None of the above. D All actions must be expressly denied.

Answer A is correct. The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.

Which statement is true of the information flow model? A The information flow model allows the flow of information within the same security level. B The information flow model does not permit the flow of information from a lower security level to a higher security level. C The information flow model only deals with the direction of flow. D The Biba model is not built upon the information flow model.

Answer A is correct. The information flow model allows information to flow between different security levels and between objects within the same security level, subject to the rules expressed in an access control matrix. A flow acts as a type of dependency relating two versions of the same object; it maps the transformation of the object from one version to another. The Biba model and the Bell-LaPadula model are both built on the information flow model and the state machine model, so answer D is false. The information flow model is concerned with every kind of information flow, not only its direction, so answer C is false. Information may flow between different security levels or within the same level unless the operation is restricted; if a user attempts a restricted operation, the system consults the access control matrix to decide whether the user is permitted to perform it.

All of the following affect the strength of encryption, EXCEPT: A the length of the data being encrypted B the algorithm C the secrecy of the key D the length of the key

Answer A is correct. The length of the data being encrypted does not affect the strength of encryption. The strength of encryption is affected by the algorithm, the secrecy of the key, the length of the key, and the initialization vector.

During a recent forensic investigation, several message digests were obtained. What is the main disadvantage of using this evidence? A modified timestamp B faster processing C slower access time D stringent authentication

Answer A is correct. The main disadvantage cited for message digests in this context is that producing them can modify a timestamp: computing a digest means reading the file, and on a live file system a read can update the file's last-access time, overwriting the access time left behind by the incident. The digest is still necessary to show that the evidence was not tampered with during the investigation, so it should be taken from a forensic image, through a write blocker, or with access-time updates disabled, rather than by reading the original media directly. A message digest is the fixed-length output of a one-way hash function applied to input of any length; it is sometimes loosely called a checksum, and it is far smaller than the data it summarizes. Recomputing the digest at each hand-off in the chain of custody detects whether any change has been made to the records. Message digests do not provide stringent authentication; they address integrity of information. They do not by themselves cause either higher processing time or slower access time.
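The procedure an examiner actually follows, hashing each item read-only, recording the digests in a manifest, and re-verifying the manifest later, is shown in the added example below. It is not from the study guide; the evidence files are constructed in a temporary directory. On Linux the O_NOATIME open flag asks the kernel not to update the access time on read (it needs file ownership or CAP_FOWNER, so the code falls back to a plain read if the flag is refused, and silently does nothing on platforms without the flag); this addresses the timestamp concern above but is not a substitute for imaging or a write blocker.

```python
# Added example: read-only evidence hashing, manifest creation and
# re-verification after a (constructed) tampering event.
import hashlib
import os
import tempfile


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def _open_readonly(path: str) -> int:
    """Open for reading without touching atime where the platform allows it."""
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)   # O_NOATIME is Linux-only
    try:
        return os.open(path, flags)
    except PermissionError:
        # O_NOATIME requires owning the file or CAP_FOWNER; fall back to a plain read
        return os.open(path, os.O_RDONLY)


def digest_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Stream the file through the hash so large images do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with os.fdopen(_open_readonly(path), "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """path -> digest, recorded at acquisition time."""
    return {p: digest_file(p) for p in paths}


def verify_manifest(manifest: dict) -> dict:
    """path -> True if the current digest still matches the recorded one."""
    return {p: digest_file(p) == d for p, d in manifest.items()}


def demo() -> dict:
    # Constructed evidence: two small files, one later modified.
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in (("auth.log", b"Jan 1 03:14:07 sshd[412]: Accepted password for root\n"),
                              ("notes.txt", b"analyst notes\n")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        manifest = build_manifest(paths)
        before = verify_manifest(manifest)
        with open(paths[0], "ab") as f:            # simulated tampering
            f.write(b"Jan 1 03:15:00 sshd[412]: session closed\n")
        after = verify_manifest(manifest)
        return {"all_ok_before": all(before.values()),
                "status_after": [after[p] for p in paths]}


if __name__ == "__main__":
    print(demo())
```

Store the manifest with the chain-of-custody record and re-run verify_manifest at every hand-off; a single False is enough to call the integrity of that item into question.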

Management is concerned that attackers will attempt to access information in the database. They have asked you to implement database protection using bogus data in hopes that the bogus data will mislead attackers. Which technique is being requested? A noise and perturbation B trusted front-end C cell suppression D partitioning

Answer A is correct. The noise and perturbation technique is being requested. This technique inserts randomized bogus information alongside the valid records of the database to mislead attackers and protect the confidentiality and integrity of the real data. It alters what an attacker sees while still allowing legitimate users to obtain the information they need, and it creates enough confusion that the attacker cannot tell valid from invalid information. Partitioning is not being requested. Partitioning is another database protection technique: the database is split into many parts, making it difficult for an intruder to collect and combine confidential information and deduce relevant facts. Cell suppression is not being requested. Cell suppression protects confidential information by hiding the database cells (typically aggregates built from very few records) that could be used to disclose it. A trusted front-end is not being requested. A trusted front-end provides security by building security features into the front-end client software that issues structured query language instructions to the back-end server. The trusted front-end acts as the interface to the back-end database system and returns results based on the instructions issued by the user.
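Cell suppression and perturbation are both inference controls, and they fail in different ways, so it helps to run them side by side. The added example below is not from the study guide: it applies both to a constructed table of salary records. The department names, salaries, threshold, and function names are all invented for the illustration.

```python
# Added example: two inference controls on a constructed salary table.
# suppress_small_cells hides aggregates built from fewer than k rows;
# perturb_counts returns counts with bounded, seeded random noise.
import random
from collections import defaultdict

RECORDS = [  # constructed: (department, salary)
    ("engineering", 98000), ("engineering", 105000),
    ("engineering", 91000), ("engineering", 120000),
    ("sales", 70000), ("sales", 64000), ("sales", 81000),
    ("legal", 150000),   # a one-person group: its average IS that person's salary
]


def group(records) -> dict:
    by_dept = defaultdict(list)
    for dept, salary in records:
        by_dept[dept].append(salary)
    return dict(by_dept)


def suppress_small_cells(records, k: int = 3) -> dict:
    """Cell suppression: release (count, average) only for groups of >= k rows;
    smaller cells are returned as None so a single record cannot be inferred."""
    out = {}
    for dept, salaries in group(records).items():
        if len(salaries) < k:
            out[dept] = None
        else:
            out[dept] = (len(salaries), sum(salaries) / len(salaries))
    return out


def perturb_counts(records, seed: int, max_noise: int = 2) -> dict:
    """Noise/perturbation: every published count is the true count plus noise in
    [-max_noise, max_noise]. Seeded so the same query always gives the same
    answer; otherwise repeating the query and averaging would cancel the noise."""
    rng = random.Random(seed)
    return {dept: max(0, len(s) + rng.randint(-max_noise, max_noise))
            for dept, s in group(records).items()}


if __name__ == "__main__":
    print(suppress_small_cells(RECORDS))
    print(perturb_counts(RECORDS, seed=7))
```

Note the interplay: perturbed counts for the one-person legal group still leak that the group is tiny, which is why small cells are usually suppressed first and noise is applied to what remains.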

Which security model ensures that the activities performed at a higher security level do not affect the activities at a lower security level? A noninterference model B Brewer and Nash model C information flow model D Biba model

Answer A is correct. The noninterference model provides multilevel security and ensures that the commands and activities performed at one security level do not affect the activities at another security level. Activities at a lower security level should neither be affected by nor interfere with the subjects or objects of a higher security level, so a subject at the lower level cannot learn anything about higher-level activity by observing the system. The model addresses situations in which one group must not be affected by another group's use of specific commands, and in this way helps guard against object reuse and against malicious programs that try to gain access to restricted resources. The Biba model deals with the integrity of data and adheres to the following requirements: a subject at a lower integrity level must not write to an object at a higher integrity level, and a subject must not read data from an object at a lower integrity level. The information flow model is concerned with what information flows, whether the flow is authorized or not, rather than with the direction of the flow. It states that information can flow from one security level to another or within the same level unless a restricted operation is performed. The Brewer and Nash model, also referred to as the Chinese Wall model, states that the access controls of a system change dynamically according to a user's activities and previous access requests. A request may be denied if granting it would create a conflict of interest; for example, a user from the Accounts department may not be allowed to view the financial reports of a subsidiary of the same organization.

Near the end of a recent incident investigation, the incident investigator suggests that your organization take several recommended countermeasures. Which step of the investigation process is being carried out? A presentation B collection C examination D analysis

Answer A is correct. The presentation step of the investigation process is being carried out. This step can include documentation, expert testimony, clarification, mission impact statement, recommended countermeasures, and statistical interpretation. The collection step is not being carried out; it can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. The examination step is not being carried out; it can include traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. The analysis step is not being carried out; it can include traceability, statistical analysis, protocol analysis, data mining, and timeline determination. The steps of a forensic investigation, in order, are:
1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation
7. Decision

Which type of security identifies the process of safeguarding information assets after the implementation of security? A operations security B physical security C application security D access control security

Answer A is correct. The primary goal of operations security is to guard against information asset threats generated within an organization. It includes taking steps to make sure an environment and the things within it are covered by a certain level of protection. Operations security is important because an environment continually changes and has the potential of lowering its level of protection. Operations security aims at continuous maintenance of security infrastructure through implementation of routine activities that keep the infrastructure up and running in a secure manner. Operations security also depends on the routine procedures and processes of other types of security. For example, to enable operations security, physical security controls should be implemented and maintained, thereby ensuring the confidentiality, integrity, and availability of business operations. Physical controls refer to facility perimeter security, including fencing, gates, locks, and lighting. Physical security controls work in conjunction with operation security to achieve the security objectives of the organization. Application security controls provide processes for input, processing, interprocess communications, communication between different programs, and the resultant output. Access control is a method of limiting resource access to authorized users and preventing access to illegitimate users.

You are part of the design team for an organization's information processing facility. Which option or options represent potential physical security risks to the design? a. spoofing b. physical theft c. power failure d. hardware damage e. denial of service (DoS) attack A options b, c, and d B options c, d, and e C options a, b, and c D option e E option d F option c G option b H option a

Answer A is correct. Physical theft (b), power failure (c), and hardware damage (d) are physical security risks. The primary physical security risks are physical theft, interruption of critical services, and physical damage to hardware assets, all of which threaten the confidentiality, integrity, and availability of an organization's critical resources. Physical security addresses the following major categories of risk: Interruption of services: power failure is an example of interruption of a critical service that is vital to business operations; hardware damage is an example of loss of computer services. Physical theft: theft not only amounts to loss of an asset but also leads to unauthorized disclosure of the information stored on it. A denial of service (DoS) attack (e) and IP spoofing (a) are network-based threats and do not pose a physical security risk.

What is the primary purpose of Kerberos? A Authentication B Accountability C Confidentiality D Integrity

Answer A is correct. The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

Which of the following best defines "rules of behavior" established by a data owner? A Identifying appropriate use and protection of data B Determining who has access to a system C Ensuring that users are granted access to only what they need D Applying security controls to a system

Answer A is correct. The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures that users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

Which processes define the supervisor mode? A processes that are executed in the inner protection rings B processes in the outer protection ring that have more privileges C processes that are executed in the outer protection rings D processes with no protection mechanism

Answer A is correct. The supervisor mode refers to processes that are executed in the inner protection rings. The processes in the inner protection rings are granted more privileges than the processes in the outer protection ring. The processes in the inner ring are executed in the privileged or the supervisor mode, while the processes working in the outer protection rings are executed in the user mode. These processes in the inner ring include the operating system kernel process and input/output (I/O) instructions. Processes are placed in a ring structure according to least privilege. Multiplexed Information and Computing Service (MULTICS) is an example of a ring protection system. All other options are incorrect. Each operating system has a protection mechanism, such as memory segments and protection rings, to ensure that the applications do not adversely affect the critical components of the operating system. The protection rings define the security policy for each application by limiting the operations that can be performed by the application. No application in the operating system functions without a protection mechanism. Operating systems are responsible for memory allocation, input and output tasks, and resource allocation. If an operating system allows sequential use of an object without refreshing it, disclosure of residual data can arise.

Which term is used to describe the area that is covered by a satellite? A footprint B amplitude C frequency D line of sight

Answer A is correct. The term footprint is used to describe the area on Earth that is covered by a satellite. Because a satellite's footprint is large, anyone within it can attempt to intercept the satellite transmission, so the link itself provides no confidentiality. For a non-geostationary satellite, a footprint covers a given area on Earth for only a short time. Amplitude and frequency are analog communication terms: amplitude describes the height of the signal, and frequency describes the number of waves transmitted during a period of time. Line of sight describes the requirement that nothing obstruct the path between the receiver and the satellite; buildings, trees, and weather can all block the signal.

An organization has created an access control policy that grants specific privileges to accountants. What type of access control is this? A Role-based access control B Discretionary access control C Mandatory access control D Rule-based access control

Answer A is correct. The type of access control that is mentioned in the given scenario is role-based access control. This access control policy grants specific privileges based on roles, and roles are frequently job based or task based. Answers B, C, and D are incorrect. Discretionary access controls allow owners to control privileges, mandatory access controls use labels to control privileges, and rule-based access controls use rules.

You have been hired as a security consultant for an organization that does contract work for the U.S. Department of Defense (DoD). You must ensure that all data that is part of the contract work is categorized appropriately. What is the highest data classification category you can use? A Top Secret B Sensitive C Secret D Confidential

Answer A is correct. Top Secret is the highest data classification category that can be used when categorizing data for government or military use. This system has five main levels of classification, from lowest to highest:
1. Unclassified
2. Sensitive
3. Confidential
4. Secret
5. Top Secret
While other classification levels do exist, they usually operate within these five main levels.

What is an example of a brute force attack? A using a program to guess passwords from a SAM file B gathering packets from a network connection C searching through a company's trash D sending multiple ICMP messages to a Web server

Answer A is correct. Using a program to guess passwords from a Security Account Manager (SAM) file is an example of a brute force attack. The SAM file, used on Windows systems, stores password hashes rather than the passwords themselves. An attacker who obtains a copy of it can run a brute force attack offline, hashing candidate passwords until one matches a stored hash. You can defend against brute force attacks by increasing the complexity and length of passwords, which enlarges the keyspace an attacker must search. Sending a flood of Internet Control Message Protocol (ICMP) messages to a Web server is a denial of service (DoS) attack known as a ping flood; the related ping of death attack uses a single oversized ping packet. Searching through a company's trash to find sensitive information is a physical attack referred to as dumpster diving. Using a packet analyzer to gather packets from a network connection between two computers is sniffing (eavesdropping); captured traffic can support a later man-in-the-middle (MITM) attack, but the capture itself is passive.
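To make the keyspace argument concrete, here is an added example (not from the study guide) of the generic offline attack the answer describes: hash every candidate in a keyspace until one matches the stored value, then compare the size of that keyspace with the size of the keyspace a longer, more complex password forces. The "SAM" is a constructed dictionary of account name to hash, and SHA-256 stands in for the NT hash a real SAM stores (an assumption made so the script runs on any Python build); the 10^9 guesses per second rate is likewise an assumed figure.

```python
"""Added example (not from the study guide): offline brute force against a
constructed 'SAM' and the keyspace arithmetic that makes longer, more complex
passwords resist it. SHA-256 is used in place of the NT hash by assumption."""

import hashlib
import itertools
import string


def hash_password(password: str) -> str:
    # Assumption: SHA-256 stands in for the NT hash (MD4 over UTF-16LE).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed 'SAM' contents: one account with a weak three-character password.
SAM = {"svc_backup": hash_password("k7q")}


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over a charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


def brute_force(target_hash: str, charset: str, max_len: int):
    """Try every candidate in length order; return (password, guesses) or
    (None, guesses) if the whole keyspace is exhausted without a match."""
    guesses = 0
    for length in range(1, max_len + 1):
        for candidate in itertools.product(charset, repeat=length):
            guesses += 1
            password = "".join(candidate)
            if hash_password(password) == target_hash:
                return password, guesses
    return None, guesses


def demo() -> dict:
    lower_digits = string.ascii_lowercase + string.digits                  # 36 symbols
    printable = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    cracked, guesses = brute_force(SAM["svc_backup"], lower_digits, 3)
    rate = 1e9  # assumed offline hashing rate, guesses per second
    return {
        "cracked": cracked,
        "guesses": guesses,
        "space_36_3": keyspace(36, 3),
        "space_36_8": keyspace(36, 8),
        "space_94_12": keyspace(len(printable), 12),
        "years_94_12": seconds_to_exhaust(keyspace(len(printable), 12), rate) / (365 * 86400),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three-character password falls in a fraction of a second; moving to 12 characters drawn from 94 symbols puts exhaustive search at millions of years at the same rate. Real attackers use dictionaries and rules before exhaustive search, so the keyspace number is an upper bound on effort, not a guarantee.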

What type of attack uses email and attempts to trick high-level executives? A Whaling B Vishing C Phishing D Spear phishing

Answer A is correct. Whaling is a form of phishing that targets high-level executives such as CEOs and CFOs. Phishing is the general term for fraudulent email sent to a broad audience to trick recipients into revealing information or running malicious content. Spear phishing targets a specific person or group of people, but not necessarily high-level executives. Vishing is a form of phishing carried out over the telephone, commonly using Voice over IP (VoIP).

A security breach has occurred on your organization's file server. As part of an incident investigation, two copies of the original media have been created. You have been asked to create message digests for the files and directories on the media before the data is analyzed. What is the purpose of this action? A to prove the integrity of the original image B to ensure that the new media does not contain any residual data C to prove the confidentiality of the original image D to ensure that the old media does not contain any residual data

Answer A is correct. Message digests (cryptographic hashes, such as SHA-256) computed over the files and directories are used to prove the integrity of the original image. Hashing the original and each copy before analysis, and again afterwards, shows that the copies are bit-for-bit identical to the original and that nothing was changed during analysis; if a digest differs, the data has been changed. Purging ensures that media does not contain any residual data; purging new media before using it to store a copy of evidence is important so that old data cannot contaminate the copy. To provide confidentiality of an image, you would need to encrypt the image, not hash it.
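The procedure above, as an added example that is not part of the study guide: build a digest manifest for every file under a directory, then verify a copy against it and report anything missing, modified or unexpected. The sample files are created in a temporary directory so the script runs offline; their names and contents are constructed, and the "tampered" copy simulates an analyst accidentally altering evidence.

```python
"""Added example (not from the study guide): SHA-256 manifest of a directory
tree and verification of copies against it. Paths and file contents are
constructed in a temporary directory."""

import hashlib
import os
import shutil
import tempfile


def digest_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its digest.
    Sorting makes the manifest deterministic, which matters when the manifest
    itself is hashed or signed and kept with the evidence record."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest_file(full)
    return manifest


def verify_copy(manifest: dict, copy_root: str) -> list:
    """Return a list of problems; an empty list means the copy matches."""
    problems = []
    current = build_manifest(copy_root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append(f"missing: {rel}")
        elif actual != expected:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Create constructed 'original' media, one clean copy and one altered copy."""
    work = tempfile.mkdtemp()
    try:
        original = os.path.join(work, "original")
        os.makedirs(os.path.join(original, "logs"))
        with open(os.path.join(original, "logs", "auth.log"), "w") as f:
            f.write("constructed sample log line\n")
        with open(os.path.join(original, "notes.txt"), "w") as f:
            f.write("constructed sample note\n")
        manifest = build_manifest(original)

        clean = os.path.join(work, "copy1")
        shutil.copytree(original, clean)
        tampered = os.path.join(work, "copy2")
        shutil.copytree(original, tampered)
        with open(os.path.join(tampered, "notes.txt"), "a") as f:
            f.write("accidentally appended during analysis\n")

        return {
            "files": len(manifest),
            "clean": verify_copy(manifest, clean),
            "tampered": verify_copy(manifest, tampered),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

For a disk image you would also hash the whole image file, not only the files inside it, since slack space and deleted data are part of the evidence but not of any file.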

What should you implement on the client computers to best manage the encryption keys, passwords, drive encryption, and digital rights for users? A TPM B VM C DNS D PKI

Answer A is correct. You should implement Trusted Platform Module (TPM) on the client computers to best manage the encryption keys, passwords, drive encryption, and digital rights for users. A public key infrastructure (PKI) is used to centrally manage digital certificates. A Domain Name System (DNS) is used to resolve fully qualified domain names (FQDNs) to IP addresses. A virtual machine (VM) is a software computer that, like a physical computer, runs an operating system and applications. Virtual machines share resources with the host computer.

You need to implement security countermeasures to protect from attacks being implemented against your PBX system via remote maintenance. Which policies provide protection against remote maintenance PBX attacks? Turn off the remote maintenance features when not needed. Use strong authentication on the remote maintenance ports. Keep PBX terminals in a locked, restricted area. Replace or disable embedded logins and passwords. A all of the options B options a and b only C options a, b, and c only D option d E option c F option b G option a

Answer A is correct. You should implement all of the given policies to provide protection against remote maintenance PBX attacks. You should turn off the remote maintenance features when not needed and implement a policy whereby local interaction is required for remote administration. You should use strong authentication on the remote maintenance ports. This will ensure that authentication traffic cannot be compromised. You should keep PBX terminals in a locked, restricted area. While this is more of a physical security issue, it can also affect remote maintenance attacks. If the physical security of a PBX system is compromised, the attacker can then reconfigure the PBX system to allow remote maintenance. You should replace or disable embedded logins and passwords. These are usually configured by the manufacturer to allow back door access to the system.

You have been asked to implement antivirus software for your virtualization environment. Where should you install the antivirus software? A on both the host computer and all virtual computers B on the host computer only C on each virtual computer only D on the physical computer only

Answer A is correct. You should install the antivirus software on both the host computer and all virtual computers. Virtual machines can be compromised with viruses just like a physical computer. Virtualization allows you to implement virtual computers on your network without purchasing separate physical hardware for each server, and to isolate the individual virtual machines in whatever manner you need. However, all virtual machines located on a virtual host are compromised if the virtual host is compromised. Therefore, do not limit security measures to the virtual host: implement the appropriate security measures on each virtual machine as well, including antivirus software and the principle of least privilege. Installing the antivirus software on the host computer only, on each virtual computer only, or on the physical computer only leaves the other layer unprotected.

You need to format data from your database so that it can be easily displayed using Web technologies. Which interface language should you use? A XML B JDBC C OLE DB D ADO

Answer A is correct. You should use extensible markup language (XML). XML is an interface language used to arrange data so that it can be shared by Web technologies. This flexible language can be used to arrange the data into a variety of formats using tags. Answers B, C, and D are incorrect. Java Database Connectivity (JDBC) is an application programming interface (API) that allows a Java application to communicate with a database. Object Linking and Embedding Database (OLE DB) is a method of linking data from different databases. ActiveX Data Objects (ADO) is an API that allows ActiveX programs to query databases.

Which protocol should you configure on a remote access server to authenticate remote users with smart cards? A EAP B PAP C CHAP D MS-CHAP

Answer A is correct. You should use the Extensible Authentication Protocol (EAP). By using an EAP method such as EAP-Transport Layer Security (EAP-TLS), which authenticates with X.509 certificates, the remote access server can authenticate remote users with smart cards that hold their certificates and private keys. The other authentication protocols listed do not support smart cards. Password Authentication Protocol (PAP) requires that users authenticate using a password, which is transmitted in plain text, allowing a possible security breach. Challenge Handshake Authentication Protocol (CHAP) provides a higher level of security; passwords are not sent in plain text. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) comes in two versions. Version 2 provides better security because it provides mutual authentication, meaning both ends of the connection are authenticated.

What is the minimum level of static discharge that causes permanent damage to computer electronics? A 17,000 volts B 4,000 volts C 1,000 volts D 2,000 volts

Answer A is correct. 17,000 volts is the minimum level of static discharge that causes permanent damage to computer electronics. Answer C is incorrect: 1,000 volts of static discharge causes scrambling of the monitor display. Answer B is incorrect: 4,000 volts of static discharge causes a printer jam or component damage. Answer D is incorrect: 2,000 volts of static discharge causes an abrupt system shutdown.

Which level of fences deter casual trespassers? A 3 to 4 feet high B 6 to 7 feet high C 8 feet high with barbed wire

Answer A is correct. Fences 3 to 4 feet high deter only casual trespassers. Answer C is incorrect: fences 8 or more feet high topped with three strands of barbed wire deter determined intruders. Answer B is incorrect: fences 6 to 7 feet high are too hard to climb easily and deter most intruders, except determined ones.

What is NOT an example of an operational control? A an audit trail B a business continuity plan C configuration management D a backup control

Answer B is correct. A business continuity plan is not an operational control; it refers to the procedures undertaken for dealing with long-term unavailability of business processes and resources. Business continuity planning differs from disaster recovery, which aims at minimizing the immediate impact of a disaster. Business continuity planning includes the following steps:
- Moving critical systems to another environment during the repair of the original facility.
- Performing operations in a constrained mode with fewer resources until conditions at the primary facility return to normal.
- Dealing with customers, partners, and shareholders through alternative channels until the original channel is restored.
Operational controls ensure the confidentiality, integrity, and availability of business operations by implementing security as a continuous process. Audit trails are both operational controls and detective controls. Audit trails identify and detect not only unauthorized users but also authorized users who are involved in unauthorized activities and transactions. They support the security objectives defined by the organization's security policy and ensure the accountability of users. They provide detailed information regarding the computer, the resource usage, and the activities of users, and in the event of an intrusion they help identify fraud and unauthorized user activity. Backup controls, software testing, and anti-virus management are other examples of operational controls. Configuration management is an operational control. Configuration management identifies, controls, and audits changes made to the trusted computing base (TCB), including changes to hardware, software, and firmware configurations throughout the operational life cycle of infrastructure assets. It ensures that changes to the infrastructure take place in a controlled manner, follow a procedural approach, and do not violate the organization's security policy and security objectives. Maintenance accounts are considered a threat to operational controls because they are commonly used by attackers to access network devices.

Which type of water sprinkler system is best used in colder climates? A wet pipe B dry pipe C deluge D pre-action

Answer B is correct. A dry pipe water sprinkler system is best used in colder climates. Because water is not held in the pipes of the system, the pipes will not freeze. In a dry pipe system, the following steps occur when a fire is detected:
1. The heat or smoke sensor is activated.
2. Water fills the pipes leading to the sprinkler heads.
3. The fire alarm sounds.
4. The electric power is disconnected.
5. Water flows from the sprinklers.
Wet pipe systems hold water in the pipes at all times and are usually implemented throughout buildings in warmer climates. Pre-action systems combine the dry pipe and wet pipe approaches: the pipes hold pressurized air, and water enters them only when a detector fires (the first trigger); water is then released only at sprinkler heads whose thermal-fusible link has melted (the second trigger), so a false alarm does not soak the equipment. This type of system is more expensive and is therefore typically used in data processing environments. A deluge system has open sprinkler heads and releases a large amount of water in a short time.

Which form of Denial of Service attack is well known for spoofing the source and destination addresses as the address of the victim? A Teardrop B Land C Ping of Death D Smurf

Answer B is correct. A land DoS attack is well known for spoofing the source address of a packet so that the source and destination addresses (and ports) are both those of the victim. This tricks the system into constantly replying to itself and can lead it to freeze, crash, or reboot. Answer A is incorrect. In a teardrop attack, the attacker sends fragments with overlapping offsets so that the victim cannot correctly reassemble the datagram. Answer D is incorrect. A smurf attack floods the victim with ICMP (Internet Control Message Protocol) echo replies: the attacker sends echo requests to a network's broadcast address with the source address spoofed as the victim, so every host on that network answers the victim. Answer C is incorrect. A ping of death attack sends a ping packet fragmented so that the reassembled datagram exceeds the maximum IP packet size of 65,535 bytes, which crashes systems that do not check the size during reassembly.

You are servicing a Windows computer that is connected to your company's Ethernet network. You need to determine the manufacturer of the computer's NIC. You issue the ipconfig /all command in the command prompt window and record the NIC's MAC address, which is 00-20-AF-D3-03-1B.Which part of the MAC address will help you to determine the NIC's manufacturer? A 20-AF-D3 B 00-20-AF C D3-03-1B D AF-D3-03

Answer B is correct. A media access control (MAC) address is a unique 48-bit number that is built into a NIC that connects to an Ethernet network. A MAC address is written as six octets, each representing 8 bits of the address as a two-digit hexadecimal number. The first three octets of a MAC address, the organizationally unique identifier (OUI), are assigned by the Institute of Electrical and Electronics Engineers (IEEE) to each network interface card (NIC) manufacturer; these three octets identify the manufacturer. In this scenario, the sequence 00-20-AF identifies the NIC's manufacturer as 3Com. Other manufacturers of NICs include Cisco, which has been assigned the sequence 00-00-0C, and Hewlett-Packard, which has been assigned the sequence 08-00-09. The last three octets of a MAC address uniquely identify each NIC that a manufacturer produces. Originally, a MAC address was permanently burned into a NIC, but more recent hardware and drivers allow the MAC address to be reconfigured to a different value. This allows administrators to assign addresses of their choosing, but changing MAC addresses must be done with care because two interfaces with the same MAC address on the same network segment will cause communications problems. A reconfigured address also means that the OUI no longer reliably identifies the hardware vendor: an attacker can set any OUI, so a MAC address should not be used as proof of what a device is.
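The OUI extraction described above, as an added example that is not part of the study guide: normalize a MAC address written in any of the common notations, split it into the OUI and the NIC-specific part, look the OUI up in a vendor table, and check the two flag bits in the first octet. The vendor table contains only the three assignments named in the answer; a real lookup uses the IEEE registry.

```python
"""Added example (not from the study guide): MAC address parsing, OUI lookup
and flag-bit checks. The vendor table holds only the three OUIs named in the
answer above."""

import re

OUI_VENDORS = {
    "00-20-AF": "3Com",
    "00-00-0C": "Cisco",
    "08-00-09": "Hewlett-Packard",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-20-AF-D3-03-1B, 00:20:af:d3:03:1b or 0020.afd3.031b and
    return the hyphenated upper-case form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(mac: str) -> dict:
    """Split the address and explain what the first octet's flag bits say."""
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    # Bit 0 of the first octet: 1 = group (multicast/broadcast) address.
    # Bit 1 of the first octet: 1 = locally administered, i.e. set by an
    # administrator or attacker rather than assigned through the IEEE OUI.
    multicast = bool(first_octet & 0x01)
    locally_administered = bool(first_octet & 0x02)
    oui = norm[:8]
    # An OUI identifies a vendor only when the address is universally administered.
    vendor = None if locally_administered else OUI_VENDORS.get(oui)
    return {
        "normalized": norm,
        "oui": oui,
        "nic_specific": norm[9:],
        "multicast": multicast,
        "locally_administered": locally_administered,
        "vendor": vendor,
    }


if __name__ == "__main__":
    for sample in ("00-20-AF-D3-03-1B", "0020.afd3.031b", "02-20-AF-D3-03-1B"):
        print(sample, describe_mac(sample))
```

The locally-administered check is the practical caveat: an address such as 02-20-AF-D3-03-1B carries the 3Com OUI but the flag bit says it was set in software, so the vendor field is deliberately left empty rather than reporting 3Com.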

Which job is NOT provided by a network protocol analyzer? A provide network activity statistics B detect active viruses or malware on the network C identify the types of traffic on the network D identify the sources and destinations of communications

Answer B is correct. A network protocol analyzer does not detect active viruses or malware on the network; that is the job of antivirus software or an intrusion detection system. A network protocol analyzer captures and decodes traffic, so it can provide network activity statistics, identify the types of traffic and the sources and destinations of communications, and determine if passwords are being transmitted over the network in clear text. It can also be used to read the contents of any unencrypted File Transfer Protocol (FTP) packet, including an FTP GET request (the RETR command on the wire). Wireshark is a widely used open source network protocol analyzer.
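The following added example (not part of the study guide) serves both the denial of service question above and this one: it runs detection logic over constructed packet records of the kind a protocol analyzer would export, flagging Land packets (source equals destination), smurf echo requests to the broadcast address, ping of death datagrams that exceed 65,535 bytes after reassembly, and cleartext FTP credentials and downloads on the control channel. The 192.0.2.0/24 network, all addresses, ports and payloads are made up.

```python
"""Added example (not from the study guide): detection rules for Land, smurf,
ping of death and cleartext FTP credentials, run over constructed packet
records. The subnet, addresses, ports and payloads are all made up."""

import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed monitored subnet
MAX_IP_DATAGRAM = 65535                            # maximum IPv4 datagram size

# Constructed capture records. datagram_len is the reassembled datagram size,
# since a ping of death only exceeds the limit after fragment reassembly.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp",
     "sport": 139, "dport": 139, "datagram_len": 60, "payload": b""},
    {"src": "192.0.2.50", "dst": "192.0.2.255", "proto": "icmp",
     "icmp_type": 8, "datagram_len": 84, "payload": b""},
    {"src": "198.51.100.7", "dst": "192.0.2.20", "proto": "icmp",
     "icmp_type": 8, "datagram_len": 65540, "payload": b""},
    {"src": "192.0.2.30", "dst": "192.0.2.40", "proto": "tcp",
     "sport": 50412, "dport": 21, "datagram_len": 70, "payload": b"USER alice\r\n"},
    {"src": "192.0.2.30", "dst": "192.0.2.40", "proto": "tcp",
     "sport": 50412, "dport": 21, "datagram_len": 72, "payload": b"PASS hunter2\r\n"},
    {"src": "192.0.2.30", "dst": "192.0.2.40", "proto": "tcp",
     "sport": 50412, "dport": 21, "datagram_len": 75, "payload": b"RETR secret.txt\r\n"},
    {"src": "192.0.2.60", "dst": "192.0.2.40", "proto": "tcp",
     "sport": 40000, "dport": 443, "datagram_len": 1500, "payload": b"\x16\x03\x01"},
]


def classify(pkt: dict) -> list:
    """Return a list of findings for one packet record (empty if benign)."""
    findings = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])

    # Land: the spoofed source equals the destination, so the victim talks to itself.
    if src == dst:
        findings.append("land: source equals destination")

    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:  # echo request
        # Smurf: echo requests to the broadcast address make every host reply
        # to whatever (spoofed) source address the attacker chose.
        if dst == LOCAL_NET.broadcast_address:
            findings.append("smurf: echo request to broadcast address")
        if pkt["datagram_len"] > MAX_IP_DATAGRAM:
            findings.append("ping of death: reassembled echo request exceeds 65,535 bytes")

    # The FTP control channel is cleartext: USER/PASS carry credentials, RETR is a download.
    if pkt["proto"] == "tcp" and pkt.get("dport") == 21 and pkt["payload"]:
        parts = pkt["payload"].split(b" ", 1)
        cmd = parts[0].strip().upper()
        if cmd in (b"USER", b"PASS"):
            findings.append(f"cleartext ftp credential: {cmd.decode()}")
        elif cmd == b"RETR" and len(parts) == 2:
            findings.append("ftp get request: " + parts[1].strip().decode())
    return findings


def analyze(packets: list) -> dict:
    """Map packet index -> findings for every packet that triggered a rule."""
    report = {}
    for index, pkt in enumerate(packets):
        findings = classify(pkt)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in analyze(SAMPLE_PACKETS).items():
        print(index, findings)
```

The TLS packet to port 443 produces no finding, which is the point of the last record: an analyzer can see that traffic exists and where it goes, but not what an encrypted payload contains, so the credential rule only works on protocols that send passwords in the clear.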

Your company has hired a security firm to test your network's security. What would need to be used outside your network? A protocol analyzer B penetration tester C vulnerability scanner D port scanner

Answer B is correct. A penetration tester would need to be used outside your network. A penetration test attempts to penetrate the network's defenses the way an attacker would, and an external penetration test, the type this scenario describes, originates from outside the network perimeter (internal penetration tests, which assume an attacker already has a foothold, also exist). None of the other tools needs to be used outside your network. A vulnerability scanner checks your network for known vulnerabilities and suggests methods for protecting against them; a vulnerability scan usually originates from within the network. A port scanner identifies ports and services that are available on your network. A protocol analyzer captures packets on your network. The formal steps in a penetration test are as follows:
1. Document information about the target system or device (discovery).
2. Gather information about attack methods against the target system or device, including port scans (enumeration).
3. Identify the known vulnerabilities of the target system or device (vulnerability mapping).
4. Execute attacks against the target system or device to gain user and privileged access (exploitation).
5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action (reporting).
The IP addresses of the computers are usually discovered during a penetration test, and as components of the network are discovered, the methods to be used against them are determined.

Which of the following is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system? A DevOps B API C SCADA D OCSP

Answer B is correct. API (application programming interface) is a set of routines, protocols, and tools that users can use to work with a component, application, or operating system. It helps in reducing the development time of applications by reducing application code. Most operating environments, such as MS-Windows, provide an API so that programmers can write applications consistent with the operating environment. Answer A is incorrect because DevOps is a software development method that emphasizes communication, collaboration, automation, and measurement of co-operation between software developers and other IT professionals. Answer C is incorrect because SCADA (supervisory control and data acquisition) refers to ICS (industrial control system) used to monitor critical infrastructure systems and control power distribution, as well as many other forms of automation. Answer D is incorrect because OCSP (Online Certificate Status Protocol) eliminates the latency inherent in the use of certificate revocation lists.

Which component is NOT associated with the Common Criteria? A target of evaluation B accreditation C security target D protection profile

Answer B is correct. Accreditation is not a component of the Common Criteria. Accreditation is the process in which management formally accepts a system's functionality and assurance, together with the residual risk, and authorizes it to operate. The Common Criteria is concerned with the functionality and assurance attributes of a product. Work on the Common Criteria began in 1993 with the aim of combining existing evaluation criteria, such as TCSEC and ITSEC, into a global standard for evaluating IT products, their security functionality, and their assurance. It is an internationally recognized standard, which reduces the complexity of ratings and lets vendors build one product for international markets. The Common Criteria addresses functionality in terms of what a product does and assurance in terms of whether it will work consistently and predictably. Unlike the Orange Book, which rates a product on how its mechanisms relate to the Bell-LaPadula model, the Common Criteria rates a product against a protection profile and assigns an evaluation assurance level. Its main components are:
- Protection profile (PP): a set of security requirements for a class of product and the rationale behind them. A protection profile can be written by vendors or by customers who need a security solution.
- Target of evaluation (TOE): the product that is to be evaluated and rated.
- Security target (ST): the vendor's document defining the functionality and assurance mechanisms by which the TOE claims to meet the requirements.
- Evaluation assurance level (EAL): in Part 3 of the Common Criteria, Security Assurance Requirements, seven predefined packages of assurance components that make up the scale for rating confidence in the security of IT products and systems.
The seven EAL levels are:
EAL1: functionally tested.
EAL2: structurally tested.
EAL3: methodically tested and checked.
EAL4: methodically designed, tested, and reviewed.
EAL5: semi-formally designed and tested.
EAL6: semi-formally verified design and tested.
EAL7: formally verified design and tested.
The thoroughness and detail of the evaluation increase with each level.

You are designing the reporting solution for your company's information security continuous monitoring (ISCM) program. You need to create a mechanism whereby end users are able to create the reports that they need. You set up the business intelligence (BI) solution, connect it to the data sources, establish security settings, and determine which objects users can access. Which type of reporting are you implementing? A automated reporting B ad-hoc reporting C data feed D recurring reporting

Answer B is correct. Ad-hoc reporting is being used when you set up the business intelligence (BI) solution, connect it to the data sources, establish security settings, and determine which objects users can access. Automated reporting delivers information by setting up in advance the reports that need to be run and then automatically generating and delivering these reports. With automated reporting, users do not create the reports they need. Recurring reporting is very similar to automated reporting. It allows reports to be generated on a regular basis for information that is always needed. With recurring reporting, users do not create the reports they need. A data feed allows users to receive updated data from data sources. A web feed or RSS feed are popular forms of data feeds. With data feeds, users receive information, not reports.

You must document the appropriate guidelines that should be included as part of any security policy that involves personnel who travel with company-issued devices. You have been given the following list of possible tips for travelers that could be included in the guidelines:
A. Privacy when traveling, no matter the connection medium, is not guaranteed.
B. Personnel movements can be tracked using mobile devices.
C. Malicious software can be inserted onto a device from any connection that is controlled by someone else or through thumb drives.
D. Do not take the device with you if you do not need it.
Which tips are valid tips that should be included as part of the guidelines for personnel? A points A, B, and C only B All of the points C points A, C, and D only D points B, C, and D only

Answer B is correct. All of the tips listed are valid and should be included in the guidelines for personnel who travel with company-issued devices. Other tips include: all information that you transmit can be intercepted; all individuals are at risk, although some in sensitive corporate or government positions may be at higher risk; foreign criminals are adept at posing as someone you trust in order to obtain sensitive information; and if your device is ever examined, or left in a hotel room while the room is examined, assume that the hard drive has been copied and the device compromised.

What is the concept of a computer implemented as part of a larger system that is typically designed around a limited set of specific functions (such as management, monitoring, and control) in relation to the larger product of which it's a component? A IoT B Embedded system C SoC D Application appliance

Answer B is correct. An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it's a component. It may consist of the same components found in a typical computer system, or it may be a microcontroller.

A user inherits a permission based on his group membership. Which type of right has been implemented? A access right B implicit right C explicit right D capability

Answer B is correct. An implicit right occurs when a user inherits a permission based on group membership. It can also occur due to role assignment. A capability is an access right that is assigned directly to a subject. An explicit right occurs when a user is given a permission directly. An access right is a generic term referring to any permission granted to a user, whether implicitly or explicitly.

Which statement is true of programming languages? A The compiler translates one command at a time. B Assemblers translate assembly language into machine language. C A high-level programming language requires more time to code instructions. D High cohesion and high coupling represent the best programming.

Answer B is correct. Assemblers translate assembly language into machine language. Interpreters translate one command at a time, whereas compilers translate large sections of program instructions before execution. Cohesion describes how closely the elements within a single module belong together: a highly cohesive module does one well-defined job and depends less on other modules. Coupling refers to the level of interconnection between modules: low coupling means less dependence on other modules, which makes code easier to test, maintain, and secure. High cohesion combined with low coupling represents the best programming practice, so answer D is wrong. High-level languages require less time to code a program than low-level languages because each statement expresses more work, machine details are abstracted away, and reusable libraries and modules reduce the amount of code programmers must write by hand.

You must provide SOC 2 and SOC 3 reports on the security, availability, confidentiality, processing integrity, and privacy of operational controls. As part of these reports, you must provide information regarding the backup and restoration of data. To which tenet of SOC 2 and SOC 3 does this information apply? A privacy B availability C confidentiality D security

Answer B is correct. Backup and restoration of data applies to the availability tenet of the SOC 2 and SOC 3 reports. Availability also includes environmental controls, disaster recovery, business continuity, and availability process. Privacy includes management, privacy notice, data collections, data use and retention, data access, data disclosure to third parties, data quality, and monitoring and enforcement. Security includes the IT security policy, security awareness, risk assessment, logical and physical access, security monitoring, user authentication, incident management, asset classification, personnel security, and other topics. Confidentiality includes the confidentiality policy, input confidentiality, data processing confidentiality, output confidentiality, information disclosure, and systems development confidentiality.

Your organization is considering leasing an off-site data center to provide facility recovery if a disaster occurs. Management wants to lease a cold site. What are some disadvantages of this type of site? a. expense b. recovery time c. administration time d. testing availability A option a B options b and d C option c D option d E options a and c F option b

Answer B is correct. Cold sites take a long time to bring online. They also are not as available for testing as other alternatives. Therefore, recovery time and testing availability are two disadvantages in using a cold site. Cold sites are inexpensive, and require no daily administration time. Therefore, expense and administration time are two advantages in using a cold site. Hot sites are expensive. They require a lot of administration time to ensure that the site is ready within the maximum tolerable downtime (MTD). Therefore, expense and administration time are two disadvantages in using a hot site. In addition, another disadvantage of a hot site is that it would need extensive security controls. Hot sites are available within the MTD and are available for testing. Therefore, recovery time and testing availability are two advantages in using a hot site. Warm sites are less expensive than hot sites, but more expensive than cold sites. The recovery time of a warm site is more than is needed for a hot site, but less than that needed for a cold site. Warm sites usually require less administration time because only the telecommunications equipment is maintained, not the computer equipment. Warm sites are easier to test than cold sites, but harder to test than hot sites. Redundant sites are expensive and require a lot of administration time. However, they require a small recovery time and are easier to test than the facilities owned by other companies.

Which statement is NOT true of cryptanalysis? A It is a tool used to develop a secure cryptosystem. B It is used to test the strength of an algorithm. C It is a process of attempting reverse engineering of a cryptosystem. D It is used to forge coded signals that will be accepted as authentic.

Answer B is keyed as correct on this card, on the reasoning that cryptanalysis is the process of obtaining plaintext from ciphertext without knowing the secret key, that it includes forging signals or text that will be accepted as authentic, and that it is a form of reverse engineering a cryptosystem from observed inputs and outputs rather than a strength test. Treat that reasoning with care: in practice, cryptanalysis is precisely how the strength of an algorithm is tested. A cipher is considered strong only after sustained cryptanalytic attack has failed to find any shortcut cheaper than brute force, which is also why cryptanalysis is a tool for developing a secure cryptosystem (option A). Cryptanalysis works from the permutations and combinations of inputs and outputs available to the analyst, for example known or chosen plaintexts and their corresponding ciphertexts.

Which of the following business continuity exercises can be quite involved and should be performed annually? A structured walkthrough B disaster simulation testing C emergency evacuation drill D table-top exercise

Answer B is correct. Disaster simulation testing can be quite involved and should be performed annually. To complete this test, you create a simulation of an actual disaster, including all of the equipment, supplies, and personnel needed, and determine whether critical business functions can be carried out during the event. None of the other exercises is as involved as disaster simulation testing. In a table-top exercise, personnel from every business unit who understand disaster recovery meet in a conference room to examine the plan and look for gaps. In a structured walkthrough, each team member walks through their plan components to identify weaknesses, usually with a specific disaster in mind. Emergency evacuation drills are usually completed at least twice a year and only ensure that personnel know how to evacuate the facilities properly.

What occurs during the reconstitution phase of a recovery? A an organization ensures that its facility is fully restored at the alternate site B an organization transitions back to its original site C an organization implements the recovery strategy D an organization transitions to a temporary alternate site

Answer B is correct. During the reconstitution phase of disaster recovery, an organization transitions back to its original site or to a new site that was constructed to replace the original site. An organization is not considered fully restored until it is operating from its original or replacement location. None of the other options defines what occurs during the reconstitution phase.

What type of access control model is used on a firewall? A DAC model B Rule-based access control model C RBAC model D MAC model

Answer B is correct. Firewalls use a rule-based access control model with rules expressed in an access control list. A Mandatory Access Control (MAC) model uses labels. A Discretionary Access Control (DAC) model allows users to assign permissions. A Role Based Access Control (RBAC) model organizes users in groups.

Management has asked you to ensure that voltage is kept clean and steady in your facility. Which component is MOST appropriate for this purpose? A concentric circle B line conditioners C UPS D HVAC

Answer B is correct. Fluctuations in voltage, such as spikes and surges, can damage electronic circuits and components. A line conditioner (voltage regulator) ensures a clean and steady supply by filtering incoming power and eliminating fluctuations and interference, so it is the right choice for conditioning the primary supply. An uninterruptible power supply (UPS) primarily provides backup power when the mains fail; it can also provide surge suppression, but only for the equipment connected to it, and that protection is limited. The heating, ventilation, and air conditioning (HVAC) system regulates temperature and humidity; it includes air conditioning plants, chillers, ducts, and heating systems, is also referred to as climate control, and plays no role in regulating voltage. HVAC should maintain a humidity level of 40 to 60 percent: high humidity can cause condensation on computer parts or corrosion on electrical connections, and low humidity can cause static electricity that damages electronic components. Static electricity can also be reduced using anti-static sprays and anti-static flooring. The concentric circle approach defines layered circular security zones for physical access control, secured by fences, badges, mantraps, guards, dogs, and access control systems such as biometric identification; it is a layered defense architecture and does not deal with electric power.

Which of the following is an attack that sends out an overload of UDP packets from a spoofed source so that an overload of ICMP unreachable replies flood the victim? A Brute force B Fraggle C Polymorphic shell code D Dictionary

Answer B is correct. Fraggle sends a flood of UDP packets (typically to the echo or chargen ports of a network's broadcast address) with the source address spoofed to be the victim, so that the replies, including ICMP port-unreachable messages from hosts that do not run those services, flood the victim. Answer A is incorrect. A brute force attack is a type of password guessing attack in which the attacker systematically tries every conceivable combination to find a user's password. Answer D is incorrect. A dictionary attack is a type of password guessing attack that uses a dictionary of common words, often in both upper and lower case, to find a user's password; many programs are available on the Internet to automate dictionary attacks. Answer C is incorrect. In a polymorphic shellcode attack, the attacker encodes or mutates the malicious payload so that each copy has a different byte pattern while still decoding to the same shellcode at run time. Because the new bytes do not match the signature stored in the IDS signature database, a signature-based IDS cannot identify the malicious data, which can then harm the network as well as the IDS.

What is used in evolutionary computing? A mathematical or computational models B genetic algorithms C characteristics of living organisms D knowledge from an expert

Answer B is correct. Genetic algorithms are used in evolutionary computing. Evolutionary computing is a type of artificial intelligence. Biological computing uses the characteristics of living organisms. Knowledge-based or expert systems use knowledge from an expert. Artificial neural networks (ANNs) use mathematical or computational models.

Which of the following is not considered a violation of confidentiality? A Eavesdropping B Hardware destruction C Social engineering D Stealing passwords

Answer B is correct. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

Which of the following will indicate that modification has been made in a message? A The private key has been altered. B The message digest values do not match. C The message has been encrypted properly. D The public key has been altered.

Answer B is correct. Hashing algorithms generate message digests to detect whether modification has taken place or not. The sender and receiver independently generate their own digests and the receiver compares these values. If they are different, the receiver knows that the message has been altered in some way. Answers D, A, and C are incorrect. They will not indicate that modification has been made in a message.
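
The digest check described above, written out as an added example (it is not part of the study card). It assumes SHA-256 for the digest and HMAC-SHA256 for the keyed variant; the messages and the shared key are constructed for illustration. It also shows the caveat a practitioner needs: an unkeyed digest only detects accidental or naive modification, because an attacker who can change the message can recompute the digest too, so integrity against an active attacker needs a key (HMAC) or a digital signature.

```python
import hashlib
import hmac

# Added example (not part of the study card): detecting modification with a
# message digest, and why an unkeyed digest alone is not enough.

def message_digest(message: bytes) -> str:
    """SHA-256 digest of the message, hex-encoded."""
    return hashlib.sha256(message).hexdigest()

def digest_matches(message: bytes, received_digest: str) -> bool:
    """Receiver recomputes the digest and compares; a mismatch means the
    message (or the digest) was altered in transit."""
    # compare_digest avoids leaking the position of the first differing byte
    # through timing differences.
    return hmac.compare_digest(message_digest(message), received_digest)

def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: a digest that can only be produced with the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def keyed_digest_matches(key: bytes, message: bytes, received_mac: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, message), received_mac)

def demo():
    """Constructed scenario: an attacker changes the amount in a message."""
    original = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"

    # Case 1: the attacker changes the message but forwards the original digest.
    sent_digest = message_digest(original)
    detected = not digest_matches(tampered, sent_digest)

    # Case 2: the attacker also recomputes the digest over the tampered message.
    # An unkeyed hash gives no way to tell this apart from an honest message.
    forged_digest = message_digest(tampered)
    detected_unkeyed = not digest_matches(tampered, forged_digest)

    # Case 3: with a shared secret (HMAC) or a digital signature, the attacker
    # cannot produce a valid tag for the tampered message without the key.
    shared_key = b"constructed-example-key-not-for-real-use"
    sent_mac = keyed_digest(shared_key, original)
    detected_keyed = not keyed_digest_matches(shared_key, tampered, sent_mac)

    return detected, detected_unkeyed, detected_keyed

if __name__ == "__main__":
    print(demo())
```

Running it gives (True, False, True): the plain digest catches a message that was changed after hashing, misses a message whose digest was recomputed by the attacker, and the keyed digest catches both.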

___________________ is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic. A IDEA B IPsec C SDLC D UDP

Answer B is correct. IPsec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.

What happens when a trusted computing base (TCB) failure occurs as a result of a lower-privileged process trying to access restricted memory segments? A Operating system reinstallation is required. B The system goes into maintenance mode. C The system reboots immediately. D Administrator intervention is required.

Answer B is correct. If a process with lower privilege attempts to access the restricted memory segments, the system transits into maintenance mode, also referred to as an emergency system restart. An emergency system restart occurs in response to a system failure. An emergency system restart can be caused by a trusted computing base (TCB) failure, a media failure, or a user performing an insecure activity. A lower privileged process trying to access restricted memory segments is an example of an insecure activity. A system reboot occurs in response to other TCB failures. This is a controlled reboot of the system. The purpose of performing a system reboot is to release system resources and perform the necessary system activities. A system cold start occurs if a user or a system administrator intervenes. A system cold start occurs when the recovery procedures are inadequate to recover the system from a TCB or a media failure. The system remains in an inconsistent state during an attempt by the system to recover. Operating system reinstallation is not a valid response for trusted recovery. Trusted recovery includes a system reboot, an emergency system restart, and system cold start.

Which of the following modes of 3DES takes place in the sequence encrypt-decrypt-encrypt by using two different keys? A DES-EEE2 B DES-EDE2 C DES-EEE3 D DES-EDE3

Answer B is correct. In DES-EDE2, three DES operations take place in the sequence encrypt-decrypt-encrypt using two different keys, K1 for the outer operations and K2 for the middle one, giving a 112-bit key (two 56-bit DES keys): C = E_K1(D_K2(E_K1(P))). Answer C is incorrect. In DES-EEE3, three different keys are used in three successive encryptions, giving a 168-bit key: C = E_K1(E_K2(E_K3(P))). Answer D is incorrect. In DES-EDE3, the three operations take place in the sequence encrypt-decrypt-encrypt using three different keys, again a 168-bit key (meet-in-the-middle attacks reduce its effective strength to about 112 bits): C = E_K1(D_K2(E_K3(P))). Answer A is incorrect. In DES-EEE2, two keys are used for three successive encryptions, a 112-bit key: C = E_K1(E_K2(E_K1(P))). The middle decryption in the EDE modes is what lets a 3DES implementation interoperate with single DES when all keys are set equal. Note that NIST has deprecated 3DES in favor of AES for new applications.
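
The EDE composition above, as an added example that is not part of the study card. Python's standard library has no DES, so a toy 64-bit Feistel cipher stands in for it; the toy's round function, key schedule and key sizes are assumptions made for this example and are not DES. The composition functions themselves follow the card's formulas exactly, and the example demonstrates the property that motivated EDE over EEE: with K1 = K2 = K3 the middle decryption cancels the first encryption, so triple-EDE collapses to a single encryption under the base cipher.

```python
import hashlib

# Added example (not part of the study card). A toy Feistel block cipher stands
# in for DES so the code runs on the standard library alone; it is NOT DES and
# must not be used for real encryption. What it shows is the EDE composition.

ROUNDS = 4

def _subkeys(key: bytes):
    # toy key schedule: one 8-byte subkey per round, derived from the key
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]

def _f(half: int, subkey: bytes) -> int:
    # toy round function: a 32-bit value derived from (half, subkey)
    data = half.to_bytes(4, "big") + subkey
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def _feistel(block: bytes, subkeys) -> bytes:
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in subkeys:
        left, right = right, left ^ _f(right, sk)
    # swap halves at the end so the same routine inverts itself when run with
    # the subkeys in reverse order
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")

def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == 8, "64-bit block expected"
    return _feistel(block, _subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == 8, "64-bit block expected"
    return _feistel(block, list(reversed(_subkeys(key))))

def ede3_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """DES-EDE3 in the card's notation: C = E_K1(D_K2(E_K3(P)))."""
    return encrypt_block(k1, decrypt_block(k2, encrypt_block(k3, block)))

def ede3_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """Inverse: P = D_K3(E_K2(D_K1(C)))."""
    return decrypt_block(k3, encrypt_block(k2, decrypt_block(k1, block)))

def ede2_encrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    """DES-EDE2: two keys, C = E_K1(D_K2(E_K1(P)))."""
    return ede3_encrypt(k1, k2, k1, block)

def ede2_decrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    return ede3_decrypt(k1, k2, k1, block)

def single_key_collapses_to_single_encryption(key: bytes, block: bytes) -> bool:
    """With K1 = K2 = K3 the middle decryption undoes the first encryption, so
    EDE equals one pass of the base cipher. That backward compatibility with
    single-DES peers is why EDE was chosen; EEE has no such property."""
    return ede3_encrypt(key, key, key, block) == encrypt_block(key, block)

if __name__ == "__main__":
    p = bytes(range(8))
    print(ede2_encrypt(b"key-one", b"key-two", p).hex())
    print(single_key_collapses_to_single_encryption(b"key-one", p))
```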

In PKI, what is the entity that signs a certificate? A a principal B an issuer C a subject D a verifier

Answer B is correct. In a public key infrastructure (PKI), an issuer (the certification authority, CA) is the entity that signs a certificate. Signing a certificate asserts that the name and public key bound in the certificate belong together and are valid. PKI is a system designed to securely distribute public keys. A PKI typically consists of certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which a relying party follows from a leaf certificate back to a trusted root. A principal is any entity that possesses a public key. A verifier is the entity that validates a certificate or certificate chain. A subject is the entity named in the certificate, whose public key the certificate binds to that name. A PKI provides digital certification, including a certification authority (CA) and timestamping; a Lightweight Directory Access Protocol (LDAP) server is often used to provide the directory structure; and a PKI provides non-repudiation support.

Which of the following can be considered a single point of failure within a single sign-on implementation? A RADIUS B Authentication server C Users workstation D Logon credentials

Answer B is correct. In a single sign-on technology, all users are authenticating to one source. Authentication requests cannot be processed if that source goes down. Answers C, D, and A are incorrect. They cannot be considered as a single point of failure within a single sign-on implementation because their failure will not cause an entire system to fail.

Richard believes that a database user is misusing his privileges to gain information about the company's overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of? A Inference B Aggregation C Polyinstantiation D Contamination

Answer B is correct. In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal. Answer A is incorrect. Inference attacks involve combining several pieces of non-sensitive information to gain access to information that should be classified at a higher level. However, inference makes use of the human mind's deductive capacity rather than the raw mathematical ability of modern database platforms. Answer D is incorrect. Contamination is the mixing of data from a higher classification level and/or need to know requirement with data from a lower classification level and/or need-to-know requirement. Answer C is incorrect. Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels.
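
The aggregation attack in Richard's scenario, as an added example that is not part of the study card. The salary table and its four rows are constructed sample data, and SQLite is used because it ships with Python. The example shows how two permitted aggregate queries, subtracted, yield one individual's record, and a minimum-group-size control that blocks this particular attack.

```python
import sqlite3

# Added example (not part of the study card). Constructed sample data shows an
# aggregation/inference attack through aggregate queries over small groups,
# and a minimum-group-size control that blocks it.

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salaries (emp TEXT PRIMARY KEY, dept TEXT, salary INTEGER)")
    rows = [  # constructed sample records
        ("alice", "eng", 120000),
        ("bob", "eng", 110000),
        ("carol", "eng", 130000),
        ("dave", "legal", 150000),
    ]
    conn.executemany("INSERT INTO salaries VALUES (?, ?, ?)", rows)
    return conn

def dept_totals(conn: sqlite3.Connection) -> dict:
    """The kind of aggregate query an analyst is allowed to run."""
    return dict(conn.execute("SELECT dept, SUM(salary) FROM salaries GROUP BY dept"))

def infer_salary(conn: sqlite3.Connection, emp: str, dept: str) -> int:
    """Aggregation attack: two permitted aggregates, subtracted, reveal one
    individual's salary that the user has no right to read directly."""
    (total,) = conn.execute(
        "SELECT SUM(salary) FROM salaries WHERE dept = ?", (dept,)).fetchone()
    (rest,) = conn.execute(
        "SELECT SUM(salary) FROM salaries WHERE dept = ? AND emp <> ?", (dept, emp)).fetchone()
    return total - rest

def guarded_sum(conn: sqlite3.Connection, dept: str, exclude_emp=None, min_group: int = 3):
    """Control: refuse to return an aggregate computed over fewer than
    min_group rows, so that no query isolates an individual."""
    sql = "SELECT SUM(salary), COUNT(*) FROM salaries WHERE dept = ?"
    params = [dept]
    if exclude_emp is not None:
        sql += " AND emp <> ?"
        params.append(exclude_emp)
    total, count = conn.execute(sql, params).fetchone()
    if count < min_group:
        return None  # query suppressed
    return total

def infer_salary_guarded(conn: sqlite3.Connection, emp: str, dept: str):
    total = guarded_sum(conn, dept)
    rest = guarded_sum(conn, dept, exclude_emp=emp)
    if total is None or rest is None:
        return None  # attack blocked: one of the aggregates was suppressed
    return total - rest

if __name__ == "__main__":
    db = build_db()
    print(dept_totals(db))
    print(infer_salary(db, "alice", "eng"))
    print(infer_salary_guarded(db, "alice", "eng"))
```

A query-size threshold is a necessary control but not a sufficient one: an attacker can combine several above-threshold queries (a tracker attack) to reach the same result, which is why production systems add query auditing, result perturbation, or differential privacy on top of it.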

Mark, Sam, and Pete are IT managers who all report to Jim. Mark's group is responsible for firewall administration tasks. Sam's group manages user accounts. Pete's group is responsible for customer support. Members of the groups cannot share or exchange their tasks. What security control is Jim enforcing? A Data remanence B Separation of duties C Principle of least privilege D Job rotation

Answer B is correct. Here, sensitive functions are split among groups so that no single person or group controls an entire process: Mark's group administers the firewall, Sam's group manages user accounts, Pete's group handles customer support, and members cannot exchange tasks. Separation of duties (SoD) is the concept of requiring more than one person to complete a task. It is also called segregation of duties or, in the political realm, separation of powers. Separation of duties helps reduce the potential damage from the actions, or errors, of one person. Answer C is incorrect. The principle of least privilege states that an individual should have just enough permissions and rights to fulfill their role. Answer D is incorrect. Job rotation is an approach to management development in which an individual is moved through a schedule of assignments designed to give them breadth of exposure to the entire operation; it also helps detect fraud. Answer A is incorrect. Data remanence refers to data that remains even after efforts have been made to remove or erase it.

Which task does a key revocation system accomplish? A key validation B key invalidation C key generation D private key protection

Answer B is correct. Key revocation systems are designed to invalidate keys. Keys are generated by key generation systems. Data Encryption Standard (DES), for example, provides a key generation system that produces 56-bit encryption keys. A receiver of a key can certify the identity of the sender of the key by using a key certification system. Encryption systems typically provide password protection to protect private keys.

Which of the following access controls provides upper and lower bounds of access for every relationship between a subject and an object? A Attribute-based B Lattice-based C Discretionary D Role-based

Answer B is correct. Lattice-based access controls define upper and lower bounds of access for every relationship between a subject and an object. These bounds usually follow military or corporate security levels (although they can also be arbitrary). For example, a subject whose label dominates an object's label may read it but not write to it; write access to that object lies outside the subject's lattice bounds. Answer C is incorrect. DAC (discretionary access control) allows the owner or creator of an object to control and define subject access to that object. Answer D is incorrect. In RBAC (role-based access control), a user can access resources according to their role in the organization. Answer A is incorrect. In ABAC (attribute-based access control), access decisions are made by evaluating policy over attributes of the subject, the object, and the environment, rather than from rights assigned directly to the subject.
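
The lattice bounds described above, as an added example that is not part of the study card. Labels are modeled as a hierarchical level plus a set of compartments, ordered by dominance; the level names and compartment names are constructed for illustration, and the read and write rules follow the Bell-LaPadula simple security and star properties, which is an assumption about which lattice policy is meant.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Added example (not part of the study card). Labels form a lattice: a
# hierarchical level plus a set of compartments (need-to-know categories).
# Level and compartment names are constructed for illustration.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: higher-or-equal level AND a superset of compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments

def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)

def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)

def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the object must lie at or below
    the subject's label, i.e. within the subject's upper bound."""
    return dominates(subject, obj)

def can_write(subject: Label, obj: Label) -> bool:
    """Star property (no write down): the object must lie at or above the
    subject's label, i.e. at or above the subject's lower bound."""
    return dominates(obj, subject)

def access_for(subject: Label, obj: Label) -> str:
    """Summarize the subject's access to the object under both properties."""
    r, w = can_read(subject, obj), can_write(subject, obj)
    if r and w:
        return "read-write"   # labels are equal
    if r:
        return "read-only"    # object below the subject: read but not write
    if w:
        return "write-only"   # object above the subject: blind write up
    return "none"             # labels incomparable (disjoint compartments)

if __name__ == "__main__":
    analyst = Label("secret", frozenset({"nuclear"}))
    for obj in (Label("secret", frozenset({"nuclear"})),
                Label("confidential", frozenset({"nuclear"})),
                Label("top_secret", frozenset({"nuclear"})),
                Label("secret", frozenset({"crypto"}))):
        print(obj, access_for(analyst, obj))
```

The "read but not write" case in the card is the second object: the analyst dominates a confidential/nuclear document, so reading is inside the bounds and writing (which would move data downward) is not. Two labels with disjoint compartments are incomparable, which is why the lattice needs lub and glb rather than a single line of levels.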

What is a characteristic of maintaining logs in a system? A Logging provides access control by authenticating user credentials. B Logging helps an administrator to detect security breaches and vulnerable points in a network. C Logging provides audit trails but enhances security violations. D Logging prevents security violations but only deals with passive monitoring.

Answer B is correct. Logging helps the administrator to detect vulnerable points in a network, specify changes that can enhance the system's security, log suspicious activity from a specific user or a system, and identify a security breach. Logging does NOT enhance security violations. Logging is not only a passive but also an active process of assimilating information about various aspects, such as performance and security of an infrastructure. Logging as a part of the access control system provides accountability services and does not provide authentication and authorization services to legitimate users. Logging is the process of collecting information that is used for monitoring and auditing purposes. Logging establishes user accountability by providing audit trails and system logs related to system resource usage and activities. If an intrusion occurs, logging helps find the potential source of an attack. Therefore, logs must be secured properly. Logs should be periodically archived and reviewed for any suspicious activity. The period of log retention depends on the security requirements of the organization. Logs can also be used for security evaluation of a company during the course of information security audits. An infrastructure can be monitored by performing activities, such as log analysis and intrusion detection by using the IDS. An organization can also periodically deploy countermeasure testing to ensure that the infrastructure devices comply with the security policy and meet the security needs of the organization. Countermeasure testing is not a monitoring technique, but it ensures that an organization meets its security objectives.

Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special type of oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs? A Patent B Trade secret C Copyright D Trademark

Answer B is correct. Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely. Answer A is incorrect. A patent is a form of intellectual property which provides an inventor with a set of exclusive rights for a specific period of time, generally 20 years. Answer D is incorrect. A trademark is a form of intellectual property which includes registered slogans, words, or logos used to identify a company and its products. Answer C is incorrect. Copyright is a form of intellectual property which grants exclusive rights to the creator of an original work for its use and distribution.

Which term is an estimate of the amount of time a piece of equipment will last and is usually determined by the equipment vendor or a third party? A MTTR B MTBF C BCP D BIA

Answer B is correct. Mean time between failures (MTBF) is an estimate of the amount of time a piece of equipment will last and is usually determined by the equipment vendor or a third party. Mean time to repair (MTTR) is an estimate of the amount of time it will take to fix a piece of equipment and return it to production; the owner of the equipment usually determines this amount of time. A business impact analysis (BIA) is created to identify the vital functions and prioritize them based on need; vulnerabilities and threats are identified, and risks are calculated. A business continuity plan (BCP) is created to ensure that policies are in place to deal with long-term outages and disasters. Its primary goal is to ensure that the company maintains its long-term business goals both during and after the disruption, and it mainly focuses on the continuity of the data, telecommunications, and information systems infrastructure. Elements of BCP plan approval and implementation include creating awareness of the plan, obtaining senior management approval of the results, and updating the plan regularly and as needed. The BCP should be tested whenever there have been substantial changes to the company or the environment, and at least once a year.

What is the term for providing fault tolerance by copying the contents of one hard drive to another? A RAID B mirroring C clustering D hot swapping

Answer B is correct. Mirroring occurs when you provide fault tolerance by copying the contents of one hard drive to another. Clustering occurs when you combine two or more servers that provide the same service into a cluster. Clustering balances the load between the servers, or ensures that if one server fails another one takes over. Hot swapping is when you can replace a piece of hardware in a computer while the computer is still operating. Redundant Array of Independent Disks (RAID) is a hard drive technology that provides fault tolerance and performance improvement. While some RAID levels implement mirroring, not all of them do.

Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform? A Application vulnerability review B Mutation fuzzing C Generational fuzzing D Code review

Answer B is correct. Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.
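
The mutation fuzzing Paul intends, as an added example that is not part of the study card. The target is a tiny length-prefixed record parser with a deliberate bounds bug, and the seed input and record format are constructed for illustration; the mutator applies bit flips, byte substitutions, insertions, and deletions to the known-good seed and records every input that makes the parser fail in a way other than its documented rejection path.

```python
import random
from typing import List, Tuple

# Added example (not part of the study card). A tiny record parser with a
# deliberate bounds bug is the target; the mutator derives test cases from a
# known-good seed. Format and seed are constructed for illustration.

def parse_record(data: bytes) -> bytes:
    """Format: <len:1><payload:len><checksum:1>.
    ValueError is the documented rejection path for malformed input."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    payload = data[1:1 + n]
    if len(payload) != n:
        raise ValueError("truncated payload")
    checksum = data[1 + n]  # BUG: never checks that a checksum byte exists -> IndexError
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")
    return payload

def build_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

SEED_INPUT = build_record(b"hello")  # constructed known-good input

# --- mutation operators ---------------------------------------------------
def bit_flip(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]

def byte_replace(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]

def byte_insert(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data) + 1)
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]

def byte_delete(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    return data[:i] + data[i + 1:]

MUTATORS = [bit_flip, byte_replace, byte_insert, byte_delete]

def mutate(seed: bytes, rng: random.Random, max_mutations: int = 3) -> bytes:
    """Apply one to max_mutations random operators to a copy of the seed."""
    data = seed
    for _ in range(rng.randint(1, max_mutations)):
        data = byte_insert(data, rng) if not data else rng.choice(MUTATORS)(data, rng)
    return data

def fuzz(seed: bytes, iterations: int = 500, rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Run the target on mutated inputs and collect crashing cases.
    A fixed RNG seed makes the campaign reproducible."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_record(case)
        except ValueError:
            continue  # expected rejection, not a bug
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes

def reproduces(case: bytes) -> bool:
    """Re-run a crashing input to confirm the failure is deterministic."""
    try:
        parse_record(case)
    except IndexError:
        return True
    except ValueError:
        return False
    return False

if __name__ == "__main__":
    found = fuzz(SEED_INPUT)
    print(len(found), "crashing inputs; first:", found[0] if found else None)
```

Keeping the mutations small is the point of mutation fuzzing: most inputs stay close enough to the valid seed to get past the early length and checksum checks and reach the deeper code, which is where the missing bounds check sits. Generational fuzzing would instead build inputs from a grammar of the format.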

Which of the following acts as the interface between a local area network and the Internet using one public IP address? A firewall B NAT C VPN D router

Answer B is correct. Network Address Translation (NAT) acts as the interface between a local area network and the Internet; the variant that shares a single public IP address among many internal hosts, distinguishing their connections by port number, is often called port address translation (PAT) or NAT overload. A VPN is a private network implemented over a public network, such as the Internet. A router is a network device that forwards traffic between networks, for example between a local area network's subnetworks and the Internet; routers operate at the Network layer of the OSI model (Layer 3). A firewall filters traffic between networks according to an access policy; it may also route and perform NAT, but it is referred to as a firewall because it enforces that policy, for example around a DMZ.

Which would an administrator do to classified media before reusing it in a less secure environment? A Clearing B Purging C Overwriting D Erasing

Answer B is correct. Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

The team writes business continuity procedures. The business continuity procedures return operations to normal conditions as part of the overall disaster recovery plan. Which of the following types of control is the business continuity procedure? A Physical B Recovery C Directive D Logical

Answer B is correct. Recovery controls attempt to return conditions to a normal state. Business continuity procedures are designed to return business operations to their normal state following a disaster. Answers C, D, and A are incorrect. The business continuity procedure is not a directive, logical, and physical control.

Which statement is true of the Rijndael algorithm? A Rijndael uses fixed block lengths and fixed key lengths. B Rijndael uses variable block lengths and variable key lengths. C Rijndael uses fixed block lengths and variable key lengths. D Rijndael uses variable block lengths and fixed key lengths.

Answer B is correct. Rijndael is a symmetric block cipher that supports variable block lengths and variable key lengths; the block and key sizes commonly cited are 128, 192, and 256 bits (the original specification allows any multiple of 32 bits between 128 and 256). The number of rounds depends on the block and key sizes. Each round consists of a nonlinear (substitution) layer, a linear mixing layer, and a key-addition layer. Rijndael requires little memory, has resisted all known practical attacks, and was chosen to protect sensitive but unclassified government information. The NIST Advanced Encryption Standard (AES) uses the Rijndael algorithm but fixes the block size at 128 bits and allows key sizes of 128, 192, or 256 bits, with 10, 12, or 14 rounds respectively. AES and Rijndael are often referred to as iterated block ciphers.

You need to ensure that data types and rules are enforced in the database. Which type of integrity should be enforced? A entity integrity B semantic integrity C cell suppression D referential integrity

Answer B is correct. Semantic integrity should be enforced. Semantic integrity ensures that data types and rules are enforced. It includes checking data types, values, data constraints, and uniqueness rules. Semantic integrity protects the data by ensuring that data values follow all the rules. Entity integrity ensures that each row is identified by a unique primary key. Referential integrity ensures that each foreign key references a primary key that actually exists. Cell suppression is not a type of integrity. It is a technique used to hide certain cells.

Which of the following types of virus hides themselves by actually tampering with the operating system and making antivirus packages believe that everything is functioning normally? A Encrypted viruses B Stealth viruses C Multipartite viruses D Polymorphic viruses

Answer B is correct. Stealth viruses hide themselves by tampering with the operating system (for example, intercepting file and disk reads) so that antivirus packages are shown clean data and believe everything is functioning normally. Answer C is incorrect. Multipartite viruses use a combination of techniques, infecting documents, executables, and boot sectors. Typically a multipartite virus first loads into memory and then infects the boot sector of the hard drive; once resident in memory, it can infect the entire system. Answer D is incorrect. Polymorphic viruses change their own code, and therefore their signature, at each infection. They are complex, hard to detect, and defeat simple signature-based antivirus. Answer A is incorrect. Encrypted viruses use cryptographic techniques to avoid detection: the virus body is stored encrypted on disk under a key that changes with each infection, so each infected system carries a copy with a different signature, much like a polymorphic virus in outward appearance. The difference is that an encrypted virus only changes how its body is stored on disk; it does not produce new signatures by rewriting its code, and the small decryption routine that runs first can itself be signatured.

Which of the following is the method of hiding data within another media type such as graphic or document? A Spoofing B Steganography C Cryptanalysis D Packet sniffing

Answer B is correct. Steganography is the method of hiding data within another media type such as a graphic or document. The advantage of steganography over cryptography alone is that the message does not attract attention from an observer: an encrypted blob is obviously a secret, whereas a picture is just a picture. Answer A is incorrect. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, and so on. In IP spoofing, an attacker forges the source address in packet headers to hide his identity. Because replies are sent to the forged address, spoofing is not usable for interactive two-way sessions such as web browsing or on-line chat; it is used for one-way traffic such as reflected denial-of-service attacks. Answer C is incorrect. Cryptanalysis is the process of analyzing ciphertext and finding weaknesses in cryptographic algorithms; these weaknesses can be used to decipher the ciphertext without knowing the secret key. Answer D is incorrect. Packet sniffing is the process of monitoring data packets as they travel across a network. The software used for packet sniffing is known as a sniffer. Many packet-sniffing programs are available on the Internet, and an unauthorized sniffer on a network is a threat to its security.
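The following is an added example, not code from the study guide, showing the most common form of the technique: least-significant-bit (LSB) steganography. The cover "image" is a constructed bytearray of 8-bit grayscale pixels; each payload bit replaces the low-order bit of one pixel, so no pixel changes by more than 1 (invisible to the eye) while the reader recovers the message exactly.

```python
"""Added example (not from the study guide): least-significant-bit (LSB)
steganography over a constructed 8-bit grayscale 'image' held as a bytearray.
Each payload bit replaces the low-order bit of one pixel, so no pixel changes
by more than 1, which the eye cannot see, while the reader recovers it exactly."""


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Hide payload in the LSBs of cover. A 4-byte big-endian length prefix
    tells the extractor where the hidden message ends."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small: need %d pixels" % (len(message) * 8))
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(message)):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear low bit, set it to ours
    return stego


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the pixel LSBs."""
    def read(offset_bits: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset_bits + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel change introduced by embedding (at most 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed sample cover: a 64x64 diagonal gradient, 4096 pixels.
COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))
SECRET = b"meet at 0900"  # constructed payload

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print(extract(stego), max_pixel_delta(COVER, stego))
```

Two caveats a practitioner should keep in mind: LSB embedding is invisible but not undetectable (statistical tests on the distribution of low-order bits reveal it), and any lossy recompression of the carrier, such as saving the image as JPEG, destroys the hidden data.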

Which technology centralizes authentication, accounting, and per-command authorization? A RADIUS B TACACS+ C AD D LDAP

Answer B is correct. Terminal Access Controller Access Control System Plus (TACACS+) centralizes authentication, authorization, and accounting, and its authorization step is granular enough to approve or deny individual commands (per-command authorization). TACACS+ also supports two-factor authentication, lets a user change passwords, and can resynchronize security tokens. Remote Authentication Dial-In User Service (RADIUS) also centralizes authentication and accounting, but it combines authentication and authorization into a single exchange and has no per-command authorization; it is, however, more widely supported than TACACS+. A further practical difference is that TACACS+ encrypts the entire packet body, whereas RADIUS encrypts only the password attribute. Active Directory (AD) is a directory service used on Windows networks. Lightweight Directory Access Protocol (LDAP) is the protocol used to query and connect to directory services, either between directory services or between a directory service and a client.

Which access control model ensures integrity through the implementation of integrity-monitoring rules and integrity-preserving rules? A Biba model B Clark-Wilson model C Chinese Wall model D Bell-LaPadula model

Answer B is correct. The Clark-Wilson access control model ensures integrity by implementing integrity-monitoring rules and integrity-preserving rules. The integrity-monitoring rules are known as certification rules, and the integrity-preserving rules are known as enforcement rules. The model defines constrained data items (CDIs), integrity verification procedures (IVPs), and transformation procedures (TPs). None of the other models ensures integrity through these types of rules. The main emphasis of the Clark-Wilson model is integrity, and it is best known for its use in commercial applications. It provides data integrity by preventing modifications by unauthorized users and improper modifications by authorized users, and it maintains both internal and external consistency. The model focuses on integrity, separation of duties, constrained data items, transformation procedures, and well-formed transactions. Auditing is required: the model should be audited and monitored to track the information flow for a given transaction. Clark-Wilson uses a subject-program-object relationship known as a triple (also called an access triple): a subject can access a CDI only through a certified program (the TP), which acts as the intermediary between the subject and the object. Because subjects are never given direct access to objects, triples enforce separation of duties, and the model further requires that separate subjects perform the separate subtasks of a given task. The Clark-Wilson model does NOT address data confidentiality.
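As an added example, not code from the study guide, the following toy enforcement kernel shows the Clark-Wilson pieces named above working together: subjects reach constrained data items only through certified transformation procedures, the (user, TP) authorization is checked before each run, an integrity verification procedure checks the result and the change is rolled back if it fails, the person who certifies a TP may not also execute it (separation of duties), and every run is logged. The bank accounts, the integrity rules, and the user names are constructed sample data.

```python
"""Added example (not from the study guide): a toy Clark-Wilson enforcement
kernel. Subjects reach constrained data items (CDIs) only through certified
transformation procedures (TPs), the access triple (user, TP, CDI) is checked
before each run, an integrity verification procedure (IVP) checks the result
and rolls back on failure, certification and execution are held by different
people (separation of duties), and every run is logged. The bank accounts,
rules and user names are constructed sample data."""


class IntegrityViolation(Exception):
    pass


class ClarkWilson:
    def __init__(self):
        self.cdis = {}        # CDI name -> value
        self.tps = {}         # TP name -> (certifier, callable, CDI names it may touch)
        self.triples = set()  # (user, tp) pairs a security officer has authorized
        self.ivps = []        # callables returning True when all CDIs are consistent
        self.log = []         # audit trail of every attempted transaction

    def certify_tp(self, certifier, name, func, cdi_names):
        """Certification rule: record that func is well-formed on cdi_names."""
        self.tps[name] = (certifier, func, frozenset(cdi_names))

    def authorize(self, user, tp):
        """Enforcement rule: bind user to TP; the certifier may not also run it."""
        if self.tps[tp][0] == user:
            raise IntegrityViolation("separation of duties: certifier cannot run TP")
        self.triples.add((user, tp))

    def run(self, user, tp, *args):
        """The only path to a CDI: check the triple, run the TP on a view that
        contains just its certified CDIs, then verify and commit or roll back."""
        if (user, tp) not in self.triples:
            raise PermissionError(f"{user} not authorized for {tp}")
        _, func, allowed = self.tps[tp]
        view = {k: self.cdis[k] for k in allowed}
        snapshot = dict(self.cdis)
        try:
            func(view, *args)
        except KeyError as missing:
            raise IntegrityViolation(f"TP touched uncertified CDI {missing}")
        self.cdis.update(view)
        if not all(ivp(self.cdis) for ivp in self.ivps):
            self.cdis = snapshot
            self.log.append((user, tp, args, "rejected"))
            raise IntegrityViolation("IVP failed; transaction rolled back")
        self.log.append((user, tp, args, "ok"))


def transfer(view, src, dst, amount):
    """A TP: the well-formed transaction moves money, it does not create it."""
    view[src] -= amount
    view[dst] += amount


def build_bank():
    """Constructed sample: two accounts; total must stay 150, none negative."""
    cw = ClarkWilson()
    cw.cdis.update({"acct_a": 100, "acct_b": 50})
    cw.ivps.append(lambda c: c["acct_a"] + c["acct_b"] == 150)
    cw.ivps.append(lambda c: min(c.values()) >= 0)
    cw.certify_tp("auditor", "transfer", transfer, ["acct_a", "acct_b"])
    cw.authorize("teller", "transfer")
    return cw


if __name__ == "__main__":
    bank = build_bank()
    bank.run("teller", "transfer", "acct_a", "acct_b", 30)
    print(bank.cdis, bank.log)
```

The overdraft case is the one to study: the TP itself is "correct" code, yet the IVP still rejects the result and restores the snapshot, which is exactly the external-consistency check the model requires in addition to certifying the TP.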

Which statement is NOT true regarding the Ethernet LAN technology? A It is defined by IEEE 802.3 B It uses a multistation access unit (MAU) as its central device. C It supports full duplex transmissions. D It uses carrier sense multiple access with collision detection (CSMA/CD).

Answer B is correct. Ethernet does NOT use a multistation access unit (MAU) as its central device; the MAU is the central device in Token Ring, which was defined by IEEE 802.5. Token Ring controls media access by passing a token around the ring rather than by contention, so it uses neither CSMA/CD nor CSMA/CA (carrier sense multiple access with collision avoidance is the access method of IEEE 802.11 wireless LANs). Ethernet is defined by IEEE 802.3, supports full-duplex transmission, and on shared half-duplex segments uses carrier sense multiple access with collision detection (CSMA/CD); on switched full-duplex links there are no collisions and CSMA/CD is not needed. Full duplex can transmit and receive information in both directions simultaneously. Transmissions can be asynchronous or synchronous. In asynchronous transmission, a start bit marks the beginning of each unit of data, the data bits follow, and one or two stop bits mark its end. Because start and stop bits accompany every unit of data and carry no information, the effective data rate is lower than that of synchronous transmission, and data is sent only when it is available rather than as a continuous stream. In synchronous transmission, the transmitter and receiver have synchronized clocks and data is sent as a continuous stream; the clocks are kept in step using transitions in the data, so start and stop bits are not required for each unit of data. Half-duplex transmissions can travel in two directions, but only one direction at a time. Simplex transmissions take place in one direction only.

What technology does the Java language use to minimize the threat posed by applets? A Stealth B Sandbox C Confidentiality D Encryption

Answer B is correct. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.

Which key size is not used by the Rijndael cipher? A 128 B 300 C 256 D 192

Answer B is correct. The Rijndael cipher does not use a 300-bit key; it uses 128-, 192-, or 256-bit keys. The number of encryption rounds depends on the key length: 10 rounds for a 128-bit key, 12 rounds for a 192-bit key, and 14 rounds for a 256-bit key (some texts count 9, 11, and 13 rounds and treat the final round, which omits the linear-mixing step, separately). Each round applies three layers of transformation to the block of message text: a nonlinear transform (byte substitution), a linear-mixing transform (row shifting and column mixing), and a key-addition transform.

What port is typically used to accept administrative connections using the SSH utility? A 20 B 22 C 25 D 80

Answer B is correct. The SSH protocol uses port 22 to accept administrative connections to a server.

Which model allows for the output of one system to be used as the input of another system? A State machine model B Cascade composition model C Take-Grant model D Noninterference model

Answer B is correct. The cascade composition model allows the output of one system to be used as the input of another system. Answer C is incorrect. The Take-Grant model uses a directed graph to show how rights can be passed from one subject to another or from a subject to an object. Answer D is incorrect. The noninterference model is loosely based on the information flow model and is concerned with how the actions of a subject at a higher security level affect the system state or the actions of a subject at a lower level. Answer A is incorrect. The state machine model is based on a finite state machine (FSM) and is designed so that, whatever action is performed, the system always remains in a secure state.

Collecting and identifying digital evidence in a court of law is challenging. Why is it so? A The evidence is mostly corrupted. B The evidence is mostly intangible. C The evidence is mostly tangible. D The evidence is mostly encrypted.

Answer B is correct. The evidence within computer crimes usually comes straight from computers themselves. This implies that the data is held as electronic voltages, which are represented as binary bits. Some data can be held on hard drives and peripheral devices and some data may be held in the memory of the system itself. This type of evidence is intangible in that it is not made up of objects one can hold, see, and manipulate. Other types of crimes usually have evidence that is more tangible in nature, which is easier to handle and control.

How is the value of a safeguard to a company calculated? A ALE before safeguard * ARO of safeguard B ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard C Total risk - controls gap D ALE after implementing safeguard - annual cost of safeguard - controls gap

Answer B is correct. The formula to calculate the value of a safeguard to an organization is ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard

In which of the following orders is the information packaged during encapsulation? A Data, Packet, Segment, Frame B Data, Segment, Packet, Frame C Packet, Data, Segment, Frame D Segment, Data, Packet, Frame

Answer B is correct. The information is packaged in the following order during encapsulation: Data (application layer), Segment (transport layer), Packet (network layer), Frame (data link layer); the frame is finally transmitted as bits on the wire. Each layer prepends its own header, so each level contains the level above it as its payload.
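The following added example (not code from the study guide) carries the encapsulation order out with `struct`: application data becomes a TCP segment, the segment becomes an IPv4 packet with a correct header checksum, the packet becomes an Ethernet frame, and a decapsulation routine peels the layers back off while verifying each one. The addresses, ports, and payload are constructed; for brevity the TCP checksum is left at zero and the 4-byte Ethernet FCS is omitted.

```python
"""Added example (not from the study guide): encapsulation carried out with
struct. Application data becomes a TCP segment, the segment becomes an IPv4
packet, the packet becomes an Ethernet frame, and decapsulation peels the
layers back off. Addresses, ports and payload are constructed; the TCP
checksum is left zero and the 4-byte Ethernet FCS is omitted for brevity."""
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Layer 4: 20-byte TCP header (seq/ack 0, PSH+ACK, window 65535) + data."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         5 << 4, 0x18, 65535, 0, 0)
    return header + data


def ip_packet(src: bytes, dst: bytes, segment: bytes) -> bytes:
    """Layer 3: 20-byte IPv4 header (TTL 64, protocol 6 = TCP) + segment."""
    fmt = "!BBHHHBBH4s4s"
    header = struct.pack(fmt, 0x45, 0, 20 + len(segment), 0, 0x4000, 64, 6, 0, src, dst)
    ck = ones_complement_checksum(header)          # computed with field = 0
    header = header[:10] + struct.pack("!H", ck) + header[12:]
    return header + segment


def ethernet_frame(src_mac: bytes, dst_mac: bytes, packet: bytes) -> bytes:
    """Layer 2: destination MAC, source MAC, EtherType 0x0800 (IPv4) + packet."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet


def encapsulate(data: bytes) -> dict:
    """Data -> Segment -> Packet -> Frame, returning every intermediate form."""
    segment = tcp_segment(40000, 22, data)
    packet = ip_packet(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 22]), segment)
    frame = ethernet_frame(b"\x02\x00\x00\x00\x00\x05",
                           b"\x02\x00\x00\x00\x00\x16", packet)
    return {"data": data, "segment": segment, "packet": packet, "frame": frame}


def decapsulate(frame: bytes) -> bytes:
    """Strip frame, packet and segment headers, verifying each layer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:   # valid header sums to 0
        raise ValueError("bad IP header checksum")
    if packet[9] != 6:
        raise ValueError("not TCP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    data_offset = (segment[12] >> 4) * 4
    return segment[data_offset:]


if __name__ == "__main__":
    layers = encapsulate(b"GET /status\r\n")
    for name, blob in layers.items():
        print(f"{name:8s} {len(blob):3d} bytes")
    print(decapsulate(layers["frame"]))
```

Reading the byte counts printed by the block is the fastest way to internalize the order: each layer is exactly the previous one plus its own header, which is also why a sniffer parses a capture frame first, then packet, then segment, and why a spoofed source address can be forged independently at layers 2 and 3.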

Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level? A No read down property B No read up property C No write up property D (star) Security Property

Answer B is correct. The no read up property, also called the Simple Security Property, prohibits a subject from reading an object at a higher security level than its own. The *-property (star property) is the complementary rule: no write down, so a subject cannot write to an object at a lower level and leak information downward.

A business impact analysis (BIA) is a crisis management and business impact analysis technique that identifies those threats that can impact the business continuity of operations. Which of the following are the objectives defined by the business impact analysis? A Determining all potential financial, legal, and regulatory impacts B All of these C Defining the key inner and outer dealings and dependencies of each process D Setting up time frames for recovery of all business-related processes

Answer B is correct. The objectives defined by a business impact analysis are: identifying the full business process; determining all potential financial, legal, and regulatory impacts; setting up time frames for recovery of all business-related processes; defining the key inner and outer dealings and dependencies of each process; identifying the resources required for all processes to recover and their related recovery time frames; training personnel in the recovery process; and making management aware of the continuity plans.

In the context of backup media, what is meant by the term retention time? A the amount of time a tape takes to back up the data B the amount of time a tape is stored before its data is overwritten C the amount of time a tape takes to restore the data D the amount of time a tape is used before being destroyed

Answer B is correct. The retention time is the amount of time a tape is stored before its data is overwritten. The longer the retention time, the more media sets will be needed for backup purposes. A longer retention time will give you more flexibility for restoration. The backup time is the amount of time a tape takes to back up the data. It is based on the speed of the device and the amount of data being backed up. The life of a tape is the amount of time a tape is used before being destroyed. The life of a tape is based on the amount of time it is used. Most vendors provide an estimate on backup media life. The restoration time is the amount of time a tape takes to restore the data. It is based on the speed of the device, the amount of data being restored, and the type of backups used. When selecting backup devices and media, you should consider the physical characteristics or type of the drive. The type of the drive includes the media type, capacity, and speed. You should also consider the rotation scheme. The rotation scheme includes the frequency of backups and the tape retention time.

Which service provided by a cryptosystem turns information into unintelligible data? A nonrepudiation B confidentiality C integrity D authorization

Answer B is correct. The service provided by a cryptosystem that turns information into unintelligible data is confidentiality. Nonrepudiation ensures that the sender of the data cannot deny having sent the data. Authorization allows users to access a resource once their identity is proven. Integrity ensures that data has not been changed by an unauthorized user since the data was created, transmitted, or stored.

Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A 0.01 B 10,000,000 C 100,000 D 0.10

Answer B is correct. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).
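The following added example (not code from the study guide) carries the quantitative risk formulas used in these two items through in one place: the tornado scenario above gives SLE and ALE, and the safeguard-value formula from the earlier item is then used to decide which of two candidate safeguards is cost-justified. The candidate safeguards, their exposure factors, and their annual costs are assumed figures for illustration only.

```python
"""Added example (not from the study guide): the quantitative risk formulas
used in these items, carried through for the tornado scenario and then used
to decide whether a candidate safeguard is cost-justified.
  SLE = asset value * exposure factor
  ALE = SLE * ARO
  safeguard value = ALE before - ALE after - annual cost of safeguard
The candidate safeguard figures below are assumed for illustration."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Positive means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


def tornado_scenario():
    """Page figures: $10M loss from one tornado (EF = 1.0), once per 100 years."""
    sle = single_loss_expectancy(10_000_000, 1.0)
    ale = annualized_loss_expectancy(sle, 1 / 100)
    return sle, ale


def evaluate_safeguards(asset_value, ef_before, aro, candidates):
    """candidates: {name: (exposure factor after safeguard, annual cost)}.
    Returns {name: safeguard value}. ARO is unchanged: a safeguard against a
    tornado reduces how much is lost, not how often a tornado arrives."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro)
    results = {}
    for name, (ef_after, cost) in candidates.items():
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, ef_after), aro)
        results[name] = safeguard_value(ale_before, ale_after, cost)
    return results


def best_safeguard(results):
    """Name of the cost-justified safeguard with the largest value, or None."""
    justified = {n: v for n, v in results.items() if v > 0}
    return max(justified, key=justified.get) if justified else None


# Assumed candidate safeguards for the tornado risk (illustrative figures only).
CANDIDATES = {
    "reinforced hangar": (0.4, 40_000),   # loss cut to 40% for $40k per year
    "relocate ops":      (0.1, 120_000),  # loss cut to 10% for $120k per year
}

if __name__ == "__main__":
    print(tornado_scenario())
    results = evaluate_safeguards(10_000_000, 1.0, 0.01, CANDIDATES)
    print(results, best_safeguard(results))
```

The second candidate removes far more risk yet has a negative value, which is the point of the formula: a safeguard is justified by its net annual saving, not by how much risk it eliminates.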

What software development model uses a seven-stage approach with a feedback loop that allows progress one step backward? A Boyce-Codd B Waterfall C Spiral D Agile

Answer B is correct. The waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the immediately preceding phase to correct defects discovered in the current phase. Boyce-Codd is a database normal form (BCNF), not a software development model.

An organization wants to implement the access control model that is easiest to administer. Which access control model should they use? A DAC B RBAC C ACL D MAC

Answer B is correct. They should use role-based access control (RBAC). RBAC is the easiest access control model to administer. With RBAC, each user is assigned to one or more roles. Object permissions are granted to the roles. The roles are easily determined based on the roles defined within the organization. Examples of roles include data entry clerk, bank teller, loan manager, network manager, and so on. In this way, RBAC can be mapped to the organizational structure of the company. An access control list (ACL) is not an access control model. It is an access control entity that gives a table of subjects and the level of access granted to a particular object. Mandatory access control (MAC) is usually considered difficult to implement because of several factors. First, a specialized operating system is required for proper implementation. Also, each subject and object must be assigned a security label. These labels are used to determine access rights. Discretionary access control (DAC), while easier to administer than MAC, is not as easy to administer as RBAC. DAC requires that the data owner determine the level of object access that should be granted to each subject. Subjects can be users or groups of users. DAC is the easiest access control method to implement. DAC and MAC can be effectively replaced by RBAC.

Which hashing algorithm uses a 192-bit hashing value and was developed for 64-bit systems? A MD5 B Tiger C HAVAL D SHA

Answer B is correct. Tiger produces a 192-bit hash value and was designed for 64-bit systems. None of the other hashing algorithms was designed for 64-bit systems. HAVAL produces a variable-length hash. The original Secure Hash Algorithm (SHA-1) produces a 160-bit hash value; the later SHA-2 family produces 224- to 512-bit values. Message Digest 5 (MD5) produces a 128-bit hash value.

How many possible keys exist in a 4-bit key space? A 8 B 16 C 128 D 4

Answer B is correct. To determine the number of keys in a key space, raise 2 to the power of the number of bits in the key. In this example, 2^4 = 16 possible keys.

You are implementing enterprise access management for your company. You need to ensure that the system you implement allows you to configure a trust with another company such that your users can access the other company's network without logging in again. What should you implement to ensure that this trust can be configured? A biometrics B federated identity management C password management D smart cards

Answer B is correct. To configure a trust with another company that allows your users to access the other company's network without logging in again, you should implement federated identity management. Federated identity management allows single sign-on (SSO) between companies. Password management is necessary in any enterprise access management implementation, and if passwords are not managed properly, security breaches are likely; however, password management will not ensure that the trust between the companies can be configured. Smart cards provide a more secure login and authentication mechanism than passwords, and biometrics provide a more secure mechanism than passwords or smart cards, but neither will ensure that the trust can be configured. Enterprise access management (EAM) provides access control management services to web-based enterprise systems. EAM provides SSO, role-based access control, and accommodation of a variety of authentication mechanisms, including passwords, smart cards, and biometrics.

Your company suspects an employee for sending unauthorized emails to competitors. These emails are alleged to contain confidential company data. Which of the following is the most important step for you to take in preserving the chain of custody? A Place spyware on the employee's PC to confirm these activities. B Preserve the email server including all logs. C Make copies of that employee's email. D Seize the employee's PC.

Answer B is correct. To preserve chain of custody, you should immediately create a mirror image of the hard drive on the email server, and then preserve the original hard drive and use the mirrored image for your server. This is the best way to guarantee that all email records are not only preserved, but are not tampered with. Answer D is incorrect. The employee may have already erased offending emails; there may or may not be evidence on that PC. Answer C is incorrect. In this case, the employee may have already deleted the emails you are seeking. Furthermore, copies can present problems at any potential trial. Experts for the other side might argue that the copies were (intentionally or not) altered in the copy process. Answer A is incorrect. Not only might the spyware not catch the employee's offending action, but the presence of spyware could be construed to alter the computer and might make it difficult to establish chain of custody on any evidence gathered.

Servers within your organization were recently attacked causing an excessive outage. You are asked to check systems for known issues that attackers may use to exploit other systems in your network. Which of the following is the best choice to meet this need? A Security audit B Vulnerability scanner C Versioning tracker D Security review

Answer B is correct. Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn't directly check systems for vulnerabilities.

When Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product's development, which of the following goals it has in mind with this process? A To reduce the number of security-related design defects B All of the above C To reduce the severity of any remaining defects D To reduce the number of coding defects

Answer B is correct. When Microsoft uses a Security Development Lifecycle (SDL) process to consider and implement security at each stage of a product's development, it has three goals in mind: to reduce the number of security-related design defects; to reduce the number of coding defects; and to reduce the severity of any remaining defects.

When all system testing and bug correction has been done, the software product is delivered to the user for __________. A white-box testing B acceptance testing C black-box testing D stress testing

Answer B is correct. When all system testing and bug correction has been done, the software product is delivered to the user for acceptance testing, which is conducted on the project's completion. Acceptance testing is performed by the user, sometimes with stakeholders involved. It is used to establish confidence in the system and is a validation type of testing (does the product meet the user's needs?). Answer A is incorrect because white-box testing examines the internal logical structure of a program, stepping through the code line by line to find potential errors. Answer D is incorrect because stress testing probes the limits of a system (maximum number of users, peak demand, and so on). Answer C is incorrect because black-box testing examines the program from a user's perspective by providing a wide variety of input scenarios and inspecting the output.

You have been hired as the security administrator for an organization that uses mandatory access control (MAC). When using this type of access control, which entities make up a security label? A roles and privileges B classification and categories C definitions and permissions D identities and rights

Answer B is correct. When using mandatory access control (MAC), a security or sensitivity label is comprised of a classification and different categories. The classification indicates the sensitivity level of the subject or object, such as secret or top-secret. The different categories enforce the need-to-know rules by categorizing the subjects and objects into categories, such as human resources and accounting. The categories should be determined by the organization based on the organization access control needs. The other entities are not valid parts of a security label. MAC is more prohibitive in nature. Therefore, it is more secure than discretionary access control (DAC). However, DAC is more flexible and scalable than MAC. MAC defines security levels that are imposed on all subjects and objects.
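The following added example (not code from the study guide) ties this item to the earlier Bell-LaPadula item: a MAC label is modelled as a classification plus a set of categories, "dominance" between labels requires both a high enough classification and every category of the object (the need-to-know rule), and the no-read-up and no-write-down properties are then one line each on top of dominance. The classification ordering and the category names are assumed for illustration.

```python
"""Added example (not from the study guide): MAC security labels as a
classification plus a set of categories, with the Bell-LaPadula rules from
the page (no read up, no write down) built on label dominance. The
classification ordering and category names are assumed for illustration."""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    def __init__(self, classification: str, categories=()):
        self.classification = classification
        self.level = LEVELS[classification]
        self.categories = frozenset(categories)

    def dominates(self, other: "Label") -> bool:
        """A dominates B when A's classification is at least B's AND A holds
        every category of B. The category test is the need-to-know rule: a
        secret-cleared HR subject does not dominate a secret accounting file."""
        return self.level >= other.level and self.categories >= other.categories

    def __repr__(self):
        return f"{self.classification}:{sorted(self.categories)}"


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): read only what you dominate."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): write only to objects that dominate you,
    so information never flows to a lower or unrelated label."""
    return obj.dominates(subject)


def access_decision(subject: Label, obj: Label) -> str:
    """'rw', 'r', 'w' or '-' for the given subject/object pair."""
    r, w = can_read(subject, obj), can_write(subject, obj)
    return {(True, True): "rw", (True, False): "r",
            (False, True): "w", (False, False): "-"}[(r, w)]


if __name__ == "__main__":
    analyst = Label("secret", {"hr"})
    samples = {
        "hr memo (confidential, hr)": Label("confidential", {"hr"}),
        "ledger (secret, hr + accounting)": Label("secret", {"hr", "accounting"}),
        "plan (top secret, no category)": Label("top secret"),
    }
    for name, obj in samples.items():
        print(f"{name:36s} {access_decision(analyst, obj)}")
```

Note the third sample: the top-secret object is higher than the analyst, yet the analyst may not even write to it, because a label with no categories does not dominate a label that has one. That is the difference between a one-dimensional clearance level and a real MAC label.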

Given two messages, M1 and M2, what is the LEAST likely outcome when the same one-way hash function, H, is applied to both messages? A H(M1) is not equal to H(M2) B H(M1) = H(M2) C H(M1) < H(M2) D H(M1) > H(M2)

Answer B is correct. When the same one-way hash function is applied to two different messages, the least likely outcome is that H(M1) = H(M2). Because the digest is a fixed length while inputs are unbounded, collisions must exist, but for a cryptographic hash it is computationally infeasible to find two messages with the same hash value; this property is called collision resistance (such hashes are often loosely described as "collision free"). All of the other options are more likely than an identical result: two distinct digests, interpreted as numbers, will be either less than or greater than each other. For a cryptographic hash function, H(M) is easy to compute for any message, the output length is fixed and independent of the input length, and the function is one-way, meaning it is infeasible to recover M from H(M). Note that hashing is not encryption: there is no key, and the operation is not meant to be reversed.
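The following added example (not code from the study guide) checks the hash properties claimed above with `hashlib`, and also shows the digest sizes named in the earlier Tiger/MD5/SHA item for the algorithms the standard library provides. Output length is fixed regardless of input length, and collisions, which must exist because inputs outnumber digests, only become findable when the digest is short: the birthday search below truncates SHA-256 to 16 bits so that one turns up in a few hundred trials, which is the same attack that costs about 2^128 work against the full digest.

```python
"""Added example (not from the study guide): the hash-function properties
claimed in this item, checked with hashlib. Output length is fixed regardless
of input length, and collisions, which must exist because inputs outnumber
digests, are only findable when the digest is short: the search below
truncates SHA-256 to a few bits to make one appear."""
import hashlib
from itertools import count


def digest_bits(algorithm: str, data: bytes = b"") -> int:
    """Digest length in bits for a hashlib algorithm name."""
    return len(hashlib.new(algorithm, data).digest()) * 8


def fixed_length(algorithm: str, inputs) -> bool:
    """True if every input, whatever its size, yields the same digest length."""
    return len({digest_bits(algorithm, m) for m in inputs}) == 1


def truncated_hash(data: bytes, nbits: int) -> int:
    """Toy hash: the first nbits of SHA-256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - nbits)


def find_collision(nbits: int, limit: int = 1 << 20):
    """Birthday search: hash distinct messages until two share a truncated
    digest. Expected cost is about 2^(nbits/2) trials, and the pigeonhole
    principle guarantees a hit after 2^nbits + 1 distinct messages.
    Returns (m1, m2, trials) or None if limit is reached first."""
    seen = {}
    for i in count():
        if i >= limit:
            return None
        message = b"msg-%d" % i          # distinct constructed messages
        h = truncated_hash(message, nbits)
        if h in seen:
            return seen[h], message, i + 1
        seen[h] = message


if __name__ == "__main__":
    print({a: digest_bits(a) for a in ("md5", "sha1", "sha256")})
    m1, m2, trials = find_collision(16)
    print(trials, m1, m2, hex(truncated_hash(m1, 16)))
```

Raising `nbits` by two roughly doubles the trials needed, which is the intuition behind why a 128-bit digest (MD5) is considered too short for collision resistance today even before its structural weaknesses are taken into account.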

Which notebook is most preferred during the course of investigation in legal record keeping? A tagged notebook B bound notebook C spiral notebook D clear notebook

Answer B is correct. While collecting and analyzing evidence in legal record keeping, the response team should record the findings in a bound notebook rather than in a spiral notebook. While following the chain of custody, the response team should be equipped with a bound notebook, a camera, forensic tools, containers, and evidence identification tags. Bound notebooks are useful because removing pages is easily noticeable. Spiral notebooks should not be used because there is no clear way to notice if pages have been removed. Tagged notebooks and clear notebooks are invalid categories of notebooks used by the investigator during the course of evidence collection and analysis. It is important to note that the notebook cannot be used as evidence in court. A notebook as a part of legal record keeping can only be used by the investigator to refresh that individual's memory during hearings and while submitting facts and evidence to the court. During the course of investigation and while following chain of custody, the scene of the computer crime should be photographed along with proper labeling and tags attached to the evidence. Computer memory contents should be dumped, and the system should be powered down. A bit image of the hard drive should be prepared to be used for investigation. In order for evidence to be admissible in a court of law, it must be relevant, legally permissible, reliable, properly identified, and properly preserved. Reliability of evidence means that the evidence has not been tampered with or modified.

One of the planned international offices will perform highly sensitive tasks for a governmental entity. For this reason, you must ensure that the company selects a location where a low profile can be maintained. On which of the following criteria do you base your facility selection? A accessibility B visibility C surrounding area D construction

Answer B is correct. You are concerned with visibility. The appropriate amount of visibility depends on the organization and the processes carried out in the facility; for this office, you need to ensure that the company selects a location where a low profile can be maintained. Accessibility is the ease with which employees and officers can reach the facility. Construction determines the building materials used to construct the facility. Surrounding area is the environment in which the facility is located, and is primarily concerned with the local crime rate and the distance to emergency services. None of these other factors is relevant to maintaining a low profile.

As a part of the incident response team, you have been given a procedures document that identifies the steps you must complete during a forensic investigation. When should the evidence collection step be completed? A after the incident has been identified only B after the incident has been identified and the evidence has been preserved C after the incident has been identified, the evidence has been preserved, and the evidence has been analyzed D after the evidence has been preserved only

Answer B is correct. You should complete the evidence collection step after the incident has been identified and the evidence has been preserved. The proper steps in a forensic investigation are as follows. Identification: event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis. Preservation: imaging technologies, chain of custody standards, and time synchronization. Collection: approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. Examination: traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. Analysis: traceability, statistical analysis, protocol analysis, data mining, and timeline determination. Presentation: documentation, expert testimony, clarification, mission impact statement, recommended countermeasures, and statistical interpretation. Decision: management reports, court decisions, and internal decisions.

A file server has unexpectedly rebooted into single-user mode. You are not sure what caused the reboot. What should you do next? A Reboot the file server. B Recover damaged file system files. C Validate critical configuration and system files. D Identify the cause of the unexpected reboot.

Answer B is correct. You should recover damaged file system files next. None of the other options is correct at this point. When a system crashes, perform the following steps in this order: (1) enter single-user mode (the computer may already be in this mode); (2) recover damaged file system files; (3) identify the cause of the unexpected reboot and repair the system as necessary; (4) validate critical configuration and system files and system operations; (5) reboot the system as normal.

During a recent security audit at your organization, a rogue subject was discovered. You need to discover the access rights for this subject only. Which entity should you review? A access control list (ACL) B capability table C group D access rights function

Answer B is correct. You should review the subject's capability table. A capability table lists the access rights a subject holds over a set of objects; capability tables are bound to subjects. A group is a subset of users grouped together based on their role, department membership, or other qualifying criteria that the system administrator determines; permissions can be assigned to groups to reduce the administrative effort of configuring access. An access control list (ACL) lists the access rights that subjects can exercise on a particular object; ACLs are bound to objects. There is no such thing as an access rights function. The access control matrix model ensures that the appropriate access to objects is granted to subjects. It consists of a list of subjects, a list of objects, a function that returns an object's type, and the matrix itself, where objects are columns and subjects are rows. This model is commonly implemented using ACLs and capability tables. A row of an access control matrix is the capability list of one subject across many resources; a column is the ACL of one resource across many subjects.
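The following added example (not code from the study guide) shows one access control matrix viewed both ways: a row is a subject's capability list (the capability table of this item) and a column is an object's ACL. It also shows why each view suits a different administrative task, including the one in the question, revoking everything a rogue subject holds. The subjects, objects, and rights are constructed sample data.

```python
"""Added example (not from the study guide): one access control matrix
viewed two ways. A row is a subject's capability list (what the page calls a
capability table); a column is an object's ACL. The subjects, objects and
rights are constructed sample data."""

MATRIX = {  # subject -> object -> rights
    "alice": {"payroll.db": {"read", "write"}, "hr.doc": {"read"}},
    "bob":   {"payroll.db": {"read"}},
    "svc_x": {"payroll.db": {"read", "write"}, "hr.doc": {"read", "write"},
              "audit.log": {"write"}},
}


def capability_list(matrix, subject):
    """Row view: every object this subject can touch and how (bound to the subject)."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def acl(matrix, obj):
    """Column view: every subject that can touch this object and how (bound to the object)."""
    return {s: set(rights[obj]) for s, rights in matrix.items() if obj in rights}


def revoke_subject(matrix, subject):
    """Audit finding: rogue subject. With capability lists this is one row
    deletion; with only ACLs you would have to walk every object."""
    return {s: r for s, r in matrix.items() if s != subject}


def revoke_object(matrix, obj):
    """Object decommissioned: one column deletion with ACLs; with only
    capability lists you would have to walk every subject."""
    return {s: {o: set(r) for o, r in rights.items() if o != obj}
            for s, rights in matrix.items()}


def writers(matrix, obj):
    """Subjects that can modify obj: the question an ACL answers directly."""
    return sorted(s for s, r in acl(matrix, obj).items() if "write" in r)


if __name__ == "__main__":
    print("capabilities of svc_x:", capability_list(MATRIX, "svc_x"))
    print("ACL of payroll.db:   ", acl(MATRIX, "payroll.db"))
    print("writers after revoke:", writers(revoke_subject(MATRIX, "svc_x"), "payroll.db"))
```

Real systems usually store only one of the two views (Unix file permissions and Windows DACLs are ACLs; Kerberos tickets and capability-based OSes are capabilities), which is why "what can this subject do?" is an expensive question on an ACL-only system and is the reason a reviewer asks for a capability table here.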

Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A Business continuity manager B Chief executive officer C Chief information officer D Vice president of business operations

Answer B is correct. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.

You are using a network analyzer to monitor traffic on your network. Users report that sessions are hanging intermittently throughout the day. You suspect that your network is under attack. You decide to use the network analyzer to determine the problem. Which information should you examine? A protocol statistics B packet capture C station statistics D port statistics

Answer B is correct. You should use packet capture information to examine the sessions that are hanging intermittently throughout the day. You will need to examine the packets being sent and determine which devices failed to respond. A packet capture provides detailed information on each packet on your network. All of the other options should only be used if you know which protocol, station (device), or port is the cause of the problem. You should not use protocol statistics for this problem because you are not sure which protocol, if any, is causing the problem.

You need to view events on host name registrations. Which log in Event Viewer should you view? A System B DNS C Application D Security

Answer B is correct. You should use the DNS log in Event Viewer to view events on host name registrations. You should log DNS entries so that you can watch for unauthorized DNS clients or servers. Without a DNS log, you would be unable to discover how long an entry was being used. None of the other logs will contain this type of information. The Application log contains events logged by applications. The Security log contains events based on the auditing configuration. Only administrators can configure and view auditing. The System log contains events logged by computer system components. Auditing deters perpetrators' attempts to bypass the system protection mechanisms, reviews patterns of access to individual objects, and discovers when a user assumes a functionality with privileges greater than his own.

During a recent incident investigation, you extracted hidden data from the data image that was created. In which step of the incident investigation process were you involved? A identification B examination C collection D preservation

Answer B is correct. You were involved in the examination step of the incident investigation process. This step includes traceability, validation techniques, filtering techniques, pattern matching, hidden data discovery, and hidden data extraction. You were not involved in the identification step of the incident investigation process. This step can include event/crime detection, signature resolution, profile detection, anomaly detection, complaint reception, system monitoring, and audit analysis. You were not involved in the preservation step of the incident investigation process. This step can include imaging technologies, chain of custody standards, and time synchronization. You were not involved in the collection step of the incident investigation process. This step can include approved collection methods, approved software, approved hardware, legal authority, sampling, data reduction, and recovery techniques. The proper steps in a forensic investigation are as follows: identification, preservation, collection, examination, analysis, presentation, and decision.

Your company follows a full/incremental strategy as a backup solution. The full/incremental strategy starts with a full backup each Saturday evening and an incremental backup all other evenings. Assume that each of the backups was stored on a different tape. If the system crashed on Monday morning, how many tapes would you need to recover the data? A one B two C four D three

Answer B is correct. You would first need to recover the full backup from Saturday. Because the incremental backups back up different data each day of the week, each of the incremental backups must be restored, in chronological order. As the system crashes on Monday morning, you will need to restore two backups: the full backup from Saturday evening and the incremental backup from Sunday evening. When incremental backups are included in your backup plan, you will need to restore the full backup and all incremental backups that have been taken since the full backup. Because the failure occurred on Monday morning, only the full Saturday backup and the incremental Sunday backup need to be restored. If the crash had occurred on Tuesday morning, you would have needed to restore three backups: Saturday evening's full backup, Sunday evening's incremental backup, and Monday evening's incremental backup. If the crash had occurred on Wednesday morning, you would have needed to restore four backups: Saturday evening's full backup, Sunday evening's incremental backup, Monday evening's incremental backup, and Tuesday evening's incremental backup.

Which network device provides a transparent firewall solution between an internal network and outside networks? A router B proxy server C NAT router D hub

Answer C is correct. A Network Address Translation (NAT) router provides a transparent firewall solution between an internal network and outside networks. Using NAT, multiple internal computers can share a single Internet interface and IP address. The primary purpose of NAT is to hide internal hosts from the public network. NAT can use static or dynamic translation. Static translation has static mappings for the NAT communication; dynamic translation has a dynamic table that is configured as hosts attempt to use NAT. NAT can cause problems with an IPSec virtual private network (VPN) tunnel because of changes made to the IP header. NAT is only supported with IPSec when running in NAT traversal mode. A proxy server is often mistaken for a NAT server. However, a proxy server is not a transparent solution. A proxy server operates at Layer 4 or higher of the OSI model (the Transport layer or above). NAT operates at the Network layer (Layer 3) of the OSI model. A router is a network device that divides a local area network into smaller subnetworks. Routers operate at the Network layer (Layer 3) of the OSI model. While a firewall can also be a router, it is referred to as a firewall when it functions to create a DMZ. A hub is a network device that connects multiple networks together.

Which type of malicious code is hidden inside an otherwise benign program when the program is written? A a worm B a logic bomb C a Trojan horse D a virus

Answer C is correct. A Trojan horse is a type of malicious code that is embedded in an otherwise benign program when the program is written. A Trojan horse is typically designed to do something destructive when the infected program is started. Trojan horses, viruses, worms, and logic bombs are all examples of digital pests. Software development companies should consider reviewing code to ensure that malicious code is not included in their products. A virus is added to a program file after a program is written. A virus is often associated with malicious programs that are distributed in e-mail messages. A worm creates copies of itself on other computers through network connections. A logic bomb is designed to initiate destructive behavior in response to a particular event. For example, a logic bomb might be programmed to erase a hard disk after 12 days.

Which type of error occurs when an invalid subject is authenticated? A Type 4 B Type 1 C Type 2 D Type 3

Answer C is correct. A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication. The ratio of Type 2 errors to valid authentications is called the FAR (false acceptance rate). For example, hacker Joe doesn't have an account, but he uses his fingerprint to authenticate and the system recognizes him. Answer B is incorrect because a Type 1 error occurs when a valid subject is not authenticated. This is also known as a false negative authentication. Answers D and A are incorrect because there are no such types of errors.

Which of the following is the best protection against data loss caused by power failure? A Transformer B Standby generator C UPS D Surge suppressor

Answer C is correct. A UPS is the best protection against data loss caused by power failure. It is an electrical apparatus that provides emergency power to a load when the input power source, typically the utility mains, fails. It differs from a standby generator in that it will provide instantaneous or near-instantaneous protection from input power interruptions by means of one or more attached batteries and associated electronic circuitry for low-power users, and/or by means of diesel generators and flywheels for high-power users. Answer D is incorrect. A surge suppressor is an appliance designed to protect electrical devices from voltage spikes. A surge suppressor attempts to regulate the voltage supplied to an electric device by either blocking or shorting to ground voltages above a safe threshold. Answer A is incorrect. A transformer is a device that transfers electrical energy from one circuit to another through inductively coupled conductors, the transformer's coils. A varying current in the first or primary winding creates a varying magnetic flux in the transformer's core, and thus a varying magnetic field through the secondary winding. Answer B is incorrect. A standby generator will not provide instantaneous protection. It is a back-up electrical system that operates automatically. Within seconds of a utility outage, an automatic transfer switch senses the power loss, commands the generator to start, and then transfers the electrical load to the generator.

What defines the minimum level of security? A standards B procedures C baselines D guidelines

Answer C is correct. A baseline defines the minimum level of security and performance of a system in an organization. A baseline is also used as a benchmark for future changes. Any change made to the system should match the defined minimum-security baseline. A security baseline is defined through the adoption of standards in an organization. Guidelines are the actions that are suggested when standards are not applicable in a particular situation. Guidelines are applied where a particular standard cannot be enforced for security compliance. Guidelines can be defined for physical security, personnel, or technology in the form of security best practices. Standards are the mandated rules that govern the acceptable level of security for hardware and software. Standards also include the regulated behavior of employees. Standards are enforceable and are the activities and actions that must be followed. Standards can be defined internally in an organization or externally as regulations. Procedures are the detailed instructions used to accomplish a task or a goal. Procedures are considered at the lowest level of an information security program because they are closely related to configuration and installation problems. Procedures define how the security policy will be implemented in an organization through repeatable steps. For instance, a backup procedure specifies the steps that a data custodian should adhere to while taking a backup of critical data to ensure the integrity of business information. Personnel should be required to follow procedures to ensure that security policies are fully implemented. Procedural security ensures data integrity.

Which of the following is a collaborative cloud deployment model in which infrastructure is shared between several organizations from a specific community with common goals? A Hybrid cloud B Public cloud C Community cloud D Private cloud

Answer C is correct. A community cloud is a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns in the areas of security, compliance, jurisdiction, and so on. Answer B is incorrect. A public cloud deployment model includes assets available for any consumers to rent or lease and is hosted by an external CSP. It is accessible publicly and is owned by a third-party cloud provider. Answer D is incorrect. A private cloud deployment model includes cloud-based assets for a single organization. It can be created and hosted by organizations using their own resources. Answer A is incorrect. A hybrid cloud deployment model includes a combination of public and private clouds and thus does not provide cloud-based assets to two or more organizations. The creation and maintenance of this model is a complex process due to the potential disparity in cloud environments.

Which of the following statements is true of a digital certificate? A It is a process of finding a unique fixed-length mathematical derivation (hashes) of a plaintext message. B It is a message digest that is encrypted using the sender's private key. C It binds the identity of an individual to a key pair. D It is a specific construction for calculating a Message Authentication Code (MAC) involving a cryptographic hash function in combination with a secret key.

Answer C is correct. A digital certificate binds the identity of an individual to a key pair. A digital certificate is an electronic credit card that establishes an individual's credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains the name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Answer B is incorrect. A digital signature is a message digest that is encrypted using the sender's private key. Answer A is incorrect. Hashing is a process of finding a unique fixed-length mathematical derivation (hashes) of a plaintext message. Answer D is incorrect. Hash-based Message Authentication Code (HMAC) is a specific construction for calculating a Message Authentication Code (MAC) involving a cryptographic hash function in combination with a secret key.

Which of the following disaster recovery tests includes the operations that shut down at the primary site and are shifted to the recovery site according to the disaster recovery plan? A Parallel B Structured walk-through C Full-interruption D Simulation

Answer C is correct. A full-interruption test includes operations that shut down at the primary site and are shifted to the recovery site according to the disaster recovery plan. It operates just like a parallel test. The full-interruption test is very expensive and difficult to arrange. Sometimes, it causes a major disruption of operations if the test fails. Answer B is incorrect. The structured walk-through test is also known as the table-top exercise. In a structured walk-through test, team members walk through the plan to identify and correct weaknesses and to decide how they will respond to the emergency scenarios by stepping through the course of the plan. It is the most effective and competent way to identify the areas of overlap in the plan before conducting more challenging training exercises. Answer A is incorrect. A parallel test is the next level in the testing procedure: it relocates the employees to an alternate recovery site and implements site activation procedures. These employees carry out their disaster recovery responsibilities as they would for an actual disaster. The disaster recovery sites have full responsibility to conduct the organization's day-to-day business. Answer D is incorrect. A simulation test is a method used to test the disaster recovery plans. It operates just like a structured walk-through test. In the simulation test, members of a disaster recovery team are presented with a disaster scenario and then discuss appropriate responses. These suggested responses are measured and some of them are taken by the team. The scope of the simulation test should be defined carefully to avoid excessive disruption of normal business activities.

Which type of incident is NOT usually addressed in a contingency plan? A a T1 connection failure B a power outage C a hurricane D a server crash

Answer C is correct. A hurricane is not usually addressed in a contingency plan. All natural disasters are part of the business continuity plan, not the contingency plan. The contingency plan addresses how to deal with small incidents, such as power outages, connection failures, server crashes, and software corruption.

Which access control model is usually associated with a multi-level security policy? A role-based access control (RBAC) B discretionary access control (DAC) C mandatory access control (MAC) D rule-based access control

Answer C is correct. A multi-level security policy is usually associated with mandatory access control (MAC). In MAC, sensitivity labels, also called security labels, are attached to all objects. These sensitivity labels contain a classification. For a subject to have write access to an object in a multi-level security policy, the subject's sensitivity label must dominate the object's sensitivity label. Mandatory access controls rely on the use of labels for subjects and objects. Rule-based access control is an access control technique, not an access control model. Role-based access control (RBAC) allows access to resources to be controlled by the user's role. Discretionary access control (DAC) allows the resource owner to determine the level of access that users have.

Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on? A It contains diffusion. B It contains confusion. C It is a one-way function. D It complies with Kerckhoffs's principle.

Answer C is correct. A one-way function is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.

Which of the following is the best choice for a role within an organization using a RBAC model? A Application B Web server C Programmer D Database

Answer C is correct. A programmer is a valid role in a Role Based Access Control (RBAC) model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.

Which type of firewall is considered a second-generation firewall? A packet-filtering firewall B kernel proxy firewall C proxy firewall D dynamic packet-filtering firewall

Answer C is correct. A proxy firewall is a second-generation firewall, meaning it was the second type created. Other types followed. A kernel proxy firewall is a fifth-generation firewall, and a packet-filtering firewall is a first-generation firewall. A dynamic packet-filtering firewall is a fourth-generation firewall. Third-generation firewalls typically use a system that examines the state and context of incoming packets. This type of firewall tracks protocols that are considered connectionless, such as User Datagram Protocol (UDP).

Which network device acts as an Internet gateway, firewall, and Internet caching server for a private network? A IDS B VPN C proxy server D IPS

Answer C is correct. A proxy server acts as an Internet gateway, firewall, and Internet caching server for a private network. Hosts on the private network contact the proxy server with an Internet Web site request. The proxy server checks its cache to see if a locally stored copy of the site is available. If not, the proxy server communicates with its Internet connection to retrieve the Web site. The proxy server is virtually invisible to the client and the Internet connection. A proxy server can be configured to allow only outgoing Hypertext Transfer Protocol (HTTP) traffic by configuring which users have permissions to access the Internet via the proxy server. A virtual private network (VPN) is a private network that users can connect to over a public network. An intrusion detection system (IDS) is a network device that detects network intrusion and either logs the intrusion or contacts the appropriate personnel. An intrusion prevention system (IPS) is a network device that detects network intrusion attempts and prevents the network intrusion. An IPS provides more security than an IDS because it actually provides prevention, not just detection.

Which entity must certify the public key pair of a root CA? A an external CA B a subordinate CA C the root CA D a Kerberos server

Answer C is correct. A root certificate authority (CA) must certify its own public key pair. An organization may also want to have a root CA's public key pair certified by an external CA for added security and confidence in the key pair. Neither a subordinate CA nor a Kerberos server is used to certify a root CA's key pair.

Which security threat is a software application that displays advertisements while the application is executing? A spyware B virus C adware D worm

Answer C is correct. Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware that monitors your Internet usage and personal information. Some adware will even allow credit card information theft. A worm is a program that spreads itself through network connections. Spyware often uses tracking cookies to collect and report on a user's activities. Not all spyware is adware, and not all adware is spyware. Spyware requires that your activities be monitored and tracked; adware requires that advertisements be displayed. A virus is malicious software (malware) that relies upon other application programs to execute itself and infect a system.

Which technologies are considered remote-sensing technologies? a. unmanned aircraft b. manned aircraft c. satellites d. land-based cameras A option c B option d C all of the options D options b, c, and d E options a, b, and c F option a G option b

Answer C is correct. All of the options are considered remote-sensing technologies. Remote sensing is the acquisition of information using photographic, radar, infrared or multi-spectral imagery via remote sensors, including manned and unmanned aircraft, ships, satellites, and remote land-based cameras. The most critical category of information to capture immediately following a disaster is accurate and timely intelligence about the scope, extent, and impact of the event. Remote-sensing technologies provide security surveillance to distant geographic regions as well. Remote sensing systems can provide a highly effective alternative means of gathering intelligence about the event. Remote sensing (RS) intelligence may be integrated into geographic information systems (GIS) to produce map-based products.

What should you use to connect a computer to a 100BaseTX Fast Ethernet network? A Use a CAT5 UTP cable with an RJ-11 connector. B Use an RG-58 cable with a BNC connector. C Use a CAT5 UTP cable with an RJ-45 connector. D Use a fiber-optic cable with an ST connector. E Use a fiber-optic cable with an SC connector.

Answer C is correct. Among the available choices, you should use Category 5 unshielded twisted-pair (CAT5 UTP) cable and RJ-45 connectors to connect a computer to a 100BaseTX Ethernet network. On a 100BaseTX network, you can use two pairs of either CAT5 UTP or Type 1 shielded twisted-pair (STP) cable. RJ-45 connectors typically connect computers to a 100BaseTX network. Although an RJ-45 connector is similar in appearance to a standard RJ-11 telephone connector, an RJ-45 connector is wider than an RJ-11 connector. Additionally, an RJ-45 connector supports eight wires, whereas an RJ-11 connector supports up to six wires. RG-58 coaxial cable and BNC connectors, including BNC barrel connectors and BNC T connectors, are used on 10Base2 Ethernet networks. BNC terminating resistors are also required on both ends of the 10Base2 bus to prevent signals from bouncing back into the cable and corrupting data. Some coaxial implementations require fixed spacing between the connections; twisted-pair cabling has no such requirements. Fiber-optic cable, such as 62.5/125 multimode cable and 8/125 single-mode cable, is used on some types of Ethernet networks, such as 10BaseFB Ethernet and 100BaseFX Fast Ethernet networks. Fiber-optic cables use LC, SC, and ST connectors. Fiber-optic cable has three basic physical elements: the core, the cladding, and the jacket. The core is the innermost transmission medium, usually made of glass or plastic. The next outer layer, the cladding, is also made of glass or plastic with different properties than the core, and helps to reflect the light back into the core. The outermost layer, the jacket, provides protection from heat, moisture, and other environmental elements. CAT1, CAT3, CAT5, CAT5e, and CAT6 cable are all twisted-pair technologies.

Your organization includes an Active Directory domain with three domain controllers. Users are members of organizational units (OUs) that are based on departmental membership. Which type of database model is used in the domain? A an object-oriented database model B a relational database model C a hierarchical database model D an object-relational database model

Answer C is correct. An Active Directory domain, which uses the Lightweight Directory Access Protocol (LDAP), is a hierarchical database model. A hierarchical database model uses a logical tree structure. LDAP is the most common implementation of a hierarchical database model. A relational database model is not used in the scenario. A relational database model uses rows and columns to arrange data and presents data in tables. The fundamental entity in a relational database is the relation. Relational databases are the most popular. Microsoft's SQL Server is a relational database. An object-oriented database model is not used in this scenario. An object-oriented database (OODB) model can store graphical, audio, and video data. A popular object-oriented database is db4objects from Versant Corporation. An object-relational database model is not used in this scenario. An object-relational database is a relational database with a software front end written in an object-oriented programming language. Oracle 11g is an object-relational database. Another type of database model is the network database model. This database model expands the hierarchical database model. A network database model allows a child record to have more than one parent, while a hierarchical database model allows each child to have only one parent.

What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects? A Clark-Wilson B Biba C Access control matrix D Separation of duties

Answer C is correct. An access control matrix assembles ACLs from multiple objects into a single table. The rows of that table are the ACEs of a subject across those objects, thus a capabilities list. Answer D is incorrect. The separation of duties mechanism ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances. Answer B is incorrect. The Biba Model describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. Answer A is incorrect. The Clark-Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark-Wilson model defines each data item and allows modifications through only a small set of programs.

How does an ActiveX component enforce security? A by using object codes B by using macro languages C by using Authenticode D by using sandboxes

Answer C is correct. Authenticode is used by the ActiveX technology of Microsoft to enforce security. ActiveX refers to a set of controls that users can download in the form of a plug-in to enhance a feature of an application. The primary difference between Java applets and ActiveX controls is that the ActiveX controls are downloaded subject to acceptance by a user. The ActiveX trust certificate also states the source of the plug-in signatures of the ActiveX modules. Java applets use sandboxes to enforce security. A sandbox is a security scheme that prevents Java applets from accessing unauthorized areas on a user's computer. When a user accesses a Web page through a browser, class files for an applet are downloaded automatically, even from untrusted sources. To counter this possible threat, Java provides a customizable sandbox and enforces the execution of the application within the sandbox. This prevents Java applets from accessing unauthorized areas on a user's computer or system resources outside the sandbox. Sandbox protections include preventing reading and writing to a local disk, prohibiting the creation of a new process, preventing the establishment of a network connection to a new host, and preventing the loading of a new dynamic library and directly calling a native method. The sandbox security features are designed into the Java Virtual Machine (JVM). These features are implemented through array bounds checking, structured memory access, type-safe reference cast checking, checking for null references, and automatic garbage collection. These checks are designed to limit memory accesses to safe, structured operations. A hostile applet is an active content module used to exploit system resources. Hostile applets coded in Java can pose a security threat to computer systems if the executables are downloaded from unauthorized sources. Hostile applets may disrupt the computer system operation either through resource consumption or through the use of covert channels. Object code refers to a version of a computer program that is compiled before it is ready to run in a computer. The application software on a system is typically in the form of compiled object code and does not include the source code. Object code is not related to the security aspects of Java. It represents an application program after the compilation process. Macro programs use a macro language for the automation of common user tasks. Macro languages, such as Visual Basic, are typically used to automate the tasks and activities of users. Macro programs have their own set of security vulnerabilities, such as macro viruses, but are not related to Java security. Java applets are short programs that use the technique of a sandbox to limit the applet's access to specific resources stored in the system.

Which technology requires Trusted Platform Module (TPM) hardware? A NTFS B EFS C BitLocker D IPSec

Answer C is correct. BitLocker drive encryption requires TPM hardware. The BitLocker technology encrypts drive contents so that data cannot be stolen. BitLocker can encrypt both user and system files. BitLocker is enabled or disabled by an administrator for all computer users. None of the other options requires TPM hardware. Encrypting File System (EFS) encrypts the contents of a disk. However, EFS is enabled on a per-user basis and can only encrypt files belonging to the user that enables EFS. EFS does not require any special hardware or administrative configuration. New Technology File System (NTFS) is the 32-bit file system used by Windows operating systems. Internet Protocol Security (IPSec) is a protocol that protects communication over a network.

Management has requested that you implement controls that take corrective action against threats. Which entity is an example of this type of control? A backups B audit trails C business continuity planning D separation of duties

Answer C is correct. Business continuity planning is an example of a corrective control. Corrective controls are controls that take corrective action against threats. Audit trails are an example of detective controls. Detective controls are controls that detect threats. Backups are an example of recovery and compensative controls. Recovery controls are controls that recover from an incident or failure. Compensative controls are controls that provide an alternate measure of control. To restore a system and its data files after a system failure, you should implement the recovery procedures. Recovery procedures could include proper steps of rebuilding a system from the beginning and applying the necessary patches and configurations. Separation of duties is an example of a preventative control. Directive controls are controls that tell users what is expected of them and what is considered inappropriate. Recovery controls are controls that describe the actions to take to restore a system to its normal state after a disaster occurs.

What is typically part of an information policy? A acceptable use B authentication C classification of information D employee termination procedure

Answer C is correct. Classification of information is typically part of an information policy. A company usually has at least two information classifications: public and proprietary. Public information can be revealed to the public, and proprietary information can only be shared with individuals who have signed a non-disclosure agreement. Some companies also use the restricted classification. Only a small group of individuals within a company can gain access to restricted information. The cornerstone of a well-defined information policy is to limit individual access to that information which the individual 'needs to know' to perform required functions. Authentication is typically part of a company's security policy. Acceptable use is typically part of a company's computer use policy. An acceptable use policy typically stipulates that company employees use computers and other equipment only for purposes of completing company projects. An employee termination procedure is typically part of a company's management policies, which also include new employee and transferred employee procedures. Termination procedures should include disabling a user's network access account no later than the end of the last day of the employee's relationship with the company. Because a network is vulnerable to attack by employees who are being terminated, most companies do not provide advanced notice to terminated employees. It is also a common practice to provide an escort for the terminated employee from the time they are informed of termination until the time they leave company facilities. This practice limits the possibility that the person will damage company equipment or harm other personnel. In the event of an unfriendly termination, it is essential that system access be removed as quickly as possible after termination.

Which service provided by a cryptosystem is most important for the military? A nonrepudiation B authentication C confidentiality D integrity

Answer C is correct. Confidentiality is the most important service provided by a cryptosystem for the military. Integrity and confidentiality are important to financial institutions. Integrity ensures that the data has not been changed. Nonrepudiation is important if an agency must ensure that the sender cannot deny sending the message. Authentication is important in court because it confirms who sent the message.

On which of the following principles does the Trusted Computer Security Evaluation Criteria (TCSEC) depend? A Assurance, provisioning, and functionality B Assurance, auditing, and availability C Functionality, effectiveness, and assurance D Auditing, activating, and effectiveness

Answer C is correct. TCSEC relies on the security principles of functionality, effectiveness, and assurance to determine whether a product meets its security goals. Answers D, A, and B are incorrect. These are invalid answers.

The research department at your company has decided to implement a new file server. The department manager will be responsible for granting access to the folders and files based on a user's or a group's identity. Which type of access control model is being used? A MAC B RBAC C DAC D ACL

Answer C is correct. Discretionary access control (DAC) is based on identity. This identity can be a user's identity or a group's identity, and is sometimes referred to as identity-based access control. DAC is the type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access. An access control list (ACL) is not an access control model, although it is used in a DAC model. It is an access control entity that lists user access levels to a given object. Mandatory access control (MAC) is a model based upon security labels. Role-based access control (RBAC) is a model based upon user roles. An access control model should be applied in a preventative manner. A company's security policy determines which access control model will be used.

Your organization has recently been the victim of a network attack. Who performs the emergency procedures in response to this attack? A the cyber security team B the incident prevention team C the incident response team D the intrusion detection team

Answer C is correct. Emergency procedures in response to a computer system or network attack are performed by the incident response team. The security incidents that occur within the organization are handled by the incident response team. The team consists of members from different departments of the organization, such as the representatives of the senior management, the information technology department, the legal department, and the human resource department. The core incident response team should have sound technical knowledge and should follow standard and formal procedures for incident handling. The main purpose of computer incident handling is to contain and repair any damage caused by an event. After responding to an incident, a meeting should be held within a week to discuss the intrusion and its investigation. The analysis should prove helpful in preventing future attacks and in improving the emergency response procedures. The following items are on the agenda of the incident response team while investigating an incident: points of contact and reporting outside the company; points of contact for system forensics; the process used to search for and secure the evidence, including search and seizure team members; the content and format of the report to be presented to management; and methods to deal with different types of systems. The incident response team must also be concerned with the fact that a suspect may attempt to destroy evidence. The incident prevention, intrusion detection, and cyber security teams are not concerned with the incident response.

You are designing the user management policies for your organization. What is typically part of these policies? A authentication B information classification C employee termination D acceptable use

Answer C is correct. Employee termination procedures are typically part of a company's user management policies, which also include procedures for dealing with new employees and transferred employees. Classification of information is typically covered by an information policy. A company usually has a minimum of two classifications for information: public and private. Most companies define public information as information that can be revealed to anyone, and proprietary information as information that can only be shared with employees who have signed a non-disclosure agreement. A company's security policy typically contains standard authentication procedures. Acceptable use policies, which indicate the manner in which employees are allowed to use company resources, are part of a company's computer use policy.

During a recent security conference, you attended training that explained the difference between active and passive security monitoring. What is a passive measure that can be used to detect hacker attacks? A connection termination B process termination C event logging D firewall reconfiguration

Answer C is correct. Event logging is a passive measure that can be used to detect hacker attacks. Event logging is considered a passive measure because it does not create obstacles to attacks. Administrators can, however, review log files after an attack to determine the source and the means of the attack. The information obtained from log files can be used to implement active prevention measures. Log files can also be used as legal evidence when prosecuting attackers, so log files should be protected and measures should be taken to ensure their integrity. Connection termination, firewall reconfiguration, and process termination are active measures for the prevention of hacker attacks; these methods establish obstacles intended to foreclose, or at least limit, the possibility of attack.

Evidence must be legally permissible in a court of law and must provide a foundation for a case. All of the following characteristics of evidence are important, EXCEPT: A reliability B sufficiency C confidentiality D relevancy

Answer C is correct. Evidence should not be confidential to ensure that it is legally permissible in a court of law. Most evidence is not confidential. Evidence must be sufficient, reliable, and relevant to ensure that it is legally permissible in a court of law. To be sufficient, the evidence must convince a reasonable person of its validity. To be reliable, the evidence must be consistent with the facts of the case. To be relevant, the evidence must have a relationship to the findings.

To what does ISO 15408 refer? A TCSEC B ITSEC C Common Criteria D security policy

Answer C is correct. ISO/IEC 15408 refers to the Common Criteria (CC) that is used to evaluate security properties of information technology (IT) products and systems, such as operating systems, applications, and other hardware, firmware, and software. The Information Technology Security Evaluation Criteria (ITSEC) evaluates the functionality and assurance attributes separately. This method of system evaluation and rating used in Europe is different from the Trusted Computer System Evaluation Criteria (TCSEC) in which the functionality and assurance of a system are bundled together for evaluation purposes. The U.S. Department of Defense (DoD) developed Trusted Computer System Evaluation Criteria (TCSEC) to evaluate and rate the effectiveness, assurance, trustworthiness, and functionality of operating systems, applications, and security products. The evaluation criteria were published in a book known as the Orange Book. A security policy refers to a group of rules that define the process of protecting and managing sensitive information. A security policy defines the security mechanisms that should be implemented to achieve the security objective. Common Criteria is a globally recognized and accepted standard for the evaluation of infrastructure products. These evaluation criteria reduce the complexity of the ratings and ensure that vendors manufacture products for international markets. Therefore, the Common Criteria addresses the functionality in terms of what a product does and assures that the product will work predictably and consistently. The Common Criteria assigns an evaluation assurance level. Unlike the Orange Book, which assigns a rating to a product based on how the product relates to the Bell-LaPadula model, the Common Criteria assigns a rating based on a protection profile.

In which of the following modes does the IPSec VPN connection encrypt the original IP packet header and add a new link specific header? A Transport B Static C Tunnel D Dynamic

Answer C is correct. In IPSec VPN tunnel mode, the original IP packet header is encrypted and a new VPN-specific header is added. Answer D is incorrect. Dynamic is a NAT mode which allows multiple internal clients access to a few leased public IP addresses. Answer A is incorrect. In Transport mode, IP packet data is encrypted but the header of the packet is not. Answer B is incorrect. Static is a NAT mode used when a specific internal client's IP address is assigned a permanent mapping to a specific external public IP address.

In which of the following access controls can a user access resources according to his role in the organization? A DAC B MAC C RBAC D ABAC

Answer C is correct. In RBAC (role-based access control), a user can access resources according to his role in the organization. RBAC uses roles, and these roles are granted appropriate privileges based on jobs or tasks. Subjects are placed into roles and they inherit privileges assigned to the roles. Answer A is incorrect. DAC (discretionary access control) allows the owner or creator of an object to control and define subject access to that object. Answer B is incorrect. MAC (mandatory access control) uses a predefined set of access privileges for an object of the system. Answer D is incorrect. In ABAC (attribute-based access control), access is granted not based on the rights of the subject associated with a user after authentication, but based on the attributes of the user.

What advanced virus technique modifies the malicious code of a virus on each system it infects? A Encryption B Multipartitism C Polymorphism D Stealth

Answer C is correct. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.

In what type of addressing scheme is the data actually supplied to the CPU as an argument to the instruction? A Indirect addressing B Direct addressing C Immediate addressing D Base+offset addressing

Answer C is correct. In immediate addressing, the CPU does not need to actually retrieve any data from memory. The data is contained in the instruction itself and can be immediately processed. Answer B is incorrect. In direct addressing, the CPU is provided with an actual address of the memory location to access. The address must be located on the same memory page as the instruction being executed. Answer D is incorrect. Base+offset addressing uses a value stored in one of the CPU's registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to that base address and retrieves the operand from that computed memory location. Answer A is incorrect. Indirect addressing uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn't contain the actual value that the CPU is to use as an operand.

In what type of software testing does the tester have access to the underlying source code? A Cross-site scripting testing B Black-box testing C Static testing D Dynamic testing

Answer C is correct. In order to conduct a static test, the tester must have access to the underlying source code.

Which of the following statements best defines spear phishing? A Replacing a valid source IP address with a false one to hide their identity B Attempting to gain the trust of someone by using deceit C Targeting a specific individual or small group of people D Attempting to redirect Web traffic to an imposter site through DNS software flaws, host file alterations, or other techniques

Answer C is correct. In spear phishing, an attacker uses phishing techniques against a specific individual or small group of people with a high net worth. Answer D is incorrect because attempting to redirect Web traffic to an imposter site through DNS software flaws, host file alterations, or other techniques is a pharming attack. It can be prevented by carefully monitoring DNS configurations and hosts files. Answer A is incorrect because replacing a valid source IP address with a false one to either hide their identity or to impersonate a trusted system is an IP spoofing attack. Answer B is incorrect because attempting to gain the trust of someone by using deceit, such as false flattery or impersonation, or by using conniving behavior is a social engineering attack.

You have been asked to provide scoping and tailoring guidance for an organization's security controls. Which of the following guidelines is NOT true regarding this process? A Tailoring matches security controls to the needs of the organization. B Scoping provides instruction to an organization on how to apply and implement security controls. C Scoping and tailoring are closely tied to access control lists. D Scoping and tailoring allow an organization to narrow its focus.

Answer C is correct. It is NOT true to state that scoping and tailoring are closely tied to access control lists. Scoping and tailoring are closely tied to the security baselines, not the access control lists. Scoping provides instruction to an organization on how to apply and implement security controls. Tailoring matches security controls to the needs of the organization. Scoping and tailoring will allow an organization to narrow its focus to identify and address the appropriate risks.

You are considering the sensitivity and criticality of your organization's data. Which of the following statements is NOT true? A Criticality measures the importance of the data. B Once data sensitivity and criticality are documented, the organization should work to create a data classification system. C Data that is sensitive should also be considered critical. D Sensitivity determines how freely the data can be handled.

Answer C is correct. It is not true that sensitive data should also be considered critical data. Data considered sensitive may not necessarily be considered critical. Sensitivity and criticality are not related. Sensitivity determines how freely the data can be handled. Criticality measures the importance of the data. Once data sensitivity and criticality are documented, the organization should work to create a data classification system.

What does the message authentication code (MAC) ensure? A message confidentiality B message replay C message integrity D message availability

Answer C is correct. Message authentication code (MAC), which is also referred to as message integrity code (MIC), ensures integrity of the messages. MAC adds authentication capability to a one-way hashing function. MAC does not ensure message replay. It provides protection against message replay attacks. A message replay can be performed to gain access to information and to reinsert the information back into a legitimate connection through attacks such as man-in-the-middle attacks. MAC cannot ensure the availability of the data or the system. A one-way hashing function does not use any key and only ensures that the message that is transferred is not tampered with by calculating a checksum value. Messages with one-way hashing can be intercepted and the hashing can be reproduced. One-way hashing converts a message of arbitrary length into a value of fixed length. Given the digest value, it should be computationally infeasible to find the corresponding message. It should be impossible or rare to derive the same digest from two different messages. MAC applies a secret key to the message that is known to the authorized recipient only. Block chaining cryptography uses MAC to ensure the authenticity of the message. There are two basic types of MAC: Hash-MAC (HMAC) and CBC-MAC. In HMAC, a symmetric key is appended to the message that is known only to the authorized recipient. However, HMAC lacks confidentiality. When an HMAC function is used, a symmetric key is combined with the message, and then that result is put through a hashing algorithm. The result is an HMAC value. HMAC provides data origin authentication and data integrity. In CBC-MAC, the message is encrypted with a symmetric block cipher in CBC mode. Some MAC algorithms use stream ciphers as well. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC. MAC was developed to prevent fraud in electronic fund transfers involved in online transactions.

Which statement is true of network address hijacking? A It uses ICMP echo messages to identify the systems and services that are up and running. B It involves flooding the target system with malformed fragmented packets to disrupt operations. C It allows the attacker to reroute data traffic from a network device to a personal computer. D It is used for identifying the topology of the target network.

Answer C is correct. Network address hijacking allows an attacker to reroute data traffic from a network device to a personal computer. Also referred to as session hijacking, network address hijacking enables an attacker to capture and analyze the data addressed to a target system. This allows an attacker to gain access to critical resources and user credentials, such as passwords, and to critical systems of an organization. Session hijacking involves assuming control of an existing connection after the user has successfully created an authenticated session. A scanning attack is used to identify the topology of the target network. Also referred to as network reconnaissance, scanning involves identifying the systems that are up and running on the target network and verifying the ports that are open, the services that a system is hosting, the type of operating system, and the applications running on a target host. Scanning is the initial process of gathering information about a network to find out vulnerabilities and exploits before an actual attempt to commit a security breach takes place. A smurf attack uses ICMP echo messages to identify the systems and services that are up and running. It is a denial-of-service (DoS) attack that uses spoofed broadcast ping messages to flood a target system. In a smurf attack, the attacker sends a large number of ICMP echo packets, with the source IP address spoofed to that of the target host, to IP broadcast addresses. This results in the target host being flooded with echo replies from the entire network, causing the system to either freeze or crash. Ping of death, bonk, and fraggle are other examples of DoS attacks. In a teardrop attack, the attacker uses a series of IP fragmented packets, causing the system to either freeze or crash while the target host is reassembling the packets. A teardrop attack is primarily based on the fragmentation implementation of IP. To reassemble the fragments into the original packet at the destination, the host checks incoming packets to ensure that they belong to the same original packet. The packets are malformed. Therefore, the process of reassembling the packets causes the system to either freeze or crash.

Which of the following ensures that the subject of an activity or event cannot deny that the event occurred? A Confidentiality B Authentication C Non-repudiation D Integrity

Answer C is correct. Non-repudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event. Answer A is incorrect because confidentiality ensures that only authorized subjects can access objects. Answer D is incorrect because integrity ensures that data or system configurations are not modified without authorization. Answer B is incorrect because authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities.

Which one of the following cannot be achieved by a secret key cryptosystem? A Availability B Key distribution C Nonrepudiation D Confidentiality

Answer C is correct. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message. Answers D, A, and B are incorrect. All these can be achieved by a secret key cryptosystem.

Which of the following is the lowest military data classification for classified data? A Private B Sensitive C Secret D Proprietary

Answer C is correct. Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.

Which of the following protocols is used to verify the status of a certificate? A CEP B HTTP C OCSP D OSPF

Answer C is correct. Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate. It is used to verify the status of a certificate. It was created as an alternative to certificate revocation lists (CRL). It provides more timely information about the revocation status of a certificate. It also eliminates the need for clients to retrieve the CRLs themselves. Therefore, it generates less network traffic and provides better bandwidth management. It is described in RFC 2560 and is on the Internet standards track. Answer D is incorrect because OSPF (Open Shortest Path First) is defined as a routing protocol that is used in large networks. Answer B is incorrect because HTTP (Hypertext Transfer Protocol) defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. Answer A is incorrect because CEP (Certificate Enrollment Protocol) allows Cisco devices to acquire and utilize digital certificates from Certification Authorities (CAs). This protocol is primarily used for deployment of IPSec VPNs while using digital certificate authentication with Cisco devices.

Your organization has a fault-tolerant, clustered database that maintains sales records. Which transactional technique is used in this environment? A ODBC B data warehousing C OLTP D OLE DB

Answer C is correct. Online transaction processing (OLTP) is used in this environment. OLTP is a transactional technique used when a fault-tolerant, clustered database exists. OLTP balances transactional requests and distributes them among the different servers based on transaction load. OLTP uses a two-phase commit to ensure that all the databases in the cluster contain the same data. Object Linking and Embedding Database (OLE DB) is a method of linking data from different databases together. Open Database Connectivity (ODBC) is an application programming interface (API) that can be configured to allow any application to query databases. Data warehousing is a technique whereby data from several databases is combined into a large database for retrieval and analysis.

Spamming is often possible because hackers are able to locate and take advantage of which of the following? A Bots B Botnets C Open relay agents D E-mail clients

Answer C is correct. Open relay agents (specifically, SMTP relay agents) are often exploited into distributing spam. Relay agents are prime targets for spammers because they allow them to send out large volumes of email by piggybacking on an insecure email infrastructure. Answer D is incorrect. E-mail clients retrieve e-mail from their server-based inboxes using POP3 (Post Office Protocol version 3) or IMAP (Internet Message Access Protocol). Answer B is incorrect. Botnets refer to the deployment of numerous bots or zombies across various unsuspecting secondary victims. Answer A is incorrect. Bots are autonomous programs on the Internet which interact with systems or users.

Which of the following types of virus alters its appearance to avoid detection? A Encrypted B Multipartite C Polymorphic D Stealth

Answer C is correct. A polymorphic virus alters its appearance to avoid detection. The virus propagates from system to system, changing its signature each time it infects a new system. Answer B is incorrect. The multipartite virus uses more than one propagation technique to penetrate systems that defend against only one method or the other. Answer A is incorrect. The encrypted virus uses cryptographic techniques to avoid detection and employs a very short segment of code known as the virus decryption routine to load and decrypt the main virus code stored elsewhere on the disk. Answer D is incorrect. A stealth virus tampers with the operating system to hide itself, fooling antivirus packages into thinking that everything is functioning normally.

You have been specifically asked to implement a stream cipher. Which cryptographic algorithm could you use? A RC6 B MD5 C RC4 D RC5

Answer C is correct. RC4 is a stream cipher. Stream and block ciphers are the two main types of symmetric algorithms. Block ciphers process one block of bits at a time, and stream ciphers process one bit at a time. RC4, RC5, and RC6 do not provide one-way hashing. RC5 and RC6 are block ciphers. MD5 is a one-way hashing algorithm. One-way hashing refers to inserting a string of variable length into a hashing algorithm and producing a hash value of fixed length. This hash value is appended to the end of the message being sent. This hash value is recomputed at the receiver's end in the same fashion in which it was created, by using the same computational logic. If the recomputed hash value is the same as the generated hash value, the message was not altered during the course of transmission. MD2, MD4, and MD5 all take a message of arbitrary length and produce a message digest of 128 bits. Hashing algorithms include MD2, MD4, MD5, HAVAL, and all the Secure Hash Algorithm (SHA) variants.

Which of the following is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity? A RCO B RTA C RTO D RPO

Answer C is correct. Recovery time objective (RTO) is defined as the maximum acceptable time period needed to bring one or more applications and associated data back from an outage to a correct operational state. It is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in business continuity. Answer B is incorrect. The Recovery Time Actual (RTA) is established during an exercise or an actual event, or is predetermined based on the recovery methodology that the technology support team develops. This is the time frame the technology support team takes to deliver the recovered infrastructure to the business. Answer A is incorrect. The Recovery Consistency Objective (RCO) is used in business continuity planning in addition to Recovery Point Objective (RPO) and Recovery Time Objective (RTO). It applies data consistency objectives to continuous data protection services. Answer D is incorrect. The Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. It is the point in time to which data must be recovered as defined by the organization. It is generally a definition of what an organization determines is an acceptable loss in a disaster situation.

You work for an organization that employs temporary employees on a rotating basis. The organization experiences high employee turnover. Which access control model is best used in this environment? A discretionary access control B identity-based access control C role-based access control D mandatory access control

Answer C is correct. Role-based access control (RBAC) is best used in an environment where there is high employee turnover. When an employee leaves the company, it is much easier to add the employee's replacement to the role than to ensure that the new employee has all the permissions of the old employee. Mandatory access control (MAC) is best used in an environment where confidentiality is the biggest concern. Each subject and object is given a security label. Administrative effort in this model can be relatively high due to this fact. Discretionary access control (DAC) is used in environments where data owners need to control access permissions to their files. Administration in this model is usually decentralized. DAC would be difficult in an environment where there is high employee turnover because each data owner would need to be notified of employee resignations and replacements. Identity-based access control is usually implemented in DAC environments. Identity-based access control should not be used in an environment where there is high employee turnover. In a very large environment, this type of access control would be an administrative burden.

Which of the following access controls is a set of restrictions or filters that determines what can and cannot occur on the system? A Detective B Discretionary C Rule-based D Preventive

Answer C is correct. Rule-based access controls are used in a rule-based system. A set of rules, restrictions, or filters determines what can and cannot occur on the system, such as granting a subject access to an object or granting the ability to perform an action. Answer D is incorrect because a preventive access control prevents unwanted or unauthorized activities from happening. Answer A is incorrect because a detective access control searches for unwanted or unauthorized activities. Answer B is incorrect because a discretionary access control allows the owner or creator of an object to control and define subject access to that object.

Which technology is used to create an encrypted remote terminal connection with a Unix computer? A SCP B FTP C SSH D Telnet

Answer C is correct. Secure Shell (SSH) is used to create an encrypted remote terminal connection with a Unix computer. File Transfer Protocol (FTP) is used to transfer files on a TCP/IP network. FTP transmits data in clear text. Secure Copy (SCP) enables users to transfer files over a secure connection. Telnet is a protocol that enables a user to establish terminal connections with Unix computers. Telnet transmits data in clear text.

Which protocol is a dial-up connection protocol that requires both ends of the communication channel be assigned an IP address? A IMAP4 B DLC C SLIP D PPP

Answer C is correct. Serial Line Internet Protocol (SLIP) is an older dial-up connection protocol that requires both ends of the communication channel be assigned an IP address. SLIP was used over low-speed serial interfaces. Data Link Control (DLC) is a connectivity protocol that is used to connect IBM mainframe computers with LANs and, in some earlier models, HP printers. Internet Mail Access Protocol version 4 (IMAP4) is an e-mail retrieval protocol that some e-mail clients use to download messages from e-mail servers. DLC and IMAP4 are not dial-up protocols. Point-to-Point Protocol (PPP) is a newer dial-up protocol with more advanced features than SLIP. It does not require that both ends of the communication channel be assigned an IP address. In addition, PPP supports several network communications protocols, such as TCP/IP, IPX/SPX, and NetBEUI.

Which tool is an intrusion detection system (IDS)? A Tripwire B Nessus C Snort D Ethereal

Answer C is correct. Snort is an intrusion detection system (IDS). Nessus is a vulnerability assessment tool. Tripwire is a file integrity checker. Ethereal is a network protocol analyzer.

You have implemented several software controls in your organization. Which category of access controls have you implemented? A physical controls B preventative controls C technical controls D administrative controls

Answer C is correct. Software controls are technical controls. Technical controls include software-based tools that restrict access to objects. Software controls include employing anti-virus management and tools, implementing a formal application upgrade process, and routinely testing the backup data for accuracy. Administrative controls are policies and procedures that are developed by management to ensure that the organization is secure. Physical controls work with technical controls and administrative controls to implement the actual security mechanisms.

Which of the following is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, or caller ID? A Multicasting B Screen scraping C Spoofing D Whaling

Answer C is correct. Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, and so on. In IP spoofing, a hacker modifies packet headers by using someone else's IP address to hide their identity. However, spoofing cannot be used while surfing the Internet, chatting online, and so on, because forging the source IP address causes the responses to be misdirected. Answer A is incorrect because multicasting is the transmission of data to multiple specific recipients. Answer D is incorrect because whaling is a variant of phishing that targets senior or high-level executives such as CEOs and presidents by sending an email that contains malicious content. Answer B is incorrect because screen scraping is a technology that can allow an automated tool to interact with a human interface.

______________ firewalls are known as third-generation firewalls. A Static packet-filtering B Application-level gateway C Stateful inspection D Circuit-level gateway

Answer C is correct. Stateful inspection firewalls are known as third-generation firewalls.

What is needed to allow an external client to initiate a communication session with an internal system if the network uses a NAT proxy? A Reverse DNS B Static private IP address C Static mode NAT D IPsec tunnel

Answer C is correct. Static mode NAT is needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy.

Which of the following statements is true of TCSEC? A It has five classifications: A, B, C, D, and E. B It is an ISO standard. C It is a criteria used to validate the security and assurance provided in products. D It is referred to as the Red Book.

Answer C is correct. TCSEC is a set of criteria used to validate the security and assurance provided in products. TCSEC offers a rating system (classes of trust) to apply to the organization's information systems. Answer D is incorrect. TCSEC is not referred to as the Red Book; it is referred to as the Orange Book. Answer A is incorrect. TCSEC has four classifications: A, B, C, and D. Answer B is incorrect. TCSEC is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system.

Consider the following IP address: 157.175.12.10/22. How many bits will be used for the host portion of this address? A 16 B 6 C 10 D 22

Answer C is correct. Ten bits are used for the host portion of 157.175.12.10/22. The IP address 157.175.12.10/22 is an example of a "slash x" network, also known as Classless Interdomain Routing (CIDR) notation. CIDR is a way of applying a subnet mask to an IP address to optimize address space while ignoring the traditional IP class categories. With classful addressing, 157.175.12.10 is a class B address, which means that 16 bits of the address are used for the network portion and 16 bits are used for the host portion of the address. With CIDR, the /22 notation at the end of the IP address means that 22 bits are used for the network portion of the address, and the host portion uses the 10 remaining bits. In turn, this would mean that this address space can be divided into smaller, more efficient blocks of space.

Which security model illustrates the multilevel security mode? A finite transaction model B access model C Bell-LaPadula model D Brewer and Nash model

Answer C is correct. The Bell-LaPadula model illustrates the multilevel security mode because it allows simultaneous processing of classified information across the security levels. This model addresses information flow from higher levels to lower levels. The key advantage of the multilevel security mode is the ability to process information of different categories and allow access to a selected user base. This model formalizes the U.S. Department of Defense multi-level security policy. The finite transaction model and the access model are not valid categories of information flow models deploying the multilevel security mode. The Brewer and Nash model, also referred to as the Chinese Wall model, states that access controls for a system will dynamically change based on a user's activities and the previous access requests. Requests from users to access the information may be denied if the request presents a conflict of interest. For example, a user from the Accounts department may not be allowed to view the financial reports for an affiliated company (a sister concern) of the same organization. This ensures that the user does not introduce any conflict of interest. The multilevel security mode assigns sensitivity labels to subjects and objects. A subject is able to access the object if the sensitivity label of the subject is higher than or equal to the sensitivity label of the object. If the sensitivity label of the subject is lower than the sensitivity label of the object, the subject is denied access to the object.

Which of the following hashing algorithms pads the message to ensure that the message length is a multiple of 16 bytes? A MD5 B SHA-1 C MD2 D MD4

Answer C is correct. The Message Digest 2 (MD2) provides a secure hash function for 8-bit processors. It pads the message so that its length is a multiple of 16 bytes. It then computes a 16-byte checksum and appends it to the end of the message. A 128-bit message digest is then generated by using the entire original message along with the appended checksum. Answer B is incorrect. SHA-1 is the successor of SHA. It takes an input of variable length and produces a 160-bit message digest. It processes a message in 512-bit blocks. If the message length is not a multiple of 512 bits, it pads the message with additional data so that the length reaches the next higher multiple of 512. Answer D is incorrect. MD4 is used for 32-bit processors. It pads the message so that the message length is 64 bits smaller than a multiple of 512 bits. Answer A is incorrect. MD5 processes the message in 512-bit blocks. It requires four distinct rounds of computation to get a digest having the same length as the MD2 and MD4 algorithms. Its padded message length is 64 bits smaller than a multiple of 512 bits.

Which of the following layers is used for dialog control? A Physical B Data Link C Session D Network

Answer C is correct. The Session layer of the OSI model controls the dialogues (connections) between computers. It establishes, manages, and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. Answer B is incorrect. The Data Link layer corresponds to or is part of the link layer of the TCP/IP reference model. The Data Link layer is the protocol layer which transfers data between adjacent network nodes in a wide area network or between nodes on the same local area network segment. Answer A is incorrect. The Physical layer defines the means of transmitting raw bits rather than logical data packets over a physical link connecting network nodes. The bit stream may be grouped into code words or symbols and converted to a physical signal that is transmitted over a hardware transmission medium. Answer D is incorrect. The Network layer is responsible for packet delivery, including routing through intermediate routers. It provides the functional and procedural means of transferring variable length data sequences from a source to a destination host via one or more networks while maintaining the quality of service functions.

Which of the following OSI layers handles flow control? A Physical B Data Link C Transport D Network

Answer C is correct. The Transport layer of the OSI model handles flow control. It is responsible for end-to-end message transfer capabilities independent of the underlying network, along with error control, segmentation, flow control, congestion control, and application addressing (port numbers). End-to-end message transmission, or connecting applications at the Transport layer, can be categorized as either connection-oriented, implemented in Transmission Control Protocol (TCP), or connectionless, implemented in User Datagram Protocol (UDP). Answer B is incorrect. The Data Link layer corresponds to or is part of the link layer of the TCP/IP reference model. The Data Link layer is the protocol layer which transfers data between adjacent network nodes in a wide area network or between nodes on the same local area network segment. Answer A is incorrect. The Physical layer defines the means of transmitting raw bits rather than logical data packets over a physical link connecting network nodes. The bit stream may be grouped into code words or symbols and converted to a physical signal that is transmitted over a hardware transmission medium. Answer D is incorrect. The Network layer is responsible for packet delivery, including routing through intermediate routers. It provides the functional and procedural means of transferring variable length data sequences from a source to a destination host via one or more networks while maintaining the quality of service functions.

Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table? A Undefined B Thirty C Three D Two

Answer C is correct. The cardinality of a table refers to the number of rows in the table while the degree of a table is the number of columns.

A user in your organization has been disseminating payroll information on several coworkers. Although she has not been given direct access to this data, she was able to determine this information based on some database views to which she has access. Which term is used for the condition that has occurred? A polyinstantiation B save point C aggregation D data scavenging

Answer C is correct. The condition that has occurred is aggregation. Aggregation is a process in which a user collects and combines information from various sources to obtain complete information. The individual parts of information are at the correct sensitivity, but the combined information is not. A user can combine information available at a lower privilege level and thereby derive information that should only be available at a higher privilege level. A similar threat arises in inference attacks, where the subject deduces the complete information about an object from the bits of information collected through aggregation. Therefore, inference is the ability of a subject to derive implicit information. A protection mechanism to limit inferencing of information in statistical database queries is specifying a minimum query set size, but prohibiting the querying of all but one of the records in the database. The condition that has occurred is not a save point. A save point is not a database security feature but a data integrity and availability feature. Save points are used to ensure that a database can return to a point before the system crashed and make available the data prior to the database failure. Save points can be initiated either by a scheduled time interval or on the activity performed by a user while processing data. The condition that has occurred is not polyinstantiation. Polyinstantiation, also known as data contamination, is used to conceal classified information that exists in a database and to fool intruders. Polyinstantiation ensures that users with a lower access level are not able to access and modify data categorized for a higher level of access in a multi-level database. Polyinstantiation can be used to reduce data inference violations. When polyinstantiation is implemented, two objects are created by using the same primary keys. One object is filled with incorrect information and is deemed unclassified, and the other object contains the original classified information. When a user with lower level privileges attempts to access the object, the user is directed to the object containing incorrect information. Polyinstantiation is concerned with the same primary key existing at different classification levels in the same database. The condition that has occurred is not scavenging. Scavenging, also referred to as browsing, involves looking for information without knowing its format. Scavenging is searching the data residue in a system to gain unauthorized knowledge of sensitive data.

You need to ensure that all systems, networks, and major applications can be recovered. What should you create or perform? A risk analysis B vulnerability analysis C contingency plan D business impact analysis (BIA)

Answer C is correct. The contingency plan is created to ensure that all systems, networks, and major applications can be recovered. A contingency plan should be created for each major entity, including all hardware and software entities. A vulnerability analysis identifies your company's vulnerabilities. It is part of the business continuity plan. A risk analysis is part of the business impact analysis (BIA). It is used to calculate the risk to discover which functions would offer the greatest financial loss to the company. A BIA is created to identify the vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. A contingency plan addresses all potential, residual, and identified risks. Risks are usually identified by doing research on the types of systems in place. A failure in the contingency plan is usually the result of a management failure. The person designated to manage the contingency planning process should provide direction to senior management. In addition, this person should ensure the identification of all critical business functions and should integrate the planning process across business units. When any part of the LAN is not hosted internally and is part of a building server environment, it is the responsibility of the contingency planner to identify the building server administrator, inform the administrator of the recovery time frame required for your business applications, obtain a copy of the recovery procedures, and participate in the validation of the building's server testing.

Your company has purchased an expert system that uses if-then-else reasoning to obtain more data than is currently available. Which expert system processing technique is being implemented? A waterfall model B backward-chaining technique C forward-chaining technique D spiral model

Answer C is correct. The expert system processing technique that is being implemented is the forward-chaining technique. The forward-chaining technique is an expert system processing technique that uses if-then-else rules to obtain more data than is currently available. Forward chaining is the reasoning approach that can be used when there are a small number of solutions relative to the number of inputs. The input data is used to reason forward to prove that one of the possible solutions in a small solution set is the correct one. An expert system consists of a knowledge base and adaptive algorithms that are used to solve complex problems and to provide flexibility in decision-making approaches. An expert system uses artificial intelligence to extract new information from a set of information, and exhibits reasoning similar to that of humans knowledgeable in a particular field to solve a problem in that field. An expert system operates in two modes: forward chaining and backward chaining. Backward chaining is the process of beginning with a possible solution and using the knowledge in the knowledge base to justify the solution based on the raw input data. Backward chaining works backwards by analyzing the list of the goals identified and verifying the availability of data to reach a conclusion on any goal. Backward chaining starts with the goals and looks for the data that justifies the goal by applying if-then-else rules. The spiral model is a software development model that is based on analyzing the risk and building the prototypes and the simulation during the various phases of the development cycle. The waterfall model is a software development model that is based on proper reviews and on documenting the reviews at each phase of the software development cycle. This model divides the software development cycle into phases. Proper review and documentation must be completed before moving on to the next phase. The modified waterfall model was reinterpreted to have phases end at project milestones. Incremental development is a refinement to the basic waterfall model that states that software should be developed in increments of functional capability. Other software development models include the cleanroom model and the capability maturity model (CMM): The cleanroom model follows well-defined formal procedures for development and testing of software. The cleanroom model calls for strict testing procedures and is often used for critical applications that should be certified. The capability maturity model (CMM) describes the principles, procedures, and practices that should be followed by an organization in a software development life cycle. The capability maturity model defines guidelines and best practices to implement a standardized approach for developing applications and software programs. Knowledge-based systems (KBS) or expert systems include the knowledge base, the inference engine, and the interface between the user and the system. A knowledge engineer and a domain expert develop a KBS or expert system. Expert systems are used to automate security log review to detect intrusion. A fuzzy expert system is an expert system that uses fuzzy membership functions and rules, instead of Boolean logic, to reason about data. Thus, fuzzy variables can have an approximate range of values instead of the binary True or False used in conventional expert systems. An example of this is an expert system that has rules of the form "If w is low and x is high then y is intermediate," where w and x are input variables and y is the output variable. A software process is a set of activities, methods, and practices that are used to develop and maintain software and associated products. Software process capability is a means of predicting the outcome of the next software project conducted by an organization.

A user reports that she is unable to access a file server. You discover that there are numerous open connections on the file server from several servers and routers. Which type of attack has affected the file server? A back door attack B man-in-the-middle attack C denial-of-service (DoS) attack D privilege escalation

Answer C is correct. The file server has become the victim of a denial-of-service (DoS) attack. Because multiple routers and servers are involved in the attack, a distributed DoS (DDoS) attack has actually occurred. A DDoS attack usually involves hijacking several computers and routers to use as agents in the attack, which overwhelms the bandwidth of the attack victim. Examples of DoS attacks include ping of death, smurf, and TCP SYN flood. Privilege escalation usually occurs by logging in to a system using your valid user account and then finding a way to access files that you do not have permissions to access. This usually involves invoking a program that can change your permissions, such as a Set User ID (SUID) or Set Group ID (SGID) program, or invoking a program that runs in an administrative context. There are several methods of dealing with privilege escalation, including using least privilege accounts, privilege separation, and so on. Privilege escalation can also lead to DoS attacks. An example of privilege escalation is gaining access to a file you should not access by changing the permissions of your valid account. Back doors are hidden applications that vendors create to ensure that they are able to access their devices. After installing new devices or operating systems, you need to ensure that all back doors and default passwords are either disabled or reset. Often, hackers first attempt to use such back doors and default passwords to access new devices. A man-in-the-middle attack occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver.

Which of the following should be the first step while investigating a computer crime? A Ensure damage cannot be done by planted logic bombs and Trojan horses. B Advise individuals in the area of crime about their rights before collecting evidence. C Take a photograph of the area, computer, and contents on the screen. D Collect all evidence

Answer C is correct. The first step while investigating a computer crime is to take photographs of the area, the computer itself, the surroundings, and even the inside of the computer. Answers A, B, and D are incorrect. These cannot be the first step while investigating a computer crime. They are later steps that an investigator can take when investigating the computer crime.

What is the primary function of portable storage media, such as Zip, Jaz, and flash drives? A to modify data B to erase data C to exchange data D to classify data

Answer C is correct. The primary function of portable storage media, such as Zip drives, Jaz drives, flash drives, SyQuest, and Bernoulli boxes, is to facilitate data exchange across an organization to meet the business requirements. Portable storage media are usually preferred for data exchange processes because of their portable nature and high capacity. Erasing the data from a storage medium, such as a hard drive, does not actually remove the data but only removes the pointers to the location where the data resides on the medium. The erased data can be recovered by using data recovery procedures. Sanitization is the process of wiping out data from storage media to ensure that the data is not recoverable and cannot be reused. Data modification implies making changes to the information. Data modification can either be authorized or unauthorized in nature. Data classification involves assigning a level to the sensitive data and implementing countermeasures to maintain the confidentiality, integrity, and availability of data. For example, organizations can classify data into confidential, private, sensitive, and public. This classification can then be used to implement security controls. Operations security policies for all types of portable storage media should be in place to ensure that the data contained on these drives is not compromised. Audits should be performed periodically to ensure that operations security policies for portable storage media are being followed. This will ensure that employees do not remove portable storage media from your facility unless they are authorized to do so.

Which security principle mandates that only a minimum number of operating system processes should run in supervisory mode? A Layering B Data hiding C Least privilege D Abstraction

Answer C is correct. The principle of least privilege states that only processes that absolutely need kernel-level access should run in supervisory mode. The remaining processes should run in user mode to reduce the number of potential security vulnerabilities.

You work for a company that creates customized software solutions for customers. Recently, a customer has requested that your company provide a software escrow. What is the purpose of this request? A to provide an account to purchase software licenses B to ensure that appropriate software licenses exist C to provide a software vendor's source code in the event the vendor goes out of business D to provide a backup copy of all software used by your company

Answer C is correct. The purpose of a software escrow is to provide a software vendor's source code in the event the vendor goes out of business. In a software escrow, a third party is responsible for holding the source code and other applicable materials. The software escrow contract ensures that both the software vendor and customer are protected. All the other options are invalid.

An earthquake damaged the building that houses your organization's data center. As a result, the alternate site in New Jersey must be configured and brought online. Which team should be responsible for this? A salvage team B damage assessment team C restoration team D security team

Answer C is correct. The restoration team should be responsible for configuring the alternate site and bringing it online when a disaster occurs. When configuring this alternate site, the most critical business functions should be brought online first. For this to occur, the priority levels of the business functions must be defined in the disaster recovery plan. Without these priority levels, the business may not be operational within the recovery timeframe. The salvage team is responsible for the recovery of the original site. This is called the reconstitution phase. It should be spelled out in the disaster recovery plan how the reconstitution phase should be implemented. The least critical functions should first be moved to the original site to ensure that the critical business functions are not adversely affected due to connectivity or installation errors. The security team is responsible for assessing security at the alternate and primary site when a disaster occurs. The damage assessment team is responsible for assessing the damage at the primary site when a disaster occurs. This includes estimating how long it will take to bring critical functions online. All of these teams support the disaster recovery plan, which has as its goal minimizing risks associated with a disaster.

Which processes define the supervisor mode? A processes that are executed in the outer protection rings B processes with no protection mechanism C processes that are executed in the inner protection rings D processes in the outer protection ring that have more privileges

Answer C is correct. The supervisor mode refers to processes that are executed in the inner protection rings. The processes in the inner protection rings are granted more privileges than the processes in the outer protection ring. The processes in the inner ring are executed in the privileged or the supervisor mode, while the processes working in the outer protection rings are executed in the user mode. These processes in the inner ring include the operating system kernel process and input/output (I/O) instructions. Processes are placed in a ring structure according to least privilege. Multiplexed Information and Computing Service (MULTICS) is an example of a ring protection system. All other options are incorrect. Each operating system has a protection mechanism, such as memory segments and protection rings, to ensure that the applications do not adversely affect the critical components of the operating system. The protection rings define the security policy for each application by limiting the operations that can be performed by the application. No application in the operating system functions without a protection mechanism. Operating systems are responsible for memory allocation, input and output tasks, and resource allocation. If an operating system allows sequential use of an object without refreshing it, disclosure of residual data can arise.

Which one of the following types of attacks relies on the difference between the timing of two events? A Fraggle B Land C TOCTOU D Smurf

Answer C is correct. The time of check to time of use (TOCTOU) attack relies on the timing of the execution of two events.

You are researching computer crimes. All of the following are categories of this type of crime, EXCEPT: A computer-targeted crime B computer-assisted crime C computer-commerce crime D computer-incidental crime

Answer C is correct. There are three categories of computer crime. Computer-commerce crime is not a valid category of computer crime. The three categories of computer crime are as follows: computer-assisted crime - This category of crime is one in which a computer is used as a tool to carry out a crime. computer-targeted crime - This category of crime is one in which a computer is the victim of the crime. computer-incidental crime - This category of crime is one in which a computer is involved incidentally in the crime. The computer is not the target of the crime and is not the main tool used to carry out the crime.

Which of the following is considered an activity that has the potential to cause harm to information systems or networks? A Safeguard B Vulnerability C Threat D Asset

Answer C is correct. Threat is considered an activity that has the potential to cause harm to information systems or networks. Answer B is incorrect. Vulnerability refers to a software, hardware, or procedural weakness that may provide an open door to an attacker. Answer D is incorrect. Asset can be anything within the environment that is required to be protected. It can be a computer file, a network service, a system resource, a process, a program, and so on. Answer A is incorrect. Safeguard eliminates vulnerability or protects the system against particular threats.

Which of the following describes the statement given below? "Anytime one entity accepts a user without requiring additional authentication on the behalf of another entity." A Tailoring B Watermarking C Transitive trust D Synthetic transaction

Answer C is correct. Transitive trust describes a situation in which one entity accepts a user without requiring additional authentication on the behalf of another entity. For example, with transitive access, one party (A) trusts another party (B). If the second party (B) trusts another party (C), a relationship can exist where the first party (A) may also trust the third party (C). Answer A is incorrect because tailoring is a process by which assessment procedures are scoped to match the characteristics of the information system under assessment. Answer D is incorrect because synthetic transactions are pre-recorded actions, taken on a service, that mimic a user accessing the service and executing regular tasks. Answer B is incorrect because adding digital watermarks to documents to protect intellectual property is accomplished by means of steganography. The hidden information is known only to the file's creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and trace the offending copy back to the source.

An organization is planning the layout of a new building that will house a datacenter. Where is the most appropriate place to locate the datacenter? A Closest to the outside wall where heating, ventilation, and air conditioning systems are located B Closest to the outside wall where power enters the building C In the center of the building D At the back of the building

Answer C is correct. Valuable assets require multiple layers of physical security, and placing a datacenter in the center of the building helps provide these additional layers. Placing valuable assets next to an outside wall (including at the back of the building) eliminates some layers of security.

As an IT department manager, you must ensure high availability and performance for your organization's network. You must also ensure that the network is secure. What is the relationship between network performance and security? A When you increase the security mechanisms, performance usually increases. B When you increase the security mechanisms, it has no effect on performance. C When you increase the security mechanisms, performance usually decreases. D Security should always be given a higher priority than performance.

Answer C is correct. When you increase the security mechanisms on the network, the performance of the network usually decreases. None of the other statements is true regarding the relationship between network performance and security. An organization should determine when security or performance should be given a higher priority. The security administrator and network administrator roles should be assigned to two different people. The hierarchy within an organization should ensure that the security administrator is under a different chain of command than the network administrator. This ensures that security is not ignored or assigned a lower priority than performance.

One of the planned international offices will perform highly sensitive tasks for a governmental entity. For this reason, you must ensure that the company selects a location where a low profile can be maintained. On which of the following criteria do you base your facility selection? A construction B accessibility C visibility D surrounding area

Answer C is correct. You are concerned with visibility. The amount of visibility depends on the organization and the processes carried out in the facility. In the case of this office, you need to ensure that the company selects a location where a low profile can be maintained. Accessibility is the ease with which employees and officers can access the facility. Construction determines the building materials used to construct the facility. Surrounding area is the environment in which the facility is located, and is primarily concerned with the local crime rate and distance to emergency services. None of these factors is relevant to maintaining a low profile.

Your organization's data center is a secured portion of your organization's building. Entry to the data center requires that users enter a five-digit password. Only users in the information technology (IT) department are allowed access to the data center, and all IT department personnel use the same five-digit password. You must ensure that the password is changed appropriately. Which guideline should you NOT implement? A Change the password when an IT department employee leaves the organization. B Change the password when the password has been knowingly compromised. C Change the password when an IT department employee goes on extended leave. D Change the password at least every six months.

Answer C is correct. You should NOT change the password when an IT department employee goes on an extended leave. When the data center is protected by a password, you should adhere to the following guidelines: Change the password at least every six months. Change the password when an IT department employee leaves the organization. Change the password when it has been knowingly compromised.

You are responsible for managing a Windows Server 2012 computer that hosts several virtual computers. You need to install the latest patches for the operating system. Where should you install the patches? A on each Windows Server 2012 virtual computer only B on the host computer only C on both the host computer and all Window Server 2012 virtual computers D on the physical computer only

Answer C is correct. You should install the patches on both the host computer and all Windows Server 2008 virtual computers. Virtual machines can be compromised just like a physical computer. You should not install the patches on the host computer only, on each Windows Server 2008 virtual computer only, or on the physical computer only. Because virtual machines can be compromised just like a physical computer, you should ensure that the patches are installed on both the host computer and each Windows Server 2008 virtual computer.

You are responsible for managing your company's virtualization environment. Which feature should NOT be allowed on a virtualization host? A implementing a firewall B monitoring the event logs C browsing the Internet D implementing IPsec

Answer C is correct. You should not allow browsing the Internet on a virtualization host. This can present a possible security breach through the introduction of spyware or malware. Anything that affects a virtualization host also affects all virtual computers on the host. You should implement IPsec, implement a firewall, and monitor the event logs of a virtualization host. IPsec helps by encrypting data as it transmits across the network. Firewalls prevent unauthorized access to a physical or virtual computer. Event logs help administrators to detect when security breaches have occurred or are being attempted.

Your company implements a honeypot as intrusion prevention. Management is concerned that this honeypot would be considered entrapment and has asked you to ensure that entrapment does not occur. Which situation should you prevent? A open services on a honeypot B open ports on a honeypot C allowing downloads on a honeypot D allowing Web browsing on a honeypot

Answer C is correct. You should prevent allowing downloads on a honeypot. Allowing downloads on a honeypot is a possible example of entrapment if it is used to make formal trespassing charges. Entrapment occurs when a hacker is tricked into performing an illegal activity. Entrapment is illegal. Open ports and services and allowing Web browsing on a honeypot are not examples of entrapment. They are enticements. Enticement allows the administrator to monitor activity to increase security and perhaps trace the attack. Enticement is legal.

As network administrator for an organization, you need to prevent unethical access to the organization's online library. For this, you need to apply a condition such that the employee name and the employee code should match to access the library. Which of the following access controls will you select to accomplish the task? A Role-based access control B Attribute-based access control C Mandatory access control D Discretionary access control

Answer C is correct. You should select MAC (mandatory access control) to accomplish this task. It prevents unethical access to the organization's online library by applying the condition of matching the employee name and the employee code. It relies upon the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. Answer D is incorrect. DAC (discretionary access control) allows the owner or creator of an object to control and define subject access to that object. Answer A is incorrect. In RBAC (role-based access control), a user can access resources according to his role in the organization. Answer B is incorrect. In ABAC (attribute-based access control), access is granted not based on the rights of the subject associated with a user after authentication, but based on the attributes of the user.

Your organization is working with an international partner on a new and innovative product. All communication regarding this must be encrypted using a public domain symmetric algorithm. Which algorithm should you use? A 3DES B DES C Blowfish D IDEA

Answer C is correct. You should use Blowfish. Blowfish is a symmetric algorithm that is considered public domain. It can be used freely by anyone. Digital Encryption Standard (DES), Triple DES (3DES), and International Data Encryption Algorithm (IDEA) are not considered public domain. Symmetric algorithms include DES, 3DES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Advanced Encryption Standard (AES), SAFER, and Serpent. Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), LUC, Knapsack, and Zero Knowledge Proof.

You are performing a forensic investigation of a recent computer security breach. You have been asked to use disk imaging to create a copy of a hard drive's contents. Which statement is true of disk imaging when performed in a forensic investigation?

Answer D is correct. A bit-level copy of the original disk proves helpful in the forensic investigation. A bit-level copy of a hard disk refers to making a copy at the sector level to cover every part of the area that can store user data, such as slack space and free space. A byte-level copy of the hard disk is not preferred for forensic analysis after an incident has occurred. A byte-level copy initiates the forensic imaging of the attacked workstation. To ensure the integrity of the evidence, the forensic investigation is not performed on the actual system. The system is taken offline by disconnecting it from the network, dumping the contents of the memory, and powering down the system. A backup copy of the system is taken, and this backup copy is used for investigation purposes. The output from the forensic imaging software should be directed towards a small computer system interface (SCSI) drive or some other media that is external to the system being investigated. This is done to initiate the forensic imaging of the attacked workstation. Changing elements of the system, such as changing the file timestamps and modifying the files, can destroy the evidence. Therefore, skilled personnel should perform the forensic investigation to ensure that the evidence is unharmed and uncorrupted.

Which of the following is not a denial-of-service attack? A Sending malformed packets to a system, causing it to freeze B Exploiting a flaw in a program to consume 100 percent of the CPU C Sending thousands of emails to a single address D Performing a brute-force attack against a known user account when account lockout is not present

Answer D is correct. A brute-force attack is not considered a DoS.

You are examining an access control matrix for your organization. Which entity corresponds to a row in this matrix? A object B subject C access control list (ACL) D capability

Answer D is correct. A capability corresponds to a row in the access control matrix. A capability is a list of all the access permissions that a subject has been granted. An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access control matrix corresponds to the access control list (ACL) for an object. A row in an access control matrix corresponds to a subject's capabilities, not just the subject. By storing a list of rights on each subject, the granting of capabilities is accomplished.

What is a list of serial numbers of digital certificates that have not expired, but should be considered invalid? A UDP B KDC C CA D CRL

Answer D is correct. A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way. A CA generates and validates digital certificates. A key distribution center (KDC) is used in Kerberos network authentication to distribute resource access keys. User Datagram Protocol (UDP) provides connectionless communications on a TCP/IP network.

Which of the following is an attack where the cryptanalyst can define his own plaintext, feed it into the cipher, and analyze the resulting ciphertext? A Brute force attack B Implementation attack C Chosen cipher-text attack D Chosen plaintext attack

Answer D is correct. A chosen plaintext attack is an attack where the cryptanalyst can define his own plaintext, feed it into the cipher, and analyze the resulting ciphertext. The goal of the attack is to gain some further information that reduces the security of the encryption scheme. In the worst case, a chosen plaintext attack could reveal the scheme's secret key. Answer B is incorrect because an implementation attack exploits weaknesses in the implementation of a cryptography system. Answer C is incorrect because a chosen cipher-text attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. Answer A is incorrect because a brute force attack is a password attack that doesn't try to decrypt any information, but continues to try every possible valid combination for a key or password.

Your data center has its own lock to prevent entry. Your organization's security plan states that the lock to the data center should be programmable. Which type of lock should you use? A combination lock B tumbler lock C mechanical lock D cipher lock

Answer D is correct. A cipher lock is a lock that is programmable. Cipher locks are keyless. Users must enter the appropriate cipher using the lock's keypad. None of the other options is correct. The two main types of mechanical locks are warded locks and tumbler locks. Warded locks are basic padlocks. The lock has wards (metal projections around the keyhole), and only a particular key will work with the wards to unlock the lock. A tumbler lock has more pieces than a warded lock. The key fits into the cylinder, raising the lock pieces to the correct height. There are three types of tumbler locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks. Combination locks require the correct combination of numbers to unlock.

Which fault tolerant solution is the most expensive to implement? A backups B RAID C redundant disk controllers D clusters

Answer D is correct. A cluster is the most expensive fault tolerant solution to implement of the solutions given. A cluster provides a fault tolerant server solution that allows multiple servers to appear as a single server to users. If one of the servers in the cluster fails, the remaining servers take up the load. Redundant Array of Independent Disks (RAID) is a fault tolerant disk solution where multiple disks within a computer are implemented. Generally, hard drives are not as expensive as computers. Backups are a fault tolerant solution that ensure that data is protected by backing up to tape, compact disc (CD), and other media. Backups are generally considered to be an inexpensive fault tolerance solution. Redundant disk controllers ensure that data has multiple paths through which to connect to hard drives. Disk controllers are generally less expensive than computers.

Which statement is true of covert channels? A A covert channel is addressed by a C2 rating provided by TCSEC. B A covert channel acts as a trusted path for authorized communication. C A covert channel regulates the information flow and implements the security policy. D A covert channel is not controlled by a security mechanism.

Answer D is correct. A covert channel is not controlled by a security mechanism. A covert channel is a communication path that accesses information in an unauthorized manner and violates the security policy. A covert channel is not a regulated path of the information flow and is an effect of a software bug or a compromised system. Covert channels are addressed by the Trusted Computer System Evaluation Criteria (TCSEC) rating B2 and above. Covert storage channels are addressed in level B2, and covert timing channels are addressed in level B3. Unlike an overt channel, which is specifically designed as an authorized communication channel, a covert channel is used by attackers to violate the security policy of a system. Therefore, the covert channel is avoided for communication because it lacks the mandatory control. The two types of covert channels are as follows: Covert timing channel: In a covert timing channel, a process sends information to another process by modulating its use of system resources. For example, the first process may vary its hard disk access or the number of CPU cycles it consumes. When the second process is completing a job, the first process waits for the signal and then performs the unauthorized job. Covert timing channels convey information by modifying the timing of a system resource in some measurable way. Covert storage channel: In a covert storage channel, the security risk arises due to the storage location. For example, a problem may arise when a process writes data to a specific location and another process is able to read this information either directly or indirectly, irrespective of the security level at which it occurs. A covert storage channel is an information transfer that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process.
Both the covert timing channel and the covert storage channel violate the security policy of a system. A Loki attack is an example of a covert channel.

As a network administrator of a corporate network, you want to monitor all network traffic on your local network for suspicious activities and receive a notification when a possible attack is in process. What will you do? A Install a DMZ firewall. B Install a host-based IDS. C Enable verbose logging on the firewall. D Install a network-based IDS.

Answer D is correct. A network-based IDS monitors all traffic on your entire network. This would give you coverage for all network traffic. It can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. Answer B is incorrect because a host-based IDS simply monitors attempted attacks on an individual host. Answer C is incorrect because verbose logging on the firewall will only give you clues regarding attacks on the firewall. Answer A is incorrect because a DMZ firewall, although a good suggestion and usually more secure, wouldn't give you any monitoring of the traffic on the LAN.

Which type of firewall only examines the packet header information? A stateful firewall B kernel proxy firewall C application-level proxy firewall D packet-filtering firewall

Answer D is correct. A packet-filtering firewall only examines the packet header information. A stateful firewall usually examines all layers of the packet to compile all the information for the state table. A kernel proxy firewall examines every layer of the packet, including the data payload. An application-level proxy firewall examines the entire packet. Packet-filtering firewalls are based on access control lists (ACLs). They are application independent and operate at the Network layer of the OSI model. They cannot keep track of the state of the connection. A packet-filtering firewall only looks at a data packet to obtain the source and destination addresses and the protocol and port used. This information is then compared to the configured packet-filtering rules to decide if the packet will be dropped or forwarded to its destination.

Which of the following types of virus changes characteristics as it spreads? A File B Boot sector C Stealth D Polymorphic

Answer D is correct. A polymorphic virus changes characteristics as it spreads. It has the ability to change its own signature at the time of infection. This virus is very complicated and hard to detect. When the user runs the infected file on the disk, it loads the virus into RAM. The new virus starts making its own copies and infects other files of the operating system. The mutation engine of the polymorphic virus generates new encrypted code, thus changing the signature of the virus. Answer C is incorrect. A stealth virus is a virus that can redirect the disk head to read another sector instead of the one in which it resides. It can also alter the reading of the infected file size shown in the directory listing. A stealth virus can change a file's date and time. Since a stealth virus uses encryption techniques, it becomes totally hidden from antivirus software and operating systems. Frodo and Whale are some good examples of stealth viruses. Answer B is incorrect. A boot sector virus infects the master boot files of the hard disk or floppy disk. Boot record programs are responsible for booting the operating system, and the boot sector virus copies these programs into another part of the hard disk or overwrites these files. Therefore, when the floppy or the hard disk boots, the virus infects the computer. Answer A is incorrect. A file virus infects programs that can execute and load into memory to perform predefined steps to infect systems.

Which type of firewall hides a packet's true origin before sending it through another network? A bastion host B stateful firewall C packet-filtering firewall D proxy firewall

Answer D is correct. A proxy firewall hides a packet's true origin before sending it through another network. The primary security feature of a proxy firewall is that it hides the client information. It is the only computer on a network that communicates with untrusted computers. A bastion host is a hardened system that usually resides on a demilitarized zone (DMZ) and is accessed frequently. A stateful firewall forwards packets on behalf of the client. It examines each packet and permits or denies it passage based on many factors, including the state table. The state table is used to track where in the TCP handshake a connection is so that any frames that arrive out of normal sequence (an indicator of possible malicious activity) can be dropped. This type of firewall is also often referred to as a stateful-inspection firewall. A packet-filtering firewall forwards packets based on rules that define which traffic is permitted and denied on the network. A packet-filtering firewall examines the data packet to get information about the source and destination addresses of an incoming packet, the session's communications protocol (TCP, UDP, or ICMP), and the source and destination application ports for the desired service.

What is a retrovirus? A a virus which is based on an old virus but has been modified to prevent detection B a virus that modifies other programs and databases C a virus that includes protective code that prevents outside examination of critical elements D a virus that attacks or bypasses anti-virus software

Answer D is correct. A retrovirus attacks or bypasses anti-virus software. Retroviruses even attack the anti-virus program to destroy the virus definitions or to create bypasses for itself. As of the writing of this exam, there is no name for a virus based on an old virus that has been modified to prevent detection. A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications. An armored virus includes protective code that prevents examination of critical elements. The armor attempts to protect the virus from destruction.

Which of the following best describes a rule-based access control model? A It uses local rules applied to all users equally. B It uses global rules applied to users individually. C It uses local rules applied to users individually. D It uses global rules applied to all users equally.

Answer D is correct. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.

You have been asked to design and implement a security awareness program for your organization. Which option is NOT an objective of this program? A to communicate ramifications of violating the security policy B to enforce compliance to the information security program C to promote acceptable use and behavior D to ensure non-violation of the security policy

Answer D is correct. A security awareness program does NOT ensure non-violation of the security policy. A security awareness program promotes acceptable use and behavior, enforces compliance with the information security program, and communicates ramifications of violating the security policy. The main objective of security-awareness training is to make employees aware of their security responsibilities and of the expected ethical conduct and acceptable activities. The user must understand the acceptable and unacceptable activities and the implications of violating the security policy. A security awareness program focuses on compliance, the acceptable use of resources, and ethical conduct in the organization. Users can either be penalized through disciplinary action or terminated for noncompliance with the security policy. The implementation of the security policy should be routinely monitored to trace security policy violations and attempted violations to ensure that appropriate personnel can be held responsible.

Which statement correctly defines spamming attacks? A sending multiple spoofed packets with the SYN flag set to the target host on an open port B sending spoofed packets with the same source and destination address C using ICMP oversized echo messages to flood the target computer D repeatedly sending identical e-mails to a specific address

Answer D is correct. A spamming attack involves flooding an e-mail server or specific e-mail addresses repeatedly with identical unwanted e-mails. Spamming is the process of using an electronic communications medium, such as e-mail, to send unsolicited messages to users in bulk. Packet filtering routers typically do not prove helpful against such attacks because packet filtering routers do not examine the data portion of the packet. E-mail filter programs are now being embedded either in the e-mail client or in the server. E-mail filter programs can be configured to protect from spamming attacks to a great extent. A ping of death is a type of DoS attack that involves flooding target computers with oversized packets that exceed the acceptable size during the process of reassembly. This causes the target computer to either freeze or crash. Other DoS attacks, named smurf and fraggle, deny access to legitimate users by causing a system to either freeze or crash. In a SYN flood attack, the attacker floods the target with spoofed IP packets, causing it to either freeze or crash. The Transmission Control Protocol (TCP) uses the synchronize (SYN) and acknowledgment (ACK) packets to establish communication between two host computers. The exchange of the SYN, SYN-ACK, and ACK packets between two host computers is referred to as handshaking. Attackers flood the target computers with a series of SYN packets to which the target host computer replies. The target host computer then allocates resources to establish a connection. The IP address is spoofed. Therefore, the target host computer never receives a valid response in the form of ACK packets from the attacking computer. When the target computer receives many SYN packets, it runs out of resources to establish connections with legitimate users and becomes unreachable for the processing of valid requests.
A land attack involves sending multiple spoofed TCP SYN packets with the target host's IP address and an open port as both the source and the destination to the target host on an open port. The land attack causes the system to either freeze or crash because the computer replies to itself.

What is system certification? A Formal acceptance of a certified configuration from a designated authority B A manufacturer's certificate stating that all components were installed and configured correctly C A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards D A technical evaluation of each part of a computer system to assess its compliance with security standards

Answer D is correct. A system certification is a technical evaluation of each part of a computer system to assess its compliance with security standards. Option A describes system accreditation. Options B and C refer to manufacturer standards, not implementation standards.

Who has the responsibility to integrate security considerations into application and system purchasing decisions and development projects? A Auditor B Security professional C Data custodian D System owner

Answer D is correct. A system owner has the responsibility to integrate security considerations into application and system purchasing decisions and development projects. The primary responsibility is to conduct security control assessments. A system owner should also ensure that necessary security controls, remote access controls, password management, operating system configurations, and so on, are providing adequate security. Answer C is incorrect because a data custodian is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. Answer B is incorrect because a security professional has the functional responsibility for security, including writing the security policy and implementing it. The security professional role is often filled by a team that is responsible for designing and implementing security solutions based on the approved security policy. Answer A is incorrect because an auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate.

What is a trapdoor function? A an attack where messages between two entities are intercepted so that an attacker can masquerade as one of the entities B an attack that repeatedly tries different values to determine the key used C a mechanism built into an algorithm that allows an individual to bypass or subvert the security in some fashion D a mechanism that enables the implementation of the reverse function in a one-way function

Answer D is correct. A trapdoor function is a mechanism that enables the implementation of the reverse function in a one-way function. A backdoor is a mechanism built into an algorithm that allows an individual to bypass or subvert the security in some fashion. A brute force attack is an attack that repeatedly tries different values to determine the key used. A man-in-the-middle attack is an attack where messages between two entities are intercepted so that an attacker can discover the legitimate entities' keys. The end result is that the attacker can read all the messages transmitted between the two legitimate entities.

What would detect when a user has more privileges than necessary? A Account management B Reporting C Logging D User entitlement audit

Answer D is correct. A user entitlement audit can detect when users have more privileges than necessary. Account management practices attempt to ensure that privileges are assigned correctly. The audit detects whether the management practices are followed. Logging records activity, but the logs need to be reviewed to determine if practices are followed. Reporting is the result of an audit.

What would an organization do to identify weaknesses? A Access review B Asset valuation C Threat modeling D Vulnerability analysis

Answer D is correct. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Answers B, C, and A are incorrect. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, and threats are often paired with vulnerabilities to identify risk, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.

A company's security policy comes under which of the following controls? A Technical B Physical C Detective D Administrative

Answer D is correct. Administrative controls are management-driven actions that usually reveal themselves in the form of policies, directives, advisories, and procedures. Security policies, awareness training, and incident response planning are all examples of administrative controls. Answer A is incorrect. Technical controls are the hardware or software mechanisms used to manage access and provide protection for resources and systems. Answer B is incorrect. Physical controls are used to prevent, monitor, or detect direct contact with systems or areas within a facility. Answer C is incorrect. Detective controls search for unwanted or unauthorized activities.

In the wake of the September 11, 2001, terrorist attacks, what industry made drastic changes that directly impact DRP/BCP activities? A Banking B Tourism C Airline D Insurance

Answer D is correct. All the industries listed in the options made changes to their practices after September 11, 2001, but the insurance industry's change toward noncoverage of acts of terrorism most directly impacts the BCP/DRP process.

Which statement best describes an access control list (ACL)? A a list of all subjects that have been granted access to a particular object B a list of all access levels that can be granted to a particular object C a list of all objects to which a subject has been granted access D a list of subjects that have been granted access to a specific object, including the level of access granted

Answer D is correct. An access control list (ACL) is a list of subjects that have been granted access to a specific object, including the level of access granted. An ACL must include the subjects, the objects, and the level of access. Access control allows you to control the behavior, use, and content of any system, for example, an IS system. It is primarily used by the system administrator to control system usage by explicitly enabling or restricting access. The primary purpose of access controls is to mitigate risks and reduce loss potential. An ACL coordinates access to system resources (objects) based on some user or computer entity (subject) identifier. This identifier can be a user name, personal identifier, or even an IP address. An ACL usually either explicitly allows or explicitly denies certain rights or permissions. Typically, the types of access are read, write, execute, append, modify, delete, and create. Access controls can be actual physical controls that control access to physical objects, such as buildings or rooms, or actual system controls that control access to objects within a particular system once physical access has been granted, such as the use of user names and passwords for logging in.

Which entity can an administrator use to designate which users can access a file? A a proxy server B a NAT server C a firewall D an ACL

Answer D is correct. An access control list (ACL) is a security mechanism that is used to designate which users can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level. The DAC model uses ACLs to identify the users who have permissions to a resource. A firewall allows and denies network access through communications ports. A NAT server presents public Internet Protocol (IP) addresses to the Internet on behalf of computers on a private network. A proxy server can be used to enable hosts to access Internet resources. A proxy server can increase the performance of a network by caching Web pages, which can reduce the amount of time required for clients to access Web pages.

What is another term for two-factor authentication? A user name/password authentication B smart card authentication C biometric authentication D strong authentication

Answer D is correct. Another term for two-factor authentication is strong authentication. Strong authentication uses two methods to authenticate a user. This type of authentication can be implemented in many ways. Sometimes a user must provide a user name and password, and must also use biometric authentication to verify identity. Other times a user must provide a user name and password, and use a smart card to verify identity. Strong authentication authenticates using something a person knows, has, or is. Any two of these can be included as part of the authentication process. Biometric authentication authenticates a user based on something the person is and conducts a one-to-one search to verify an individual's claim of an identity. This includes fingerprints, iris scans, retinal scans, palm scans, and voice prints. Smart card authentication authenticates a user based on something the user has. The smart card is inserted into or placed within the reading range of a smart card reader. Once the card is read, the user sometimes inputs a personal identification number (PIN). User name/password authentication authenticates a user based on something the user knows. The user name and password must be provided by the user.

Your organization has asked that you work with a team to develop a business continuity plan for your organization. The members of the team have suggested many events that should be considered as part of the business continuity plan. Which events should be considered?
a. natural disaster
b. hardware failure
c. server relocation
d. employee resignation
A point d B points c and d C all of these D points a and b E point a F point b G point c

Answer D is correct. As part of the business continuity plan, natural disasters should be considered. Natural disasters include tornadoes, floods, hurricanes, and earthquakes. A business continuity strategy needs to be defined to preserve computing elements, such as the hardware, software, and networking elements. The strategy needs to address facility use during a disruptive event and define personnel roles in implementing continuity. Hardware failure should also be considered. This can be limited to a single computer component, but can also include network link or communications line failures. The majority of the unplanned downtime experienced by a company is usually due to hardware failure. The business continuity plan should only include those events that interrupt services. Normally, server relocation is planned in such a way as to ensure either no interruption or minimal interruption of services. As such, it is usually not part of the business continuity plan. Employee resignation, even the resignation of a high-level IT manager, should not be considered as part of the business continuity plan. Employee resignation is a normal part of doing business. However, employee strikes and the actions of disgruntled employees should be considered as part of the business continuity plan. At the incipient stage of a disaster, emergency actions should be taken to prevent injuries and loss of life. You should attempt to diminish damage to corporate function to avoid the need for recovery. The purpose of initiating emergency actions right after a disaster takes place is to prevent loss of life and injuries and to mitigate further damage.

Eavesdropping is an example of what kind of attack? A Bonk attack B DoS attack C Active attack D Passive attack

Answer D is correct. Attacks may be passive or active. Eavesdropping is an example of a passive attack. Eavesdropping is simply listening to communication traffic for the purpose of duplicating it. It usually requires physical access to the IT infrastructure to connect a physical recording device to an open port or cable splice or to install a software-recording tool onto the system. Answer C is incorrect. An active attack requires the attacker to be able to transmit data to one or both of the parties, or block the data stream in one or both directions. Answer B is incorrect. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple computers throughout the network that it has previously infected. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic. Answer A is incorrect. A bonk attack is a variant of the teardrop attack that affects mostly Windows computers by sending corrupt UDP packets to DNS port 53. It is a type of DoS attack. It manipulates the fragment offset field in TCP/IP packets. This field tells a computer how to reconstruct a packet that was fragmented, because it is difficult to transmit big packets.

Your company has a backup solution that performs a full backup each Saturday evening and an incremental backup all other evenings. A vital system crashes on Monday morning. How many backups will need to be restored? A one B three C four D two

Answer D is correct. Because the system crashes on Monday morning, you will need to restore two backups: the full backup from Saturday evening and the incremental backup from Sunday evening. When incremental backups are included in your backup plan, you will need to restore the full backup and all incremental backups that have been taken since the full backup. Because the failure occurred on Monday morning, only the full Saturday backup and the incremental Sunday backup need to be restored. If the crash had occurred on Tuesday morning, you would have needed to restore three backups: Saturday evening's full backup, Sunday evening's incremental backup, and Monday evening's incremental backup. If the crash had occurred on Wednesday morning, you would have needed to restore four backups: Saturday evening's full backup, Sunday evening's incremental backup, Monday evening's incremental backup, and Tuesday evening's incremental backup.

In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse? A Encrypting communications B Taping and archiving all conversations C Using transmission logs D Changing default passwords

Answer D is correct. Changing default passwords on PBX systems provides the most effective increase in security.

Which one of the following storage locations provides a good option when the organization does not know where it will be when it tries to recover operations? A Field office B Primary data center C IT manager's home D Cloud computing

Answer D is correct. Cloud computing services provide an excellent location for backup storage because they are accessible from any location.

Which of the following is known as management of changes made to a system's hardware, software, or firmware throughout its operational life cycle? A Capacity management B Problem management C Incident management D Configuration management

Answer D is correct. Configuration management is known as management of changes made to a system's hardware, software, or firmware throughout its operational life cycle. Answer C is incorrect. Incident management is the process of restoring normal service operation as fast as possible while reducing unfavorable impact on business operations. Answer B is incorrect. Problem management reduces the adverse impact of incidents and problems on the business that occur due to errors in the IT infrastructure. Answer A is incorrect. Capacity management ensures that the service provider has, at all times, sufficient capacity so that the current and the future needs of the customer get fulfilled.

Local law enforcement contacts you regarding a recent computer crime. You supply evidence to the investigators. The investigators tell you that the evidence you supplied is corroborative evidence. Which statement is true of this type of evidence? A It always acts as concrete evidence. B It can sometimes be used alone. C It should be controlled by multiple sources. D It enables you to prove either a point or an idea.

Answer D is correct. Corroborative evidence enables you to prove either a point or an idea. Corroborative evidence is additional evidence that is credible and admissible in a court of law. Although corroborative evidence cannot prove a fact on its own, it is used to supplement other evidence. Corroborative evidence confirms, supports, or strengthens other evidence by rendering that evidence more probable. Corroborative evidence is maintained and controlled by a single independent source different from either the accuser or the accused. Corroborative evidence may be either circumstantial or direct in nature. Corroborative evidence must be gathered from independent sources to confirm that the crime was committed and that the accused committed the crime.

You are the security administrator for a consulting firm. One of your clients needs to encrypt traffic. However, he has specific requirements for the encryption algorithm. It must be a symmetric key block cipher. Which of the following should you choose for this client? A RC4 B SSH C PGP D DES

Answer D is correct. DES (Data Encryption Standard) is a block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. DES consequently came under intense academic scrutiny, which motivated the modern understanding of block ciphers and their cryptanalysis. Answer C is incorrect. PGP (Pretty Good Privacy) is a public key/asymmetric encryption system. PGP is an encryption method that uses public-key encryption to encrypt and digitally sign e-mail messages during communication between e-mail clients. PGP is effective, easy to use, and free. Therefore, it is one of the most common ways to protect messages on the Internet. Answer B is incorrect. SSH (Secure Shell) is a network protocol that allows data to be exchanged using a secure channel between two networked devices. It uses public-key cryptography to authenticate the remote computer. Answer A is incorrect. RC4 (Rivest Cipher 4) is a stream cipher designed by Ron Rivest. It is used in many applications including Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and so on. RC4 is fast and simple. Some ways of using RC4 can lead to very insecure cryptosystems, such as WEP.

What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem? A 128 bits B 192 bits C 256 bits D 56 bits

Answer D is correct. DES uses a 56-bit key. This is considered one of the major weaknesses of this cryptosystem.

Your company implements several databases. You are concerned with the security of the data in the databases. Which statement is correct for database security? A Bind variables provide access control through implementing granular restrictions. B Data manipulation language (DML) implements access control through authorization. C Data identification language implements security on data components. D Data control language (DCL) implements security through access control and granular restrictions.

Answer D is correct. Data control language (DCL) implements security through access control and granular restrictions. DCL is used to configure which DML statements users can use. None of the other statements is true. Data identification language is not a valid language used in databases. A bind variable is a placeholder in a SQL statement that must be replaced with a valid value or value address for the statement to execute successfully. Data manipulation language (DML) is used to change the values of data within a database.

Which of the following does not erase data? A Overwriting B Purging C Clearing D Remanence

Answer D is correct. Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.

In computing environments, the process of removal of data remanence from media devices has many names. Which of the following terms does not describe this process? A Purging B Degaussing C Overwriting D Deleting

Answer D is correct. Deleting data does not ensure that the data remanence is properly removed. Answers A, B, and C are incorrect. Purging, degaussing, and overwriting are the terms that describe the process of removal of data remanence from media devices in computing environments.

The research department at your company has decided to implement a new file server. The department manager will be responsible for granting access to the folders and files based on a user's or a group's identity. Which type of access control model is being used? A RBAC B MAC C ACL D DAC

Answer D is correct. Discretionary access control (DAC) is based on identity. This identity can be a user's identity or a group's identity, and DAC is sometimes referred to as identity-based access control. DAC is the type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources certain users can access. An access control list (ACL) is not an access control model, although it is used in a DAC model. It is an access control entity that lists user access levels to a given object. Mandatory access control (MAC) is a model based upon security labels. Role-based access control (RBAC) is a model based upon user roles. An access control model should be applied in a preventative manner. A company's security policy determines which access control model will be used.

What type of electrical component serves as the primary building block for dynamic RAM chips? A Transistor B Flip-flop C Resistor D Capacitor

Answer D is correct. Dynamic RAM chips are built from a large number of capacitors, each of which holds a single electrical charge. These capacitors must be continually refreshed by the CPU in order to retain their contents. The data stored in the chip is lost when power is removed.

You are reviewing the Common Criteria security standards. Which Common Criteria Evaluation Assurance Level (EAL) is the common benchmark for operating systems and products? A EAL 5 B EAL 6 C EAL 7 D EAL 4 E EAL 3

Answer D is correct. EAL 4 is the common benchmark for operating systems and products. Common Criteria divides the evaluation criteria into seven EALs:
EAL 1 - A user wants the system to operate but ignores security threats.
EAL 2 - Developers use good design practices but security is not a high priority.
EAL 3 - Developers provide moderate levels of security.
EAL 4 - Security configuration is based on good commercial development. This level is the common benchmark for commercial systems, including operating systems and products.
EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance.
EAL 6 - Specialized security engineering provides high levels of assurance. This level is highly resistant to penetration attacks.
EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.

When working around electrical equipment, including computers, what type of fire extinguisher should you have on hand? A Class A B Class B C Class D D Class C

Answer D is correct. Electrical equipment is involved in Class C fires; therefore, when working around electrical equipment, including computers, you should keep a Class C fire extinguisher on hand. Answer A is incorrect. Class A fires involve organic solids such as paper and wood; therefore, a Class A extinguisher is used to put out paper or wood fires. Answer B is incorrect. Class B fires involve flammable or combustible liquids. Gasoline, grease, and oil fires are included in this class; therefore, a Class B fire extinguisher is used to put out gasoline, grease, and oil fires. Answer C is incorrect. Class D fires involve combustible metals; therefore, a Class D fire extinguisher is used to put out fires of combustible metals.

Which of the following protocols is an IPSec protocol that provides confidentiality? A CHAP B MD5 C AH D ESP

Answer D is correct. Encapsulating Security Payload (ESP) is an IPSec protocol that provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone or in combination with Authentication Header (AH). It can also be nested with the Layer Two Tunneling Protocol (L2TP). ESP does not sign the entire packet unless it is being tunneled. Usually, only the data payload is protected, not the IP header. Answer C is incorrect. AH provides authentication, integrity, and replay protection of the sender. Answers B and A are incorrect. These two are not IPSec protocols.

Which of the following is also known as encrypted text? A Plaintext B Hypertext C Cookies D Ciphertext

Answer D is correct. Encrypted text is referred to as ciphertext while original text is referred to as plaintext. Ciphertext is text encrypted using an encryption key. It is meaningless to anyone without the decryption key. The process of conversion from plaintext to ciphertext is known as encryption and that from ciphertext to plaintext is known as decryption. Answer A is incorrect because plaintext is information a sender wishes to transmit to a receiver. It includes an ordinary sequential file readable as textual material without much processing. Answer B is incorrect because hypertext is a document with links to other documents. Users click a link to view the linked document. Answer C is incorrect because a cookie is a small bit of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web application whenever a user visits a site.

What are ethics? A Regulations set forth by a professional organization B Laws of professional conduct C Mandatory actions required to fulfill job requirements D Rules of personal behavior

Answer D is correct. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

Which method is NOT recommended for removing data from a storage media that is used to store confidential information? A zeroization B degaussing C destruction D formatting

Answer D is correct. Formatting is not recommended for removing data from storage media that are used to store confidential information. Formatting or deleting the data from storage media, such as a hard drive, does not ensure the actual removal of the data, but instead removes the pointers to the location where the data resides on the storage media. The residual data on the storage media is referred to as data remanence. The main issue with media reuse is remanence. The residual data can be recovered by using data recovery procedures. This can pose a serious security threat if the erased information is confidential in nature. Sanitization is the process of wiping the storage media to ensure that its data cannot be recovered or reused. Sanitization includes several methods, such as zeroization, degaussing, and media destruction. All of these methods can be used to remove data from storage media, depending on the type of media used. Most storage media having a magnetic base can be sanitized. However, CDs and DVDs often cannot be degaussed. If this is the case, the only option is physical destruction of the CD or DVD. Zeroization implies that storage media are repeatedly overwritten with null values, such as multiple ones and zeros, for sanitization. Zeroization is generally used in a software development environment. Degaussing is the process of reducing or eliminating an unwanted magnetic field of a storage medium. Degaussing refers to a method of sanitizing storage media by using magnetic forces. Degaussing devices produce powerful opposing magnetic fields that reduce the magnetic flux density of the storage media to zero. Degaussing is the preferred method for erasing data from magnetic media, such as floppy disks, hard drives, and magnetic tapes. Media destruction implies physically destroying the media to make it unusable. Security of the storage media can be crucial if the data stored is of a confidential nature. Some storage media, such as CD-ROMs, cannot be sanitized due to the lack of a magnetic base. Therefore, it is recommended that you physically destroy them to prevent disclosure of confidential information. Media viability controls are used to protect the viability of data storage media. Media viability control measures include proper labeling or marking, secure handling and storage, and storage media disposal.

Company management has decided to implement group policies to ensure that the company's security policies are enforced across the organization. You must develop the appropriate group policies for your company. Which entities can you manage with these new policies?
a. users
b. client computers
c. server computers
d. domain controllers
A option c B option b C option a D all of the options E none of the options F option d

Answer D is correct. Group policies can be used to manage users, client computers, server computers, and domain controllers. Group policies are the most efficient way to manage a large number of users or computers. For example, you can configure a group policy that forces users to change their password at the next login.

Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media? A Using sanitization tools on returned media B Employing a librarian or custodian C Using a check-in/check-out process D Hashing

Answer D is correct. Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, while data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.

Your company network has reached such a large size that it is becoming increasingly difficult to manage user accounts and passwords. Management has asked you to investigate a cloud solution that you could deploy to make administration easier and to implement single sign-on. Which cloud deployment solution should you suggest? A PaaS B DBaaS C IPaaS D IDaaS

Answer D is correct. Identity as a Service (IDaaS) is a cloud-based identity management solution that will allow an organization to implement single sign-on. An IDaaS solution via a cloud provider usually includes the following:
Single sign-on
Provisioning
Password management
Access governance
Granular access controls
Centralized administration
Integration with internal directory services
Integration with external services
Integration Platform as a Service (IPaaS) is a cloud-based solution that enables the development, execution, and governance of integration flows to connect on-premises and cloud-based processes, services, applications, and data within individual organizations or across multiple organizations. Database as a Service (DBaaS) is a cloud-based solution that supports applications without the application team assuming responsibility for traditional database administration functions. Platform as a Service (PaaS) is a cloud-based solution that allows customers to develop, run, and manage Web applications without having to build and maintain the infrastructure typically associated with developing and launching an app.

An organization has a datacenter that processes highly sensitive information and is staffed 24 hours a day. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on internet sites, exposing the organization's internal sensitive data. Which of the following administrator actions might have prevented this incident? A Add the tapes to an asset management database. B Degauss the tapes before backing up data to them. C Purge the tapes before backing up data to them. D Mark the tapes before sending them to the warehouse.

Answer D is correct. If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unstaffed warehouse. Purging or degaussing the tapes before using them will erase previously held data but won't help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn't prevent this incident.

In which of the following attacks does an attacker somehow pick up the information to be encrypted and take a copy of it with the encrypted data? A Man-in-the-middle attack B Replay attack C Ciphertext only attack D Chosen plaintext attack

Answer D is correct. In a chosen plaintext attack, an attacker somehow picks up the information to be encrypted and takes a copy of it with the encrypted data. This is used to find patterns in the cryptographic output that might uncover a vulnerability or reveal a cryptographic key. Answer A is incorrect because in a man-in-the-middle attack, the attacker places himself in the middle of the communications flow between two parties. Answer B is incorrect because in a replay attack, the attacker tries to repeat or delay a cryptographic transmission. Answer C is incorrect because in a ciphertext only attack, the attacker obtains encrypted messages that have been encrypted using the same encryption algorithm.

What is an agent in a distributed computing environment? A an identifier used to uniquely identify users, resources, and components within an environment B a protocol that encodes messages in a Web service setup C the middleware that establishes the relationship between objects in a client/server environment D a program that performs services in one environment on behalf of a principal in another environment

Answer D is correct. In a distributed computing environment, an agent is a program that performs services in one environment on behalf of a principal in another environment. A globally unique identifier (GUID) and a universal unique identifier (UUID) uniquely identify users, resources, and components within a Distributed Component Object Model (DCOM) or Distributed Computer Environment (DCE) environment, respectively. Simple Object Access Protocol (SOAP) is an XML-based protocol that encodes messages in a Web service setup. Object request brokers (ORBs) are the middleware that establishes the relationship between objects in a client/server environment. A standard that uses ORBs to implement exchanges among objects in a heterogeneous, distributed environment is Common Object Request Broker Architecture (CORBA). A distributed object model that has similarities to CORBA is DCOM. The Object Request Architecture (ORA) is a high-level framework for a distributed environment. It consists of ORBs, object services, application objects, and common facilities. The following are characteristics of a distributed data processing (DDP) approach: it consists of multiple processing locations that can provide alternatives for computing in the event that a site becomes inoperative; distances from a user to a processing resource are transparent to the user; and data stored at multiple, geographically separate locations is easily available to the user.

In which attack is an attacker able to position themselves within the pathway between a client and a server? A Spamming B Spoofing C Brute force D Man-in-the-middle

Answer D is correct. In a man-in-the-middle attack, an attacker is able to position themselves within the pathway between a client and a server so that when the client initiates communication with the server, it is done across the attacker's system without either party being aware of the attacker's presence. Answer C is incorrect. A brute force attack attempts every possible valid combination of letters and numbers for a key or password. Answer B is incorrect. In a spoofing attack, a program masquerades as another by falsifying data, thereby gaining unauthorized advantages. Answer A is incorrect. A spamming attack sends significant amounts of spam to a system in order to consume bandwidth, storage space, and processing capabilities.

In PKI, which term refers to a public key that can be used to verify the certificate used in a digital signature? A a target B a relying party C an issuer D a trust anchor

Answer D is correct. In a public key infrastructure (PKI), a trust anchor is a public key that verifies the certificate used in a digital signature. PKI is a system for securely sharing public keys. An issuer is a PKI entity that signs certificates provided by a subject. A PKI entity that verifies a certificate chain is referred to as a relying party or a verifier. In PKI, a target is a path to a public key.

Which of the following statements are true of the principle of least privilege? A It allows access of confidential data to only management. B It allows access to sensitive resources only. C It is the act of exploiting a bug or design flaw in a software application to gain access to resources. D It allows only access to those resources needed to perform a job function.

Answer D is correct. In information security, the principle of least privilege states that every program and every user of the system must operate using the least set of privileges necessary to complete the job. It allows only access to those resources needed to perform a job function. Answers A and B are incorrect. Since the principle of least privilege allows access only to those resources required to complete a job function, it makes no difference whether an employee belongs to management or whether the resources are sensitive. If any resource is not required to perform a job, access should not be granted for that resource. Answer C is incorrect. Privilege escalation is the act of exploiting a bug or design flaw in a software application to gain access to resources, which normally would have been protected, from an application or user. The result is that the application performs actions with more privileges than intended by the application developer or system administrator.

Which statement is NOT true regarding multicast transmissions? A Data, multimedia, video, and voice clips can be transmitted. B The protocols use Class D addresses. C A packet is transmitted to a specific group of devices. D A message has one source and destination address.

Answer D is correct. In multicast transmissions, a message does NOT have one source and destination address. This is a description of unicast transmissions. Multicast transmission packets are transmitted to a specific group of devices. Multicast protocols use Class D addresses. Data, multimedia, video, and voice clips can be transmitted using multicast. It is a one-to-many transmission. The three types of transmission methods are: unicast, multicast, and broadcast. Unicast transmissions are intended for a single device. It is a one-to-one transmission. Broadcast transmissions are intended for all devices on a subnet. It is a one-to-all transmission.

Which of the following models involves the concept of subject/program binding? A Bell-LaPadula B Biba C Chinese Wall D Clark-Wilson

Answer D is correct. In the Clark-Wilson model, subjects cannot access objects directly. They are accessed through specified programs. This layer of protection enforces integrity. It involves the concept of subject/program binding. It provides a foundation for specifying and analyzing an integrity policy for a computing system. The core of the model is based on the notion of a transaction. Answers C, B, and A are incorrect. These models do not involve the concept of subject/program binding.

Which programs are tools used to obtain user passwords? (a) L0phtCrack (b) John the Ripper (c) Tripwire (d) Crack. A option d B options a and b only C options a, b, and c only D options a, b, and d only E option a F option b G option c

Answer D is correct. L0phtCrack, John the Ripper, and Crack are tools used to obtain user passwords. Tripwire is NOT used to obtain user passwords.

Which protocol uses encryption to protect transmitted traffic and supports the transmission of multiple protocols? A FTP B HTTPS C HTTP D L2TP over IPSec

Answer D is correct. Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol that is used to transmit traffic on virtual private network (VPN) connections. L2TP supports multiple protocols, such as Transmission Control Protocol (TCP), Internet Protocol (IP), Internetwork Packet Exchange (IPX), and Systems Network Architecture (SNA). L2TP is based on two older tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). When L2TP is implemented with Internet Protocol Security (IPSec), it also provides encryption. Hypertext Transfer Protocol (HTTP) transmits information in clear text. Hypertext Transfer Protocol Secure (HTTPS) uses Secure Sockets Layer (SSL) to encrypt HTTP traffic. HTTPS only supports the encryption of HTTP traffic. File Transfer Protocol (FTP) transmits data in clear text.

You have recently implemented a public key infrastructure on a Windows Server 2008 network. Digital certificates will be issued to all valid users and computers. Which statement is NOT true of digital certificates? A X.509 is a digital certificate standard. B Level 1 assurance for a digital certificate only requires an e-mail address. C Digital certificates provide authentication before securely sending information to a Web server. D Level 2 assurance for a digital certificate only verifies a user's name and e-mail address.

Answer D is correct. Level 2 verifies a user's name, address, social security number, and other information against a credit bureau database. X.509 is a digital certificate standard. X.509 defines the manner in which a certificate authority creates a digital certificate. X.509 defines the various fields present in digital certificates, such as the distinguished name of the subject, serial number, version number, lifetime dates, digital signature algorithm identifier, and the signature of the issuing authority. There have been several versions of X.509 since its inception. The current version is X.509v4. The X.509 standard is used in many security protocols, such as the Secure Sockets Layer (SSL) protocol. Level 1 assurance for a digital certificate only requires an e-mail address. Digital certification provides authentication before securely sending information to a Web server. Certificates act as safeguards for Internet transactions in which a user makes an online transaction with a Web server, by providing services such as nonrepudiation, authentication, and encryption and decryption of data. When a certificate is created, the user's public key and the validity period are combined with the certificate issuer and the digital signature algorithm identifier before computing the digital signature.

John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message? A Confidentiality B Availability C Integrity D Nonrepudiation

Answer D is correct. Nonrepudiation prevents the sender of a message from later denying that they sent it.

Which database interface language is a replacement for Open Database Connectivity (ODBC) and can only be used by Microsoft Windows clients? A ADO B JDBC C XML D OLE DB

Answer D is correct. Object Linking and Embedding Database (OLE DB) is the database interface language that is a replacement for ODBC and can only be used by Microsoft Windows clients. OLE is the Common Object Model (COM) that supports the exchange of objects among programs. A COM allows two software components to communicate with each other independent of their operating systems and languages of implementation. ActiveX Data Objects (ADO) is a set of ODBC interfaces that allow client applications to access back-end database systems. A developer will use ADO to access OLE DB servers. ADO can be used by many different types of clients. Java Database Connectivity (JDBC) allows a Java application to communicate with a database through ODBC or directly. Instead of using ODBC, it uses Java database applications. Extensible Markup Language (XML) structures data so that it can be shared easily over the Internet. Web browsers are designed to interpret the XML tags.

Which crime term is used to indicate when and where a crime occurred? A MOM B motive C means D opportunity

Answer D is correct. Opportunity is used to indicate when and where a crime occurred. Means is used to indicate how a criminal committed the crime. Motive is the term used to indicate why a crime is committed. Motive, opportunity, and means (MOM) are the three crime tenets that are investigated when a crime occurs.

What authentication protocol offers no encryption or protection for logon credentials? A RADIUS B SSL C CHAP D PAP

Answer D is correct. Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It simply provides a means to transport the logon credentials from the client to the authentication server.

Which one of the following controls provides fault tolerance for storage devices? A Clustering B HA pairs C Load balancing D RAID

Answer D is correct. Redundant arrays of inexpensive disks (RAID) are fault tolerance controls that allow an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and HA pairs are all fault tolerance services designed for servers, not storage.

What type of database backup strategy involves maintenance of a live backup server at the remote site? A Electronic vaulting B Remote journaling C Transaction logging D Remote mirroring

Answer D is correct. Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronized as closely as the latency in the link between primary and remote systems will allow.

Which of the following statements correctly identifies a problem with sanitization methods? A Stored data is physically etched into the media. B Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data. C Even fully incinerated media can offer extractable data. D Personnel can perform sanitization steps improperly.

Answer D is correct. Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.

What is employed when user accounts are created by one employee and user permissions are configured by another employee? A rotation of duties B a two-man control C a collusion D separation of duties

Answer D is correct. Separation of duties is employed when user accounts are created by one employee and user permissions are configured by another employee. An administrator who is responsible for creating a user account should not have the authorization to configure the permissions associated with the account. Therefore, duties should be separated. Collusion is the involvement of more than one person in fraud. Separation of duties drastically reduces the chances of collusion and helps prevent fraud. A two-man control implies that two operators review and approve each other's work. A two-man control acts as a crosscheck and reduces chances of fraud, minimizing the risks associated with operations involving highly sensitive information. An operator generally performs disk or tape mounting, backup and recovery, and hardware handling. Operators usually do not perform data entry. Rotation of duties or job rotation implies the ability of an employee to carry out the tasks of another employee within the organization. In an environment using job rotation, an individual can perform the tasks of more than one role in the organization. This maintains a check on other employees' activities, provides a backup resource, and acts as a deterrent for possible fraud. Separation of duties requires the involvement of more than one individual to accomplish a critical task. Separation of duties ensures that no individual can compromise a system and is considered valuable in deterring fraud. Separation of duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and to the allocation of transactions to roles. In static separation of duties, an individual can be either an initiator of the transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can have a dual role where he can initiate as well as authorize transactions.

What is the term used for a short duration increase in voltage? A Surge B Fault C Sag D Spike

Answer D is correct. A spike is a short-duration increase in voltage. It occurs due to power outages, short circuits, lightning strikes, and many other reasons. Answer C is incorrect. A sag is a short-duration decrease in voltage. It occurs when the rms (root mean square) voltage decreases to between 10 and 90 percent of nominal voltage for one-half cycle to one minute. Answer B is incorrect. A fault is a momentary loss of power. It is an abnormal flow of electric current. Answer A is incorrect. A surge is a prolonged high voltage. It causes more damage because it lasts for a longer period of time, during which the electric circuit has to deal with the excessive power.

Which of the following IP addresses is not a private IP address as defined by RFC 1918? A 172.31.8.204 B 192.168.6.43 C 10.0.0.18 D 169.254.1.119

Answer D is correct. The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918. The addresses in RFC 1918 are 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.

Which security models are built on a state machine model? A Bell-LaPadula and Take-Grant B Biba and Clark-Wilson C Clark-Wilson and Bell-LaPadula D Bell-LaPadula and Biba

Answer D is correct. The Bell-LaPadula and Biba models are built on the state machine model.

A customer has requested a computer with a Clipper chip. What is a Clipper chip? A It is a modem chip. B It is an encryption algorithm. C It is a unique serial number in the computer chip. D It is an encryption chip.

Answer D is correct. The Clipper chip is an encryption chip based on the Skipjack algorithm. It was designed by the U.S. Government to be used in devices such as computers and modems that might use encryption. The chip was designed for surveillance of enemy activities. The Escrowed Encryption Standard (EES) describes the Clipper chip. The unit key in the Clipper chip encrypts and decrypts the session key, but the message is not encrypted by using the unit key. Messages are encrypted by using the session key, which is in turn encrypted and decrypted by the unit key. Therefore, the Clipper chip consists of a unit key and a session key. The Clipper chip has the following components: a unique serial number in the database, and a copy of the unit key corresponding to that serial number in the database. The Law Enforcement Access Field (LEAF) value is included in the encrypted message that is sent by the Clipper chip. The field value contains the serial number that was originally used to encrypt the message. Based on the serial number, the law enforcement agency can identify the unit key to be retrieved from the database and can decrypt the message. The correct sequence for using LEAF is as follows: (1) decrypt the LEAF with the family key, Kf; (2) recover the unique identifier, U, for the Clipper chip; (3) obtain a court order to obtain the two halves of the unit key, Ku, that is unique to each Clipper chip; (4) recover Ku; (5) recover the session key, Ks; (6) use the session key to decrypt the message. The Clipper chip has the following disadvantages: the 80-bit unit key employed by the Clipper chip is considered weak; the 16-bit checksum used by the Clipper chip can be defeated; each communication session can be easily identified, enabling the law enforcement agency to use the tag of the Clipper chip ID to invade the privacy of citizens; and the Clipper chip is based on the classified Skipjack algorithm, which was never opened for public review and testing.
The Clipper chip has lost its support due to threats to personal privacy. Most companies turned to software-based encryption programs instead of hardware chips such as the Clipper chip. Therefore, in most cases, the use of the Clipper chip has been abandoned.

Which of the following books is used to examine integrity and availability? A Brown Book B Purple Book C Orange Book D Red Book

Answer D is correct. The Red Book is used to examine integrity and availability. It is so named because of the red color of its cover. This book's official name is Trusted Network Interpretation. Answer C is incorrect. The Orange Book deals with confidentiality. It is so named because of the orange color of its cover. It is also known as the Department of Defense (DoD) Trusted Computer System Evaluation Criteria. It provides the information needed to classify computer systems as security levels of A, B, C, or D, defining the degree of trust. Answer A is incorrect. The Brown Book is used for understanding trusted facility management. It is so named because of the brown color of its cover. Answer B is incorrect. The Purple Book deals with database management. It is so named because of the purple color of its cover.

Which of the following offers facilities for the secure generation of cryptographic keys and limitation of their use, in addition to a hardware pseudo-random number generator? A CDN B SDN C MPLS D TPM

Answer D is correct. The Trusted Platform Module (TPM) offers facilities for the secure generation of cryptographic keys, and limitation of their use, in addition to a hardware pseudo-random number generator. It also includes capabilities such as remote attestation and sealed storage. It provides identity information for authentication purposes in mobile computing. It assures secure startup and integrity and generates values used with whole-disk encryption. Answer B is incorrect. Software-defined networking (SDN) is a unique approach to network operation, design, and management. The concept is based on the theory that the complexities of a traditional network with on-device configuration often force an organization to stick with a single device vendor, such as Cisco, and limit the flexibility of the network to respond to changing physical and business conditions. Answer A is incorrect. A content distribution network (CDN), or content delivery network, is a collection of resource services deployed in numerous data centers across the internet in order to provide low latency, high performance, and high availability of the hosted content. Answer C is incorrect. Multiprotocol Label Switching (MPLS) is a high-throughput, high-performance network technology that directs data across a network based on short path labels rather than longer network addresses. This technique saves significant time over traditional IP-based routing processes, which can be quite complex.

What is the term used for the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk? A Single loss expectancy B Annualized rate of occurrence C Annualized loss expectancy D Exposure factor

Answer D is correct. The exposure factor (EF) refers to the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk. It is also known as loss potential and is expressed as a percentage. Answer C is incorrect. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset. Answer B is incorrect. The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat will occur within a year. Answer A is incorrect. The single loss expectancy (SLE) is the cost related to a single realized risk against a specific asset. It specifies the exact amount of loss an organization would experience if an asset were harmed by a specific threat.

Which term refers to the amount of time a company can tolerate the outage of a certain asset, entity, or service? A maximum recovery time B business impact analysis C mean time to repair D maximum tolerable downtime E mean time between failure

Answer D is correct. The maximum tolerable downtime (MTD) is the amount of time a company can tolerate the outage of a certain asset, entity, or service. The MTD can range from a few minutes to a few hours for the most critical assets to 30 days or more for nonessential assets. MTD is based on the criticality of the asset's operations. Critical assets usually cannot be replaced using manual methods. For example, a Web server that provides e-commerce functions will probably be more critical than a file server that provides a storage facility for users' files. A business impact analysis (BIA) identifies critical business operations and calculates the risk and threats those operations can incur. The maximum recovery time is an estimate of the maximum amount of time it will take to recover a system. This recovery usually includes recovering data backups. The mean time between failure (MTBF) is the estimated time a piece of equipment will last before it needs replacement. This is usually provided by the equipment vendor. The mean time to repair (MTTR) is the estimated time a piece of equipment will be down due to failure. A system is considered more reliable when it has a higher MTBF and lower MTTR.

What would be a valid argument for not immediately removing power from a machine when an incident is discovered? A Too many users are logged in and using the system. B There is no other system that can replace this one if it is turned off. C All of the damage has been done. Turning the machine off would not stop additional damage. D Valuable evidence in memory will be lost.

Answer D is correct. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

Which notation is the network prefix that is used to denote an unsubnetted Class C IP address? A /8 B /16 C /32 D /24

Answer D is correct. The network prefix /24 is used to denote an unsubnetted Class C IP address. Class-based IP addresses were the first types of addresses assigned on the Internet. The first octet of a Class A IP address is from 1 through 126 in decimal notation; the first octet of a Class A IP address is the network address. The first octet of a Class B IP address is from 128 through 191 in decimal notation; the first two octets of a Class B IP address are the network address. The first octet of a Class C IP address is from 191 through 223; the first three octets of a Class C IP address are the network address. Subnetting was introduced to enable more efficient use of the IP address space. In subnetting, some host bits of a Class-based IP address are used as network address bits to enable smaller groupings of IP addresses to be created than the groupings offered by Class-based IP addresses. For example, suppose you have an office with 200 computers that reside on four separate networks that consist of 50 computers each. If each network has been assigned its own Class C IP address range, then 204 IP addresses will not be used in each range, for a total of 816 wasted IP addresses. With subnetting, a single Class C IP address range can provide IP addresses for the hosts on all four networks. If you subnetted a single Class C IP address range, then only 48 IP addresses would be wasted. Before Classless Interdomain Routing (CIDR) was introduced, networks were commonly organized by classes. In a Class C address, the first two bits of the address are set to one, and the third bit of the address is set to zero. A subnet mask is a 32-bit binary number that can be compared to an IP address to determine which part of the IP address is the host address and which part of the IP address is the network address. Every 1 bit in a subnet mask indicates a bit in the network address, and every 0 bit in the subnet mask indicates a bit in the host address.
For example, on a network that uses an unsubnetted Class C IP address range, the IP address 192.168.0.1 has a subnet mask of 255.255.255.0. In binary notation, 255 is represented as 11111111. In binary notation, the subnet mask 255.255.255.0 is represented as 11111111 11111111 11111111 00000000. The binary representation of the IP address 192.168.0.1 is 11000000 10101000 00000000 00000001. The following is a comparison of the binary subnet mask and the binary IP address: subnet mask 11111111 11111111 11111111 00000000; IP address 11000000 10101000 00000000 00000001. From this comparison, you can see that the first 24 bits of the IP address, or 192.168.0 in decimal notation, are the network address and the last eight bits of the IP address, or 1 in decimal notation, are the host address. Another method, called a network prefix, is also used to determine which part of an IP address is the network address and which part of an IP address is the host address. The network prefix method appends a slash (/) character and a number after the IP address, as in the following example: 192.168.0.1/24. In this example, the network prefix indicates that the first 24 bits of the IP address, or 192.168.0 in decimal notation, are the network address and the last 8 bits of the IP address are the host address. This is sometimes referred to as CIDR notation.

You have been asked to work with a team to design your company's business continuity plan. The team has defined the scope of the business continuity plan. What is the next step? A Determine the acceptable downtime. B Identify dependencies between the business areas and critical functions. C Identify critical functions. D Identify the key business areas.

Answer D is correct. The next step in designing the business continuity plan is to identify the key business areas. The steps in designing the business continuity plan are as follows: (1) identify the plan's scope; (2) identify key business areas; (3) identify critical functions; (4) identify dependencies between business areas and critical functions; (5) determine acceptable downtime for each critical function; and (6) create a plan to maintain operations.

Your organization has decided to use one-time pads to ensure that certain confidential data is protected. All of the following statements are true regarding this type of cryptosystem, EXCEPT: A The pad must be distributed and stored in a secure manner. B The pad must be as long as the message. C Each one-time pad can be used only once. D The pad must be made up of sequential values.

Answer D is correct. The pad must NOT be made up of sequential values. It should be made up of random values. The following statements regarding one-time pads are true: each pad can be used only once; the pad must be made up of random values; the pad must be as long as the message; and the pad must be distributed and stored in a secure manner.

What is the intent of least privilege? A Enforce the least restrictive rights required by users to complete assigned tasks. B Enforce the most restrictive rights required by users to run system processes. C Enforce the least restrictive rights required by users to run system processes. D Enforce the most restrictive rights required by users to complete assigned tasks.

Answer D is correct. The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don't execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.

Which statement is true of the staff members of an organization in the context of information security? A They require extensive understanding of security. B They are responsible for protecting and backing up confidential data. C They must be trained to handle internal violations of the security policy. D They pose more threat than external hackers.

Answer D is correct. The staff members of an organization pose more threat than external hackers. Disgruntled employees are a common source of security breaches, and existing employees can also commit breaches accidentally and put the organization at risk. User accounts should be disabled or deleted immediately, and the associated privileges revoked, when employees are terminated or leave the organization. It is not the job of an ordinary staff member to handle and respond to information security violations. Staff members should report the incident to their department manager, who takes the necessary steps as part of incident response. Typically, it is the job of the IT department to ensure that critical data is backed up on a periodic basis and that only identified employees with the necessary privileges have access to confidential information. Only staff members with a direct role in the security function of an organization need extensive security knowledge. Most staff members need security awareness training covering security policies, security practices, acceptable resource usage, and the consequences of noncompliance.

The business continuity team has determined that a demilitarized zone (DMZ) should be implemented to ensure that public users only access certain servers. Which step of the business continuity process is the team completing? A Develop the contingency plan. B Develop recovery strategies. C Develop the continuity planning policy statement. D Identify preventative controls.

Answer D is correct. The team is identifying preventative controls. During this step, the team mitigates risk by identifying preventative controls, such as a DMZ or a firewall. None of the other steps is being completed. The steps of business continuity are as follows: Develop the continuity planning policy statement. Conduct the BIA. Identify preventative controls. Develop recovery strategies. Develop the contingency plan. Test the plan, and conduct training and exercises. Maintain the plan.

Which of the following terms refers to the act of obtaining plain text from cipher text without a cryptographic key? A Algorithm B Ciphertext C Hacking D Cryptanalysis

Answer D is correct. The term cryptanalysis refers to the act of obtaining plaintext from ciphertext without the cryptographic key. It is the study and practice of recovering the meaning of encrypted information without access to the secret key that decryption normally requires. Answer B is incorrect. Ciphertext is text that has been converted to a non-readable form by encryption. Answer A is incorrect. An algorithm is the set of rules used to encrypt and decrypt data. Answer C is incorrect. Hacking is the act of gaining unauthorized access to a computer or network, for example by exploiting a security weakness or planting malicious code; it is not specifically about defeating encryption.

Which pair of processes should be separated from each other to manage the stability of the test environment? A validity and production B validity and security C testing and validity D testing and development

Answer D is correct. The testing and development processes should be separated from each other to manage the stability of the test environment. Separating the test environment from the development environment is an example of separation of duties. The responsibilities of the test and development staff in the software development life cycle (SDLC) should be clearly distinguished. For example, debugging is performed by the programmer while coding the instructions; this is known as unit testing. After the software is submitted, it is verified again by the quality assurance team using formal procedures and practices. A single programmer should NOT develop the software, test it, and submit it to production; separation of duties ensures that the quality assurance team conducts independent checks using formal procedures. Software should be tested thoroughly before it is sent to the production environment to ensure that it does not adversely affect the business operations of the organization.

What are the main types of mechanical locks? combination locks cipher locks warded locks tumbler locks A option c B options a and b C option d D options c and d E option b F option a

Answer D is correct. The two main types of mechanical locks are warded locks and tumbler locks. Warded locks are basic padlocks. The lock has wards (metal projections around the keyhole), and only a key cut to clear the wards will turn and unlock the lock. A tumbler lock has more pieces than a warded lock. The key fits into the cylinder and raises the lock pieces to the correct height. There are three types of tumbler locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks. Combination locks require the correct combination of numbers to unlock. Combination locks are not considered mechanical locks according to (ISC)2. Cipher locks are programmable and use keypads to control access; a specific combination must be entered.

Which statement is true of Compartmented Mode Workstations (CMW)? A CMW, by default, grants information-related access to all users having security clearance. B CMW operates on the principle of maximum privilege. C CMW operates in a dedicated security mode. D CMW requires the use of information labels.

Answer D is correct. The use of information labels as a security measure is unique to compartmented mode workstations (CMW). CMW deploys both information labels and sensitivity labels: information labels describe the protection level of objects, and sensitivity labels drive the access permissions. CMW works in the compartmented security mode. In the compartmented security mode, every user has a clearance for all of the information the system processes, but a user does not necessarily have a need to know, or the formal access approval, for every compartment of that information. This ensures that a user only has the access privileges required for the information specific to the user's job. For example, a user in the software testing department should not require access to the internal financial data of the organization, so that user is not given access to it. Access is granted according to the need-to-know principle and through a formal approval process. In CMW, the minimum data access is allowed to users at each level based on their respective segment or compartment. Therefore, CMW does not work on the concept of maximum privilege but on the concept of least privilege. The dedicated security mode is another category of security modes of operation. The dedicated mode manages a single classification of information, unlike the compartmented security mode, where users can simultaneously process multiple compartments of information.

Mark is studying an application developed by his colleague. To understand the crucial part of the application, Mark needs to ensure that the details are suppressed. What concept is this referring to? A Encryption B Authentication C Polymorphism D Abstraction

Answer D is correct. This is referring to abstraction. Abstraction is used when objects are classified or roles are assigned to subjects. It is used to suppress unnecessary details to examine and review the important and inherent properties. It allows the separation of conceptual aspects of a system. Answer B is incorrect. Authentication is the act of establishing or confirming something (or someone) as authentic, that is, the claims made by or about the subject are true. Answer A is incorrect. Encryption is used to hide the meaning or intent of a communication from unintended recipients. Answer C is incorrect. Polymorphism is a programming language feature that allows values of different data types to be handled using a uniform interface.

What encryption technique does WPA use to protect wireless communications? A AES B 3DES C DES D TKIP

Answer D is correct. WiFi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. TKIP wraps the RC4 stream cipher with per-packet key mixing and a message integrity check to address the weaknesses of WEP without requiring new hardware. WPA2 replaced TKIP with AES encryption (in CCMP mode), and TKIP is now considered deprecated.

You are defining and implementing an information security continuous monitoring (ISCM) program for your organization according to NIST SP 800-137. You are currently collecting the security-related information required for metrics, assessments, and reporting. Which step of NIST SP 800-137 are you completing? A Define an ISCM strategy. B Establish an ISCM program. C Analyze the data collected, and report findings. D Implement an ISCM program.

Answer D is correct. You are completing the Implement an ISCM program step of NIST SP 800-137. NIST SP 800-137 guides the development of information security continuous monitoring (ISCM) for federal information systems and organizations. It defines the following steps to establish, implement, and maintain ISCM: Define an ISCM strategy. Establish an ISCM program. Implement an ISCM program. Analyze data, and report findings. Respond to findings. Review and update the ISCM strategy and program. Defining an ISCM strategy involves determining your organization's official ISCM strategy. Establishing an ISCM program determines the metrics, monitoring and assessment frequencies, and the ISCM architecture. Implementing the program is where the security-related information required for the metrics, assessments, and reporting is actually collected. Analyzing the data collected and reporting findings identifies any issues. Responding to the findings involves implementing new or changed controls that address those issues. Reviewing and updating the monitoring program ensures that the program is still relevant and allows you to make any necessary changes to it.

As a member of your organization's security team, you are examining all aspects of operations security for your network. You must determine the countermeasures that can be used in operations security. You have already examined the resources and information that must be protected. What is the third asset type that must be examined? A network media B personnel C network servers D hardware

Answer D is correct. You should also examine the hardware on which the resources and information reside. Operations security examines the countermeasures used to protect resources, information, and the hardware on which the resources and information reside. None of the other options is correct. Personnel are not assets that must be examined in operations security. Operations security is concerned with protecting resources, information, and the hardware on which the resources and information reside. Management is responsible for personnel. Network media and network servers may be part of the hardware that you examine during operations security. However, either of those options is not the sole asset type that must be examined.

During the recent development of a new application, the customer requested a change. You must implement this change according to the change control process. What is the first step you should implement? A Record the change request. B Acquire management approval. C Submit the change results to the management. D Analyze the change request.

Answer D is correct. Of the options listed, analyzing the change request comes first. Change control procedures ensure that all modifications are authorized, tested, and recorded, so they also serve the purpose of auditing and review by management. The necessary steps in a change control process are as follows: Make a formal request. Analyze the request. This step includes developing the implementation strategy, calculating the costs of the implementation, and reviewing the security implications of implementing the change. Record the change request. Submit the change request for approval. This step involves obtaining approval for the actual change once all the work necessary to analyze it has been completed. Make the changes. The changes are implemented and the version is updated in this step. Submit the results to management. In this step, the change results are reported to management for review. A stringent change management process ensures that all changes to production systems are implemented and recorded, and it enforces separation of duties. For instance, in a software development environment, changes to production software are performed by operational staff rather than by the programmers who wrote the code. Such a process ensures that changes are implemented in the proper manner and that the process is documented. Change management is about the decision to make the change. Configuration management is not the same as change management; it is about tracking the actual change. It is the discipline of identifying the components of a continually evolving system for the purpose of controlling changes to those components and maintaining integrity and traceability throughout the life cycle.
Configuration management controls the changes that take place in hardware, software, and operating systems by ensuring that only proposed and approved system changes are implemented. In configuration management, a configuration item is a component whose state is recorded and against which changes are progressed. A software library is a controlled area accessible only to approved users who are restricted to the use of an approved procedure. Configuration control is controlling changes to the configuration items and issuing versions of configuration items from the software library. Configuration management includes configuration control, configuration status accounting, and configuration auditing.

Which safeguards should you employ to protect cell phones owned by an organization? Enable wireless interfaces. Maintain physical control. Enable user authentication. Disable unneeded features. A option c B option b C option a D options b, c, and d E options a, b, and c F option d

Answer D is correct. You should employ many safeguards to protect cell phones owned by an organization. The safeguards include: Maintain physical control. Enable user authentication. Back up data. Minimize data exposure and encrypt data. Disable unneeded features, including wireless interfaces. Deactivate compromised devices. Any handheld device should have these safeguards in place. Cell phones, satellite cards, handheld computers, and PDAs commonly store data on removable cards (such as SIM or memory cards), and those cards can be removed and stolen along with the data on them. You should not leave wireless interfaces enabled. Wireless interfaces should only be enabled when you need to use them and only for the time they are needed.

Because of the value of your company's data, your company has asked you to ensure data availability. You want to implement the techniques that can help to ensure data availability. Which mechanism(s) should you implement? auditing techniques data recovery techniques authentication techniques fault tolerance techniques access control techniques A option d B option e C options a and c only D options b and d only E option a F option b G option c

Answer D is correct. You should implement data recovery and fault tolerance techniques to ensure data availability. Fault tolerance techniques work to ensure that data is available in the event of hardware failure. Data recovery techniques work to ensure that an alternate copy of data can be made available in event of system failure. None of the other techniques works to ensure data availability. Auditing and authentication techniques work to ensure user accountability and data integrity. Access control techniques work to ensure data confidentiality and integrity.

As a security professional, you have been asked to determine the appropriate retention policies for media, hardware, data, and personnel. You decide to first document the appropriate data retention policies. Which of the following statements is NOT true of developing these policies? A The personnel that are most familiar with each data type should work with you to determine the data retention policy. B You must understand where data is stored and the type of data stored. C Once you create the data retention policies, personnel must be trained to comply with the data retention policies. D You should work with data custodians to develop the appropriate data retention policy for each type of data the organization owns.

Answer D is correct. You should not work with the data custodians to develop the appropriate data retention policy for each type of data the organization owns. You should work with data owners, not data custodians, to develop the appropriate data retention policy for each type of data the organization owns. The personnel that are most familiar with each data type should work with you to determine the data retention policy. You must understand where data is stored and the type of data stored. Once you create the data retention policies, personnel must be trained to comply with the data retention policies.

You have been asked to carry out a penetration test on your organization's network. You obtain a footprint of the network. What should you do next? A Attempt to gain unauthorized access by exploiting the vulnerabilities. B Identify vulnerabilities in systems and resources. C Report to management. D Perform port scans and resource identification.

Answer D is correct. You should perform port scans and resource identification. A penetration test should include the following steps: Discovery - Obtain the footprint of the target and gather information about the target and the attack methods that can be used against it. Enumeration - Perform port scans and resource identification against the target system or device. Vulnerability mapping - Identify the known vulnerabilities in the target systems and resources. Exploitation - Attempt to gain user and privileged access by exploiting the vulnerabilities. Report - Document the results of the penetration test and report the findings to management, with suggested countermeasures and remedial actions.

An attacker is in the process of making an unauthorized change to some data in your database. You need to cancel any database changes from the transaction and return the database to its previous state. Which database operation should you use? A commit B savepoint C checkpoint D rollback

Answer D is correct. You should use a rollback operation. A rollback operation cancels any database changes from the current transaction and returns the database to its previous state. It prevents a transaction from updating the database with partial or corrupt data. Rollbacks occur during the operations/maintenance phase of the SDLC. A commit operation finalizes any database changes from the current transaction, making the changes available to other users. A savepoint operation creates a logged point to which the database can be restored. It allows data to be restored to a certain point in time. A checkpoint operation saves data that is stored in memory to the database. It allows the memory to be cleared. When a database detects an error, a checkpoint enables it to start processing at a designated place.
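The following is an added example, not part of the original study material, that runs the rollback, savepoint, and commit operations from the answer against an in-memory SQLite database with constructed sample accounts. It shows that the attacker's change is visible inside the transaction and gone after ROLLBACK, and that ROLLBACK TO SAVEPOINT undoes only part of a transaction while the rest is still committed. The table, names, and amounts are the example's own.

```python
import sqlite3


def open_db():
    """In-memory database with a constructed accounts table."""
    # isolation_level=None: no implicit BEGIN, so the transaction boundaries below are explicit.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 50)")
    return conn


def balance(conn, acct_id):
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct_id,)).fetchone()[0]


def tamper_then_rollback(conn):
    """An unauthorized update inside a transaction, then a rollback.

    Returns (balance seen inside the transaction, balance after ROLLBACK).
    """
    conn.execute("BEGIN")
    conn.execute("UPDATE accounts SET balance = balance + 1000000 WHERE id = 2")
    dirty = balance(conn, 2)       # the partial change is visible only inside the transaction
    conn.execute("ROLLBACK")       # discard every change made since BEGIN
    return dirty, balance(conn, 2)


def transfer(conn, src, dst, amount, fee=2):
    """Move `amount` from src to dst, charging a fee only if the payer can afford it.

    Returns True if the transfer was committed, False if it was rolled back.
    """
    conn.execute("BEGIN")
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    if balance(conn, src) < 0:
        conn.execute("ROLLBACK")   # overdraft: undo the whole transaction
        return False
    conn.execute("SAVEPOINT before_fee")
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (fee, src))
    if balance(conn, src) < 0:
        # Undo only the fee; the transfer itself stays in the transaction.
        conn.execute("ROLLBACK TO SAVEPOINT before_fee")
    conn.execute("COMMIT")         # make the surviving changes visible to other sessions
    return True


if __name__ == "__main__":
    db = open_db()
    print(tamper_then_rollback(db))             # (1000050, 50)
    print(transfer(db, 1, 2, 99), balance(db, 1), balance(db, 2))   # True 1 149
    print(transfer(db, 1, 2, 50), balance(db, 1), balance(db, 2))   # False 1 149
```

Note that a checkpoint is not something the application issues in SQLite the way it issues COMMIT or ROLLBACK; the engine flushes its in-memory pages to the database file itself, which is why the answer lists it separately from the transaction operations.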

Recently, an attacker injected malicious code into a Web application on your organization's Web site. Which type of attack did your organization experience? A path traversal B SQL injection C buffer overflow D cross-site scripting

Answer D is correct. Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a Web site that allows the attacker to inject malicious code (typically script) into a Web application, which then delivers it to other users' browsers. A buffer overflow occurs when more input is written to a buffer than it can hold. A SQL injection occurs when an attacker enters database commands into input fields in place of the expected values, so that they are executed by the database. Path traversal occurs when ../ sequences are entered into a URL or parameter to reach directories that are not supposed to be available from the Web. Some possible countermeasures to input validation attacks include the following: Filter out all known malicious requests. Validate all information coming from the client, both at the client level and at the server level (client-side checks alone can be bypassed). Implement a security policy that includes parameter checking in all Web applications. The system design specification phase of the software development life cycle (SDLC) focuses on providing details on which kind of security mechanism will be a part of the software product. The system design specification phase also conducts a detailed design review and develops a plan for validation, verification, and testing. The organization developing the application reviews the product specifications with the customer to ensure that the security requirements are clearly stated and understood, and that the planned functionality is embedded in the product. Involving security analysts at this phase maximizes the benefit to the organization. It also enables you to understand the security requirements and features of the product and to report existing loopholes. The system development phase of the SDLC includes coding and scripting of software applications. The system development stage ensures that the program instructions are written according to the defined security and functionality requirements of the product.
The programmers build security mechanisms, such as audit trails and access control, into the software according to the predefined security assessments and the requirements of the application. The SDLC includes the following phases: Plan/Initiate Project Gather Requirements Design (including system design) Develop (including system development) Test/Validate Release/Maintain Certify/Accredit Change Management and Configuration Management/Replacement
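As an added example, not part of the original study material, the following Python shows the three input-handling attacks named in the answer next to the server-side countermeasure for each: a query built by string concatenation beside a parameterized query (SQL injection), a path check that keeps client-supplied file names under a base directory (path traversal), and output encoding for untrusted text placed into HTML (XSS). The in-memory table, rows, and the base directory /srv/www/files are constructed for the example.

```python
import html
import os
import sqlite3


def open_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the client value is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened: a bound parameter is sent as data and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def safe_join(base_dir, user_path):
    """Resolve a client-supplied path under base_dir; reject anything that escapes it.

    Normalising first and comparing the resolved prefix catches '../', absolute
    paths, and symlink tricks that a simple substring check for '..' would miss.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path traversal rejected: %r" % user_path)
    return target


def render_comment(text):
    """Output encoding: untrusted text becomes displayable characters, not markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = open_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))   # ['alice', 'bob']  (the WHERE clause was rewritten)
    print(lookup_safe(db, payload))         # []                (no user has that literal name)
    print(safe_join("/srv/www/files", "reports/q1.pdf"))
    try:
        safe_join("/srv/www/files", "../../etc/passwd")
    except ValueError as err:
        print(err)
    print(render_comment("<script>alert(1)</script>"))
```

The common thread is that every check runs on the server with the data already in its final form (decoded, normalised), which is why the answer insists on validating at the server level and not only in the client.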

Which options are components of the security kernel? software hardware reference monitor trusted computing base A point b B point c C point d D points c and d E points a and b F point a

Answer E is correct. Hardware, software, and firmware are the components of a security kernel. The security kernel is the core of the trusted computing base (TCB), which is the combination of all the hardware, software, and firmware in a system that enforces the security policy. The security kernel mediates between subjects and objects by implementing and enforcing the reference monitor, an abstract machine that regulates all access and information flow. The security kernel and the reference monitor work together to protect the TCB, and the security kernel provides the foundation on which a trusted computing system is built. The requirements of the security kernel are as follows: It must provide isolation for the processes that carry out the reference monitor concept, and they must be tamperproof. Every attempt to access any object must invoke the reference monitor (complete mediation). The reference monitor must be verifiable, and its decisions auditable. The security kernel must be small enough to be tested in a comprehensive manner. A computer system that employs the necessary hardware and software assurance measures to enable it to process multiple levels of classified or sensitive information is called a trusted system.

Your organization implements hybrid encryption to provide a high level of protection of your data. Which statements are true of this type of encryption? The secret key protects the encryption keys. Public keys decrypt the secret key for distribution. Asymmetric cryptography is used for secure key distribution. The symmetric algorithm generates public and private keys. Symmetric cryptography is used for encryption and decryption of data. A option d B option e C options a and b D options c and d E options c and e F option a G option b H option c

Answer E is correct. Hybrid encryption methods use both asymmetric and symmetric algorithms. Asymmetric algorithms are slow and computationally intensive, requiring extra system resources and time to encrypt and decrypt data. Therefore, asymmetric algorithms are used to generate the public and private keys that protect the encryption keys, such as session keys and secret keys, and that enable automated key distribution. A symmetric algorithm generates a secret key that is used for bulk encryption and decryption of data. The following characteristics sum up the hybrid encryption method: The public and private keys generated by the asymmetric algorithm secure the exchange of the session or secret key. The public key of the recipient encrypts the secret key, and the recipient's private key decrypts it; in algorithms such as RSA either key of the pair can be used for encryption, with the other used for decryption. The secret key generated by the symmetric algorithm is used for bulk encryption and decryption of data, that is, it encrypts the actual message.
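The following is an added example, not part of the original study material, that walks through the hybrid exchange the answer describes: the sender generates a random session key, wraps it with the recipient's public key, and encrypts the bulk data with the session key; the recipient unwraps the session key with the private key and decrypts the data. To run offline without third-party libraries it uses deliberately tiny textbook RSA parameters (the classic p=61, q=53 pair) and a SHA-256 counter keystream as the symmetric cipher; these are assumptions for illustration only. They show the structure of the scheme, not a secure implementation, which would use 2048-bit or larger RSA with OAEP (or an elliptic-curve key agreement) and an authenticated cipher such as AES-GCM.

```python
import hashlib
import secrets

# Toy textbook RSA key (assumption: for illustration only, 12-bit modulus, no padding).
P, Q = 61, 53
N = P * Q                     # 3233
PHI = (P - 1) * (Q - 1)       # 3120
E = 17
D = pow(E, -1, PHI)           # 2753, the private exponent (Python 3.8+)


def rsa_keypair():
    """Return (public, private) as (exponent, modulus) tuples."""
    return (E, N), (D, N)


def rsa_apply(block, key):
    """Textbook RSA on one integer block: c = m^e mod n, or m = c^d mod n."""
    exponent, modulus = key
    return pow(block, exponent, modulus)


def wrap_session_key(session_key, public_key):
    """Encrypt the session key byte by byte (each byte < N) with the recipient's public key."""
    return [rsa_apply(b, public_key) for b in session_key]


def unwrap_session_key(wrapped, private_key):
    """Recover the session key with the recipient's private key."""
    return bytes(rsa_apply(c, private_key) for c in wrapped)


def keystream(key, nonce, length):
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks, used as a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key, plaintext):
    nonce = secrets.token_bytes(12)          # fresh nonce per message so the keystream never repeats
    return nonce, bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def sym_decrypt(key, nonce, ciphertext):
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


def hybrid_encrypt(plaintext, recipient_public_key):
    """Sender side: symmetric bulk encryption, asymmetric protection of the session key."""
    session_key = secrets.token_bytes(16)
    nonce, ciphertext = sym_encrypt(session_key, plaintext)
    return {
        "wrapped_key": wrap_session_key(session_key, recipient_public_key),
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def hybrid_decrypt(envelope, recipient_private_key):
    """Recipient side: unwrap the session key, then decrypt the bulk data with it."""
    session_key = unwrap_session_key(envelope["wrapped_key"], recipient_private_key)
    return sym_decrypt(session_key, envelope["nonce"], envelope["ciphertext"])


if __name__ == "__main__":
    public, private = rsa_keypair()
    env = hybrid_encrypt(b"quarterly figures: constructed sample payload", public)
    print(len(env["wrapped_key"]), "RSA blocks protect the 16-byte session key")
    print(hybrid_decrypt(env, private))
```

The split of work is the point: the expensive asymmetric operation is applied only to the short session key, while the message, however large, goes through the fast symmetric cipher. The session key never travels in the clear and only the holder of the private key can recover it.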

Your organization's data center design plan calls for glass panes to be used for one wall of the data center to ensure that personnel in the center can be viewed at all times. Which type of glass should be used? A standard B tempered C acrylic D wired E shatter-resistant

Answer E is correct. Shatter-resistant glass should be used in the glass panes used for one wall of the data center. This is because the wall will be acting as an exterior wall. Standard windows provide no extra protection. Tempered windows are those in which the glass is heated and then cooled suddenly to increase glass integrity and strength. Acrylic is a type of plastic instead of glass. Acrylic windows are usually stronger than glass windows. Polycarbonate acrylics are the strongest acrylics. Wired windows have a mesh of wire embedded between two sheets of glass. The wire helps to prevent shattering.

Recently, an employee of your organization made illegal copies of your organization's intellectual property. This is a direct violation of your organization's employment policies. You need to create an incident response team to investigate the crime. Who should NOT be a part of an incident response team? HR department a Public Relations department senior management Federal government Information Technology department A options a and b B option e C option d D option c E options b and d F option a G option b H options c and e

Answer E is correct. The Public Relations department and the federal government should not be part of the incident response team that investigates a crime involving an internal employee. The incident response team should include the following members: Human Resources (HR) department representative, because the representative is aware of the rules that protect and prosecute an employee. HR should always be involved if an employee is suspected of wrongdoing. Senior management representative, because the final action against the suspected employee will be taken by the management. An IT department representative to provide evidence against the suspected employee if required.

The business continuity committee has developed the business impact analysis (BIA), identified the preventative controls that can be implemented, and developed the recovery strategies. Next, the committee should develop a contingency plan. Which teams should be included in this plan's development to aid in the execution of the final plan? restoration team damage assessment team salvage team risk management team incident response team A option c B option d C option e D options a, d, and e E options a, b, and c F option a G option b

Answer E is correct. The teams that should be included in the contingency plan's development to aid in the execution of the final plan are the restoration, damage assessment, and salvage teams. Other teams that should also be included are the legal, media relations, network recovery, relocation, security, and telecommunications teams. The risk management team, while taking part in the actual development of the contingency plan, usually does not aid in the execution of the final plan; it helps to discover the risks and determine their probability. The incident response team is responsible for handling all responses to security incidents and is not part of the execution of a contingency plan.

To improve security, which mechanisms should be utilized with a cipher lock? door delay key override master keying hostage alarm A option a B option b C option c D option d E options a and b F options c and d G all of the options

Answer G is correct. All of the listed mechanisms should be utilized with a cipher lock. A door delay is an alert that triggers if the door remains open for too long. A key override is a combination that overrides normal procedures; it is often used by supervisors. Master keying allows supervisory personnel to change the access code. A hostage alarm is a combination that a person enters if he or she is in a hostage situation; it allows the user to open the door while silently alerting law enforcement officials and/or security guards. Another important option is a visibility shield to ensure that someone cannot see the combination being keyed in. Battery backups are also important for cipher locks to ensure that the lock still functions in the event of a power failure. You should also configure the cipher lock to unlock during a power failure (fail-safe operation) to ensure that no one is trapped inside the facility. Once the battery backup fails, the cipher lock automatically opens.

During a software development project, you need to ensure that the periodic progress of the project is monitored appropriately. Which technique(s) can be used? Gantt charts Unit testing Delphi technique Program Evaluation Review Technique charts Prototype Evaluation Review Technique charts A option c B option d C option e D options a and b only E options c and d only F options c and e only G options a and d only H option a I option b

Answer G is correct. Periodic progress of a project can be monitored by using Gantt charts and Program Evaluation Review Technique (PERT) charts. Gantt charts are bar charts that represent the progress of tasks and activities over a period of time. Gantt charts depict the timing of tasks and the interdependencies between them. Gantt charts are a project management tool for representing the scheduling of the tasks and activities of a project, the different phases of the project, and their respective progress, and they are an industry standard. A PERT chart is a project management model developed for the United States Navy. PERT is a method for analyzing the tasks involved in completing a given project and the time required to complete each task; it can also be used to determine the minimum time required to complete the total project. Unit testing refers to the process in which the software code is debugged by a developer before it is submitted to the quality assurance team for further testing. The Delphi technique is used to ensure that each member of a group decision-making process provides an honest opinion on the subject matter in question. Group members submit their opinions anonymously, the responses are summarized and fed back to the group, and the process is repeated over several rounds until the group converges on a consensus. The Delphi technique is generally used either during the risk assessment process or to estimate the cost of a software development project. A prototype is a model or blueprint of the product and is developed according to the requirements of customers. There is no process known as Prototype Evaluation Review Technique charts. Cost-estimating techniques include the Delphi technique, expert judgment, and function points.

Which attacks are considered common access control attacks?
a. spoofing
b. phreaking
c. SYN flood
d. dictionary attacks
e. brute force attacks
A. option b
B. option c
C. option d
D. option e
E. all of the options
F. options b and c only
G. options a, d, and e only
H. option a

Answer G is correct. Spoofing, dictionary attacks, and brute force attacks are common access control attacks. Spoofing occurs when an attacker implements a fake program that steals user credentials. A dictionary attack is a method in which the attacker attempts to identify user credentials by feeding in lists of commonly used words or phrases. A brute force attack is one in which the attacker tries all possible input combinations to gain access to resources. Phreaking is an attack performed by a group of hackers who specialize in telephone fraud; it is considered a telecommunications and network security attack. A SYN flood occurs when a network is flooded with synchronize (SYN) packets. As a result, the system is overloaded and performance suffers, and legitimate users are often denied access. A SYN flood is usually considered an application or system attack.

Which security threats are NOT self-replicating?
a. worm
b. virus
c. spyware
d. Trojan horse
A. option a
B. option b
C. option c
D. option d
E. all of the options
F. options a and b
G. options c and d

Answer G is correct. Spyware and Trojan horses are security threats that are NOT self-replicating. Spyware is actually a type of Trojan horse. These programs are downloaded and installed inadvertently when the user is downloading other programs. Viruses and worms can both self-replicate, meaning that the virus or worm can actually copy itself to multiple locations.

Which type or types of firewalls operate at the Network layer of the OSI model?
a. stateful firewall
b. kernel proxy firewall
c. packet-filtering firewall
d. circuit-level proxy firewall
e. application-level proxy firewall
A. all of the options
B. option e
C. option d
D. option c
E. option b
F. option a
G. options a and c only
H. options b, d, and e only

Answer G is correct. Stateful and packet-filtering firewalls operate at the Network and Transport layers of the OSI model. Stateful firewalls also operate at the Data Link layer. Circuit-level proxy firewalls operate at the Session layer. Kernel proxy and application-level proxy firewalls operate at the Application layer of the OSI model. Firewalls connect private and public networks. Their primary purpose is to protect the private network from security breaches by creating security checkpoints at the boundaries between the private and public networks. Firewalls create bottlenecks between the private and public networks because they must examine the packets that pass through them. If a dedicated firewall exists on your network, it allows the centralization of security services. Firewalls provide packet filtering, Network Address Translation (NAT), proxy, and encrypted tunnel services, among other things; the encrypted tunnel services are probably the least important service provided by firewalls. Most firewalls include a protocol-filtering component that allows security administrators to configure firewall behavior based on the protocols it encounters. The rule enforcement engine of a firewall ensures that the rules configured by the security administrator are enforced. Most firewalls include an extended logging function that allows security administrators to audit firewall activities.

You are designing the procedures for your company's user account review. Which actions should you include as part of this review?
a. Ensure that all inactive accounts are disabled.
b. Ensure that there are no duplicate accounts.
c. Ensure that all active accounts have a password.
d. Ensure that all passwords follow the complexity rules.
e. Ensure that all accounts conform to the principle of least privilege.
A. option b
B. option c
C. option d
D. option e
E. all of the options
F. options a and b only
G. options a, c, and e only
H. option a

Answer G is correct. When implementing user account reviews, you should ensure that all inactive accounts are disabled, all active user accounts have a password, and that all user accounts conform to the principle of least privilege. It is not necessary to ensure that there are no duplicate accounts. Duplicate accounts may be necessary in some cases. It is not necessary to ensure that all passwords follow the complexity rules. This is part of password maintenance, not account maintenance.

Which of the following statements relate to a stream cipher? Each correct answer represents a complete solution. Choose all that apply.
A. Its examples are the Caesar cipher and one-time pad.
B. It encrypts one character per bit at a time.
C. It provides 80 bits of protection against collision attacks.
D. It is a symmetric key cipher that operates on blocks of messages.

Answers A and B are correct. A stream cipher is a symmetric key cipher that operates on each character or bit of a message, encrypting one character or bit at a time. The Caesar cipher and the one-time pad are examples of stream ciphers; the one-time pad is a stream cipher because it operates independently on each letter of the plaintext message. Significant computational resources are required by stream ciphers. Answer D is incorrect because a block cipher is a symmetric key cipher that operates on blocks of messages. Answer C is incorrect because SHA-1 provides 80 bits of protection against collision attacks.

Which of the following access control models are used in the commercial sector? Each correct answer represents a complete solution. Choose all that apply.
A. Biba model
B. Clark-Wilson model
C. Clark-Biba model
D. Bell-LaPadula model

Answers A and B are correct. The Biba and Clark-Wilson access control models are used in the commercial sector. The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. The Clark-Wilson security model provides a foundation for specifying and analyzing an integrity policy for a computing system. Answer D is incorrect. The Bell-LaPadula access control model is mainly used in military systems. Answer C is incorrect. There is no such access control model as Clark-Biba.

Which of the following are based on malicious code? Each correct answer represents a complete solution. Choose two.
A. Trojan horse
B. Worm
C. Biometrics
D. Denial-of-service (DoS)

Answers A and B are correct. Worms and Trojan horses are based on malicious code. A worm is a software program that uses computer networks and security holes to replicate itself from one computer to another. It usually performs malicious actions, such as consuming the resources of computers or shutting them down. A Trojan horse (Trojan) is malicious program code that masquerades as a normal program. When a Trojan horse program is run, its hidden code runs to destroy or scramble data on the hard disk. An example of a Trojan horse is a program that masquerades as a computer logon screen in order to capture user names and passwords. Answer D is incorrect. A denial-of-service (DoS) attack is mounted with the objective of causing a negative impact on the performance of a computer or network. It is also known as a network saturation attack or bandwidth consumption attack. Answer C is incorrect. Biometrics is a method of authentication that uses physical characteristics, such as fingerprints, scars, retinal patterns, and other biophysical qualities, to identify a person.

Which of the following are tunneling protocols used in a virtual private network (VPN)? Each correct answer represents a complete solution. Choose all that apply.
A. L2TP
B. MD5
C. SCP
D. PPTP

Answers A and D are correct. The tunneling protocols used in a virtual private network (VPN) are L2TP and PPTP. Layer 2 Tunneling Protocol (L2TP) is a more secure version of Point-to-Point Tunneling Protocol (PPTP). It provides tunneling, address assignment, and authentication, and it allows the transfer of Point-to-Point Protocol (PPP) traffic between different networks. L2TP combines with IPsec to provide tunneling and security for Internet Protocol (IP), Internetwork Packet Exchange (IPX), and other protocol packets across IP networks. Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP does not itself provide confidentiality or encryption; it relies on the protocol being tunneled to provide privacy. It is used to provide secure, low-cost remote access to corporate networks through public networks such as the Internet: remote users can use PPP-enabled client computers to dial a local ISP and connect securely to the corporate network through the Internet. PPTP has been made obsolete by L2TP and IPsec. Answer C is incorrect. The Secure Copy protocol (SCP) is a network protocol that supports file transfers. It runs on port 22 and is based on the BSD RCP protocol, tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication; it might not even be considered a protocol in itself, but merely a combination of RCP and SSH. Answer B is incorrect. Message Digest 5 (MD5) is a cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications and is also commonly used to check the integrity of files.

Which of the following policies and controls should you deploy for the client systems based on their identified risks? Each correct answer represents a complete solution. Choose all that apply.
A. Deploy only licensed, supported operating systems.
B. Deploy anti-malware and anti-virus software on all client systems.
C. Deploy firewall and host-based intrusion detection systems on the client systems.
D. Use drive encryption on all client system hard drives.

Answers A, B, C, and D are correct. You should deploy all of the listed policies and controls for the client systems based on their identified risks.

Which of the following statements are true of a CDN? Each correct answer represents a complete solution. Choose all that apply.
A. It has multiple replicas of each data item being hosted.
B. It helps improve web performance by delivering content to end users from multiple servers.
C. It is arranged to deliver web content efficiently.
D. It provides a dynamic picture of the ongoing system activities.

Answers A, B, and C are correct. A CDN (content-distribution network), also known as a content delivery network, is an architecture of web-based network elements arranged to deliver web content efficiently. CDNs help improve web performance by delivering content to end users from multiple, geographically dispersed servers. Web content includes various forms of data items such as GIF files, PDFs, and so on. Previously, all requests for web content went to the origin server; in contrast, a CDN has multiple replicas of each data item being hosted. Answer D is incorrect. Log reviews provide a dynamic picture of the ongoing system activities compared with the intent and content of the security policy. To identify deviations from the security policy, system administrators use log-reduction tools to detect suspicious activities in the system logs.

Which of the following tools are used to provide security of the outgoing traffic? Each correct answer represents a complete solution. Choose all that apply.
A. Watermarking
B. Data loss prevention
C. Timeout
D. Steganography

Answers A, B, and D are correct. Egress monitoring helps monitor the outgoing traffic of the enterprise network with the help of egress monitors. Various tools are also used to provide security of the outgoing traffic, such as steganography, watermarking, and data loss prevention.
Steganography: the art of using cryptographic techniques to embed secret messages within another message.
Watermarking: adding digital watermarks to documents to protect intellectual property is accomplished by means of steganography. The hidden information is known only to the file's creator. If someone later creates an unauthorized copy of the content, the watermark can be used to detect the copy and trace the offending copy back to the source.
Data loss prevention: a technology that reduces the risk of data loss whether the data is in use, in motion, or at rest. It identifies, monitors, and protects data through deep content inspection, contextual security analysis of transactions, and a centralized management framework.
Answer C is incorrect. Timeout is used to avoid session attacks. If a user closes the browser window without logging out, the website may not log the user account out; a timeout ensures that the session expires by itself after a period of time.

Which of the following codes are defined under 'Provide diligent and competent service to principals' of the Code of Ethics Canons described by the (ISC)2 code of ethics? Each correct answer represents a complete solution. Choose all that apply.
A. Respect their trust and the privileges that they grant you.
B. Preserve the value of their systems, applications, and information.
C. Preserve and strengthen the integrity of the public infrastructure.
D. Avoid conflicts of interest or the appearance thereof.

Answers A, B, and D are correct. The codes defined under 'Provide diligent and competent service to principals' of the Code of Ethics Canons described by the (ISC)2 code of ethics are as follows:
Preserve the value of their systems, applications, and information.
Respect their trust and the privileges that they grant you.
Avoid conflicts of interest or the appearance thereof.
Render only those services for which you are fully competent and qualified.

The exposure factor is defined as the percentage of loss experienced by an organization when a specific asset is violated by a realized risk. Which of the following statements are true of the exposure factor? Each correct answer represents a complete solution. Choose all that apply.
A. Its value is small for assets that can be easily replaced, for example hardware.
B. Its value is large for assets that cannot be replaced, for example product designs, or a database of customers.
C. It is the expected frequency of occurrence of a particular threat or risk in a single year.
D. It is also known as the loss potential.

Answers A, B, and D are correct. The exposure factor is defined as the percentage of loss experienced by an organization when a specific asset is violated by a realized risk. It is also known as the loss potential. Its value is small for assets that can be easily replaced, for example hardware. Its value is large for assets that cannot be replaced, for example product designs, or a database of customers. Answer C is incorrect. This statement is true for annualized rate of occurrence (ARO).

Which of the following techniques are used for sanitization of data media?
A. Destruction
B. Data remanence
C. Overwriting
D. Degaussing

Answers A, C, and D are correct. Sanitization is the process of removing information from used data media. The following techniques are used for sanitization:
Overwriting
Degaussing
Destruction
Answer B is incorrect. Data remanence refers to the data that remains even after efforts have been made to remove or erase it. It occurs because data is left intact by a nominal file deletion operation, by reformatting of the storage media, or through the physical properties of the storage medium. Data remanence can make unintentional disclosure of sensitive information possible, so storage media must be sanitized before being released into an uncontrolled environment.

Which of the following are the properties of data mining? Each correct answer represents a complete solution. Choose all that apply.
A. Patterns are automatically discovered.
B. Only small data sets and databases are focused.
C. Actionable information is created.
D. Likely outcomes are predicted.

Answers A, C, and D are correct. The properties of data mining are:
Patterns are automatically discovered.
Likely outcomes are predicted.
Actionable information is created.
Large data sets and databases are the focus.
Answer B is incorrect. Data mining focuses on large data sets and databases.

You are responsible for all computer security at your company. This includes initial investigation into alleged unauthorized activity. Which of the following are possible results of improperly gathering forensic evidence in an alleged computer crime by an employee? Each correct answer represents a complete solution. Choose three.
A. Your company is sued for defaming the character of an accused party.
B. You are charged with criminal acts.
C. Your company is unable to pursue the case against a perpetrator.
D. You falsely accuse an innocent employee.

Answers A, C, and D are correct. There are many possible negative outcomes from mishandling forensic evidence. The most obvious is that the evidence becomes unusable in any criminal or civil proceeding, making it impossible to prosecute the offending parties. It is also possible that mishandled evidence would make it appear that an innocent party is guilty. Whether the party is actually guilty or not, if your company proceeds with criminal or civil action based on faulty evidence, your company risks litigation for defamation of character, libel, and malicious prosecution. Answer B is incorrect. Other than willfully falsifying evidence, there is no mishandling of forensics that can lead to criminal charges for the forensic investigator.

Which of the following statements are true of a virtual private network (VPN)?
A. It is a form of wide area network (WAN) that supplies network connectivity over a possibly long physical distance.
B. It operates at the physical layer of the OSI model.
C. It provides remote offices or individual users with secure access to their organization's network.
D. It is a network that uses a public telecommunication infrastructure, such as the Internet.

Answers A, C, and D are correct. A virtual private network (VPN) is a form of wide area network (WAN) that supplies network connectivity over a possibly long physical distance. A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN can be contrasted with an expensive system of owned or leased lines that can only be used by one organization; the goal of a VPN is to provide the organization with the same capabilities at a much lower cost. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). Answer B is incorrect. A VPN operates at the network layer of the OSI model.

Which of the following security testing techniques are included in gray-box testing? Each correct answer represents a complete solution. Choose all that apply.
A. Dynamic code analysis
B. Vulnerability scanning
C. Source code fault injection
D. Fuzz testing
E. Binary fault injection

Answers A, C, and E are correct. Source code fault injection, dynamic code analysis, and binary fault injection are security testing techniques that are included in gray-box testing. Gray-box testing is a combination of white-box testing and black-box testing. In gray-box testing, the test engineer is equipped with knowledge of the system and designs test cases or test data based on that knowledge. A security tester typically performs gray-box testing to find vulnerabilities in software and network systems. Answers D and B are incorrect. Fuzz testing and vulnerability scanning are security testing techniques that are included in black-box testing. Black-box testing uses external descriptions of the software, including specifications, requirements, and designs, to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the test object's internal structure.

Which of the following items are representative of an administrative access control method? Each correct answer represents a complete solution. Choose all that apply.
A. Incident investigation
B. Policy
C. Procedure
D. Encryption
E. Closed circuit television

Answers B and C are correct. Policy and procedure are administrative access controls, defined by an organization's security policy and other regulations or requirements. Answer A is incorrect. Incident investigation is a detective access control. Answers E and D are incorrect. Closed circuit television and encryption are preventive access controls.

Which of the following statements reflect the 'Code of Ethics Preamble' in the '(ISC)2 Code of Ethics'? Each correct answer represents a complete solution. Choose two.
A. Provide diligent and competent service to principals.
B. Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
C. Strict adherence to this Code is a condition of certification.
D. Advance and protect the profession.

Answers B and C are correct. The Code of Ethics Preamble states:
Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Strict adherence to this Code is a condition of certification.
Answers D and A are incorrect. These come under the Code of Ethics Canons.

Which of the following security models deal only with integrity? Each correct answer represents a complete solution. Choose all that apply.
A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. Biba-Wilson

Answers B and C are correct. The following security models deal only with integrity:
Biba
Clark-Wilson
The Biba model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject. Although the Biba model works in commercial applications, another model was designed in 1987 specifically for the commercial environment. The Clark-Wilson model uses a multifaceted approach to enforcing data integrity. Instead of defining a formal state machine, the Clark-Wilson model defines each data item and allows modifications through only a small set of programs. Answer A is incorrect. The Bell-LaPadula security model deals only with confidentiality. Answer D is incorrect. There is no such security model as Biba-Wilson.

Which of the following protocols work at the Network layer of the OSI model? Each correct answer represents a complete solution. Choose all that apply.
A. Simple Network Management Protocol (SNMP)
B. Routing Information Protocol (RIP)
C. File Transfer Protocol (FTP)
D. Internet Group Management Protocol (IGMP)

Answers B and D are correct. The following protocols work at the Network layer of the OSI model:
Routing Information Protocol (RIP)
Internet Group Management Protocol (IGMP)
Answers A and C are incorrect. Simple Network Management Protocol (SNMP) and File Transfer Protocol (FTP) work at the Application layer of the OSI model.

What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)
A. Retaliation against a person or organization
B. Pride of conquering a secure system
C. Money from the sale of stolen documents
D. Bragging rights

Answers B and D are correct. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

Qualitative risk analysis enables an individual to identify potential risks, and the assets and resources that are susceptible to these risks. Which of the following statements are true of qualitative risk analysis? Each correct answer represents a complete solution. Choose all that apply.
A. It supports automation.
B. It includes judgment, intuition, and experience.
C. It depends more on scenarios rather than calculations.
D. It provides useful and meaningful results.

Answers B, C, and D are correct. Qualitative risk analysis includes judgment, intuition, and experience. It enables an individual to identify the potential risks, and the assets and resources that are vulnerable to these risks. It depends more on scenarios than on calculations. It requires guesswork, makes use of opinions, and provides useful and meaningful results. Answer A is incorrect. Qualitative risk analysis does not support automation; automation is supported by quantitative risk analysis.

Which of the following codes are defined under 'Advance and protect the profession' of the Code of Ethics Canons described by the (ISC)2 code of ethics? Each correct answer represents a complete solution. Choose all that apply.
A. Promote and preserve public trust and confidence in information and systems.
B. Sponsor for professional advancement those best qualified.
C. Take care not to injure the reputation of other professionals through malice or indifference.
D. Maintain your competence.

Answers B, C, and D are correct. The codes defined under 'Advance and protect the profession' of the Code of Ethics Canons described by the (ISC)2 Code of Ethics are as follows:
Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
Take care not to injure the reputation of other professionals through malice or indifference.
Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.

What kinds of potential issues can an emergency visit from the fire department leave in its wake?

Anytime water is used to respond to fire, flame, or smoke, water damage becomes a serious concern, particularly when water is released in areas where electrical equipment is in use. Not only can computers and other electrical gear be damaged or destroyed by water, but also many forms of storage media can become damaged or unusable. Also, when seeking hot spots to put out, firefighters often use axes to break down doors or cut through walls to reach them as quickly as possible. This, too, poses the potential for physical damage to or destruction of devices and/or wiring that may also be in the vicinity.

Software Development Security

Application development in a networked environment (see Lesson 13, "Software Development Security") focuses on sound and secure application development techniques. This domain requires a good understanding of the controls needed for the software development life cycle (SDLC), and how they're applied during each phase. Topics covered in this domain include:
Understanding and applying security in the SDLC
Understanding the environment and security controls
Assessing the effectiveness of software security

Understand common web application vulnerabilities and countermeasures

As many applications move to the web, developers and security professionals must understand the new types of attacks that exist in this environment and how to protect against them. The two most common examples are cross-site scripting (XSS) and SQL injection attacks.

Know the importance of collecting evidence.

As soon you discover an incident, you must begin to collect evidence and as much information about the incident as possible. The evidence can be used in a subsequent legal action or in finding the identity of the attacker. Evidence can also assist you in determining the extent of damage.

Understand the need to control access to audit reports

Audit reports typically address common concepts such as the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. They often include other details specific to the environment and can include sensitive information such as problems, standards, causes, and recommendations. Audit reports that include sensitive information should be assigned a classification label and handled appropriately. Only people with sufficient privilege should have access to them. An audit report can be prepared in various versions for different target audiences to include only the details needed by a specific audience. For example, senior security administrators might have a report with all the relevant details, whereas a report for executives would provide only high-level information.

need for audit trails and access logs

Audit trails and access logs are useful tools even for physical access control. They may need to be created manually by security guards. Or they can be generated automatically if sufficiently automated access control mechanisms are in place (in other words, smartcards and certain proximity readers). You should also consider monitoring entry points with CCTV. Through CCTV, you can compare the audit trails and access logs with a visually recorded history of the events. Such information is critical to reconstructing the events of an intrusion, breach, or attack.

Understand audit trails

Audit trails are the records created by recording information about events and occurrences into one or more databases or log files. They are used to reconstruct an event, to extract information about an incident, and to prove or disprove culpability. Using audit trails is a passive form of detective security control, and audit trails are essential evidence in the prosecution of criminals.

Security Functional Requirements

Audit: Security auditing functions involve recognizing, recording, storing, and analyzing information related to security-relevant activities. The resulting audit records can be examined to determine which security-relevant activities took place and which user is responsible for them.
Cryptographic support: These functions are used when the TOE implements cryptographic functions in hardware, firmware, or software.
Communications: These functional requirements are related to ensuring both the identity of a transmitted information originator and the identity of the recipient. These functions ensure that an originator cannot deny having sent the message, nor can the recipient deny having received it.
User data protection: This class of functions is related to protecting user data within a TOE during import, export, and storage.
Identification and authentication: These functions ensure that users are associated with the proper security attributes (including identity, groups, and roles).
Security management: These functions are intended to specify the management of several aspects of the TOE security functions, security attributes, and security data.
Privacy: These requirements protect a user against discovery and misuse of identity by other users.
Protection of the TOE security functions (TSF): These requirements relate to the integrity and management of the mechanisms that provide the TSF and to the integrity of TSF data.
Resource utilization: These functions support the availability of required resources such as CPU and storage capacity. Fault tolerance protects against unavailability of capabilities caused by failure of the TOE. Priority of service ensures that the resources will be allocated to the more important or time-critical tasks and cannot be monopolized by lower-priority tasks.
TOE access: These requirements control the establishment of a user's session.

Describe the relationship between auditing and audit trails.

Auditing is a methodical examination or review of an environment and encompasses a wide variety of activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible.

Understand auditing and the need for frequent security audits

Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as a primary type of detective control used within a secure environment. The frequency of an IT infrastructure security audit or security review is based on risk. An organization determines whether sufficient risk exists to warrant the expense and interruption of a security audit. The degree of risk also affects how often an audit is performed. It is important to clearly define and adhere to the frequency of audit reviews.

Be able to explain the auditing process

Auditing, or monitoring, is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. Auditing is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis.

Know how cryptosystems can be used to achieve authentication goals

Authentication provides assurances as to the identity of a user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the communicating parties. Authentication can be achieved with both symmetric and asymmetric cryptosystems.

common authorization mechanisms

Authorization ensures that the requested activity or object access is possible, given the privileges assigned to the authenticated identity. For example, it ensures that users with appropriate privileges can access files and other resources. Common authorization mechanisms include implicit deny, access control lists, access control matrixes, capability tables, constrained interfaces, content-dependent controls, and context-dependent controls. These mechanisms enforce security principles such as the need-to-know, the principle of least privilege, and separation of duties.

Know the importance of retaining investigatory data.

Because you will discover some incidents after they have occurred, you will lose valuable evidence unless you ensure that critical log files are retained for a reasonable period of time. You can retain log files and system status information either in place or in archives.

Know the network reconnaissance techniques used by attackers preparing to attack a network

Before launching an attack, attackers use IP sweeps to search out active hosts on a network. These hosts are then subjected to port scans and other vulnerability probes to locate weak spots that might be attacked in an attempt to compromise the network. You should understand these attacks to help protect your network against them, limiting the amount of information attackers may glean.

Block Ciphers

Block ciphers (DES, 3DES, and AES): DES uses a 56-bit (7 bytes plus a checksum byte) key, which is considered weak today. Triple DES uses a 112-bit (14 bytes plus 2 checksum bytes) key, and AES uses a variable-length key (256 bits, 512 bits, and so on). Block ciphers are important for encrypting/decrypting data in bulk, such as files or batches of data. They're also useful for encrypting data in storage systems to prevent unauthorized access. Block ciphers can be used to encrypt data fields (attributes) in records and tables, entire records of data, or entire files or database tables.

Explain the process Bob should use to digitally sign a message to Alice.

Bob should generate a message digest from the plaintext message using a hash function. He should then encrypt the message digest using his own private key to create the digital signature. Finally, he should append the digital signature to the message and transmit it to Alice.

Botnets

Botnets are quite common today. The computers in a botnet are like robots (referred to as bots and sometimes zombies). Multiple bots in a network form a botnet and will do whatever attackers instruct them to do. A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and-control servers

Understand botnets, botnet controllers, and bot herders

Botnets represent significant threats due to the massive number of computers that can launch attacks, so it's important to know what they are. A botnet is a collection of compromised computing devices (often called bots or zombies) organized in a network controlled by a criminal known as a bot herder. Bot herders use a command and control server to remotely control the zombies and often use the botnet to launch attacks on other systems, or to send spam or phishing emails. Bot herders also rent botnet access out to other criminals.

four steps of the business continuity planning process

Business continuity planning involves four distinct phases: project scope and planning, business impact assessment, continuity planning, and approval and implementation.

Know the legal and regulatory requirements that face business continuity planners.

Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that must be met before and after a disaster.

Control Objectives for Information and Related Technology (COBIT)

COBIT is an initiative from the Information Systems Audit and Control Association (ISACA) and is preferred among IT auditors. COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors. COBIT is a widely recognized and respected security control framework.

social engineering attacks

Caller ID spoofing: Occurs when a user intentionally falsifies the information transmitted to disguise his identity.
Shoulder surfing: Uses direct observation methods, such as looking over someone's shoulder, to get information.
Vishing: Uses the telephone system to access private, personal, and financial information of a person.
Eavesdropping: Allows an attacker to listen to the private conversation of sender and receiver without their consent.
Snooping: Allows an unauthorized user to access another person's or company's data.

switching technologies

Circuit switching: constant traffic; connection oriented; used primarily for voice.
Packet switching: bursty traffic; variable delays; sensitive to data loss.

What are the main differences between circuit switching and packet switching?

Circuit switching is usually associated with physical connections. The link itself is physically established and then dismantled for the communication. Circuit switching offers known fixed delays, supports constant traffic, is connection oriented, is sensitive only to the loss of the connection rather than the communication, and was most often used for voice transmissions. Packet switching is usually associated with logical connections because the link is just a logically defined path among possible paths. Within a packet-switching system, each system or link can be employed simultaneously by other circuits. Packet switching divides the communication into segments, and each segment traverses the circuit to the destination. Packet switching has variable delays because each segment could take a unique path, is usually employed for bursty traffic, is not physically connection oriented but often uses virtual circuits, is sensitive to the loss of data, and is used for any form of communication.

three primary categories of laws within the common law system(Judicial Branch)

Civil law: Civil laws are written to compensate individuals who were harmed through wrongful acts known as torts. A tort can be either intentional or unintentional (as in the case of negligence). Common law is generally associated with civil disputes in which compensation is financial but does not involve imprisonment.
Criminal law: Criminal law punishes those who violate government laws and harm an individual or group. Unlike civil law, criminal law includes imprisonment in addition to financial penalties.
Regulatory law: Regulatory law consists of administrative laws that regulate the behavior of administrative agencies of government. Considered part of public law, regulatory law addresses issues that arise between the individual and a public entity. Regulatory laws can also exact financial penalties and imprisonment.

Advanced Models

Clark and Wilson model: Proposes "well-formed transactions." It requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties.
Noninterference model: Covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy.
State machine model: Acts as an abstract mathematical model consisting of state variables and transition functions.
Access matrix model: Acts as a state machine model for a discretionary access control environment.
Information flow model: Simplifies analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy.

address class ranges

Class A: first octet 00000000 - 01111111 (0 - 126)
Class B: first octet 10000000 - 10111111 (128 - 191)
Class C: first octet 11000000 - 11011111 (192 - 223)
Class D: first octet 11100000 - 11101111 (224 - 239)
Class E: first octet 11110000 - 11110111 (240 - 255)
Note that the 127 network address is used for loopback.

Trusted Computer System Evaluation Criteria (TCSEC)Discretionary Protection (Categories C1, C2):

Classes in Division C provide for discretionary protection, based on the need-to-know or least privilege principle, and for audit control mechanisms that enforce the personal accountability of subjects for the actions they take while using the system. In the commercial world, discretionary protection shelters objects from unauthorized subjects through the assignment of privilege to the subject by the object's owner. In other words, a data owner (human being) gets to decide who is authorized to access his or her objects (data, programs, and so forth).
Class C1: Discretionary Security Protection. The TCB of a Class C1 system satisfies the discretionary access control requirements by separating users and data. It incorporates mechanisms that are capable of enforcing access limitations on an individual basis.
Class C2: Controlled Access Protection. Systems in this class enforce a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.

Understand the difference between a code and a cipher and explain the basic types of ciphers.

Codes are cryptographic systems of symbols that operate on words or phrases and are sometimes secret but don't always provide confidentiality. Ciphers, however, are always meant to hide the true meaning of a message. Know how the following types of ciphers work: transposition ciphers, substitution ciphers (including one-time pads), stream ciphers, and block ciphers.

CFAA Amendments

Collectively, these changes are referred to as the Computer Abuse Amendments Act of 1994 and included the following provisions:
Outlawed the creation of any type of malicious code that might cause damage to a computer system
Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems
Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages
Since the initial CFAA amendments in 1994, Congress passed additional amendments in 1996, 2001, 2002, and 2008 as part of other cybercrime legislation.

Understand the various network attacks and countermeasures associated with communications security

Communication systems are vulnerable to many attacks, including distributed denial of service (DDoS), eavesdropping, impersonation, replay, modification, spoofing, and ARP and DNS attacks. Be able to supply effective countermeasures for each.

Be able to list and explain the six categories of computer crimes

Computer crimes are grouped into six categories: military and intelligence attack, business attack, financial attack, terrorist attack, grudge attack, and thrill attack. Be able to explain the motive of each type of attack.

Understand the role that confidentiality, integrity, and nonrepudiation play in cryptosystems.

Confidentiality is one of the major goals of cryptography. It protects the secrecy of data while it is both at rest and in transit. Integrity provides the recipient of a message with the assurance that data was not altered (intentionally or unintentionally) between the time it was created and the time it was accessed. Nonrepudiation provides undeniable proof that the sender of a message actually authored it. It prevents the sender from subsequently denying that they sent the original message.

Understand the CIA Triad elements of confidentiality, integrity, and availability

Confidentiality is the principle that objects are not disclosed to unauthorized subjects. Integrity is the principle that objects retain their veracity and are intentionally modified by only authorized subjects. Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects. Know why these are important, the mechanisms that support them, the attacks that focus on each, and the effective countermeasures.

USA PATRIOT Act of 2001

Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 in direct response to the September 11, 2001, terrorist attacks in New York City and Washington, DC. The PATRIOT Act greatly broadened the powers of law enforcement organizations and intelligence agencies across a number of areas, including when monitoring electronic communications. One of the major changes prompted by the PATRIOT Act revolves around the way government agencies obtain wiretapping authorizations. Previously, police could obtain warrants for only one circuit at a time, after proving that the circuit was used by someone subject to monitoring. Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant. Another major change is in the way the government deals with Internet service providers (ISPs). Under the terms of the PATRIOT Act, ISPs may voluntarily provide the government with a large range of information. The PATRIOT Act also allows the government to obtain detailed information on user activity through the use of a subpoena (as opposed to a wiretap). Finally, the USA PATRIOT Act amends the Computer Fraud and Abuse Act (yes, another set of amendments!) to provide more severe penalties for criminal acts. The PATRIOT Act provides for jail terms of up to 20 years and once again expands the coverage of the CFAA.

Know the basics of COBIT

Control Objectives for Information and Related Technologies (COBIT) is a security concept infrastructure used to organize the complex security solutions of companies.

Three Types of Security Controls

Preventative, detective, and responsive. Controls (such as documented processes) and countermeasures (such as firewalls) must be implemented as one or more of these three types, or the controls are not there for the purposes of security. Shown in another triad, the principle of defense in depth dictates that a security mechanism serve a purpose by preventing a compromise, detecting that a compromise or compromise attempt is underway, or responding to a compromise while it's happening or after it has been discovered.

Understand access review and user entitlement audits

An access review audit ensures that object access and account management practices support the security policy. User entitlement audits ensure that the principle of least privilege is followed and often focus on privileged accounts.

Know basic preventive measures

Basic preventive measures can prevent many incidents from occurring. These include keeping systems up-to-date, removing or disabling unneeded protocols and services, using intrusion detection and prevention systems, using anti-malware software with up-to-date signatures, and enabling both host-based and network-based firewalls.

cryptosystems

Hashing functions (SHA-1 and SHA-3)
Block ciphers (DES, 3DES, and AES)
Implementations of RSA Public-Private Key (PPK)

types of computer crime

Military and intelligence attacks: Launched to obtain secret and restricted information from technological research sources
Business attacks: Focus on illegally obtaining an organization's confidential information
Financial attacks: Carried out to unlawfully obtain services
Grudge attacks: Carried out to damage an organization or a person

Know how authorization fits into a security plan

Once a subject is authenticated, its access must be authorized. The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity.

How far backward does the waterfall model allow developers to travel when a development flaw is discovered?

One phase

the functional order of controls

These are deterrence, then denial, then detection, and then delay.

What is the main motivation behind a thrill attack?

Thrill attacks are motivated by individuals seeking to achieve the "high" associated with successfully breaking into a computer system.

intellectual property

and a whole host of laws exist to protect the rights of their owners.

National Data Conversion Institute (NDCI)

makes a case for using expert investigative services to solve computer crimes.

substitution cipher (ROT13 cipher)

Shifts the alphabet by 13 places. Letters are exchanged with other letters based on a substitution pattern known to both sender and receiver.

Abstraction

the concept of abstraction is used when classifying objects or assigning roles to subjects.

Password strength

Use a combination of letters, numbers, and symbols. Don't use common phrases.

host-based IDS (HIDS)

monitors a single computer or host

What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? A Parallel test B Full-interruption test C Simulation test D Structured walk-through

Answer A is correct. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.

Which networking technology is based on the IEEE 802.3 standard? A FDDI B Token Ring C Ethernet D HDLC

Answer C is correct. Ethernet is based on the IEEE 802.3 standard.

OSI Model Layers

Physical layer (layer 1): Transmits bit streams on a physical medium. It manages the interfaces of physical devices with physical transmission media, such as coax cable. This layer has the fewest tasks to perform. It sends bit streams across the network to another device and receives a bit stream response in return. The High Speed Serial Interface (HSSI) is one example of a standard interface working at the Physical Layer level.
Data Link layer (layer 2): Transfers units of information to the other end of the physical link. Protocols at this level establish communication links between devices over a physical link (physical devices) or channel, converting data into bit streams for delivery to the lowest layer, the Physical Layer. 802.11 wireless LANs operate at Layer 2 and Layer 1.
Network layer (layer 3): Decides how small bundles, or packets, of data route between destination systems on the same network or interconnected networks. Routers and bridge routers (brouters) are among the network hardware devices that function at layer 3.
Network (Internet) Layer protocols:
Internet Protocol (IP): The protocol of protocols. IP addresses are assigned by the Internet Assigned Numbers Authority to each host computer on the network. This serves as a logical ID. The IP address assists with the routing of information across the Internet. Outgoing data packets carry the originator's IP address and the IP address of the recipient.
Address Resolution Protocol (ARP): ARP matches an IP address to an Ethernet address, which is a physical device (network adapter) that has a unique media access control (MAC) address assigned by the manufacturer of the device. MAC addresses are much longer numbers than IP addresses, and humans tend to work better with IP addresses than with MAC addresses. Thus, ARP and RARP (covered next) exist to help with network addressing tasks.
Reverse Address Resolution Protocol (RARP): If ARP translates an IP address to a MAC address, then RARP translates hardware interface (MAC) addresses to IP protocol addresses.
Internet Control Message Protocol (ICMP): ICMP is tightly integrated with the IP protocol. Some of its functions include announcing network errors and congestion, troubleshooting, and reporting timeouts. ICMP is the management protocol for TCP/IP and is often the source of security issues; network hackers use it to select targets and determine network-level information about those targets. For example, the common ping command, used to determine whether an IP or host name is online, is an ICMP command.
Transport layer (layer 4): Protocols at this level provide the point-to-point integrity of data transmissions. They determine how to address the other computer, establish communication links, handle the networking of messages, and generally control the session. The Transmission Control Protocol (TCP) operates at this level. TCP allows two computers to connect with each other and exchange streams of data while guaranteeing delivery of the data and maintaining it in the same order. Although the context of communications works at the higher layers of the protocol stack, the transport of this context over the network occurs at Layer 4.
Transport Layer (host-to-host) protocols:
Transmission Control Protocol (TCP): TCP is a reliable service that maintains the proper sequence of incoming packets and acknowledges receipt to the user.
User Datagram Protocol (UDP): UDP is a less robust version of TCP. It does not acknowledge receipt of packets and is a connectionless and less reliable service. Its advantage over TCP is its faster speed and lower overhead.
Session layer (layer 5): Is responsible for establishing, maintaining, and terminating communication sessions between two computers. When you request information about your checking account balance from your bank's web application, the Session Layer makes the initial contact with the host computer, formats the data you are sending for transmission, establishes the necessary communication links, and handles recovery and restart functions.
Presentation layer (layer 6): Translates or "presents" data to the Application Layer. Data encryption and decryption occur in this layer along with data translation. Whenever you view a photograph in JPEG format on the Internet, watch a video someone has sent you in MPEG format, or listen to an MP3 file, you are interacting with OSI Presentation Layer protocol services.
Application layer (layer 7): Is called the data stream. The highest layer in the stack, it is the one most directly related to the computer user. It provides several application services, such as file transfer, resource allocation, and the identification and verification of computer availability. Each time you send an email, you are invoking protocols at the Application Layer level.

functional order when designing physical security

Deterrence, denial, detection, delay.

levels in Software Capability Maturity Model (SW-CMM)

Initial: Processes are usually ad hoc and chaotic
Repeatable: Basic life cycle management processes are introduced
Defined: Software developers operate according to a set of formal documented software development processes
Managed: Management of the software process proceeds to the next level
Optimizing: A process of continuous improvement occurs

types of storage to maintain system and user data

Primary memory: Consists of the main memory resources directly available to a system's CPU
Virtual storage: Allows a system to simulate secondary storage resources through the use of primary storage
Random access storage: Allows the operating system to request contents from any point within the media
Sequential access storage: Requires scanning through the entire media from the beginning to reach a specific address
Volatile storage: Loses its contents when power is removed from the resource

Trade Secrets

Unlike trademarks or patents, trade secrets do not benefit from legal protection. As long as no one but you knows about your idea, it belongs to you. Usually, a trade secret is a patent in process, an embryonic but unofficial and legally unprotected idea.

Transport Layer Security (TLS)

a cryptographic protocol that ensures data security and integrity over public networks, such as the Internet

Governance and vendor managers

are needed to ensure that outsourced functions are operating within security policies and standards. The IT industry continues to rely on off-shore developers, managed security services, and outsourced computer operations, so the growth of governance personnel is assured.

Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data? A ISDN B PVC C VPN D SVC

Answer B is correct. A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data.

Know the types of log files

Log data is recorded in databases and different types of log files. Common log files include security logs, system logs, application logs, firewall logs, proxy logs, and change management logs. Log files should be protected by centrally storing them and using permissions to restrict access, and archived logs should be set to read-only to prevent modifications.

mean time to repair (MTTR)

MTTR is the average length of time required to perform a repair on the device.

Understand monitoring and uses of monitoring tools

Monitoring is a form of auditing that focuses on active review of the log file data. Monitoring is used to hold subjects accountable for their actions and to detect abnormal or malicious activities. It is also used to monitor system performance. Monitoring tools such as IDSs or SIEMs automate monitoring and provide real-time analysis of events.

Define the difference between need-to-know and the principle of least privilege.

Need to know focuses on permissions and the ability to access information, whereas the principle of least privilege focuses on privileges. Privileges include both rights and permissions. Both limit the access of users and subjects to only what they need. Following these principles prevents and limits the scope of security incidents.

Understand service-level agreements

Organizations use service-level agreements (SLAs) with outside entities such as vendors. They stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn't meet expectations.

Explain the techniques that attackers use to compromise password security

Passwords are the most common access control mechanism in use today, and it is essential that you understand how to protect against attackers who seek to undermine their security. Know how password crackers, dictionary attacks, and social engineering attacks, such as phishing, can be used to defeat password security.

Security is synonymous with

Protection, armor, shield: terms that impact people.

RSA public key cryptosystems

RSA is the most famous public key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. It depends on the difficulty of factoring the product of prime numbers. El Gamal is an extension of the Diffie-Hellman key exchange algorithm that depends on modular arithmetic. The elliptic curve algorithm depends on the elliptic curve discrete logarithm problem and provides more security than other algorithms when both are used with keys of the same length.

Understand sampling

Sampling, or data extraction, is the process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole. Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data. Clipping is a form of nonstatistical sampling that records only events that exceed a threshold.

processes of designing facility security:

Site selection
Natural disaster
Visibility
Facility design

What are the four components of a complete organizational security policy and their basic purpose?

The four components of a security policy are policies, standards, guidelines, and procedures. Policies are broad security statements. Standards are definitions of hardware and software security compliance. Guidelines are used when there is not an appropriate procedure. Procedures are detailed step-by-step instructions for performing work tasks in a secure manner.

mean time between failures (MTBF)

This is an estimation of the time between the first and any subsequent failures. If the MTTF and MTBF values are the same or fairly similar, manufacturers often only list the MTTF to represent both values.

Know how cryptographic salts improve the security of password hashing

When straightforward hashing is used to store passwords in a password file, attackers may use rainbow tables of precomputed values to identify commonly used passwords. Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks. Common password hashing algorithms that use key stretching to further increase the difficulty of attack include PBKDF2, bcrypt, and scrypt.

Secure Sockets Layer (SSL)

a standard security technology for establishing an encrypted link between a web server and a browser, ensuring that all data passed between them remains private

Pseudo flaws

are false vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers. They are often used on honeypot systems to emulate well-known operating system vulnerabilities.

Incident response team members

are alerted when an intrusion or security incident occurs. They decide how to stop the attack or limit the damage as they collect and analyze forensics data while interacting with law enforcement personnel and executive management.

Access coordinators

are delegated the authority on behalf of a system owner to establish and maintain the user base that is permitted to access and use the system in the normal course of their job duties.

digital signature

can be attached to an electronically transmitted message that uniquely identifies the sender. The purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. X.509 is a widely used standard for defining digital certificates. X.509 certificates attach a person's identity to a pair (or pairs) of cryptographic keys.

Permanent Virtual Circuit (PVC)

can be described as a logical circuit that always exists and is waiting for the customer to send data.

Compliance officers

check to see that employees remain in compliance with security policies and standards as they use information systems in their daily work. Compliance officers usually work with outside regulators when audits are conducted and are often charged with employee security training and awareness programs to help maintain compliance.

International Traffic in Arms Regulations (ITAR)

controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under ITAR appear on a list called the United States Munitions List (USML), maintained in 22 CFR 121.

two of the tools security specialists use to protect information systems

cryptography and firewalls

Security architects and network engineers

design and implement network infrastructures that are built with security in mind. Skills needed here include understanding firewall designs, designing and developing intrusion detection/prevention systems and processes, and determining how to configure servers, desktop computers, and mobile devices to comply with security policies.

system-specific security policy

focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls.

organizational security policy

focuses on issues relevant to every aspect of an organization.

Mandatory Access Control (MAC)

model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules. Security labels are the most important entity and are required.

Data hiding

preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Fixed-temperature detection systems

trigger suppression when a specific temperature is reached. The trigger is usually a metal or plastic component that is in the sprinkler head and melts at a specific temperature.

Cold Sites

Unlike the hot site, the cold site provides facilities (including power, air conditioning, heat, and other environmental systems) necessary to run a data processing center without any of the computer hardware or software. The customer must deliver the hardware and software necessary to bring up the site. The cold site is a cheaper solution than a hot site, but you get what you pay for.

cable plant management policy

A cable plant is the collection of interconnected cables and intermediary devices (such as cross-connects, patch panels, and switches) that establish the physical network.

What character should always be treated carefully when encountered as user input on a web form? A * B ' C ! D &

Answer B is correct. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

Which one of the following tests provides the most accurate and detailed information about the security state of a server? A Port scan B Half-open scan C Authenticated scan D Unauthenticated scan

Answer C is correct. Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

What is the major disadvantage of using certificate revocation lists? A Key management B Vulnerability to brute-force attacks C Record keeping D Latency

Answer D is correct. Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.

Which of the following is the conduct of an independent technical review of a software product to determine whether specific security controls have been implemented as planned? A Authorization B Identification C Accreditation D Certification

Answer D is correct. Certification is the conduct of an independent technical review of a software product to determine whether specific security controls have been implemented as planned. Answer C is incorrect. Accreditation should take place between the implementation and the beginning of operational use of the system or application. This process follows the certification process. Certification is the process used to review and evaluate security controls and functionality. Accreditation is the formal acceptance of the system by management and an explicit acceptance of risk. Answer B is incorrect. Identification is the capability to find, retrieve, report, change, or delete specific data without ambiguity. Answer A is incorrect. Authorization is the process of granting permission. It is a process that verifies whether a user has permission to access a Web resource.

Understand the importance of declassification

Declassification is required once an asset no longer warrants the protection of its currently assigned classification or sensitivity level.

Due Care and Due Diligence

Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort.

Alice wants to digitally sign a message she's sending to Bob. Click to select the steps that she follows, and then drag them into the correct order.

Explanation: Here are the steps followed by Alice in a digital signature system:
1. Generates a message digest of the original plain-text message using one of the cryptographically sound hashing algorithms, such as SHA-512.
2. Encrypts only the message digest using her private key. This encrypted message digest is the digital signature.
3. Appends the signed message digest to the plain-text message.
4. Transmits the appended message to Bob.

Know the common applications of cryptography to secure email.

The emerging standard for encrypted messages is the S/MIME protocol. Another popular email security tool is Phil Zimmermann's Pretty Good Privacy (PGP). Most users of email encryption rely on having this technology built into their email client or their web-based email service.

recovery time objective (RTO)

This is the amount of time in which you think you can feasibly recover the function in the event of a disruption.

need for clean power

Power supplied by electric companies is not always consistent and clean. Most electronic equipment demands clean power in order to function properly. Equipment damage because of power fluctuations is a common occurrence. Many organizations opt to manage their own power through several means. A UPS is a type of self-charging battery that can be used to supply consistent clean power to sensitive equipment. UPSs also provide continuous power even after the primary power source fails. A UPS can continue to supply power for minutes or hours depending on its capacity and the draw by equipment.

Know the common applications of cryptography to secure web activity.

The de facto standard for secure web traffic is the use of HTTP over Transport Layer Security (TLS) or the older Secure Sockets Layer (SSL). Most web browsers support both standards, but many websites are dropping support for SSL due to security concerns.

Which Orange Book level is considered mandatory protection and is based on the Bell-LaPadula security model? A B B D C C D A

Answer A is correct. The Trusted Computer System Evaluation Criteria (TCSEC) classifies the systems into four hierarchical divisions of security levels: Level A (verified protection and the highest level of security), Level B (mandatory protection enforced with security labels), Level C (discretionary protection), and Level D (minimal protection). The evaluation criteria are published in a book referred to as the Orange Book. Each level may have numbered sublevels. A higher rating implies a higher degree of trust and assurance. For example, a B2 rating provides more assurance than a C2 rating. A higher rating includes the requirements of a lower rating. For example, a B2 rating includes the features and specifications of a C2 rating.

Level A is verified protection, offering the highest level of security. An A1 rating implies that the security assurance, design, development, implementation, evaluation, and documentation of a computer is performed in a very formal and detailed manner. An infrastructure containing A1-rated systems is the most secure environment and is typically used to store highly confidential and sensitive information. This level implements trusted facility management.

Level B is mandatory protection based on the Bell-LaPadula security model and enforced by the use of security labels. A B1 rating refers to labeled security, where each object has a classification label, and each subject has a security clearance level. To access the contents of the object, the subject should have an equal or higher level of security clearance than the object. A system compares the security clearance level of a subject with the object's classification to allow or deny access to the object. The B1 category offers process isolation, the use of device labels, the use of design specification and verification, and mandatory access controls. B1 systems are used to handle classified information. A B2 rating refers to structured protection. A stringent authentication procedure should be used in B2-rated systems to enable a subject to access objects by using the trusted path without any backdoors. This level is the lowest level to implement trusted facility management; levels B3 and A1 implement it also. Additional requirements of a B2 rating include the separation of operator and administrator duties, sensitivity labels, and covert storage channel analysis. A B2 system is used in environments that contain highly sensitive information. Therefore, a B2 system should be resistant to penetration attempts. A B3 rating refers to security domains. B3 systems should be able to perform a trusted recovery. A system evaluated against a B3 rating should have the role of the security administrator fully defined. A B3 system should provide the monitoring and auditing functionality. A B3 system is used in environments that contain highly sensitive information and should be resistant to penetration attempts. Another feature of a B3 rating is covert timing channel analysis. This category specifies trusted recovery controls.

Level C is discretionary protection based on discretionary access of subjects, objects, individuals, and groups. A C1 rating refers to discretionary security protection. To enable the rating process, subjects and objects should be separated from the auditing facility by using a clear identification and authentication process. A C1 rating system is suitable for environments in which users process the information at the same sensitivity level. A C1 rating system is appropriate for environments with low security concerns. A C2 rating refers to controlled access protection. The authentication and auditing functionality in systems should be enabled for the rating process to occur. A system with a C2 rating provides resource protection and does not allow object reuse. Object reuse implies that an object should not have remnant data that can be used by a subject later. A C2 system provides granular access control and establishes a level of accountability when subjects access objects. A system with a C2 rating is suitable for a commercial environment.

Level D is a minimal protection rating that is offered to systems that fail to meet the evaluation criteria of higher levels.

Which one of the following is the final step of the Fagan inspection process? A Rework B Inspection C None of the above D Follow-up

Answer D is correct. The Fagan inspection process concludes with the follow-up phase.

protocol

is a set of rules and restrictions that define how data is transmitted over a network medium (e.g., twisted-pair cable, wireless transmission)

Understand sniffer attacks.

In a sniffer attack (or snooping attack) an attacker uses a packet-capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network. Attackers can easily read data sent over a network in cleartext, but encrypting data in transit thwarts this type of attack.

Masquerading

is using someone else's security ID to gain entry into a facility.

business continuity plan (BCP) & disaster recovery plan (DRP)

The business continuity plan (BCP) describes the critical processes, procedures, and personnel that must be protected in the event of an emergency (preventative). The disaster recovery plan (DRP) describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations (reactive).

Be able to explain what social engineering is

Social engineering is a means by which an unknown person gains the trust of someone inside your organization by convincing employees that they are, for example, associated with upper management, technical support, or the help desk. The victim is often encouraged to make a change to their user account on the system, such as reset their password, so the attacker can use it to gain access to the network. The primary countermeasure for this sort of attack is user training.

Process for Attack Simulation and Threat Analysis (PASTA)

Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)

Hot Sites

A hot-site facility assumes the entire burden of providing backup computing services for the customer. This includes hosting the application software and data in a so-called mirror site.

Defense in Depth

A defense that uses multiple types of security devices to protect a network. Also called layered security. This security is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response. Defense in depth also seeks to offset the weaknesses of one security layer by the strengths of two or more layers.

Understand how email security works

Internet email is based on SMTP, POP3, and IMAP. It is inherently insecure. It can be secured, but the methods used must be addressed in a security policy. Email security solutions include using S/MIME, MOSS, PEM, or PGP.

Understand how to handle visitors in a secure facility

If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required. Often an escort is assigned to visitors, and their access and activities are monitored closely. Failing to track the actions of outsiders when they are granted access to a protected area can result in malicious activity against the most protected assets.

The Internet Assigned Numbers Authority (IANA) implemented classful IPv4 addresses

Class A: 1.0.0.0 - 126.0.0.0. The first octet is the network ID; the last three octets are the host ID. The default subnet mask is 255.0.0.0.
Class B: 128.0.0.0 - 191.255.0.0. The first two octets are the network ID; the last three octets are the host ID. The default subnet mask is 255.255.0.0.
Class C: 192.0.0.0 - 223.255.255.0. The first three octets are the network ID; the last octet is the host ID. The default subnet mask is 255.255.255.0.
Class D: 224.0.0.0 - 239.0.0.0. Multicasting addresses.
Class E: 240.0.0.0 - 255.0.0.0. Experimental use.

Information warfare:

A concern of the U.S. Department of Homeland Security, information warfare includes attacks upon a country's computer network to gain economic or military advantage. You can learn more about information warfare at the Institute for the Advanced Study of Information Warfare.

What kind of device helps to define an organization's perimeter and also serves to deter casual trespassing?

A fence is an excellent perimeter safeguard that can help to deter casual trespassing. Moderately secure installations work when the fence is 6 to 8 feet tall and will typically be cyclone (also known as chain link) fencing with the upper surface twisted or barbed to deter casual climbers. More secure installations usually opt for fence heights over 8 feet and often include multiple strands of barbed or razor wire strung above the chain link fabric to further deter climbers.

Qualitative risk analysis

A qualitative analysis assigns real dollar figures to the loss of an asset. It includes judgment, intuition, and experience. It enables an individual to identify the potential risks, and the assets and resources that are vulnerable to these risks. It depends more on scenarios than on calculations. It requires guesswork, makes use of opinions, and provides useful and meaningful results. Qualitative risk analysis does not support automation; automation is supported by quantitative risk analysis.

Which type of password provides maximum security because a new password is required for each new log-on?

A user is challenged to provide the one-time password displayed on the device at that moment in time as the "dynamic" password plus the password only the user knows. One-time passwords are a commonly used type of dynamic password—a machine-generated, random string that is used once to authenticate. Every time an end user wants to log in, instead of entering their usual static password every time, they would simply input a unique, machine-generated password.

Understand how to maintain accountability

Accountability is maintained for individual subjects through the use of auditing. Logs record user activities and users can be held accountable for their logged actions. This directly promotes good user behavior and compliance with the organization's security policy.

Recognize IDS/IPS responses

An IDS can respond passively by logging and sending notifications or actively by changing the environment. Some people refer to an active IDS as an IPS. However, it's important to recognize that an IPS is placed in line with the traffic and includes the ability to block malicious traffic before it reaches the target.

What type of memory device is usually used to contain a computer's motherboard BIOS? A EEPROM B ROM C EPROM D PROM

Answer A is correct. BIOS and device firmware are often stored on EEPROM chips to facilitate future firmware updates.

Your company implements several databases. You are concerned with the security of the data in the databases. Which statement is correct for database security? A Data control language (DCL) implements security through access control and granular restrictions. B Bind variables provide access control through implementing granular restrictions. C Data manipulation language (DML) implements access control through authorization. D Data identification language implements security on data components.

Answer A is correct. Data control language (DCL) implements security through access control and granular restrictions. DCL is used to configure which DML statements users can use. None of the other statements is true. Data identification language is not a valid language used in databases. A bind variable is a placeholder in a SQL statement that must be replaced with a valid value or value address for the statement to execute successfully. Data manipulation language (DML) is used to change the values of data within a database.

What will be the major resource consumed by the BCP process during the BCP phase? A Personnel B Processing time C Software D Hardware

Answer A is correct. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

What does IPsec define? A A framework for setting up a secure communication channel B All possible security classifications for a specific configuration C TCSEC security categories D The valid transition states in the Biba model

Answer A is correct. IPsec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.

During an XOR operation, two bits are combined. Both values are the same. What will be the result of this combination? A 0 B 1 C X D OR

Answer A is correct. If two bits are combined in an XOR operation and both bit values are the same, the result of the combination is 0. If two bits are combined in an XOR operation and both bit values are different, the result of the combination is 1. The other two options are invalid.

What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment? A Time B Monetary C Utility D Importance

Answer B is correct. The quantitative portion of the priority identification should assign asset values in monetary units. Answers C, D, and A are incorrect. These are invalid options.

You have been asked to implement a system that detects network intrusion attempts and controls access to the network for the intruders. Which system should you implement? A firewall B VPN C IPS D IDS

Answer C is correct. An intrusion prevention system (IPS) detects network intrusion attempts and controls access to the network for the intruders. An IPS is an improvement over an intrusion detection system (IDS) because an IPS actually prevents intrusion. A firewall is a device that is configured to allow or prevent certain communication based on preconfigured filters. A firewall can protect a computer or network from unwanted intrusion using these filters. However, any communication not specifically defined in the filters is either allowed or denied. Firewalls are not used to detect network intrusion. However, firewalls do prevent unwanted communication based on pre-defined rules. An IDS only detects the intrusion and logs the intrusion or notifies the appropriate personnel. A virtual private network (VPN) is a private network that users can connect to over a public network.

Which of the following statements is true related to the RBAC model? A A RBAC model is nonhierarchical. B A RBAC model uses labels. C A RBAC model allows users membership in multiple groups. D A RBAC model allows users membership in a single group.

Answer C is correct. The Role Based Access Control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The Mandatory Access Control (MAC) model uses assigned labels to identify access.

What combination of backup strategies provides the fastest backup creation time? A Partial backups and incremental backups B Full backups and differential backups C Incremental backups and differential backups D Full backups and incremental backups

Answer D is correct. Any backup strategy must include full backups at some point in the process. Incremental backups are created faster than differential backups because of the number of files it is necessary to back up each time.

Which one of the following key types is used to enforce referential integrity between database tables? A Super key B Candidate key C Primary key D Foreign key

Answer D is correct. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship.

According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity? A 20 percent B 40 percent C 60 percent D 80 percent

Answer D is correct. Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.

You are deploying a virtual private network (VPN) for remote users. You want to meet the following goals: the VPN gateway should require the use of Internet Protocol Security (IPSec), all remote users must use IPSec to connect to the VPN gateway, and no internal hosts should use IPSec. Which IPSec mode should you use? A host-to-host B gateway-to-gateway C This configuration is not possible. D host-to-gateway

Answer D is correct. You should deploy host-to-gateway IPSec mode. In this configuration, the VPN gateway requires the use of IPSec for all remote clients. The remote clients use IPSec to connect to the VPN gateway. Any communication between the VPN gateway and the internet hosts on behalf of the remote clients does not use IPSec. Only the traffic over the Internet uses IPSec. In host-to-host IPSec mode, each host must deploy IPSec. This mode would require that any internal hosts that communicate with the VPN clients would need to deploy IPSec. In gateway-to-gateway IPSec mode, the gateways at each end of the connection provide IPSec functionality. The individual hosts do not. For this reason, the VPN is transparent to the users. This deployment best works when a branch office or partner company needs access to your network.

You are responsible for managing the virtual computers on your network. Which guideline is important when managing virtual computers? A Install and update the antivirus program only on the host computer. B Implement a firewall only on the host computer. C Update the operating system and applications only on the host computer. D Isolate the host computer and each virtual computer from each other.

Answer D is correct. You should isolate the host computer and each virtual computer from each other. None of the other statements is correct when managing virtual computers. You should update the operating system and application on the host computer and all virtual computers. You should implement a firewall on the host computer and all virtual computers. You should install and update the antivirus program on the host computer and all virtual computers.

An organization requires that a research facility is protected by the highest form of access control system. The organization decides to implement biometrics. You have been consulted regarding which biometric system to implement. Management wants to minimize privacy intrusion issues for users. Which biometric method should you suggest based on management's concern? A retinal scan B fingerprint C iris scan D voice print

Answer D is correct. You should suggest a voice print biometric system based on management's concern. A voice print is considered less intrusive than the other options given. Both an iris scan and retinal scan are considered more intrusive because of the nature in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint is more intrusive than a voice print. Most people are reluctant to give their fingerprint because fingerprints can be used for law enforcement. A voice print is very easy to obtain. Its primary purpose is to distinguish a person's manner of speaking and voice patterns. Voice print systems are easy to implement as compared to some other biometric methods. Voice prints are usually reliable and flexible.

Which of the following statements regarding cloud computing and grid computing are true? a. Both cloud computing and grid computing are scalable. b. Grid computing is suited for storing objects as small as 1 byte. c. Cloud computing may be more environmentally friendly than grid computing. d. Cloud computing is made up of thin clients, grid computing, and utility computing. A option d B options a and b C options a, b, and c D all of the options E options a, c, and d F option a G option b H option c

Answer E is correct. Both cloud computing and grid computing are scalable. Cloud computing is made up of thin clients, grid computing, and utility computing. Cloud computing may be more environmentally friendly than grid computing. Grid computing is NOT suited for storing objects as small as 1 byte.

At which layer of the OSI model do routers operate? A Session B Physical C Data-link D Transport E Network

Answer E is correct. Routers operate at the Network layer of the OSI networking model. They use source and destination addresses, which are located at the Network layer, to route packets. Switches use MAC addresses, which are located at the Data-link layer, to forward frames. The Session layer starts, maintains, and stops sessions between applications on different network devices. The Physical layer provides the functions to establish and maintain the physical link between network devices. Repeaters work at the Physical layer. The Transport layer of the OSI model segments and reassembles data into a data stream and provides reliable and unreliable end-to-end data transmission. Bridges work at the Data-Link layer.

As part of your organization's security policy, you must monitor access control violations. Which method(s) should you use? a. ACLs b. IDSs c. backups d. audit logs A option d B option c C option b D option a E options b, c, and d only F options b and d only G all of the options

Answer F is correct. Intrusion detection systems (IDSs) and audit logs are used to monitor access control violations. Access control lists (ACLs) are a method of access control; they enforce access decisions but cannot by themselves be used to monitor violations. Backups are a method used to compensate for access violations because they allow you to recover your data. Other compensating measures include business continuity planning and insurance.

Which of the following represents security concerns in cloud computing? a. access of privileged users b. location of data c. segregation of data d. recovery of data A option b B option c C option d D options a and b E options c and d F all of the options G option a

Answer F is correct. The following are security concerns in cloud computing:
Access of privileged users
Location of data
Segregation of data
Recovery of data
Other security concerns in cloud computing include the following:
Support of investigations
Long-term viability
Compliance with governmental and industry regulations

You must ensure that a complete inventory of your organization's assets is maintained. Which components are necessary in the asset management inventory? a. firmware versions b. operating system versions c. application versions d. hardware devices installed A point a B point b C point c D point d E points a and b F points c and d G all of the points

Answer G is correct. All of the points are correct. Asset management must include a complete inventory of hardware and software. This includes firmware version, operating system versions, and application versions. All network hardware and software should be inventoried, including servers, clients, and network devices. Having a comprehensive asset management inventory will ensure that needed security updates will be managed in a controlled manner. Without a comprehensive inventory, security updates may not be deployed to assets that require them, resulting in possible security breaches. Assets are considered the physical and financial assets that are owned by the company. Examples of business assets that could be lost or damaged during a disaster are: Revenues lost during the incident On-going recovery costs Fines and penalties incurred by the event. Competitive advantage, credibility, or good will damaged by the incident

As part of your organization's security policy, you must monitor access control violations. Which method(s) should you use? a. ACLs b. IDSs c. backups d. audit logs A all of the options B option d C option c D option b E option a F options b, c, and d only G options b and d only

Answer G is correct. Intrusion detection systems (IDSs) and audit logs are used to monitor access control violations. Access control lists (ACLs) are a method of access control; they enforce access decisions but cannot by themselves be used to monitor violations. Backups are a method used to compensate for access violations because they allow you to recover your data. Other compensating measures include business continuity planning and insurance.

Which of the following are DoS attacks? (Choose three.) A Teardrop B Spoofing C Ping of death D Smurf

Answers A, C, and D are correct. Teardrop, smurf, and ping of death are all types of denial-of-service (DoS) attacks. Attackers use spoofing to hide their identity in a variety of attacks, but spoofing is not an attack by itself. Note that this question is an example that can easily be changed to a negative type of question such as "Which of the following is not a DoS attack?"

Which types of fire are extinguished by CO2? Each correct answer represents a complete solution. Choose two. A Metal B Electrical C Common combustible D Liquid

Answers B and D are correct. Liquid and electrical fire are extinguished by CO2. Answer C is incorrect. Common combustibles are extinguished by water, soda acid (a dry powder or liquid chemical). Answer A is incorrect. Metal fire is extinguished by dry powder.

architectural layers in the TCP/IP model

Application layer: Provides access to network resources
Transport layer: Responsible for preparing data to be transported across the network
Internet layer: Responsible for logical addressing (such as IP addresses) and routing
Network Access layer: Translates logical network addresses into physical machine addresses

malware types

Backdoor - a developer hook in a system or application that allows developers to circumvent normal authentication
Logic bomb - a program that executes when a certain predefined event occurs
Spyware - a program that monitors and tracks user activities
Trojan horse - a program that infects a system under the guise of another legitimate program

Know various issues related to remote access security

Be familiar with remote access, dial-up connections, screen scrapers, virtual applications/desktops, and general telecommuting security concerns.

Explain the process Bob should use if he wants to send a confidential message to Alice using asymmetric cryptography.

Bob should encrypt the message using Alice's public key and then transmit the encrypted message to Alice. Only Alice's private key can decrypt it, so the message stays confidential even if the ciphertext is intercepted. Encrypting with Bob's own private key would not provide confidentiality, because anyone holding Bob's public key could read the result.

National Information Infrastructure Protection Act of 1996

Broadens the CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce
Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits
Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony

Be able to explain common cryptographic attacks.

Brute-force attacks try every possible key until the correct one is found; the cost grows exponentially with key length. Known plaintext, chosen ciphertext, and chosen plaintext attacks require the attacker to have some extra information in addition to the ciphertext. The meet-in-the-middle attack exploits constructions that apply two rounds of encryption with independent keys (double DES is the classic target): by encrypting forward from the plaintext under every first key and decrypting backward from the ciphertext under every second key, the attacker looks for a matching middle value, reducing the work from 2^(2k) to roughly 2^(k+1) at the cost of memory. The man-in-the-middle attack fools both parties into communicating with the attacker instead of directly with each other. The birthday attack is an attempt to find collisions in hash functions. The replay attack is an attempt to reuse captured authentication requests.
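The meet-in-the-middle attack above, as an added worked example that is not part of the original study set. The toy block cipher, its 12-bit key size and the known-plaintext pairs are all constructed for illustration (a real target would be double DES with 56-bit keys); what carries over is the structure: a forward table under every first-stage key, then a backward pass under every second-stage key looking for a match.

```python
# Meet-in-the-middle against double encryption with a constructed toy cipher.
# The cipher below is NOT a real algorithm; it exists only to make the
# key space small enough to attack in a fraction of a second.
MASK16 = 0xFFFF
MUL = 0x9E37                      # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)   # modular inverse (Python 3.8+)
KEY_BITS = 12                     # 4096 keys per stage, 2^24 key pairs in total


def toy_encrypt(key: int, block: int) -> int:
    """One stage of the toy cipher: XOR key, multiply, add key (all mod 2^16)."""
    x = (block ^ key) & MASK16
    x = (x * MUL) & MASK16
    return (x + key) & MASK16


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt: undo the addition, the multiplication, then the XOR."""
    x = (block - key) & MASK16
    x = (x * MUL_INV) & MASK16
    return x ^ key


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Two rounds with independent keys, the construction MITM targets (cf. 2DES)."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known plaintext/ciphertext pairs.

    Cost: 2 * 2^KEY_BITS cipher operations plus a table lookup per k2,
    instead of the 2^(2*KEY_BITS) double encryptions a naive search needs.
    """
    p0, c0 = pairs[0]
    # Forward pass: encrypt p0 under every k1, indexed by the middle value.
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward pass: decrypt c0 under every k2 and look for a meeting point.
    candidates = []
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(k2, c0)
        for k1 in table.get(mid, ()):
            # With 16-bit blocks one pair leaves about 2^8 false matches,
            # so the remaining pairs are used to discard them.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def demo():
    """Attack a constructed secret key pair using three known plaintexts."""
    secret_k1, secret_k2 = 0x3A5, 0xC17             # unknown to the attacker
    plaintexts = [0x1234, 0xBEEF, 0x0042]           # constructed known plaintexts
    pairs = [(p, double_encrypt(secret_k1, secret_k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in demo()])
```

The forward table costs 2^12 entries here; against double DES it would be 2^56 entries, which is why the attack is described as trading time for memory, and why triple DES with independent keys was adopted instead of double DES.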

Business Continuity and Disaster Recovery Planning

Business Continuity Planning (BCP), along with the Business Impact Assessment (BIA) and the Disaster Recovery Plan (DRP), is the core of this domain. The following topics are included in this domain: Understanding business continuity requirements Conducting business impact analysis Developing a recovery strategy Understanding the disaster recovery process Exercising, assessing, and maintaining the plans

How do change management processes help prevent outages?

Change management processes help prevent outages by ensuring that proposed changes are reviewed and tested before being deployed. They also ensure that changes are documented.

Who Is Responsible for Security

Chief information security officer (CISO): Establishes and maintains security and risk-management programs for information resources.
Information resources manager: Maintains policies and procedures that provide for security and risk management of information resources.
Information resources security officer: Directs policies and procedures designed to protect information resources (identifies vulnerabilities, develops the security awareness program, and so forth).
Owners of information resources: Have the responsibility of carrying out the program that uses the resources. This does not imply personal ownership. These individuals might be regarded as program managers or delegates for the owner.
Custodians of information resources: Provide technical facilities, data processing, and other support services to owners and users of information resources.
Technical managers (network and system administrators): Provide technical support for security of information resources.
Internal auditors: Conduct periodic risk-based reviews of information resources security policies and procedures.
Users: Have access to information resources in accordance with the owner-defined controls and access rules.

Know the threats associated with PBX systems and the countermeasures to PBX fraud

Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls, and physical controls.

Understand data hiding.

Data hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject. It is often a key element in security controls as well as in programming.

Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.

Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system. If a file infector virus strikes the system, this would result in a change in the affected file's hash value and would, therefore, trigger a file integrity alert
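A minimal version of that file-integrity check, added here as a worked example (not Tripwire's own code). The directory tree, the "infected" executable and the dropped file are all constructed inside a temporary directory so the example runs offline; function names are the example's own.

```python
import hashlib
import os
import tempfile


def hash_file(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = hash_file(path)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Report files whose digest changed, plus files that appeared or vanished."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo() -> dict:
    """Build a baseline, then simulate a file infector and re-check (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        files = {
            "bin/ls": b"\x7fELF pretend program bytes for ls",
            "bin/cat": b"\x7fELF pretend program bytes for cat",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        before = build_baseline(root)

        # A file infector appends its code to an executable ...
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"\x90\x90 appended viral code")
        # ... drops a new binary, and deletes another.
        with open(os.path.join(root, "bin", "rootkit"), "wb") as f:
            f.write(b"\x7fELF dropped binary")
        os.remove(os.path.join(root, "bin", "cat"))

        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

Two practical caveats a real deployment adds: the baseline must be stored somewhere the attacker cannot rewrite (off-host or signed), or malware simply updates it; and a production tool also records size, permissions, ownership and timestamps, since a hash alone says nothing about a changed mode bit.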

Know why and how data is classified.

Data is classified to simplify the process of assigning security controls to groups of objects rather than to individual objects. The two common classification schemes are government/military and commercial business/private sector. Know the five levels of government/military classification and the four levels of commercial business/private sector classification.

Understand the information lifecycle

Data needs to be protected throughout its entire lifecycle. This starts by properly classifying and marking data. It also includes properly handling, storing, and destroying data.

Describe the process used to develop a continuity strategy.

During the strategy development phase, the BCP team determines which risks will be mitigated. In the provisions and processes phase, mechanisms and procedures that will mitigate the risks are designed. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.

The following cost functions are related to quantitative risk analysis:

Exposure factor (EF): The percentage of an asset's value that is lost when a particular threat is realized against it.
Single loss expectancy (SLE): The cost of a single realized risk against a particular asset: SLE = asset value (AV) * exposure factor (EF)
Annualized rate of occurrence (ARO): The expected frequency with which a particular threat or risk occurs in a single year.
Annualized loss expectancy (ALE): The yearly cost of all instances of a particular threat against a particular asset: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

degree of a risk

Extreme risk: Immediate action is required.
High risk: Senior management's attention is needed.
Moderate risk: Management responsibility must be specified.
Low risk: Managed by routine procedures.

Computer Security Depends on Two Types of Requirements

Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested. Both sets of requirements are needed to answer the following questions: Does the system do the right things (behave as promised)? Does the system do the right things in the right way?

Health Information Technology for Economic and Clinical Health Act of 2009

In 2009, Congress amended HIPAA by passing the Health Information Technology for Economic and Clinical Health (HITECH) Act. This law updated many of HIPAA's privacy and security requirements and was implemented through the HIPAA Omnibus Rule in 2013.

Describe how to perform the business organization analysis.

In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis is used as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

List the different phases of incident response identified in the CISSP Security Operations domain.

Incident response steps listed in the CISSP Security Operations domain are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.

The formal study of information security has accelerated primarily for what reason?

Increasingly interconnected global networks

terms commonly associated with power issues

Know the definitions of the following: fault, blackout, sag, brownout, spike, surge, inrush, noise, transient, clean, and ground.

authentication services

LDAP (Lightweight Directory Access Protocol): A standardized directory access protocol that enables directory queries
Kerberos: A protocol that provides strong authentication through secret-key cryptography and a trusted third party (the KDC) issuing tickets
Single Sign-On initiatives: Let a user authenticate once and then access every application they are authorized for without logging in again

Know how layering simplifies security

Layering is the use of multiple controls in series. Using a multilayered solution allows for numerous controls to guard against threats

mean time to failure (MTTF)

MTTF is the expected typical functional lifetime of the device given a specific operating environment

The (ISC)2 is a global, not-for-profit organization dedicated to these goals:

Maintaining a Common Body of Knowledge for information security Certifying industry professionals and practitioners according to the international IS standard Administering training and certification examinations Ensuring that credentials are maintained, primarily through continuing education

Name the common methods used to manage sensitive information.

Managing sensitive information includes properly marking, handling, storing, and destroying it based on its classification.

Explain configuration and change control management.

Many outages and incidents can be prevented with effective configuration and change management programs. Configuration management ensures that systems are configured similarly and the configurations of systems are known and documented. Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method. Change management helps reduce outages or weakened security from unauthorized changes. A change management process requires changes to be requested, approved, tested, and documented. Versioning uses a labeling or numbering system to track changes in updated versions of software.

network attacks

Masquerading: Pretends to be someone else to gain unauthorized access to a system
DoS: Renders the target unable to respond to legitimate traffic
Modification: Alters captured packets and then plays them against a system
Replay: Attempts to re-establish a communication session by repeating captured traffic against a system

Be able to explain NAT

NAT hides the internal addressing scheme of a private network, allows the use of private (RFC 1918) IP addresses internally, and enables multiple internal clients to obtain internet access through a few public IP addresses. NAT is supported by many security border devices, such as firewalls, routers, gateways, and proxies. On its own NAT is not a security control: it does not inspect traffic, so it is combined with filtering rather than relied on in place of them.

Types of Disruptive Events (BIA Risks)

Natural events capable of disrupting a business include these:
Earthquakes, fires, floods, mudslides, snow, ice, lightning, hurricanes, and tornadoes
Explosions, chemical fires, hazardous waste spills, and smoke and water damage
Power outages caused by utility failures, high heat and humidity, and solar flares
Events for which man, not nature, is directly responsible can include these:
Strikes, work stoppages, and walkouts
Sabotage, burglary, and other forms of hostile activity
Massive failure of technology, including utility and communication failure caused by human intervention or error

Information Network Institute (INI)

One major educational institution, Carnegie Mellon, established the Information Network Institute (INI) in 1989 as a leading research and education center in the field of information networking.

What should an organization do to verify that accounts are managed properly?

Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management. They can be performed manually or using automation techniques available in some identity and access management (IAM) systems

Understand patch management

Patch management ensures that systems are kept up-to-date with current patches. You should know that an effective patch management program will evaluate, test, approve, and deploy patches. Additionally, be aware that system audits verify the deployment of approved patches to systems. Patch management is often intertwined with change and configuration management to ensure that documentation reflects the changes. When an organization does not have an effective patch management program, it will often experience outages and incidents from known issues that could have been prevented.

Understand the key types used in asymmetric cryptography.

Public keys are freely shared among communicating parties, whereas private keys are kept secret. To encrypt a message, use the recipient's public key. To decrypt a message, use your own private key. To sign a message, use your own private key. To validate a signature, use the sender's public key

Quantitative decision-making:

Quantitative decision-making involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business. To begin the quantitative assessment, the BCP team should sit down and draw up a list of organization assets and then assign an asset value (AV) in monetary terms to each asset. These numbers will be used in the remaining BIA steps to develop a financially based BIA.

Be familiar with the three major public key cryptosystems.

RSA is the most famous public key cryptosystem; it was developed by Rivest, Shamir, and Adleman in 1977. Its security depends on the difficulty of factoring the product of two large prime numbers. ElGamal is an extension of the Diffie-Hellman key exchange algorithm and depends on the difficulty of the discrete logarithm problem in modular arithmetic. Elliptic curve cryptography depends on the elliptic curve discrete logarithm problem and provides equivalent security with much shorter keys than RSA or ElGamal, which is the same as saying it provides more security at the same key length.

Explain the various types of evidence that may be used in a criminal or civil trial.

Real evidence consists of actual objects that can be brought into the courtroom. Documentary evidence consists of written documents that provide insight into the facts. Testimonial evidence consists of verbal or written statements made by witnesses.

Audit access controls

Regular reviews and audits of access control processes help assess the effectiveness of access controls. For example, auditing can track logon success and failure of any account. An intrusion detection system can monitor these logs and easily identify attacks and notify administrators.
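What "monitor these logs and identify attacks" looks like in practice, as an added example that is not part of the original study set. The sshd-style audit lines are constructed, not captured from a real host, and the function and threshold are the example's own: it counts failed logons per (user, source) in a sliding window and flags a success that follows a burst, since that is the case where the guessing may have worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style audit lines for the example; not from a real host.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:03 sshd[101]: Failed password for alice from 203.0.113.7 port 51001 ssh2
2024-05-01T10:00:05 sshd[101]: Failed password for alice from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:07 sshd[101]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2024-05-01T10:00:09 sshd[101]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-05-01T10:00:11 sshd[101]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2024-05-01T10:30:00 sshd[102]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-05-01T10:31:00 sshd[102]: Accepted password for bob from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_events(lines):
    """Yield (timestamp, result, user, source) for every logon line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_logon_abuse(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, source) pairs with >= threshold failures inside a sliding window.

    A success that follows such a burst is the more serious signal, so the
    alert records it separately instead of being suppressed by it.
    """
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, src in parse_events(lines):
        key = (user, src)
        if result == "Failed":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"user": user, "src": src, "failures": len(q),
                               "first": q[0], "last": ts, "success_after_burst": False}
        elif result == "Accepted" and key in alerts:
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_logon_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on (user, source) catches a single attacker hammering one account; password spraying (one password across many accounts from one source) needs the complementary view, keyed on source alone with a count of distinct users.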

basic risk elements

Risk is the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets. Asset valuation identifies the value of assets, threat modeling identifies threats against these assets, and vulnerability analysis identifies weaknesses in an organization's valuable assets. Access aggregation is a type of attack that combines, or aggregates, nonsensitive information to learn sensitive information and is used in reconnaissance attacks.

Email security solutions

S/MIME (Secure Multipurpose Internet Mail Extensions): Offers authentication and confidentiality to email through public key encryption and digital signatures
MOSS (MIME Object Security Services): Provides authentication, confidentiality, integrity, and nonrepudiation for email messages
PGP (Pretty Good Privacy): Uses a variety of encryption algorithms to encrypt files and email messages

Hashing Functions

Secure Hashing Algorithm (SHA) variants are the most common forms of hashing functions you'll encounter with most commercial software

Security administrators

Security administrators work alongside system administrators and database administrators to ensure that an appropriate separation of duties can prevent abuse of privilege when new computer systems are implemented and users begin to access these systems. The security administrators help to establish new user accounts, ensure that auditing mechanisms are present and operating as needed, ensure that communications between systems are securely implemented, and assist in troubleshooting problems and responding to incidents that could compromise confidentiality, integrity, or availability of the systems.

Understand the importance of security audits and reviews

Security audits and reviews help ensure that management programs are effective and being followed. They are commonly associated with account management practices to prevent violations with least privilege or need-to-know principles. However, they can also be performed to oversee patch management, vulnerability management, change management, and configuration management programs.

three types of security controls

Security controls are the basic toolkit for the security practitioner who mixes and matches them to carry out the objectives of confidentiality, integrity, and/or availability by using people, processes, and technology to bring them to life.

Understand security governance.

Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization.

stages of fire

Stage 1: The Incipient Stage. At this stage, there is only air ionization but no smoke.
Stage 2: The Smoke Stage. In Stage 2, smoke is visible from the point of ignition.
Stage 3: The Flame Stage. This is when a flame can be seen with the naked eye.
Stage 4: The Heat Stage. At Stage 4, the fire is considerably further down the timescale, to the point where there is an intense heat buildup and everything in the area burns.

Explain the difference between static and dynamic analysis of application code.

Static analysis examines the code itself without executing it, analyzing the sequence of instructions (source, bytecode, or binary) for security flaws. Dynamic analysis exercises the running program, normally in a test environment that mirrors production rather than in production itself, searching for runtime flaws that only appear with real inputs and state. The two are complementary: static analysis sees every code path but not what values actually flow through them, while dynamic analysis sees real behaviour but only on the paths the test inputs reach.
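A small static analyzer, added here as a worked example (not part of the original study set and not any product's code). It parses Python source into an abstract syntax tree and reports dangerous calls without running anything. The sample source it scans is constructed, and the list of risky calls is the example's own, not an exhaustive rule set.

```python
import ast

# Constructed sample under review (not from the page); line numbers matter for the findings.
SAMPLE_SOURCE = '''\
import os, subprocess
def run(cmd, data):
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"])
    os.system("echo " + cmd)
    return eval(data)
'''

RISKY_CALLS = {
    "eval": "evaluates arbitrary expressions from data",
    "exec": "executes arbitrary code from data",
    "os.system": "runs a shell command string; use subprocess with an argument list",
    "pickle.loads": "unpickling untrusted data executes attacker-chosen code",
    "yaml.load": "yaml.load without a SafeLoader can instantiate arbitrary objects",
}
SHELL_CAPABLE = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                 "subprocess.check_output", "subprocess.check_call"}


def call_name(node: ast.Call):
    """Dotted name of the call target ('subprocess.run', 'eval'), or None if dynamic."""
    f = node.func
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None


def find_risky_calls(source: str):
    """Return (line, call, reason) for each dangerous call found by walking the AST."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, name, RISKY_CALLS[name]))
        elif name in SHELL_CAPABLE:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, name,
                                     "shell=True: the command string is parsed by a shell"))
    return sorted(findings)


if __name__ == "__main__":
    for line, call, reason in find_risky_calls(SAMPLE_SOURCE):
        print(f"line {line}: {call}: {reason}")
```

The limits of the approach are visible in the code: `getattr(os, "system")(cmd)` or an alias such as `run = subprocess.run` produces no finding, because the call target is only known at runtime. That gap is what dynamic analysis (or a much more elaborate data-flow analysis) exists to close.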

gateway firewalls

Static packet-filtering: Filters traffic by examining data from the message header (addresses, ports, protocol) one packet at a time, with no memory of earlier packets
Application-level gateway: A proxy that terminates the client connection, inspects the traffic at the application layer, and then relays it on a new connection into the other network; the most thorough and the slowest type
Circuit-level gateway: Establishes communication sessions (circuits) between trusted partners at the session layer (SOCKS is the common example) without inspecting application content
Stateful inspection: Evaluates the state or context of network traffic, tracking connections so that only packets belonging to an established, permitted session are allowed

Understand the need for strong passwords.

Strong passwords make password-cracking utilities less successful. Strong passwords are long, include multiple character types, and are not words contained in a dictionary (including simple variations such as a capital letter and a trailing digit). Password policies ensure that users create strong passwords. Stored passwords should never be kept in cleartext or in reversibly encrypted form; they should be hashed with a salted, deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt, or Argon2) so that a stolen password database still has to be brute-forced one guess at a time, and they should be sent only over an encrypted channel. Authentication can be strengthened by using an additional factor beyond just passwords.
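The policy check and the storage side of the previous point, as an added example that is not part of the original study set. The tiny dictionary, the rules, the iteration count and the record format are the example's own; PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library, and a real deployment would check against a breached-password list of millions of entries rather than seven words.

```python
import base64
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

# Constructed mini dictionary; a real check uses a breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon", "admin"}


def check_policy(password: str, min_len: int = 12) -> list:
    """Return a list of policy violations (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("fewer than three character classes")
    # Strip digits and punctuation so 'Password123!' is still seen as a dictionary word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash for storage; the record is self-describing so parameters can change later."""
    salt = salt or os.urandom(16)         # per-password random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for pw in ("Password123!", "correct-Horse7-battery"):
        print(pw, "->", check_policy(pw) or "OK")
    record = hash_password("correct-Horse7-battery")
    print(record)
    print(verify_password("correct-Horse7-battery", record), verify_password("wrong", record))
```

Two details worth noticing: the iteration count is stored in the record, so old hashes can be upgraded on the user's next login without a reset; and `hmac.compare_digest` is used instead of `==` so that the comparison time does not leak how many leading bytes of the digest matched.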

Symmetric encryption

Symmetric key cryptosystems (or secret key cryptosystems) rely on the use of a single shared secret key. They are much faster than asymmetric algorithms, but they lack support for scalability (every pair of communicating parties needs its own key), easy key distribution, and nonrepudiation. DES, 3DES, and AES are examples. Symmetric encryption is a two-way algorithm because the mathematical operations are reversed when decrypting the message using the same secret key. Symmetric encryption is also known as private-key encryption and secret-key encryption.

Speeds of Connection Types

T1 1.544 Mbps
E1 2.048 Mbps
T3 44.736 Mbps
E3 34.368 Mbps
E4 139.264 Mbps

list the technical physical security controls

Technical physical security controls can be access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.

Business Impact Analysis

The BIA identifies the risks that specific threats pose to the business, quantifies the risks, establishes priorities, and performs a cost/benefit analysis for countering risks. In pursuit of these goals, these are the three most important steps:
Prioritize the business processes.
After critical processes have been identified and prioritized, determine how long each process can be down before business continuity is seriously compromised.
Identify the resources required to support the most critical processes.
The committee responsible for drafting the BIA must present it to the executive team for evaluation and recommendation when it is complete.

Communications Assistance for Law Enforcement Act (CALEA) of 1994

The Communications Assistance for Law Enforcement Act (CALEA) of 1994 amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

Know the components of the Digital Signature Standard (DSS).

The Digital Signature Standard (FIPS 186) uses the SHA-2 or SHA-3 message digest functions (SHA-1 is no longer approved for generating new signatures) along with one of three signature algorithms: the Digital Signature Algorithm (DSA); the Rivest, Shamir, Adleman (RSA) algorithm; or the Elliptic Curve DSA (ECDSA) algorithm. These are signature algorithms, not encryption algorithms: DSA and ECDSA cannot encrypt data at all. The current revision, FIPS 186-5, additionally approves EdDSA and withdraws DSA for creating new signatures.

Economic Espionage Act of 1996

The Economic Espionage Act of 1996 extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints.

Electronic Communications Privacy Act of 1986

The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual. This act broadened the Federal Wiretap Act, which previously covered communications traveling via a physical wire, to apply to any illegal interception of electronic communications or to the intentional, unauthorized access of electronically stored data. It prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal. It protects against the monitoring of email and voicemail communications and prevents providers of those services from making unauthorized disclosures of their content.

The Trusted Network Interpretation of the TCSEC

The Trusted Network Interpretation (TNI) of the TCSEC is also referred to as the Red Book of the Rainbow Series. The TNI restates the requirements of the TCSEC in a network context as contrasted with TCSEC on stand-alone and non-networked environments. For more information on the purpose and meaning of TNI, consult the Rainbow Books description of TNI at Trusted Network Interpretation.

Encrypt the message "I will pass the CISSP exam and become certified next month" using columnar transposition with the keyword SECURE.

The first step in encrypting this message requires the assignment of numeric column values to the letters of the secret keyword (when a letter repeats, as E does here, the leftmost occurrence gets the lower number):

S E C U R E
5 2 1 6 4 3

Next, the letters of the message are written in order underneath the letters of the keyword:

S E C U R E
5 2 1 6 4 3
I W I L L P
A S S T H E
C I S S P E
X A M A N D
B E C O M E
C E R T I F
I E D N E X
T M O N T H

Finally, the sender enciphers the message by reading down each column; the order in which the columns are read corresponds to the numbers assigned in the first step (column C first, then the first E, the second E, R, S, and U). Shown here with a space after each column, this produces the following ciphertext:

ISSMCRDO WSIAEEEM PEEDEFXH LHPNMIET IACXBCIT LTSAOTNN
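The same columnar transposition in code, added here as a worked example (not part of the original study set). It reproduces the keyword numbering and the ciphertext above, and it also handles the case the worked example happens to avoid: a message whose length is not a multiple of the keyword length, where the last row is short and the decrypter must work out the column lengths before it can rebuild the grid.

```python
def key_order(keyword: str) -> list:
    """Column indices in read-out order: alphabetical, repeated letters left to right.
    For SECURE this is [2, 1, 5, 4, 0, 3], the numbering 5 2 1 6 4 3 in the worked example."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def normalize(text: str) -> str:
    """Keep letters only, uppercased, as the worked example does."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def encrypt(plaintext: str, keyword: str) -> str:
    """Write the message row by row under the keyword, then read columns in key order."""
    text = normalize(plaintext)
    width = len(keyword)
    columns = [text[i::width] for i in range(width)]     # column i = every width-th letter
    return "".join(columns[i] for i in key_order(keyword))


def decrypt(ciphertext: str, keyword: str) -> str:
    """Rebuild the columns (the last row may be short) and read the grid row by row."""
    width = len(keyword)
    full_rows, extra = divmod(len(ciphertext), width)
    lengths = [full_rows + (1 if i < extra else 0) for i in range(width)]
    columns = [""] * width
    pos = 0
    for i in key_order(keyword):                         # cut the ciphertext in read order
        columns[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    rows = full_rows + (1 if extra else 0)
    return "".join(columns[i][r] for r in range(rows) for i in range(width) if r < lengths[i])


PLAINTEXT = "I will pass the CISSP exam and become certified next month"
KEYWORD = "SECURE"

if __name__ == "__main__":
    c = encrypt(PLAINTEXT, KEYWORD)
    print(" ".join(c[i:i + 8] for i in range(0, len(c), 8)))
    print(decrypt(c, KEYWORD))
```

Because a transposition only reorders letters, the ciphertext has exactly the letter frequencies of the plaintext (the E count above is unchanged); that is the property an analyst uses to tell a transposition from a substitution before trying to recover the column order.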

Crime Prevention through Environmental Design (CPTED)

The guiding idea is to structure the physical environment and surroundings to influence individual decisions that potential offenders make before committing any criminal acts.

What are the major categories of computer crime?

The major categories of computer crime are military/intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, and thrill attacks.

What is the major hurdle preventing the widespread adoption of one-time pad cryptosystems to ensure data confidentiality?

The major obstacle to the widespread adoption of one-time pad cryptosystems is the difficulty of creating and securely distributing the very lengthy keys on which the algorithm depends: the key must be truly random, at least as long as the message, and never reused.

What is the main purpose of a primary key in a database table?

The primary key uniquely identifies each row in the table. For example, an employee identification number might be the primary key for a table containing information about employees

What is the primary objective of data classification schemes? A To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity B To establish a transaction trail for auditing accountability C To manipulate access controls to provide for the most efficient means to grant or restrict functionality D To control access to objects for authorized subjects

The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

Understand key security roles

The primary security roles are senior manager, organizational owner, upper management, security professional, user, data owner, data custodian, and auditor. By creating a security role hierarchy, you limit risk overall.

What should be the role of the management in developing an information security program? A It is mandatory. B It is limited to the sanctioning of funds. C It is not required at all. D It should be minimal.

The role of the management in developing an information security program is mandatory. The primary purpose of security management is to protect the information assets of the organization.

three categories of security controls implemented to manage physical security

The security controls implemented to manage physical security can be divided into three groups: administrative, technical, and physical. Understand when and how to use each, and be able to list examples of each kind.

What are the three classic ways of authenticating yourself to the computer security software?

There are three common factors used for authentication: something you know (such as a password); something you have (such as a smart card); something you are (such as a fingerprint or other biometric method).

how to design and configure secure work areas

There should not be equal access to all locations within a facility. Areas that contain assets of higher value or importance should have restricted access. Valuable and confidential assets should be located in the heart or center of protection provided by a facility. Also, centralized server or computer rooms need not be human compatible.

Be familiar with the various protocols and mechanisms that may be used on LANs and WANs for data communications.

These are SKIP, SWIPE, SSL, SET, PPP, SLIP, CHAP, PAP, EAP, and S-RPC. They can also include VPN, TLS/SSL, and VLAN.

Legal Regulations, Investigations, and Compliance

This domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security. Other topics included in this domain are: understanding legal issues that pertain to information security internationally; adopting professional ethics; understanding and supporting investigations; understanding forensic procedures; following compliance requirements and procedures; and ensuring security in contractual agreements and procurement processes (such as cloud computing, outsourcing, and vendor governance).

Operations Security

This domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges. Specific topics include: understanding security operations concepts (need-to-know, separation of duties, and so on); employing resource protection; managing incident response; implementing preventive measures against attacks; implementing and supporting patch and vulnerability management; understanding change and configuration management; and understanding system resilience and fault-tolerance requirements.

Dumpster diving:

This no-tech criminal technique is a major contributor to identity theft. A criminal simply digs through trash and recycling bins looking for receipts, checks, and other personal and sensitive information. (If you don't shred all your receipts or lock up the recycling bin where you dispose of protected information, someone might be rummaging through your personal or proprietary information at this very moment.)

Know the basic requirements for evidence to be admissible in a court of law

To be admissible, evidence must be relevant to a fact at issue in the case, the fact must be material to the case, and the evidence must be competent or legally collected.

What are the three basic requirements that evidence must meet in order to be admissible in court?

To be admissible, evidence must be relevant, material, and competent (that is, reliable and legally collected).

Explain how an attacker might construct a rainbow table.

To construct a rainbow table, the attacker follows this process: a. Obtain or develop a list of commonly used passwords. b. Determine the hashing function used by the password mechanism (and confirm that no per-user salt is applied, because a salt makes precomputation useless). c. Compute the hash value of each password on the list and store it with the password. The result of this operation is a precomputed lookup table; a true rainbow table stores the same information more compactly as chains of alternating hash and reduction operations, but it is built from the same inputs and consulted the same way: stored hash in, password out.

Know the elements of a formalized security policy structure

To create a comprehensive security plan, you need the following items in place: security policy, standards, baselines, guidelines, and procedures. Such documentation clearly states security requirements and creates due diligence on the part of the responsible parties.

Understand how digital signatures are generated and verified.

To digitally sign a message, first use a hashing function to generate a message digest. Then encrypt the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender's public key and then compare the message digest to one you generate yourself. If they match, the message is authentic.

Physical (Environmental) Security

Topics covered in this domain include securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth. Topics include: understanding site and facility design considerations; supporting the implementation and operation of perimeter security (physical access controls and monitoring, keys, locks, safes, and so on); supporting the implementation and operation of facilities security (badges, smart cards, PINs, and so on); supporting the protection and securing of equipment; and understanding personnel privacy and safety (duress, travel, and so on).

Trike

Trike is another threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability). Trike provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. Trike is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions.

Rings of Trust

Trust in a system moves from the outside to the inside in a unidirectional mode. The ring model of security was originally derived from the concept of execution domains developed by the Multics project.

Know what tunneling is.

Tunneling is the encapsulation of a protocol-deliverable message within a second protocol. The second protocol often performs encryption to protect the message contents.

Social engineering:

Using deception, the attacker solicits information such as passwords or personal identification numbers (PINs) from unwitting victims. For example, a thief might call a help desk pretending to be a user whose password needs resetting.

Wireless Encryption Protocols

WEP: uses a 40-bit or 104-bit key with the RC4 cipher and is cryptographically broken; it should not be used. WPA/WPA2 Personal: uses a 256-bit pre-shared key derived from the passphrase. WPA/WPA2 Enterprise: requires a RADIUS server for 802.1X/EAP authentication of each user.

need to manage water leakage and flooding

Water leakage and flooding should be addressed in your environmental safety policy and procedures. Plumbing leaks are not an everyday occurrence, but when they occur, they often cause significant damage. Water and electricity don't mix. If your computer systems come in contact with water, especially while they are operating, damage is sure to occur. Whenever possible, locate server rooms and critical computer equipment away from any water source or transport pipes.

Know how cryptographic salts improve the security of password hashing.

When straightforward hashing is used to store passwords in a password file, attackers may use rainbow tables of precomputed values to identify commonly used passwords. Adding a unique, random salt to each password before hashing it defeats precomputation (the table would have to be rebuilt for every salt) and ensures that two users with the same password do not share the same stored hash. Common password hashing algorithms that combine a salt with key stretching, to further increase the cost of each guess, include PBKDF2, bcrypt, and scrypt.
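The two cards above (building a precomputed table and defeating it with salts) demonstrated together, as an added example that is not part of the original study set. The password list and the user records are constructed for the example; the function names are assumptions. The table is a plain digest-to-password dictionary rather than a chained rainbow table, which is enough to show why an unsalted store falls to precomputation and a salted one does not.

```python
import hashlib
import secrets

# Added example. Constructed data: a tiny "commonly used password" list; no real
# credential store is involved.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Summer2024!"]


def build_lookup_table(passwords, algorithm="sha256"):
    """Hash every candidate once and index digest -> password (the attacker's precomputation).
    A true rainbow table compresses this with hash/reduction chains; the lookup logic is the same."""
    return {hashlib.new(algorithm, pw.encode()).hexdigest(): pw for pw in passwords}


def crack_with_table(stored_hash, table):
    """O(1) lookup of a stolen digest: returns the password or None."""
    return table.get(stored_hash)


def hash_unsalted(password):
    """What a naive password store does: same password -> same digest everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Salted SHA-256: same password + different salt -> different digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_stretched(password, salt, iterations=600_000):
    """PBKDF2-HMAC-SHA256: the salt defeats precomputation, the iteration count
    makes every guess in an offline attack cost ~iterations hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo():
    """Returns (unsalted_crack_result, salted_crack_result, same_digest_for_two_users)."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted store: one precomputed table cracks every user who chose a common password.
    unsalted_record = hash_unsalted("password")
    unsalted_result = crack_with_table(unsalted_record, table)

    # Salted store: the table was built without the salt, so it never matches.
    salt = secrets.token_bytes(16)
    salted_record = hash_salted("password", salt)
    salted_result = crack_with_table(salted_record, table)

    # Two users with the same password no longer share a digest either.
    same_digest = hash_salted("password", secrets.token_bytes(16)) == salted_record
    return unsalted_result, salted_result, same_digest


if __name__ == "__main__":
    print(demo())   # ('password', None, False)
```

The salt must be stored next to the hash (it is not a secret); its job is to make every user's hash a separate precomputation problem. Salting alone does not slow down a targeted offline guess, which is why the stored value should come from a deliberately slow function such as `hash_stretched` rather than a single SHA-256 call.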

Understand work function (work factor)

Work function, or work factor, is a way to measure the strength of a cryptography system by measuring the effort in terms of cost and/or time to decrypt messages. Usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents. The security and protection offered by a cryptosystem is directly proportional to the value of its work function/factor.

Know how to investigate intrusions and how to gather sufficient information from the equipment, software, and data.

You must have possession of equipment, software, or data to analyze it and use it as evidence. You must acquire the evidence without modifying it or allowing anyone else to modify it.

Understand the concept of zero-knowledge proof.

Zero-knowledge proof is a communication concept in which one party (the prover) convinces another (the verifier) that it knows a secret, such as a private key or a password, without revealing the secret itself; the verifier learns only that the claim is true. Challenge-response authentication and digital signatures rely on the related idea of proving possession of a private key without ever transmitting it.
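The exchange described above, as an added example that is not part of the original study set: Schnorr's identification protocol with both sides' messages. The group parameters are a deliberately tiny toy (p = 1019 is a safe prime, 1019 = 2 * 509 + 1, and g = 4 generates the subgroup of prime order 509), so the secret could be brute-forced instantly; only the protocol logic is meaningful. A real deployment would use a 256-bit elliptic-curve group or a 2048-bit or larger MODP group. All names and parameters are assumptions made for the example.

```python
import secrets

# Added example: Schnorr zero-knowledge identification in a TOY group.
# p = 1019 (safe prime), q = 509 (prime order of the subgroup), g = 4 (generator of it).
P, Q, G = 1019, 509, 4


def keygen():
    """Prover's secret x and public value y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def prover_commit():
    """Round 1 (prover -> verifier): commitment t = g^r for a fresh random r.
    r must never be reused: two responses with the same r and different
    challenges reveal x = (s1 - s2) / (c1 - c2) mod q."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2 (verifier -> prover): random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3 (prover -> verifier): s = r + c*x mod q. x itself never leaves the prover."""
    return (r + c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c mod p (holds exactly when s was built from the real x)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x, y, rounds=20):
    """Honest prover convinces the verifier. A cheater who guesses c in advance
    succeeds in one round with probability 1/q, so repeat (or use a large q)."""
    for _ in range(rounds):
        r, t = prover_commit()
        c = verifier_challenge()
        s = prover_respond(x, r, c)
        if not verifier_check(y, t, c, s):
            return False
    return True


def simulate_transcript(y, c):
    """Why it is zero-knowledge: anyone can forge an accepting (t, c, s) for a
    chosen c WITHOUT x by picking s first and solving for t = g^s * y^(-c).
    A transcript therefore proves nothing to a third party and leaks nothing about x;
    only the live, unpredictable challenge makes the proof convincing."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_protocol(x, y))              # True
    t, c, s = simulate_transcript(y, 42)
    print("forged transcript verifies:", verifier_check(y, t, c, s))  # True
```

The verifier checks only a relation between public values (t, y, c, s); the secret x is blinded by the random r in s = r + c*x, which is why the transcript can be simulated without x.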

three groups of physical security

administrative, technical, and physical.

mandatory access control (MAC)

(also called nondiscretionary access control) is a model in which the system, not the resource owner, decides who gains access to information based on the concepts of subjects, objects, and labels. MAC is most often used in military and governmental systems and is rarely seen in the commercial world. In a MAC environment, objects (including data) are labeled with a classification (Secret, Top Secret, and so forth), and subjects, or users, must hold a clearance at or above that classification to access them.

Shared-site agreements

are arrangements between companies with similar (if not identical) data processing centers. This compatibility in hardware, software, and services allows companies that enter into an agreement to back up each other when one partner has an emergency. Instead of having to build an entire infrastructure to back up its applications and data, Company A enters into an agreement with Company B to share resources in case of a disaster. Such an arrangement can save substantial time and money because the computers and software already exist and do not have to be procured

Policymakers and standards developers

are the people who look to outside regulators and executive management to set the tone and establish the specific rules of the road when interacting with or managing information systems. Policymakers formally encode the policies or management intentions in how information will be secured.

Security testers

are the white-hat hackers paid to test the security of newly acquired and newly developed or redeveloped systems. Testers who can mimic the activities of outside hackers are hired to find software problems and bugs before the system is made available. Their work reduces the likelihood that the system will be compromised when it's in day-to-day operating mode.

Gas discharge systems

are usually more effective than water discharge systems. However, gas discharge systems should not be used in environments in which people are located. Many gas discharge agents (carbon dioxide in particular) suppress fire by displacing the oxygen in the air, which makes them hazardous to personnel; even so-called clean agents require the area to be evacuated before discharge.

Encryption

art and science of hiding the meaning or intent of a communication from unintended recipients

Secure Electronic Transactions (SET)

was developed in 1997 to provide protection from electronic payment fraud. SET uses the Data Encryption Standard (DES) to encrypt credit card information transfers and RSA for key exchange. SET provides the security for both internet-based credit card transactions and credit card swipe systems in retail stores.

man-in-the-middle (MITM)

attack occurs when a malicious user can gain a position logically between the two endpoints of an ongoing communication. There are two types of man-in-the-middle attacks. One involves copying or sniffing the traffic between two parties, which is basically a passive sniffer attack. The other type involves attackers positioning themselves in the line of communication, where they act as a store-and-forward or proxy mechanism and can read or alter traffic in transit.

Export Administration Regulations (EAR)

cover a broader set of items that are designed for commercial use but may have military applications. Items covered by EAR appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce. Notably, EAR includes an entire category covering information security products.

Trademarks

U.S. federal trademark law (the Lanham Act) defines a trademark as "any word, name, symbol, or device, or any combination thereof" that the individual intends to use commercially and wants to distinguish as coming from a unique source.

Assurance requirements

describe how the functional requirements should be implemented and tested. They are needed to answer the question: Does the system do the right things in the right way?

Functional requirements

describe what a system should do by design. They are needed to answer the question: Does the system do the right things?

disaster recovery plan (DRP)

describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations.

discretionary access control (DAC)

dictates that the information owner is the one who decides who gets to access the system(s). This is how most corporate systems operate. DAC authority can be delegated to others who then are responsible for user setup, revocation, and changes (department moves, promotions, and so forth). Most of the common operating systems on the market today (Windows, Mac OS X, UNIX, Novell's NetWare, and so forth) rely on DAC principles for access and operation.

Role-based access control (RBAC)

groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by simply assigning users to a group and then assigning rights to the group for access control purposes.

Open Web Application Security Project (OWASP)

has the goal of improving security for software applications and products. It is a community project with different types of initiatives such as incubator projects, laboratory projects, and flagship projects intended to evolve the software process. It is also an organization that provides unbiased, practical, and cost-effective information about computer and internet applications.

Software as a service(SaaS)

builds on the PaaS model one level higher. SaaS provides on-demand online access to specific software applications or suites without the need for local installation. In many cases, there are few local hardware and OS limitations. SaaS can be implemented as a subscription service (for example, Microsoft Office 365), a pay-as-you-go service, or a free service (for example, Google Docs).

type II hypervisor

is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and then the hypervisor is installed as another software application. Type II hypervisors are often used in relation to desktop deployments, where the guest OSs offer safe sandbox areas to test new code, allow the execution of legacy applications, support apps from alternate OSs, and provide the user with access to the capabilities of a host OS.

access control list (ACL)

is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to the object, as well as what operations are allowed on it. Each entry pairs a user (or group) ID with the privilege or set of privileges that identity holds for that resource.

cloud access security broker (CASB)

is a security policy enforcement solution that may be installed on-premises, or it may be cloud-based. The goal of a CASB is to enforce and ensure that proper security measures are implemented between a cloud solution and a customer organization.

hash

is a transformation of data into a fixed-length digest that, for practical purposes, is unique to the input data. This is a one-way function: it is easy to compute and infeasible to reverse, and a good hash also makes it infeasible to find two different inputs that produce the same digest.

Administrative law

is the body of rules and regulations issued by government agencies under authority delegated to them by statute. (Some texts link it to the older concept of natural justice, which we owe to the Romans, who believed certain legal principles were "natural" or self-evident and did not need to be codified by statute.) Disputes under administrative law are resolved before an administrative tribunal, not in a court.

single point of failure (SPOF)

is any component that can cause an entire system to fail. If a computer has data on a single disk, failure of the disk can cause the computer to fail, so the disk is a single point of failure. If a database-dependent website includes multiple web servers all served by a single database server, the database server is a single point of failure.

Application layer (layer 7)

is the highest layer in the stack and the one most directly related to the computer user; the unit of data it handles is called the data stream. It provides several application services, such as file transfer, resource allocation, and the identification and verification of computer availability. Each time you send an email, you are invoking protocols at the Application Layer.

DREAD rating system

is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat: Damage potential: How severe is the damage likely to be if the threat is realized? Reproducibility: How complicated is it for attackers to reproduce the exploit? Exploitability: How hard is it to perform the attack? Affected users: How many users are likely to be affected by the attack (as a percentage)? Discoverability: How hard is it for an attacker to discover the weakness?

ethical conduct

is expected of all IS specialists, helps define a high moral code of professional behavior, and speaks to the credibility of the individual.

Piggybacking

is following someone through a secured gate or doorway without being identified or authorized personally.

Defense in depth is needed to ensure that which three mandatory activities are present in a security system?

is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response.

Confidentiality

is supported by the principle of least privilege, meaning that users should be given only enough privilege to perform their duties, and no more. Some other synonyms for confidentiality you might encounter include privacy, secrecy, and discretion. Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs and passwords, access control lists, and encryption.

Rijndael encryption

is the block cipher algorithm chosen in 2001 by the National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES). AES uses a 128-bit block with 128-, 192-, or 256-bit keys and supersedes the Data Encryption Standard (DES).

Transparency

is the characteristic of a service, security control, or access mechanism that ensures that it is unseen by users. It is often a desirable feature for security controls. The more transparent a security mechanism is, the less likely a user will be able to circumvent it or even be aware that it exists.

Security governance

is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Ultimately, security governance is the implementation of a security solution and a management method that are tightly interconnected. Security governance directly oversees and gets involved in all levels of security.

single loss expectancy (SLE)

is the monetary loss that is expected each time the risk materializes. You can compute the SLE using the following formula: SLE = AV x EF, where AV is the asset value and EF is the exposure factor (the percentage of the asset's value lost in a single occurrence).

Data Classification or categorization

is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities. These similarities could include value, cost, sensitivity, risk, vulnerability, power, privilege, possible levels of loss or damage, or need to know. Benefits of using a data classification scheme: (1) it demonstrates an organization's commitment to protecting valuable resources and assets; (2) it assists in identifying those assets that are most critical or valuable to the organization; (3) it lends credence to the selection of protection mechanisms; (4) it is often required for regulatory compliance or legal restrictions; (5) it helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable; (6) it helps with data lifecycle management, which in part is the storage length (retention), usage, and destruction of the data. To implement a classification scheme, you must perform seven major steps, or phases: (1) identify the custodian, and define their responsibilities; (2) specify the evaluation criteria of how the information will be classified and labeled; (3) classify and label each resource (the owner conducts this step, but a supervisor should review it); (4) document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria; (5) select the security controls that will be applied to each classification level to provide the necessary level of protection; (6) specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity; (7) create an enterprise-wide awareness program to instruct all personnel about the classification system.

Secure/Multipurpose Internet Mail Extensions (S/MIME)

offers another standard for electronic mail encryption and digital signatures. S/MIME, along with a version of PGP called Open PGP, were implemented in the original Netscape Communications Corporation web browsers. Unfortunately, the dual electronic mail encryption standards created problems with users.

The Security Architecture and Design domain

one of the more technical areas of study within the CBK, discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability. Topics include: understanding the fundamental concepts of security models (confidentiality models, integrity models, and multilevel models); identifying the components of information systems security evaluation models (such as Common Criteria); understanding security capabilities of information systems (memory protection, trusted platform modules, and so on); pinpointing the vulnerabilities of security architectures; recognizing software and system vulnerabilities and threats; and understanding countermeasure principles (such as defense in depth).

statutory laws

passed by the House of Representatives and the Senate, is a law written through the act of a legislature declaring, commanding, or prohibiting something. Statutes are first published chronologically, in the order in which they are enacted, as session laws, and are then arranged by subject matter in codes. Federal and state law codes incorporate statutes into the body of laws, and the judiciary system interprets and enforces them. State statutes govern matters such as wills, probate administration, and corporate law; federal statutes cover matters such as patent, copyright, and trademark laws.

IPSec (Internet Protocol Security)

provides an enhanced level of security on VPN connections by providing authentication, integrity protection, and encryption at the network (IP) layer through its Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. IPsec is a security architecture framework that supports secure communication over IP. Compression is not part of IPsec itself; IP payload compression (IPComp) is a separate protocol that can be applied before ESP encryption.

three overall categories of security policies:

regulatory, advisory, and informative. A regulatory policy is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance. An advisory policy discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management's desires for security and compliance within an organization. Most policies are advisory. An informative policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. An informative policy provides support, research, or background information relevant to the specific elements of the overall policy.

Federal Information Security Management Act (FISMA)

requires that federal agencies implement an information security program that covers the agency's operations. FISMA also requires that government agencies include the activities of contractors in their security management programs. FISMA (2002) repealed and replaced two earlier laws: the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000. The National Institute of Standards and Technology (NIST) is responsible for developing the FISMA implementation guidelines.

wiring closet

Security policy rules for a wiring closet: have adequate locks; never use the wiring closet as a general storage area; use a door-open sensor to log entries; perform regular physical inspections of the wiring closet's security and contents; do not store flammable items in the area; keep the area tidy.

TCB: Hardware segmentation

specifically relates to the segmentation of memory into protected segments. The kernel allocates the required amount of memory for the process to load its application code, its process data, and its application data. The system prevents user processes from accessing another process's allocated memory. It also prevents user processes from accessing system memory.

Infrastructure as a service(IaaS)

takes the PaaS model yet another step forward and provides not just on-demand operating solutions but complete outsourcing options. This can include utility or metered computing services, administrative task automation, dynamic scaling, virtualization services, policy implementation and management services, and managed/filtered internet connectivity. Ultimately, IaaS allows an enterprise to scale up new software or data-based services/solutions through cloud systems quickly and without having to install massive hardware locally.

information security (InfoSec)

team should be led by a designated chief information security officer (CISO) who must report directly to senior management. Placing the autonomy of the CISO and the CISO's team outside the typical hierarchical structure in an organization can improve security management across the entire organization. It also helps to avoid cross-department and internal political issues.

System resilience refers

to the ability of a system to maintain an acceptable level of service during an adverse event. This could be a hardware fault managed by fault-tolerant components, or it could be an attack managed by other controls such as effective intrusion detection and prevention systems. In some contexts, it refers to the ability of a system to return to a previous state after an adverse event. For example, if a primary server in a failover cluster fails, fault tolerance ensures that the system fails over to another server. System resilience implies that the cluster can fail back to the original server after the original server is repaired

Data Link Layer (layer 2)

transfers units of information (frames) to the other end of the physical link. Protocols at this level establish communication links between devices over a physical link or channel, packaging data into frames and handing them to the lowest layer, the Physical Layer, which converts them into bit streams. 802.11 wireless LANs operate at Layer 2 and Layer 1.

Presentation Layer (Layer 6)

translates or "presents" data to the Application Layer. Data encryption and decryption occur in this layer along with data translation. Whenever you view a photograph in JPEG format on the Internet, watch a video someone has sent you in MPEG format, or listen to an MP3 file , you are interacting with OSI Presentation Layer protocol services.

Be able to explain nonrepudiation

Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred. It prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

Understand social engineering

A social-engineering attack is an attempt by an attacker to convince someone to provide information (such as a password) or perform an action they wouldn't normally perform (such as clicking on a malicious link), resulting in a security compromise. Social engineers often try to gain access to the IT infrastructure or the physical facility. User education is an effective tool to prevent the success of social-engineering attacks.

Evaluation Assurance Levels

:Evaluation Assurance Level 1: EAL1 applies when some confidence in correct operation is required, but the threats to security are not viewed as serious. Evaluation Assurance Level 2: EAL2 requires a developer's cooperation in terms of the delivery of design information and test results, but it does not demand more effort from the developer than is consistent with good commercial practice; it also should not require a substantially increased investment of money or time. Evaluation Assurance Level 3: EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. EAL3 applies when developers or users require a moderate level of independently assured security; it requires a thorough investigation of the TOE and its development without substantial reengineering. Evaluation Assurance Level 4: EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices that, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is applicable when developers or users require a moderate to high level of independently assured security in conventional off-the-shelf TOEs. Additional security-specific engineering costs could be involved. Evaluation Assurance Level 5: EAL5 permits a developer to gain maximum assurance from security engineering based on rigorous commercial development practices supported by moderate application of specialist security engineering techniques. EAL5 is applicable when developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs for special security engineering techniques. 
Evaluation Assurance Level 6: EAL6 permits developers to gain high assurance from applying security engineering techniques to a rigorous development environment, to produce a premium TOE for protecting high-value assets against significant risks. EAL6 is applicable to developing security TOEs in high-risk situations, when the value of the protected assets justifies additional costs. Evaluation Assurance Level 7: EAL7 applies to the development of security TOEs for application in extremely high-risk situations, when the value of such assets justifies the costs for higher assurance levels.

Understand the difference between dedicated and nondedicated lines

A dedicated line is always on and is reserved for a specific customer. Examples of dedicated lines include T1, T3, E1, E3, and cable modems. A nondedicated line requires a connection to be established before data transmission can occur. It can be used to connect with any remote system that uses the same type of nondedicated line. Standard modems, DSL, and ISDN are examples of nondedicated lines.

Understand man-in-the-middle attacks

A man-in-the-middle attack occurs when a malicious user is able to gain a logical position between the two endpoints of a communications link. Although it takes a significant amount of sophistication on the part of an attacker to complete a man-in-the middle attack, the amount of data obtained from the attack can be significant.

difference between identification and authentication

Access controls depend on effective identification and authentication, so it's important to understand the differences between them. Subjects claim an identity, and identification can be as simple as a username for a user. Subjects prove their identity by providing authentication credentials such as the matching password for a username.

Understand the importance of accountability

An organization's security policy can be properly enforced only if accountability is maintained. In other words, security can be maintained only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject's identity and track their activities.

What is the proper range for a Class C IP network? A 1.0.0.0 - 126.0.0.0 B 240.0.0.0 - 255.0.0.0 C 224.0.0.0 - 239.0.0.0 D 192.0.0.0 - 223.255.255.0

Answer D is correct. 192.0.0.0 - 223.255.255.0 is the proper range for a Class C IP network.

designing a PBX security solution

Block or disable any unassigned access codes or accounts. Keep the system current with vendor/service provider updates. Define an acceptable use policy and train users on how to properly use the system. Restrict dial-in and dial-out features to authorized individuals who require such functionality for their work tasks. Log and audit all activities on the PBX and review the audit trails for security and use violations.

Know how brute-force and dictionary attacks work

Brute-force and dictionary attacks are carried out against a stolen password database file or the logon prompt of a system. They are designed to discover passwords. In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack. Account lockout controls prevent their effectiveness against online attacks.

closed circuit television (CCTV)

CCTV enables you to compare the audit trails and access logs with a visual recording of the events.

Be able to explain the concepts of change control and change management

Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change.

implementation methods of access controls

Controls are implemented as administrative, logical/technical, or physical controls. Administrative (or management) controls include policies or procedures to implement and enforce overall access control. Logical/technical controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Physical controls include physical barriers deployed to prevent direct contact with and access to systems or areas within a facility.

Know the fundamental requirements of a hash function.

Good hash functions have five requirements. They must allow input of any length, provide fixed-length output, make it relatively easy to compute the hash function for any input, provide one-way functionality, and be collision free.

Know the various types of WAN technologies.

Know that most WAN technologies require a channel service unit/data service unit (CSU/DSU), sometimes called a WAN switch. There are many types of carrier networks and WAN connection technologies, such as X.25, Frame Relay, ATM, SMDS, SDH, and SONET. Some WAN connection technologies require additional specialized protocols to support various types of specialized systems or devices.

STRIDE threat model

Spoofing: An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against Internet Protocol (IP) addresses, MAC addresses, usernames, system names, wireless network service set identifiers (SSIDs), email addresses, and many other types of logical identification. When an attacker spoofs their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access. Once a spoofing attack has successfully granted an attacker access to a target system, subsequent attacks of abuse, data theft, or privilege escalation can be initiated.
Tampering: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
Repudiation: The ability of a user or attacker to deny having performed an action or activity. Often attackers engage in repudiation attacks in order to maintain plausible deniability so as not to be held accountable for their actions. Repudiation attacks can also result in innocent third parties being blamed for security violations.
Information disclosure: The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. This could include customer identity information, financial information, or proprietary business operation details. Information disclosure can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in Hypertext Markup Language (HTML) documents), using hidden form fields, or allowing overly detailed error messages to be shown to users.
Denial of service (DoS): An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. A DoS attack does not necessarily result in full interruption to a resource; it could instead reduce throughput or introduce latency in order to hamper productive use of a resource. Although most DoS attacks are temporary and last only as long as the attacker maintains the onslaught, there are some permanent DoS attacks. A permanent DoS attack might involve the destruction of a dataset, the replacement of software with malicious alternatives, or forcing a firmware flash operation that could be interrupted or that installs faulty firmware. Any of these DoS attacks would render a permanently damaged system that is not able to be restored to normal operation with a simple reboot or by waiting out the attackers. A full system repair and backup restoration would be required to recover from a permanent DoS attack.
Elevation of privilege: An attack where a limited user account is transformed into an account with greater privileges, powers, and access. This might be accomplished through theft or exploitation of the credentials of a higher-level account, such as that of an administrator or root. It also might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.

formalized security policy structure (difference between policies, guidelines, procedures and standards)

Standards define compulsory requirements for the homogenous use of hardware, software, technology, and security controls. They provide a course of action by which technology and procedures are uniformly implemented throughout an organization. A baseline defines a minimum level of security that every system throughout the organization must meet. All systems not complying with the baseline should be taken out of production until they can be brought up to the baseline. The baseline establishes a common foundational secure state on which all additional and more stringent security measures can be built. A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Guidelines are flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures. A procedure or standard operating procedure (SOP) is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.

Subjects within a trusted system

Subjects (people or other processes) that want to access these objects must be cleared to the same level of classification or higher. Several security models covered later in this lesson have been developed to address confidentiality and integrity.

Trusted Computer System Evaluation Criteria (TCSEC)

TCSEC combines the functionality and assurance rating of the confidentiality protection offered by a system into four major categories. These categories are then subdivided into additional subcategories identified with numbers, such as C1 and C2. Furthermore, TCSEC's categories are assigned through the evaluation of a target system. Applicable systems are stand-alone systems that are not networked. TCSEC defines the following major categories: Category A: Verified protection. The highest level of security. Category B: Mandatory protection. Category C: Discretionary protection. Category D: Minimal protection. Reserved for systems that have been evaluated but do not meet requirements to belong to any other category.

Know the Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES) uses the Rijndael algorithm and is the U.S. government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES algorithm.

Decrypt the message "F R Q J U D W X O D W L R Q V B R X J R W L W" using the Caesar ROT3 substitution cipher.

This message is decrypted by using the following function: P = (C - 3) mod 26
C: F R Q J U D W X O D W L R Q V B R X J R W L W
P: C O N G R A T U L A T I O N S Y O U G O T I T
The hidden message is "Congratulations You Got It." Congratulations, you got it!

List the necessary members of the business continuity planning team

The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.

digital certificate

A digital certificate binds the identity of an individual to a key pair. A digital certificate is the electronic equivalent of a credit card: it establishes an individual's credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains the name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and verifying digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Most digital certificates conform to the X.509 standard. A digital signature is a message digest that is encrypted using the sender's private key.

Mark reads the following lines in the document from his workstation: Access the Aspen Bridge by telnet. Enter into privileged mode. Execute command 6 and press Enter. Load the config file. Hit Run. What type of document is Mark reading? A Security policy B Regulatory policy C Guideline D Procedure

A procedure is a detailed, step-by-step how-to document that specifies the exact actions required to implement a specific security mechanism, control, or solution. A procedure can discuss the complete system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions. Procedures are system and software specific in most cases. Answer A is incorrect. A security policy is a document that defines the scope of security required by an organization. Answer B is incorrect. A regulatory policy is used when industry or legal standards are applied to the organization. It contains the regulations that the organization must follow and defines the procedures that support compliance with them. Answer C is incorrect. A guideline points to a statement in a policy or procedure that helps determine a course of action.

Message Digest

A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not its confidentiality. The main disadvantage of message digests is that the timestamp can be modified. During the course of a forensic investigation, the last access time for a file is changed when a message digest is created on the data collected. Message digests are necessary to ensure that the evidence is not tampered with during the course of the investigation. A logging timestamp is changed when a transaction takes place, and it overwrites the timestamp of the incident that originally occurred. A message digest is a fixed-length output created by using a one-way hash function. A message digest is created from a variable-length input and is also referred to as a checksum. A message digest is helpful in detecting whether any change is made to the records during the course of the chain of custody. The message digest is expected to be smaller than the original data string. Message digests do not provide stringent authentication; they deal with the integrity of information. Message digests do not contribute to either a higher processing time or a slower access time.

Symmetric Encryption

An encryption method in which the same key is used to encrypt and decrypt a message. Also known as private-key encryption. A symmetric algorithm generates a secret key that is used for bulk encryption and decryption of data.

What process does a system use to officially permit access to a file or a program? A Authorization B Validation C Authentication D Identification

Answer A is correct. A system can use an authorization process to officially permit access to a file or a program. This process is used for granting permission and specifying access rights to resources. Answer B is incorrect. Validation confirms whether the data values entered by a user are valid. Answer C is incorrect. Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that the claims made by or about the subject are true. Answer D is incorrect. Identification is the process by which a subject professes an identity and accountability is initiated.

What is defined in an acceptable use policy? A how users are allowed to employ company hardware B the method administrators should use to back up network data C the sensitivity of company data D which users require access to certain company data

Answer A is correct. An acceptable use policy defines how users are allowed to employ company hardware. For example, an acceptable use policy, which is sometimes referred to as a use policy, might answer the following questions: Are employees allowed to store personal files on company computers? Are employees allowed to play network games on breaks? Are employees allowed to "surf the Web" after hours? An information policy defines the sensitivity of a company's data. In part, a security policy defines separation of duties, which determines who needs access to certain company information. A backup policy defines the procedure that administrators should use to back up company information.

Management asks you to provide a list of all access controls that will detect when a security issue occurs. Which control is an example of this? A audit log B router C encryption D access control list (ACL)

Answer A is correct. An audit log is an example of a detective technical control because it detects security breaches once they have occurred. An audit log is also considered to be a compensative technical control. Routers, firewalls, and access control lists (ACLs) are examples of preventative technical controls because they prevent security breaches. They are all also compensative technical controls. There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling. The three access control categories provide seven different functionalities or purposes:
Preventative - A preventative control prevents security breaches and avoids risks.
Detective - A detective control detects security breaches as they occur.
Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
Deterrent - A deterrent control deters potential violations.
Recovery - A recovery control restores resources.
Compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative.
Directive - A directive control provides mandatory controls based on regulations or environmental requirements.
Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.

As you are designing your security awareness training, you list the different groups that require different training. Which group should receive security training that is part education and part marketing? A executives B employees C developers D administrators

Answer A is correct. Company executives should receive security training that is part education and part marketing. The education component should be designed to give executives an overview of network security risks and requirements. The marketing component should include information that persuades executives of the requirement for strong security measures on a computer network. Without the support of company executives, a company cannot typically mount an effective network security defense. Administrators require frequent security updates so that they can configure a network in a secure manner. Developers require security training to ensure that they program in a manner that maintains or improves network security. Employees require general network security training on issues such as social engineering, creation of network credentials, and company security policy. Social engineering techniques include piggybacking, impersonation, and talking.

Which security principle identifies sensitive data and ensures that unauthorized entities cannot access it? A Confidentiality B Availability C Integrity D Authentication

Answer A is correct. Confidentiality identifies sensitive data and ensures that unauthorized entities cannot access it. Confidentiality is the opposite of disclosure. Availability ensures that data and resources are available to authorized entities in a timely manner. Integrity ensures that data and resources are edited only in an approved manner by authorized entities. Authentication is the process of identifying a subject requesting system access. When considering confidentiality in the private sector, information that is considered highly confidential should be available to anyone whose job requires access to the confidential data. Authorization to access highly confidential data should be required each time the data is accessed.

What are the core security objectives for the protection of information assets? A Confidentiality, integrity, and availability B Asset, liabilities, and risks C Risks, threats, and vulnerabilities D Risks, liabilities, and vulnerabilities

Answer A is correct. Confidentiality, integrity, and availability are the core of the protection of an organization's information assets. These three objectives are also referred to as the CIA triad. Availability includes the ability to provide redundancy and fault tolerance, to operate at the optimum level of performance, to cope with vulnerabilities and threats such as DoS attacks, and to recover from disruption without compromising security and productivity. Integrity ensures the correctness of data and the reliability of information, the protection of data and the system from unauthorized alteration, and the inability of attacks and user mistakes to affect the integrity of the data and the system. Confidentiality is defined as the minimum level of secrecy maintained to protect sensitive information from unauthorized disclosure. Confidentiality can be implemented through encryption, access control, data classification, and security awareness. Maintaining the confidentiality of information protects an organization from attacks such as shoulder surfing and social engineering. These attacks can lead to the disclosure of confidential information and can disrupt business operations. Risks, threats, and vulnerabilities are evaluated during the course of a risk analysis conducted by an organization. During a risk analysis, an asset is valued based on its sensitivity and value. The evaluation of risks, threats, and vulnerabilities provides an estimate regarding the controls that should be placed in an organization to achieve its security objectives. Common information-gathering techniques used in risk analysis include:
Distributing a questionnaire
Employing automated risk assessment tools
Reviewing existing policy documents
The rest of the options are invalid in terms of security evaluation and security objectives of an organization.

Which statement is true of downstream liability? A It ensures that organizations working together under a contract are responsible for their information security management. B It pertains to a single organization. C It is a term used to represent contractual liabilities of business operations. D It pertains to the organization's responsibility to maintain the privacy of information of the employees.

Answer A is correct. Downstream liability ensures that organizations working together under a contract are responsible for their information security management and security controls deployed. The companies might sign contracts to work together in an integrated manner. An example of such a contract is the extranet. In this contract, each company should apply the concept of due care and due diligence and implement countermeasures to protect information assets. Downstream liability ensures that each company provides its share of security and is responsible for any negligence caused due to lack of security controls in its infrastructure. Downstream liability pertains to multiple organizations working under a contract and is not limited to a single organization. Downstream liability pertains to legal or business obligations and not contractual obligations of business operations. Downstream liability involves a company and the business partners of the company. Downstream liability pertains to legal obligations of security requirements and does not deal with the privacy of information of employees. Various technologies of the companies bound by the contract should be interoperable to maintain harmony in business operations. Regular auditing should be performed to confirm that the companies are not negligent towards their actions and to their respective security concerns. For example, due to lack of information security management in a company, the network for a channel partner is infected with a worm attack. If the worm attack negatively affects the functionality of the partner company, then the partners may sue the primary company on grounds of negligence. Therefore, downstream liability is applicable in such a situation.

Which of the following is the most important and distinctive concept in relation to layered security? A Series B Parallel C Filter D Multiple

Answer A is correct. Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective. Answers D, B, and C are incorrect. These concepts are not related to layered security.

Which of the following is not considered an example of data hiding? A Preventing an authorized reader of an object from deleting that object B Preventing an application from accessing hardware directly C Restricting a subject at a lower classification level from accessing data at a higher classification level D Keeping a database from being accessed by unauthorized visitors

Answer A is correct. Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.

Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status? A ™ B ® C © D †

Answer A is correct. Richard's product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark, and Richard can begin using the ® symbol.

By using which analysis does a group reach an anonymous consensus while all members of that group are in the same room? A Delphi technique B Survey C Storyboarding D Brainstorming

Answer A is correct. The Delphi technique is a group decision method that seeks a consensus while retaining the anonymity of the participants. Answer D is incorrect. Brainstorming is a group creativity technique which tends to find a conclusion for a specific problem by gathering a list of ideas spontaneously contributed by its members. Answer C is incorrect. A storyboard is a graphic organizer in which image illustrations are present for the purpose of pre-visualizing a picture, animation, or motion graphic. Answer B is incorrect. Survey is an examination of someone or something.

Which US law makes it illegal to bypass electronic copy protection? A DMCA B PATRIOT Act C Economic Espionage Act D Federal Sentencing Guidelines

Answer A is correct. The Digital Millennium Copyright Act (DMCA) makes it illegal to bypass electronic copy protection. The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. This clause was designed to protect copy-prevention mechanisms placed on digital media such as CDs and DVDs. Answer B is incorrect. The PATRIOT Act allows authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant. Answer D is incorrect. The Federal Sentencing Guidelines provide penalty recommendations for breaking federal laws. Answer C is incorrect. The Economic Espionage Act provides penalties for individuals found guilty of the theft of trade secrets.

As a health care provider, your organization must follow the guidelines of HIPAA. Which statement is true of HIPAA? A HIPAA is enforced by Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). B The HIPAA task force performs an inventory of the employees. C HIPAA addresses the issues of security and availability. D HIPAA imposes negligible penalties on offenders.

Answer A is correct. The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) is responsible for the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is also known as the Kennedy-Kassebaum Act. The primary emphasis of HIPAA is on administrative simplification through improved efficiency in health care delivery. This simplification is achieved by standardizing electronic data interchange and protecting the confidentiality and security of health data. After deployment, HIPAA preempts state laws, unless the state law is more stringent. A stringent law implies that the state law is stricter than HIPAA regulations in a certain aspect. In such a scenario, the state law shall be applicable. HIPAA applies to health information that is either created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. HIPAA is not applicable to financial institutions, such as banks. It is applicable to any entity that may store health care information on a regular basis, including hospitals, clinics, universities, schools, billing agencies, and clearinghouses. Title II, Administrative Simplification, of the Health Insurance Portability and Accountability Act addresses transaction standards that include code sets, unique health identifiers, security and electronic signatures, and privacy. Title II covers health care providers who transmit health information electronically in connection with standard transactions, health plans, and health care clearinghouses. It does NOT cover employers. The American National Standards Institute Accredited Standards Committee X12 (ANSI ASC X12) Standard version 4010 applies to the transactions category of HIPAA. The implementation of HIPAA has resulted in changes in health care transactions and administrative information systems. HIPAA imposes heavy civil and criminal penalties for noncompliant offenders. The fines can range from $25K to $250K if there are multiple violations of the same standard. An individual may also be subjected to imprisonment for deliberately misusing health information. The HIPAA task force keeps an inventory of the following data in a company:
Systems
Processes
Policies
Procedures
Data
The HIPAA task force determines the information that is critical to patient care and to the medical institution. These elements are listed by priority, availability, reliability, access, and usage. The task force responsible for the analysis of the company's information should carefully document the criteria used.

Which of the following laws will affect the organization? A SOX Act B GLBA of 1999 C HIPAA D FISMA of 2002

Answer A is correct. The Sarbanes-Oxley (SOX) Act will affect the organization. The SOX Act affects any publicly traded company in the United States. The Gramm-Leach-Bliley Act (GLBA) of 1999 only affects financial institutions. The Health Insurance Portability and Accountability Act (HIPAA) affects healthcare organizations. The Federal Information Security Management Act (FISMA) of 2002 affects every federal agency.

You are a member of the team that has been selected to create your organization's business continuity plan. What is the most vital document in this plan? A business impact analysis (BIA) B disaster recovery plan C vulnerability analysis D occupant emergency plan (OEP)

Answer A is correct. The business impact analysis (BIA) is the most vital document to the business continuity plan. The majority of the steps of the business continuity plan rely on the results of the BIA. The goals of the BIA include resource requirements (identifying the resource requirements of the critical business unit processes), criticality prioritization (identifying and prioritizing every critical business unit process), and downtime estimation (estimating the maximum down time the business can tolerate). The disaster recovery plan is created to ensure that your company is able to resume operation in a timely manner. As part of the business continuity plan, it mainly focuses on alternative procedures for processing transactions in the short term. It is carried out when the emergency occurs and immediately following the emergency. While it is an important part of the business continuity plan, it is not the most vital document because no other parts of the business continuity plan rely on it. Business recovery plans should be created for all areas within an organization. A vulnerability analysis identifies your company's vulnerabilities. It is part of the BIA. An occupant emergency plan (OEP) is created to ensure that injury and loss of life are minimized when an outage or disaster occurs. It also focuses on property damage. While it is an important part of the business continuity plan, it is not the most vital because no other parts of the business continuity plan rely on it.

Which statement is true of the chief security officer's (CSO's) role in an organization? A The CSO's role should be self-governing and independent of all the other departments in the organization. B The CSO's role should be limited to the IT department. C The CSO's role should include all the other departments for efficient security management. D The CSO should not be the only authority, and the decision-making process should include staff from other departments.

Answer A is correct. The role of the chief security officer (CSO) should be self-governing and independent of all the other departments in the organization. The CSO should report to the chief information officer (CIO), chief technology officer (CTO), or chief executive officer (CEO) only to gain management approval for security implementation and to provide feedback on the security process compliance. In an organization, an Information Technology security function should be led by a Chief Security Officer.

All but which of the following items requires awareness for all individuals affected? A The backup mechanism used to retain email messages B Restricting personal email C Recording phone conversations D Gathering information about surfing habits

Answer A is correct. Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

When developing a security management program, which development will be the result of following a life cycle structure? A Written policies are mapped to and supported by security activities. B Individuals responsible for protecting company assets do not communicate. C Progress and return on investment cannot be assessed. D The organization relies on technology for all security solutions.

Answer A is correct. Written policies being mapped to and supported by security activities is the result of following a life cycle structure. When the life cycle structure for developing a security management program is NOT followed, the following situations occur: Written policies and procedures are NOT mapped to and supported by security activities. Individuals responsible for protecting company assets do NOT communicate and are disconnected from each other. Progress and the return on investment of spending and resource allocation can NOT be assessed. The security program deficiencies are NOT understood, and a standardized way of improving the deficiencies does NOT exist. Compliance with regulations, laws, and policies is NOT assured. The organization relies on technology for all security solutions. Security breaches result in emergency measures in a reactive approach.

Your organization has just expanded its network to include another floor of the building where your offices are located. You have been asked to ensure that the new floor is included in the business continuity plan. What should you do? A Update the business continuity plan to include the new floor and its functions. B Complete a parallel test. C Complete a simulation test. D Complete a structured walk-through test.

Answer A is correct. You should update the business continuity plan to include the new floor and its functions. When new resources, hardware, or software are added, you will only need to modify the business continuity plan to include the new resources, hardware, or software. Most likely, your plan will already cover the resources that exist on the new floor. However, the plan will need to incorporate the fact that the new resources exist. It is not necessary to perform any tests until they are scheduled. Currently, the new floor is not included in the business continuity plan. Therefore, any type of test will not include resources on that floor. A structured walk-through test walks through the different scenarios of the plan to ensure that nothing is left out. A simulation test simulates an actual failure based on a scenario to test the reaction of personnel. The primary purpose for this test is to ensure that nothing is left out. A parallel test ensures that specific systems can perform at an alternate site. Systems are actually brought online at the alternate site and regular usage occurs.

What process does a system use to officially permit access to a file or a program? A Validation B Authorization C Identification D Authentication

Answer B is correct. A system can use an authorization process to officially permit access to a file or a program. This process is used for granting permission and specifying access rights to resources. Answer A is incorrect. Validation confirms whether the data values entered by a user are valid. Answer D is incorrect. Authentication is the act of establishing or confirming something (or someone) as authentic, that is, confirming that the claims made by or about the subject are true. Answer C is incorrect. Identification is the process by which a subject professes an identity and accountability is initiated.

Which of the following security factors does not come under the CIA triad? A Confidentiality B Authentication C Integrity D Availability

Answer B is correct. Authentication does not come under the CIA triad. The CIA triad is the process defined by the CIA to confirm whether security is properly implemented. Authentication is the process of verifying the identity of a person, network host, or system process. The authentication process compares the provided credentials with the credentials stored in the database of an authentication server. Answers C, D, and A are incorrect. Confidentiality, integrity, and availability are the security factors that come under the CIA triad.

All of the following are needed for system accountability except for which one? A Identification B Authorization C Auditing D Authentication

Answer B is correct. Authorization is not needed for accountability. However, users must be identified and authenticated and their actions must be logged using some type of auditing to provide accountability.

Which of the following statements is true of disaster recovery? A It is the same as business continuity. B It deals with the actions that are required to take place right after a disaster. C It deals with the actions that are required to take place to keep operations running over a longer period of time. D It is a planning process that is a superset of a larger process known as business continuity planning.

Answer B is correct. Disaster recovery is defined as the process of restoring systems and data if there is partial or complete failure of computers due to technical or other causes. It resumes normal business operations as quickly as possible, after the disaster is over. It deals with the actions that are required to take place right after a disaster. Answer C is incorrect. Business continuity deals with the actions that are required to take place to keep operations running over a longer period of time. Answer D is incorrect. Disaster recovery planning is a subset of a larger process known as business continuity planning. Answer A is incorrect. Disaster recovery is different from business continuity. It deals with the actions that are required to take place right after a disaster. Business continuity deals with the actions that are required to take place to keep operations running over a longer period of time.

Which business continuity plan (BCP) element exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur? A business impact analysis (BIA) B insurance C continuity of operations plan (COOP) D reciprocal agreement

Answer B is correct. Insurance exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur. Insurance is usually purchased to cover asset loss due to fire or theft. There are specific types of insurance policies that now exist to cover certain catastrophic events. A business impact analysis (BIA) analyzes the threats to an organization to determine how the organization might be affected. A reciprocal agreement is an agreement between two organizations to provide alternate facilities to each other. A continuity of operations plan (COOP) is written to ensure that an organization is able to continue essential functions under a broad range of circumstances.

Which of the following is not specifically or directly related to managing the security function of an organization? A Metrics B Worker job satisfaction C Budget D Information security strategies

Answer B is correct. Managing the security function often includes assessment of budget, metrics, resources, and information security strategies, and assessing the completeness and effectiveness of the security program.

You have developed the information security policy for your organization. Which step should precede the adoption of this policy? A conducting security awareness training B obtaining management approval C implementation of standards D implementation of procedures

Answer B is correct. Obtaining management approval should precede the adoption of an information security policy. The development of the information security policy should be overseen by an organization's business operations manager. A security policy defines the broad security objectives of an organization. It establishes each individual's authority and responsibility. It also establishes procedures to enforce the security policy. An organization's senior management has the primary responsibility for the organization's security. Therefore, they must determine the level of protection needed and endorse the security policy. Departmental managers also contribute to the development of the information security policy. Development of the information security policy is usually tasked to a middle-level manager, such as the business operations manager. The implementation of standards, procedures, and guidelines should occur after the development of an information security policy. The security policy defines the procedure for setting up a security program and its goals. The management assigns the roles and responsibilities and defines the procedure to enforce the security policy. Security awareness training is based on the guidelines and standards defined in the security policy. Therefore, the training is conducted after the creation and adoption of the security policy. Awareness and training help users become more accountable for their actions. Security awareness improves the users' awareness of the need to protect information resources. Security education assists management in developing the in-house expertise to manage security programs. Description of specific technologies for information security is not included in the security policy.

Which of the following is not an element of the risk analysis process? A Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage B Selecting appropriate safeguards and implementing them C Creating a cost/benefit report for safeguards to present to upper management D Analyzing an environment for risks

Answer B is correct. Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

You are analyzing risks for your organization. You must ensure that senior management provides the risk management components that you need. All of the following components are provided by senior management, EXCEPT: A monetary allocation B risk mitigation procedures C risk acceptance level D resource allocation

Answer B is correct. Risk mitigation procedures are NOT provided by senior management. The goal of risk mitigation is defining the acceptable level of risk an organization can tolerate and reducing risk to that level. The following risk management components are provided by senior management: an established risk acceptance level, resource allocation, and monetary funding allocation. Senior management has the final responsibility for safeguarding the organization's information. When it comes to information security, management should define the purpose and scope of the security program, delegate the responsibility for the security program, and support the program as it is implemented. The purpose of risk management is to reduce the risk to a tolerable level.

The business continuity team is interviewing users to gather information about business units and their functions. Which part of the business continuity plan includes this analysis? A disaster recovery plan B business impact analysis (BIA) C occupant emergency plan (OEP) D contingency plan

Answer B is correct. The business impact analysis (BIA) includes interviewing to gather information about business units and their functions. A disaster recovery plan is created to ensure that your company is able to resume operation in a timely manner. Interviewing is not included as part of its development. A contingency plan is created to detail how all business functions will be carried out in the event of an outage or disaster. It should address residual risks. Interviewing is not included as part of its development. An occupant emergency plan (OEP) is created to ensure that injury and loss of life are minimized when an outage or disaster occurs. It also focuses on property damage. Interviewing is not included as part of its development. A BIA is created to identify the vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. It is a methodology commonly used in business continuity planning. Its primary goal is to help the business units understand how an event will impact corporate functions, without the recommendation of an appropriate solution. The purpose of the BIA is to create a document to understand what impact a disruptive event would have on the business. One of the first steps in the BIA is to identify the business units. The information gathering stage of the BIA includes deciding on which techniques to use (surveys or interviews), selecting the individuals you plan to interview, and customizing the technique to gather the appropriate information. The analytical stage of the BIA includes analyzing the gathered information, determining the critical business functions, the maximum tolerable downtime (MTD), and the economic impact of disruption, and prioritizing the restoration of critical business functions. This leads to the establishment of a Recovery Time Objective (RTO) for each unit or item. The documentation stage includes documenting your findings and reporting back to management.
A BIA includes the following steps: analyzing the threats associated with each functional area, determining the risk associated with each threat, and identifying the major functional areas of information.

What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended? A Systems located in the United States B Systems used in interstate commerce C Federal interest systems D Government-owned systems

Answer B is correct. The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.

Which business role must ensure that all operations fit within the business goals? A data owner B business/mission owner C system owner D data custodian

Answer B is correct. The person in the business/mission owner role must ensure that all operations fit within the business or mission goals. System and data owners are responsible for ensuring that proper controls are in place to maintain the integrity, confidentiality, and availability of the information. The system owner is responsible for maintaining and protecting one or more data processing systems. The role of a system owner includes the integration of required security features into the applications and the purchase decision of the applications. The system owner also ensures that the remote access control, password management, and operating system configuration provide the necessary security. The data owner is typically part of management. The data owner controls the process of defining IT service levels, provides information during the review of controls, and is responsible for authorizing the enforcement of security controls to protect the information assets of the organization. For example, a business unit manager has the primary responsibility of protecting the information assets by exercising due diligence and due care practices. The data custodian is directly responsible for maintaining and protecting the data. This role is typically delegated to the IT department staff and includes implementing the organization's security through the implementation and maintenance of security controls. The data custodian role also includes the following tasks: maintaining records of activity, verifying the accuracy and reliability of the data, and backing up and restoring data on a regular basis.

What is the discriminator used by the court to determine whether proper due care and due diligence were performed by an organization? A Session rule B Prudent man rule C Annualized loss expectancy D HITECH breach notification rule

Answer B is correct. The prudent man rule is used to determine whether proper due care and due diligence were performed by an organization. It requires senior officials to perform their duties with the care that ordinary, prudent people would exercise under similar circumstances. Answer D is incorrect. The HITECH (Health Information Technology for Economic and Clinical Health Act) breach notification rule requires HIPAA covered entities and their business associates to provide notice following a breach of unsecured protected health information. Answer A is incorrect. Session rules specify the amount of data each segment in the transport layer of the OSI model can contain, verify the integrity of data transmitted, and determine whether data has been lost. They are established through a handshaking process. Answer C is incorrect. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset.

How is the value of a safeguard to a company calculated? A Total risk - controls gap B ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard C ALE before safeguard * ARO of safeguard D ALE after implementing safeguard + annual cost of safeguard - controls gap

Answer B is correct. The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS].

Which of the following focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations? A Data classification B Third-party governance C Procedure D Ownership

Answer B is correct. Third-party governance is the system of oversight that may be authorized by law, regulation, industry standards, or licensing requirements. Although the actual method of governance may change, it generally involves an outside investigator or auditor. A governing body or consultants hired by the target organization may designate these auditors. Third-party governance focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations. Answer C is incorrect. A procedure is a detailed, step-by-step how-to document that specifies the exact actions required to implement a specific security mechanism, control, or solution. Answer D is incorrect. Ownership is the formal assignment of responsibility to an individual or group. It can be made clear and distinct within an operating system. Generally, an owner has full capabilities and privileges over the object they own. Answer A is incorrect. Data classification is the means used to protect data depending on its need for secrecy, sensitivity, or confidentiality. When designing and implementing a security system, all data should not be treated in the same way as some data items require more security than others.

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the annualized loss expectancy? A $3,000,000 B $135,000 C $270,000 D $2,700,000

Answer B is correct. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). The SLE is the product of the AV and the EF. You know that the AV is $3,000,000 and the EF is 90 percent, since the same land can be used to rebuild the facility. This yields an SLE of $2,700,000. Now, ALE is $2,700,000 * 0.05. This yields an ALE of $135,000.

When a new version of the BCP is developed, what is done with all of the previous versions of the BCP distributed across an organization? A They are all stored in an archival library. B They are collected and destroyed. C They are retained by each person. D They are sold on the Internet.

Answer B is correct. When a new version of the BCP (business continuity planning) is developed, all the previous versions of the BCP are collected and destroyed so that only a single copy of the plan is in distribution and no confusion exists as to the correct implementation of the BCP.

What is NOT an example of an operational control? A a backup control B an audit trail C a business continuity plan D configuration management

Answer C is correct. A business continuity plan refers to the procedures undertaken for dealing with long-term unavailability of business processes and resources. Business continuity planning differs from disaster recovery. Disaster recovery aims at minimizing the impact of a disaster. Business continuity planning includes the following steps: moving critical systems to another environment during the repair of the original facility; performing operations in a constrained mode with fewer resources until the conditions of the primary facility return to normal; and dealing with customers, partners, and shareholders through various channels until the original channel is restored. Operational controls ensure the confidentiality, integrity, and availability of business operations by implementing security as a continuous process. Audit trails are operational controls and detective controls. Audit trails identify and detect not only unauthorized users but also authorized users who are involved in unauthorized activities and transactions. Audit trails achieve the security objectives defined by the security policy of an organization, and ensure the accountability of users in the organization. They provide detailed information regarding the computer, the resource usage, and the activities of users. In the event of an intrusion, audit trails can help identify fraud and unauthorized user activity. Backup controls, software testing, and anti-virus management are other examples of operational software controls. Configuration management is an operational control. Configuration management identifies both controls and audit changes made to the trusted computing base (TCB). The audit changes include changes made to the hardware, software, and firmware configurations throughout the operational life cycle of infrastructural assets. Configuration management ensures that changes to the infrastructure take place in a controlled manner and follow a procedural approach.
Configuration management also ensures that future changes to the infrastructure do not violate the organization's security policy and security objectives. Maintenance accounts are considered a threat to operational controls. This is because maintenance accounts are commonly used by hackers to access network devices.

Your organization has asked the security team to add terrorist attacks to the organization's business continuity plan. Which type of threat does this represent? A supply system threat B manmade threat C politically motivated threat D natural environmental threat

Answer C is correct. A terrorist attack is a politically motivated threat. A terrorist attack is usually an attack against a particular country by a group that opposes the political views of that country. Often, a particular group takes credit for a terrorist attack. Politically motivated threats include strikes, riots, civil disobedience, and terrorist attacks. Natural environmental threats include floods, earthquakes, tornadoes, hurricanes, and extreme temperatures. Supply system threats include power outages, communications interruptions, and water and gas interruption. Manmade threats include unauthorized access, explosions, disgruntled employee incidents, employee errors, accidents, vandalism, fraud, and theft. While terrorist attacks are caused by man and could therefore be considered a manmade attack, they are more often classified as politically motivated attacks because they are planned and carried out by terrorist organizations. Most manmade attacks are more limited in scope when considering the perpetrator.

What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures? A Common law B Criminal law C Administrative law D Civil law

Answer C is correct. Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.

Which control provides continuous management of hardware, software, and information assets? A a physical control B a system control C an operational control D an environmental control

Answer C is correct. An operational control includes control over hardware, software, and information assets to provide a certain level of security. Operational controls include administrative management, accountability, management of security operations, change management, and adherence to the product evaluation criteria and standards. Examples of operational controls include control over access to all program libraries, version control and testing, and documentation and approval of hardware and software before they are deployed in a production environment. System controls restrict the execution of certain types of instructions that can only be executed when an operating system is running in supervisor mode. System controls are built into the operating system architecture and are executed in the form of operating system instructions. Physical controls monitor the physical security aspects of a facility infrastructure and include perimeter security, fencing, guards, gates, locks, lighting, alarms, closed-circuit televisions (CCTVs), and intrusion detection systems. Physical security controls work in conjunction with operations security to achieve the security objectives of an organization. Environmental controls include countermeasures against physical security threats, fire, flood, static electricity, humidity, and man-made disasters.

Which of the following involves reading the exchanged materials and verifying them against standards and expectations? A Security policy B Regulatory policy C Documentation review D Procedure

Answer C is correct. Documentation review involves reading the exchanged materials and verifying them against standards and expectations. It is typically carried out before any on-site inspection takes place. An on-site review can focus on compliance with the stated documentation if the exchanged documentation is sufficient and meets expectations (or at least requirements). However, if the documentation is incomplete, inaccurate, or otherwise insufficient, the on-site review is postponed until the documentation can be updated and corrected. Answer D is incorrect. A procedure is a detailed, step-by-step how-to document that specifies the exact actions required to implement a specific security mechanism, control, or solution. A procedure can discuss the complete system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions. Procedures are system and software specific in most cases. Answer A is incorrect. A security policy is a document that defines the scope of security required by an organization. Answer B is incorrect. A regulatory policy is used when industry or legal standards are applied to the organization. The policy contains the regulations that the organization must follow and defines the procedures that support compliance with them.

How is single loss expectancy (SLE) calculated? A Annualized rate of occurrence * asset value * exposure factor B Annualized rate of occurrence * vulnerability C Asset value ($) * exposure factor D Threat + vulnerability

Answer C is correct. SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

Which of the following defines the expected behavior from a security mechanism? A Encapsulation B Provisioning C Security function D Instant messaging

Answer C is correct. Security function defines the expected behavior from a security mechanism. Answer B is incorrect. Provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. Answer A is incorrect. Encapsulation refers to the process where headers and trailers are added around some data. A TCP/IP host sends data by performing a process in which four layers encapsulate data (adds headers and trailers) before physically transmitting it. Answer D is incorrect. Instant messaging (IM) is a form of real-time direct text-based communication between two or more people using personal computers or other devices, along with shared software clients. The user's text is conveyed over a network, such as the Internet.

You are working with management and the human resources department to put a security policy and several personnel controls into place. To which access control category do the controls belong? A physical B technical C administrative D logical

Answer C is correct. Security policy and personnel controls belong to the administrative category of access control, which includes policies and procedures, personnel controls, supervisory structure, security awareness training, and testing. Personnel controls are often also thought of as operational controls. Logical access controls are the same as technical controls and include encryption, network architecture, and an access control matrix. The physical category of access control includes network segregation, perimeter security, computer controls, work area separation, data backups, and cabling. The technical category includes system access, network architecture, network access, encryption and protocols, and auditing. Encryption and access control are considered preventative technical controls.

There are three categories of access control: technical, administrative, and physical. A technical control restricts access to systems, network architectures, control zones, auditing, and encryption and protocols. An administrative control dictates how security policies are implemented to fulfill the company's security goals; administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control secures physical access to an object such as a building, a room, or a computer; physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling.

The three access control categories provide seven different functionalities or purposes:
Preventative - prevents security breaches and avoids risks.
Detective - detects security breaches as they occur.
Corrective - restores control and attempts to correct any damage inflicted during a security breach.
Deterrent - deters potential violations.
Recovery - restores resources.
Compensative - provides an alternative control when another control would be too expensive. All controls are generally considered compensative.
Directive - provides mandatory controls based on regulations or environmental requirements.

Each category of control includes controls that perform many functions. For example, a fence is both a deterrent physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.

Which statement is true of physical access controls? A The CCTVs in physical access control do not need a recording capability. B Only combination locks are part of the physical access control systems. C Surveillance devices offer more protection than fences in the facility. D Passwords provide the best form of physical access control in a facility.

Answer C is correct. Surveillance devices offer more protection than fences because they record activity in traffic areas, which gives a mechanism whereby recordings can be replayed to investigate security breaches. Passwords do NOT provide the best form of physical access control in a facility. Closed-circuit televisions (CCTVs) should always have a recording capability. All types of locks, not only combination locks, are part of physical access control systems. Physical access controls can include the following security measures:
guards to protect the perimeter of the facility
fences around the facility to prevent unauthorized access by intruders
badges for employees for easy identification
locks (combination, cipher, mechanical and others) within the facility to deter intruders
surveillance devices, such as CCTVs, to continuously monitor the facility for suspicious activity and record it for future use
Although passwords are a commonly used way of protecting data and information systems, they are not a part of the physical access controls in a facility; passwords are part of the user authentication mechanism.

Which statement is true of the 1991 U.S. Federal Sentencing Guidelines? A The guidelines deal with individuals acting as plaintiffs in civil lawsuits. B The guidelines deal with individuals acting as defendants in criminal lawsuits. C The guidelines deal with white-collar crimes that take place within the organization. D The guidelines deal with individuals working outside the organization.

Answer C is correct. The 1991 U.S. Federal Sentencing Guidelines apply to the following white-collar crimes that take place within an organization:
Antitrust
Federal securities
Mail and wire fraud
Bribery
Contracts
Money laundering
The principles underlying the guidelines give law enforcement agencies a course of action when dealing with white-collar corporate criminals. Under the guidelines, if a company's senior management is found guilty of corporate misconduct, criminal penalties can be imposed on them, with fines of up to $290 million for noncompliance. The guidelines are aimed at the senior management of the company, not at individuals working outside the organization. They do not deal with individuals as defendants in criminal lawsuits, which are handled under criminal law, nor with civil lawsuits against individuals, which are handled under the civil law of tort.

What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities? A Gramm-Leach-Bliley Act B Second Amendment C Fourth Amendment D Privacy Act

Answer C is correct. The Fourth Amendment to the U.S. Constitution sets the "probable cause" standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.

What is the primary goal of change management? A Keeping users informed of changes B Maintaining documentation C Preventing security compromises D Allowing rollback of failed changes

Answer C is correct. The prevention of security compromises is the primary goal of change management.

Which of the following represents accidental or intentional exploitations of vulnerabilities? A Threat agents B Risks C Threat events D Breaches

Answer C is correct. Threat events are accidental or intentional exploitations of vulnerabilities.

When designing the security awareness training, what should be the primary basis for developing different levels of training? A risks covered B controls implemented C audience D cost

Answer C is correct. When designing security awareness training, the primary basis for developing different levels of training should be the audience. High-level management should receive training that provides an understanding of risks and threats and the effect they have on the organization's reputation and finances. Middle management should receive training that covers policies, standards, baselines, guidelines, and procedures, to understand how they help to protect security. Technical staff should receive technical training on security controls and industry security certifications. Regular staff should receive training that helps them understand their responsibilities while performing their day-to-day tasks. The cost, risks covered, or controls implemented are not the basis for developing different levels of training.

Management has expressed an interest in implementing deterrents to discourage security violations. Which control is an example of this strategy? A a smart card B an audit log C a router D a fence

Answer D is correct. A fence is an example of a deterrent physical control because it attempts to deter or discourage security breaches. A fence is also considered a compensative control. Routers and smart cards are examples of preventative technical controls because they are used to prevent security breaches. They are also examples of compensative technical controls. Audit logs are detective technical controls and compensative technical controls.

Which policy discusses activities and behaviors that are acceptable and defines consequences of violations, within an organization? A Regulatory B Acceptable use C Informative D Advisory

Answer D is correct. An advisory policy discusses activities and behaviors that are acceptable and defines consequences of violations, in an organization. It describes senior management's aspirations for security and compliance within an organization. Answer A is incorrect. The regulated policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance. It is required whenever industry or legal standards are applicable within an organization. Answer C is incorrect. An informative policy provides knowledge about a specific subject, such as mission statements, company goals, or how the organization interacts with partners and customers. Answer B is incorrect. An acceptable use policy is a document that exists as a part of the overall security documentation infrastructure. It assigns security roles within an organization and ensures the associated responsibilities.

During a meeting, you present management with a list of the access controls used on your network. You explain that these controls include preventative, detective, and corrective controls. Which control is an example of a corrective control? A router B intrusion detection system (IDS) C audit log D antivirus software

Answer D is correct. Antivirus software is an example of a corrective technical control because it attempts to correct any damage that was inflicted during a security breach. Antivirus software can also be considered a compensative technical control. Routers are examples of preventative technical controls because they prevent security breaches; routers are also a compensative technical control. IDSs are a detective technical control and a compensative technical control. Audit logs are examples of detective technical controls because they detect security breaches; audit logs are also a compensative technical control.

Which of the following was developed to meet information resource management requirements for the federal government? A the Gramm-Leach-Bliley Act (GLBA) of 1999 B the Health Insurance Portability and Accountability Act (HIPAA) C the Sarbanes-Oxley (SOX) Act D OMB Circular A-130

Answer D is correct. OMB Circular A-130 was developed to meet information resource management requirements for the federal government. According to this circular, an independent audit should be performed every three years. The Sarbanes-Oxley Act (SOX) was developed to ensure that financial information on publicly traded companies is accurate. The Health Insurance Portability and Accountability Act (HIPAA) was developed to establish national standards for the storage, use, and transmission of health care data. The Gramm-Leach-Bliley Act (GLBA) of 1999 was developed to ensure that financial institutions protect customer information and provide customers with a privacy notice.

Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it? A Click-wrap agreement B Contractual license agreement C Standard license agreement D Shrink-wrap agreement

Answer D is correct. Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Contractual license agreements use a written contract between the software vendor and the customer, outlining the responsibilities of each.

You are the security analyst for a United States financial institution that is publicly traded. All of the following laws affect your organization, EXCEPT: A SOX B Basel II C GLBA D HIPAA

Answer D is correct. The Health Insurance Portability and Accountability Act (HIPAA) does not affect a financial institution that is publicly traded. All of the other laws will affect the financial institution. The Sarbanes-Oxley (SOX) Act of 2002 was written to prevent companies from committing fraud by knowingly providing inaccurate financial reports to shareholders and the public. It is mainly concerned with corporate accounting practices. Section 404 of this act specifically addresses information technology. The Basel II Accord is built on three main pillars: minimum capital requirements, supervision, and market discipline. These pillars apply to financial institutions. The Gramm-Leach-Bliley Act (GLBA) of 1999 was written to ensure that financial institutions develop privacy notices and allow their customers to prevent the financial institutions from sharing information with third parties. The Health Insurance Portability and Accountability Act (HIPAA) was written to prevent medical organizations (including health insurance companies, hospitals, and doctors' offices) from sharing patient health care information without consent. It is primarily concerned with the security, integrity, and privacy of patient information.

What compliance obligation relates to the processing of credit card information? A FERPA B SOX C HIPAA D PCI DSS

Answer D is correct. The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in storing, transmitting, and processing credit card information.

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches? A 270,000 B 135,000 C 3,000,000 D 2,700,000

Answer D is correct. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

What is the designation of an employee who is responsible for maintaining and protecting information? A Data owner B System owner C Information user D Data custodian

Answer D is correct. The data custodian is directly responsible for maintaining and protecting the data, a role typically delegated to IT department staff. Responsibilities include implementing and maintaining security controls. The data custodian's tasks include:
Maintaining activity records
Verifying data accuracy and reliability
Backing up and restoring data regularly
The data owner controls the process of defining IT service levels, provides information during the review of controls, and authorizes the enforcement of security controls to protect the organization's information assets. A data owner is typically part of management; for example, a business unit manager has the primary responsibility of protecting information assets by exercising due diligence and due care. A system owner is responsible for maintaining and protecting one or more data processing systems. The role primarily covers the integration of the required security features into applications and the purchase decision for those applications; the system owner also ensures that remote access, password management, and operating system configurations provide the necessary security. An information user is an individual who uses the data regularly to fulfill job responsibilities. Users should access information on the basis of least privilege and need-to-know to achieve the organization's security objectives.

What is the term used for the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk? A Annualized loss expectancy B Annualized rate of occurrence C Single loss expectancy D Exposure factor

Answer D is correct. The exposure factor (EF) refers to the percentage of loss an organization would experience in the event of violation of a specific threat by a realized risk. It is also known as loss potential and is expressed as a percentage. Answer A is incorrect. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset. Answer B is incorrect. The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat will occur within a year. Answer C is incorrect. The single loss expectancy (SLE) is the cost related to a single realized risk against a specific asset. It specifies the exact amount of loss an organization would experience if an asset were harmed by a specific threat.

Which of the following is utilized when redundant communications links are installed? A Parameter check B Penetration test C Port scan D Alternative system

Answer D is correct. This is an example of an alternative system. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable. Answer A is incorrect. Parameter check is used to prevent the possibility of buffer overflow attacks. Answer B is incorrect. Penetration test is the attempt to bypass security controls to test overall system security. Answer C is incorrect. Port scan reveals the ports associated with services running on a machine and available to the public.

Which of the following is considered an activity that has the potential to cause harm to information systems or networks? A Vulnerability B Safeguard C Asset D Threat

Answer D is correct. Threat is considered an activity that has the potential to cause harm to information systems or networks. Answer A is incorrect. Vulnerability refers to a software, hardware, or procedural weakness that may provide an open door to an attacker. Answer C is incorrect. Asset can be anything within the environment that is required to be protected. It can be a computer file, a network service, a system resource, a process, a program, and so on. Answer B is incorrect. Safeguard eliminates vulnerability or protects the system against particular threats.

Which of the following should you deploy to meet management's requirements for the digital content? A an issue-specific policy B group policy C copyright D DRM

Answer D is correct. You should deploy digital rights management (DRM) to meet management's requirements for the digital content. DRM will control the opening, editing, printing, and copying of digital content. A copyright ensures that a copyrighted work is protected from any form of reproduction or use without consent from the copyright holder. A group policy can be used to implement certain restrictions on a server or network. However, it is not used to limit access to digital content. An issue-specific policy can be used to provide guidance on protecting the digital content. However, the policy itself will not prevent the opening, editing, printing, and copying of digital content.

When configuring a new network, you decide to use routers and encryption to improve security. Of which type of technical control is this an example? A recovery B detective C deterrent D directive E corrective F compensative G preventative

Answer G is correct. Routers and encryption are examples of preventative technical controls. A technical control is a control that restricts access; a preventative control prevents security breaches. Routers and encryption are also compensative technical controls. Preventative technical controls are most often configured using access control lists (ACLs) built into the operating system. They protect the operating system from unauthorized access, modification, and manipulation, and they protect system integrity and availability by limiting the number of users and processes that are allowed to access the system or network. A recovery technical control restores system capabilities; data backups are in this category. A detective technical control detects when a security breach occurs; audit logs and intrusion detection systems (IDSs) are in this category. A deterrent technical control discourages security breaches; a firewall is the best example of this type of control. A corrective technical control corrects issues that arise because of security breaches; antivirus software and server images are in this category. A compensative technical control is an alternative to other controls.

There are three categories of access control: technical, administrative, and physical. A technical control restricts access; technical controls protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control dictates how security policies are implemented to fulfill the company's security goals; administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control secures physical access to an object such as a building, a room, or a computer; physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling.

The three access control categories provide seven different functionalities or purposes:
Preventative - prevents security breaches and avoids risks.
Detective - detects security breaches as they occur.
Corrective - restores control and attempts to correct any damage inflicted during a security breach.
Deterrent - deters potential violations.
Recovery - restores resources.
Compensative - provides an alternative control when another control would be too expensive. All controls are generally considered compensative.
Directive - provides mandatory controls based on regulations or environmental requirements.

Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.

A security policy is defined as the document that describes the scope of an organization's security requirements. Which of the following statements are true of a security policy? A It provides security solutions to provide necessary protection against security threats. B It facilitates slave DNS servers to transfer records from the master server to a slave server. C It uses public key cryptography to digitally sign records for a DNS lookup. D It includes assets that are to be protected.

Answers A and D are correct. A security policy is defined as the document that describes the scope of an organization's security requirements. Information security policies are usually documented in one or more information security policy documents. The policy includes the assets that are to be protected. It also provides security solutions to provide necessary protection against the security threats. Answer B is incorrect. Zone transfers facilitate slave DNS servers to transfer records from the master server to a slave server. Answer C is incorrect. Domain Name System Security Extensions (DNSSEC) use public key cryptography to digitally sign records for a DNS lookup.

What are the important aspects of an exit interview? Each correct answer represents a complete solution. Choose all that apply. A Requesting the return of all access badges, keys, and company equipment B Allowing IT staff to disable system access C Revoking a parking pass D Disabling a network account E Returning personal property

Answers A, B, C, and D are correct. The following are important aspects of an exit interview:
Allowing IT staff to disable system access
Requesting the return of all access badges, keys, and company equipment
Distributing a company reorganization chart
Disabling a network account
Blocking a person's PIN or smartcard for building entrance
Positioning a new employee in the cubicle
Revoking a parking pass
Answer E is incorrect. Returning personal property is not an aspect of an exit interview.

Which of the following are the cost functions that are related to quantitative risk analysis? Each correct answer represents a complete solution. Choose all that apply. A Annualized loss expectancy B Annualized rate of occurrence C Double profit gain D Single loss expectancy

Answers A, B, and D are correct. The following cost functions are related to quantitative risk analysis:
Exposure factor (EF): the percentage of loss an organization experiences when a particular asset is violated by a realized risk.
Single loss expectancy (SLE): the cost of a single realized risk against a particular asset. SLE = asset value (AV) * exposure factor (EF)
Annualized rate of occurrence (ARO): the expected frequency with which a particular threat or risk occurs in a single year.
Annualized loss expectancy (ALE): the yearly cost of all instances of a particular threat against a particular asset. ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
Answer C is incorrect. This is an invalid answer.
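The avalanche question, the exposure-factor card and the cost-function list above all use the same four formulas. The Go program below is an added worked example (not part of the original study material) that carries the page's own avalanche figures through SLE and ALE and then applies the cost/benefit test used to justify a safeguard: ALE before the control, minus ALE after it, minus the control's annual cost. The barrier safeguard, its 30 percent residual exposure factor and its $40,000 annual cost are constructed assumptions for the illustration.

```go
package main

import "fmt"

// RiskInput holds the quantitative figures for one asset/threat pair.
type RiskInput struct {
	AssetValue     float64 // AV, in dollars
	ExposureFactor float64 // EF, fraction of AV lost in a single incident (0 to 1)
	ARO            float64 // annualized rate of occurrence (incidents per year)
}

// SLE returns the single loss expectancy: SLE = AV * EF.
func SLE(r RiskInput) float64 { return r.AssetValue * r.ExposureFactor }

// ALE returns the annualized loss expectancy: ALE = SLE * ARO.
func ALE(r RiskInput) float64 { return SLE(r) * r.ARO }

// SafeguardValue is the cost/benefit figure used to justify a control:
// ALE before the safeguard, minus ALE after it, minus its annual cost.
// A positive value means the safeguard is worth buying; a negative value
// means it costs more per year than the loss it prevents.
func SafeguardValue(before, after RiskInput, annualCost float64) float64 {
	return ALE(before) - ALE(after) - annualCost
}

func main() {
	// The page's avalanche scenario: $3M facility, 90% of value is the building, 5%/year.
	avalanche := RiskInput{AssetValue: 3_000_000, ExposureFactor: 0.90, ARO: 0.05}
	// Hypothetical safeguard (constructed for this example): a snow barrier that limits
	// damage to 30% of the asset value and costs $40,000 per year to maintain.
	withBarrier := RiskInput{AssetValue: 3_000_000, ExposureFactor: 0.30, ARO: 0.05}

	fmt.Printf("SLE = $%.0f\n", SLE(avalanche)) // 2700000
	fmt.Printf("ALE = $%.0f\n", ALE(avalanche)) // 135000
	fmt.Printf("Safeguard value = $%.0f\n", SafeguardValue(avalanche, withBarrier, 40_000)) // 50000
	fmt.Printf("Same barrier at $100,000/year = $%.0f\n", SafeguardValue(avalanche, withBarrier, 100_000)) // -10000
}
```

The last line is the check a practitioner wants before signing off on a control: the same barrier priced at $100,000 per year has a negative value, so the quantitative case for it fails even though it reduces the exposure factor.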

Which of the following approaches should you consider while preparing and conducting a risk assessment? Each correct answer represents a complete solution. Choose all that apply. A Identify a consistent risk assessment methodology. B Create a regulatory policy. C Create a business continuity plan. D Perform the risk and vulnerability assessment as per the defined standard.

Answers A, C, and D are correct. While preparing and conducting a risk assessment, consider the following approaches:
Create a risk assessment policy.
Define risk assessment goals and objectives in line with the organization's business drivers.
Create a business continuity plan to ensure that critical processes and activities can continue in case of a disaster or emergency.
Identify a consistent risk assessment methodology and approach for the organization.
Conduct an asset valuation or asset criticality valuation according to a standard definition for the organization.
Perform the risk and vulnerability assessment according to the defined standard.
Answer B is incorrect because a regulatory policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance.

Which of the following information does a business case include? Each correct answer represents a complete solution. Choose all that apply. A Testing strategies B Recommendations C Methods and assumptions D Risks and contingencies

Answers B, C, and D are correct. A business case is a formal document written to convince a decision maker to approve an action. A business case includes:
Introduction: states the business objectives the case addresses
Methods and assumptions: specifies the boundaries of the business case
Business impacts: presents the financial and non-financial results of the business case
Risks and contingencies: a systematic attempt to evaluate how sensitive the outcomes are to changes in specific assumptions
Recommendations: specifies the actions to take

Which of the following concepts represent the three fundamental principles of information security? Each correct answer represents a complete solution. Choose all that apply. A Privacy B Integrity C Confidentiality D Availability

Answers B, C, and D are correct. The following concepts represent the three fundamental principles of information security: Confidentiality Integrity Availability Answer A is incorrect. Privacy, authentication, accountability, authorization, and identification are also concepts related to information security, but they do not represent the fundamental principles of information security.

Which of the following statements are true of quantitative risk analysis? Each correct answer represents a complete solution. Choose all that apply. A A quantitative risk analysis requires less time and effort. B A quantitative analysis requires subjective input from the user. C A purely quantitative risk analysis cannot be performed since qualitative aspects cannot be quantified. D A qualitative analysis assigns real dollar figures to the loss of an asset.

Answers C and D are correct. A purely quantitative risk analysis cannot be performed, since qualitative, subjective, or intangible aspects cannot be quantified. Quantitative analysis assigns real dollar figures to the loss of an asset. It involves asset valuation and threat identification, then estimates the potential and frequency of each risk, resulting in a cost/benefit analysis of safeguards. Answers A and B are incorrect. A quantitative analysis requires objective input from the user and significant time and effort.

Understand the public key infrastructure (PKI)

In the public key infrastructure, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients verify a certificate using the CA's public key.

Be familiar with the major hashing algorithms.

SHA-1 and SHA-2, the successors to the original Secure Hash Algorithm (SHA-0), make up the government standard message digest functions. SHA-1 produces a 160-bit message digest, but practical collisions have been demonstrated against it (2017), so it should no longer be used where collision resistance matters, such as digital signatures. SHA-2 supports digest lengths of 224, 256, 384 and 512 bits. SHA-3 is built on a different internal design (the Keccak sponge construction) rather than on SHA-2's, giving an independent alternative, and supports the same digest lengths.

Understand the security concerns of a wiring closet

A wiring closet is where the networking cables for a whole building or just a floor are connected to other essential equipment, such as patch panels, switches, routers, LAN extenders, and backbone channels. Most of the security for a wiring closet focuses on preventing physical unauthorized access. If an unauthorized intruder gains access to the area, they may be able to steal equipment, pull or cut cables, or even plant a listening device.

Understand zero-day exploits

A zero-day exploit is an attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people. On the surface, it sounds like you can't protect against an unknown vulnerability, but basic security practices go a long way toward preventing zero-day exploits. Removing or disabling unneeded protocols and services reduces the attack surface, enabling firewalls blocks many access points, and using intrusion detection and prevention systems helps detect and block potential attacks. Additionally, using tools such as honeypots and padded cells helps protect live networks.

You have implemented a computer system that is protected by MAC. Which activity(ies) are considered illegal on this system? a. read-down b. read-up c. write-down d. write-up A option a B option b C option c D option d E all of the options F options a and d only G options b and c only

Answer G is correct. Read-up and write-down activities are considered illegal on a computer system that is protected by mandatory access control (MAC); these are the "no read up" (simple security) and "no write down" (star) properties of the Bell-LaPadula model that MAC systems enforce. MAC is a type of nondiscretionary access control that uses security levels and categories to restrict access to information. MAC assumes that users are careless and that programs cannot be trusted to carry out the needs of users. On a MAC computer, security levels such as confidential, secret, and top secret are similar to those used by the U.S. military. Read-up is the ability of users in a lower security category to read information that is in a higher category. Write-down is the ability of someone in a higher security category to write files that users in lower security categories can view. Read-down and write-up activities are allowed on a MAC computer or network.
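The four read/write cases in the card above are exactly what a MAC reference monitor decides, and the decision is easy to get wrong when categories are added to levels. The Go program below is an added example (not part of the study guide) of a Bell-LaPadula decision function over labels made of a level plus a need-to-know category set, so that "higher" means the lattice dominance relation rather than a plain level comparison. The level names, the categories NUCLEAR and CRYPTO and the analyst/memo/plan objects are constructed for the illustration.

```go
package main

import "fmt"

// Level is a MAC sensitivity level; higher values are more sensitive.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

// Label is a security label: a level plus a set of need-to-know categories.
// Subjects carry a clearance label, objects a classification label.
type Label struct {
	Level      Level
	Categories map[string]bool
}

// Dominates reports whether a is at least as sensitive as b: a's level is not
// lower than b's and a's category set contains every category of b.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Categories {
		if !a.Categories[c] {
			return false
		}
	}
	return true
}

// Op is the access a subject requests on an object.
type Op int

const (
	Read Op = iota
	Write
)

// Allowed is the reference-monitor decision under the Bell-LaPadula rules:
//   - simple security property: read only objects the subject dominates (no read-up)
//   - *-property: write only to objects that dominate the subject (no write-down)
func Allowed(subject, object Label, op Op) bool {
	switch op {
	case Read:
		return subject.Dominates(object)
	case Write:
		return object.Dominates(subject)
	}
	return false // unknown operation: deny by default
}

// cats builds a category set from names.
func cats(names ...string) map[string]bool {
	m := make(map[string]bool, len(names))
	for _, n := range names {
		m[n] = true
	}
	return m
}

func main() {
	// Constructed example: an analyst cleared Secret for the NUCLEAR category.
	analyst := Label{Level: Secret, Categories: cats("NUCLEAR")}
	memo := Label{Level: Confidential, Categories: cats("NUCLEAR")}
	plan := Label{Level: TopSecret, Categories: cats("NUCLEAR")}
	other := Label{Level: Secret, Categories: cats("CRYPTO")}

	fmt.Println("read-down  (Confidential memo):", Allowed(analyst, memo, Read))  // true
	fmt.Println("read-up    (Top Secret plan):  ", Allowed(analyst, plan, Read))  // false
	fmt.Println("write-up   (Top Secret plan):  ", Allowed(analyst, plan, Write)) // true
	fmt.Println("write-down (Confidential memo):", Allowed(analyst, memo, Write)) // false
	fmt.Println("read, missing category:        ", Allowed(analyst, other, Read)) // false
}
```

The last case is the one a level-only implementation misses: the analyst is cleared Secret, the object is Secret, but the CRYPTO category is not in the clearance, so the read is denied.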

A new security policy implemented by your organization states that all official e-mail messages must be signed with digital signatures. Which elements are provided when these are used? a. integrity b. availability c. encryption d. authentication e. non-repudiation A option a B option b C option c D option d E option e F options a, b, and c G options c, d, and e H options a, d, and e

Answer H is correct. A digital signature is a hash value of the message that is encrypted (signed) with the sender's private key, so a digitally signed message provides authentication, non-repudiation, and integrity for electronic mail. In a digitally signed transmission using a hash function, it is the message digest, not the message, that is processed with the sender's private key. Digital signatures do not provide encryption of the message itself and cannot ensure availability. The Digital Signature Standard (DSS) defines digital signatures; it provides integrity and authentication and is not a symmetric key algorithm. A signature cannot be forged without the signer's private key, so a man-in-the-middle cannot alter a signed message without the change being detected when the signature is verified. Microsoft uses digital signing to ensure the integrity of driver files. A form of digital signature where the signer is not privy to the content of the message is called a blind signature.
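The signing flow described in the answer above (hash the message, sign the digest with the private key, let the recipient recompute the digest and check with the public key) is shown below in Go using SHA-256 from the hashing card and ECDSA from the standard library. This is an added example, not code from the study guide; the message text and the keys are constructed for the illustration. It demonstrates the three properties the answer names and the two failure cases a verifier must catch: a modified body and a signature made with someone else's key. Note that the body travels in the clear, which is why a signature gives no confidentiality.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMail is what the recipient receives: the body in the clear (a signature
// gives no confidentiality) together with the signature over the body's digest.
type SignedMail struct {
	Body      []byte
	Signature []byte
}

// NewSenderKey generates the sender's ECDSA key pair (P-256).
func NewSenderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the body with SHA-256 and signs the 32-byte digest with the
// sender's private key. Only the digest is signed, never the whole body.
func Sign(priv *ecdsa.PrivateKey, body []byte) (SignedMail, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedMail{}, err
	}
	return SignedMail{Body: body, Signature: sig}, nil
}

// Verify recomputes the digest from the received body and checks the signature
// with the sender's public key. Any change to the body (integrity) or a signature
// made under another key (authentication) fails the check.
func Verify(pub *ecdsa.PublicKey, m SignedMail) bool {
	digest := sha256.Sum256(m.Body)
	return ecdsa.VerifyASN1(pub, digest[:], m.Signature)
}

func main() {
	sender, err := NewSenderKey()
	if err != nil {
		panic(err)
	}
	// Constructed message for the demo.
	mail, err := Sign(sender, []byte("Approve transfer of 1,000 USD to account 42"))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message:", Verify(&sender.PublicKey, mail)) // true

	// A man-in-the-middle edits the amount but cannot re-sign without the private key.
	tampered := mail
	tampered.Body = []byte("Approve transfer of 9,000 USD to account 42")
	fmt.Println("tampered body:  ", Verify(&sender.PublicKey, tampered)) // false

	// An impostor's key does not verify the sender's signature.
	impostor, _ := NewSenderKey()
	fmt.Println("wrong key:      ", Verify(&impostor.PublicKey, mail)) // false
}
```

Non-repudiation follows from the same check: only the holder of the private key could have produced a signature that verifies under the matching public key, which is why the public key itself must be bound to the sender through a certificate as in the PKI card.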

Which statements are NOT valid regarding SQL commands?

a. An ADD statement is used to add new rows to a table.
b. A DELETE statement is used to delete rows from a table.
c. A REPLACE statement is used to replace rows in a table.
d. A SELECT statement is used to retrieve rows from a table.
e. A GRANT statement is used to grant permissions to a user.

A. point a
B. point b
C. point c
D. point d
E. point e
F. points b, d, and e only
G. all of the points
H. points a and c only

Answer H is correct. The statements regarding an ADD statement and a REPLACE statement are NOT valid regarding SQL commands. REPLACE and ADD are not valid SQL statements. The UPDATE statement is used to replace or update rows in a table. An INSERT statement is used to add rows to a table. SELECT, DELETE, and GRANT are valid SQL commands: the SELECT statement is used to retrieve rows from a table, the DELETE statement is used to delete rows from a table, and the GRANT statement is used to grant permissions to a user.

Understand the need to apply risk-based management concepts to the supply chain

Applying risk-based management concepts to the supply chain is a means to ensure a more robust and successful security strategy in organizations of all sizes. When purchases and acquisitions are made without security considerations, the risks inherent in those products remain throughout their deployment life span.

Which of the following encryption algorithms are based on block ciphers? Each correct answer represents a complete solution. Choose all that apply.

A. RC5
B. Twofish
C. Rijndael
D. RC4

Answers A, B, and C are correct. The following encryption algorithms are based on block ciphers: RC5, Rijndael, and Twofish. In cryptography, a block cipher is a symmetric key cipher that operates on fixed-length groups of bits, termed 'blocks', with an unvarying transformation. When encrypting, a block cipher might take (for example) a 128-bit block of plaintext as input and output a corresponding 128-bit block of ciphertext. Answer D is incorrect. Rivest Cipher 4 (RC4) is a stream cipher. Stream ciphers treat the data as a stream of bits.

Copyright and the Digital Millennium Copyright Act

Copyright law guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work. Eight broad categories of works qualify for copyright protection:

Literary works
Musical works
Dramatic works
Pantomimes and choreographic works
Pictorial, graphical, and sculptural works
Motion pictures and other audiovisual works
Sound recordings
Architectural works

Understand the importance of key security.

Cryptographic keys provide the necessary element of secrecy to a cryptosystem. Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It's generally agreed that the 56-bit key of the Data Encryption Standard (DES) is no longer sufficiently long to provide security.

Identity Theft and Assumption Deterrence Act

In 1998, the president signed the Identity Theft and Assumption Deterrence Act into law. In the past, the only legal victims of identity theft were the creditors who were defrauded. This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.

Policy Support Documents

Regulations: Laws passed by regulators and lawmakers
Standards and baselines: Topic-specific (standards) and system-specific (baselines) documents that describe overall requirements for security
Guidelines: Documentation that aids in compliance with standard considerations, hints, tips, and best practices in implementation
Procedures: Step-by-step instructions on how to perform a specific security activity (configure a firewall, install an operating system, and others)

Understand secure provisioning concepts.

Secure provisioning of resources includes ensuring that resources are deployed in a secure manner and are maintained in a secure manner throughout their lifecycles. As an example, desktop personal computers (PCs) can be deployed using a secure image.

Understand that auditing is an aspect of due care

Security audits and effectiveness reviews are key elements in displaying due care. Senior management must enforce compliance with regular periodic security reviews, or they will likely be held accountable and liable for any asset losses that occur.

information security Common Body of Knowledge

The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals.

the possible contamination and damage caused by a fire and suppression

The destructive elements of a fire include smoke and heat but also the suppression medium, such as water or soda acid. Smoke is damaging to most storage devices. Heat can damage any electronic or computer component. Suppression mediums can cause short circuits, initiate corrosion, or otherwise render equipment useless. All of these issues must be addressed when designing a fire response system.

Be familiar with the basic terminology of cryptography

When a sender wants to transmit a private message to a recipient, the sender takes the plaintext (unencrypted) message and encrypts it using an algorithm and a key. This produces a ciphertext message that is transmitted to the recipient. The recipient then uses a similar algorithm and key to decrypt the ciphertext and re-create the original plaintext message for viewing.

Secure Hash Algorithm (SHA)

creates a fixed-length message digest from a variable-length input message. The input to a hash function is called the message, and the output is called the message digest or hash value. The digest often serves as a condensed representation of the message.

issue-specific security policy

focuses on a specific network service, department, function, or other aspect that is distinct from the organization as a whole.

Security management

planning ensures proper creation, implementation, and enforcement of a security policy. Security management planning aligns the security functions to the strategy, goals, mission, and objectives of the organization. This includes designing and implementing security based on business cases, budget restrictions, or scarcity of resources. One of the most effective ways to tackle security management planning is to use a top-down approach. The best security plan is useless without one key factor: approval by senior management.

Cryptography

provides confidentiality, integrity, authentication, and nonrepudiation for sensitive information while it is stored (at rest), traveling across a network (in transit), and existing in memory (in use).

cryptographic attacks

A cryptographic attack is a method for circumventing the security of a cryptographic system by exploiting a weakness in the code, the cryptographic protocol, or the key management scheme. Here are the types of cryptographic attack:

Birthday: Depends on the higher likelihood of collisions
Weak key: Exploits flaws in the password-encryption algorithm
Mathematical: Employs mathematical methods to break an algorithm and decrypt messages

Understand honeypots, padded cells, and pseudo flaws

A honeypot is a system that often has pseudo flaws and fake data to lure intruders. Administrators can observe the activity of attackers while they are in the honeypot, and as long as attackers are in the honeypot, they are not in the live network. Some IDSs have the ability to transfer attackers into a padded cell after detection. Although a honeypot and padded cell are similar, note that a honeypot lures the attacker but the attacker is transferred into the padded cell.

Identify the differences between a salt and a pepper (used when hashing a password).

A salt is different for every password in a database. A pepper is the same for every password in a database. Salts for passwords are stored in the same database as the hashed passwords. A pepper is stored somewhere external to the database such as in application code or as a configuration setting for a server.

Explain the concept of security boundaries

A security boundary can be the division between one secured area and another secured area. It can also be the division between a secured area and an unsecured area. Both must be addressed in a security policy.

security boundary

A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs. A security boundary exists between a high-security area and a low-security one, such as between a LAN and the Internet.

Which type of security plan is designed to be a forward-looking document pointing out goals to achieve in a five-year time frame?

A. Operational
B. Tactical
C. Strategic

Answer C is correct. A strategic plan focuses on five-year goals, missions, and objectives. It is a fairly stable, long-term plan that defines an organization's security purpose. Answer A is incorrect. An operational plan is a highly detailed, short-term plan based on the strategic and tactical plans. It is updated monthly or quarterly to retain compliance with tactical plans. Answer B is incorrect. The tactical plan is a midterm plan that provides details on accomplishing the goals defined in the strategic plan. It is useful for about a year.

Be familiar with the various types of application attacks attackers use to exploit poorly written software

Application attacks are one of the greatest threats to modern computing. Attackers exploit buffer overflows, back doors, time-of-check-to-time-of-use vulnerabilities, and rootkits to gain illegitimate access to a system. Security professionals must have a clear understanding of each of these attacks and the associated countermeasures.

Keys in relational databases

Candidate key: At least one in a table; keeps records unique and is not null
Primary key: Only one in a table; uniquely identifies records in a table
Foreign key: Defines relationships between two tables; also known as referential integrity

Recognize security issues with cloud-based assets

Cloud-based assets include any resources accessed via the cloud. Storing data in the cloud increases the risk so additional steps may be necessary to protect the data, depending on its value. When leasing cloud-based services, you must understand who is responsible for maintenance and security. The cloud service provider provides the least amount of maintenance and security in the IaaS model.

Know the definition of computer crime

Computer crime is a crime (or violation of a law or regulation) that is directed against, or directly involves, a computer.

The Three Security Goals Are

Confidentiality, Integrity, and Availability

ITSEC Assurance Classes

E0 - Inadequate assurance; fails to meet E1 requirements
E1 - Security target document that provides an informal description of the TOE's architectural design and functional testing that the TOE satisfies target requirements
E2 - E1 requirements, plus an informal description of detailed designs, testing evidence, configuration control requirements, and approved distribution procedures
E3 - E2 requirements, plus source code and drawings that are evaluated and testing evidence of security mechanisms that are evaluated
E4 - E3 requirements, plus a formal model of security policy, semiformal specification of security enforcing functions, architectural design documents, and detailed design documents
E5 - E4 requirements, plus evidence of close correspondence between detailed design and source code (traceability of design into implementation)
E6 - E5 requirements, plus a formal specification of security-enforcing functions and architectural design, along with consistency with the formal security policy model

Understand the need for encryption

Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. It can take many forms and be applied to every type of electronic communication, including text, audio, and video files, as well as programs themselves. Encryption is an important element in security controls, especially in regard to the transmission of data between systems.

Embezzlement:

In the movie Office Space, three disgruntled employees modify computer software to collect round-off amounts (fractions of a penny) from a company's accounting program. This is an old crime in new garb. Now criminals steal money by manipulating software or databases.

Gramm-Leach-Bliley Act of 1999

Until the Gramm-Leach-Bliley Act (GLBA) became law in 1999, there were strict governmental barriers between financial institutions. Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. GLBA somewhat relaxed the regulations concerning the services each organization could provide. When Congress passed this law, it realized that this increased latitude could have far-reaching privacy implications. Because of this concern, it included a number of limitations on the types of information that could be exchanged even among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all their customers by July 1, 2001.

Trusted Computer System Evaluation Criteria (TCSEC):Verified Protection (Category A1):

Verified protection systems are similar to B3 systems in the structure and controls they employ. The difference is in the development cycle. Each phase of the development cycle is controlled using formal methods. Each phase of the design is documented, evaluated, and verified before the next step is taken. This forces extreme security consciousness during all steps of development and deployment and is the only way to formally guarantee strong system security.

Class A1: Verified Design. Systems in Class A1 are functionally equivalent to those in Class B3, with no additional architectural features or policy requirements added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented.

Understand voice communications security

Voice communications are vulnerable to many attacks, especially as voice communications become an important part of network services. You can obtain confidentiality by using encrypted communications. Countermeasures must be deployed to protect against interception, eavesdropping, tapping, and other types of exploitation. Be familiar with voice communication topics, such as POTS, PSTN, PBX, and VoIP.

Access Control

Who may access the system, and what can they do after they are signed on? That is the focus of this CBK domain. Specific topics include:

Understanding identification, authentication, authorization, and logging and monitoring techniques and technologies
Understanding access control attacks
Assessing effectiveness of access controls
Understanding the identity and access provisioning life cycle

security information and event management (SIEM)

also collects data from many other sources within the network. It provides real-time monitoring of traffic and analysis and notification of potential attacks. Additionally, it provides long-term storage of data, allowing security professionals to analyze the data.

Layering

also known as defense in depth, is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass.

Standards Taxonomy

are formal written documents that describe several security concepts that are fundamental to all successful programs. The highest level includes the following:

Asset and data classification
Separation of duties
Pre-employment hiring practices
Risk analysis and management
Education, awareness, and training

Process controls

are implemented to ensure that different people can perform the same operations exactly in the same way each time. Processes are documented as procedures on how to carry out an activity related to security.

Intrusion detection systems (IDSs)

are systems—automated or manual—designed to detect an attempted intrusion, breach, or attack; the use of an unauthorized entry/point; or the occurrence of some specific event at an unauthorized or abnormal time.

Security Policies

are the most crucial element in a corporate information security infrastructure and must be considered long before security technology is acquired and deployed. Policies are high-level statements that provide management's beliefs, goals, and objectives. First step in establishing an information security program: management needs a program-level policy to help establish a security program, assign program-management responsibilities, state an organization-wide computer security purpose and objectives, and establish a basis for policy compliance. Quiz prompt: an effective information security policy should not have which of the following characteristics? Program-level policies are long term and are not frequently changed.

protection mechanisms or protection controls

common characteristics of security controls. Not all security controls must have them, but many controls offer their protection for confidentiality, integrity, and availability through the use of these mechanisms.

electromagnetic interference (EMI)

Common mode: Generated by a difference in power between the hot and ground wires of a power source or operating electrical equipment.
Traverse mode: Generated by a difference in power between the hot and neutral wires of a power source or operating electrical equipment.

Network layer (layer 3)

decides how small bundles, or packets, of data route between destination systems on the same network or interconnected networks. Routers and bridge routers (brouters) are among the network hardware devices that function at layer 3.

Network (Internet) Layer protocols:

Internet Protocol (IP): The protocol of protocols. IP addresses are assigned by the Internet Assigned Numbers Authority to each host computer on the network. This serves as a logical ID. The IP address assists with the routing of information across the Internet. Outgoing data packets have the originator's IP address and the IP address of the recipient.

Address Resolution Protocol (ARP): ARP matches an IP address to an Ethernet address, which is a physical device (network adapter) that has a unique media access control (MAC) address assigned by the manufacturer of the device. MAC addresses are much longer numbers than IP addresses, and humans tend to work better with IP addresses than with MAC addresses. Thus, ARP and RARP (covered next) exist to help with network addressing tasks.

Reverse Address Resolution Protocol (RARP): If ARP translates an IP address to a MAC address, then RARP translates hardware interface (MAC) addresses to IP protocol addresses.

Internet Control Message Protocol (ICMP): ICMP is tightly integrated with the IP protocol. Some of its functions include announcing network errors and congestion, troubleshooting, and reporting timeouts. ICMP is the management protocol for TCP/IP and is often the source of security issues; network hackers use it to select targets and determine network-level information about these targets. For example, the common ping command, used to determine whether an IP or host name is online, is an ICMP command.

business continuity plan (BCP)

describes the critical processes, procedures, and personnel that must be protected in the event of an emergency. The formal implementation of the BCP requires a close examination of business practices and services that constitute the boundaries and define the scope of the plan. The steps of the BCP are identify the scope of the BCP, create the BIA, write the BCP, and obtain signoff of the tested BCP. The BCP reduces the risk to the business in case of a disruption in the continuity of business. Three categories of assets must be protected through BCP provisions and processes: people, buildings/facilities, and infrastructure.

Nonrepudiation

ensures that the subject of an activity or who caused an event cannot deny that the event occurred. Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.

RAID configurations

fault tolerance and system resilience

RAID-0: This is also called striping. It uses two or more disks and improves the disk subsystem performance, but it does not provide fault tolerance.

RAID-1: This is also called mirroring. It uses two disks, which both hold the same data. If one disk fails, the other disk includes the data so a system can continue to operate after a single disk fails. Depending on the hardware used and which drive fails, the system may be able to continue to operate without intervention, or the system may need to be manually configured to use the drive that didn't fail.

RAID-5: This is also called striping with parity. It uses three or more disks with the equivalent of one disk holding parity information. If any single disk fails, the RAID array will continue to operate, though it will be slower.

RAID-10: This is also known as RAID 1 + 0 or a stripe of mirrors, and is configured as two or more mirrors (RAID-1) configured in a striped (RAID-0) configuration. It uses at least four disks but can support more as long as an even number of disks are added. It will continue to operate even if multiple disks fail, as long as at least one drive in each mirror continues to function. For example, if it had three mirrored sets (called M1, M2, and M3 for this example) it would have a total of six disks. If one drive in M1, one in M2, and one in M3 all failed, the array would continue to operate. However, if two drives in any of the mirrors failed, such as both drives in M1, the entire array would fail.

Both software- and hardware-based RAID solutions are available. Software-based systems require the operating system to manage the disks in the array and can reduce overall system performance. They are relatively inexpensive since they don't require any additional hardware other than the additional disk(s). Hardware RAID systems are generally more efficient and reliable. While a hardware RAID is more expensive, the benefits outweigh the costs when used to increase availability of a critical component.

Business continuity planning (BCP)

focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources. As long as the continuity of the organization's ability to perform its mission-critical work tasks is maintained, BCP can be used to manage and restore the environment. The BCP process has four main steps:

Project scope and planning
Business impact assessment
Continuity planning
Approval and implementation

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) is another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools). It grants certain privacy rights to students older than 18 and the parents of minor students.

ISC2 Code of Ethics

helps certificate holders resolve dilemmas related to their practice and provides guidance on encouraging good behavior and discouraging poor behavior. It is expected of all IS specialists, helps define a high moral code of professional behavior, and speaks to the credibility of the individual. The ISC2 Code of Ethics includes: provide thorough and competent service to your customers and peers; judge not, lest you be judged; strive to protect society and its components.

Technical physical security controls

include access controls; intrusion detection; alarms; closed-circuit television (CCTV); monitoring; heating, ventilation, and air conditioning (HVAC); power supplies; and fire detection and suppression.

Physical controls for physical security

include fencing, lighting, locks, construction materials, mantraps, dogs, and guards.

Information Technology Security Evaluation Criteria (ITSEC)

is a European-developed criterion that fills a role roughly equivalent to the TCSEC for use throughout the European Community. Although the ITSEC and TCSEC have many similar requirements, they also have some important distinctions. The ITSEC places increased emphasis on integrity and availability and attempts to provide a uniform approach to the evaluation of both products and systems. ITSEC introduces the concept of the target of evaluation (TOE), which refers to the product or system under evaluation. It adds to the TCB security-relevant functions in addition to security-enforcing functions (as in TCSEC). ITSEC provides for functionality classes, assurance classes, and profiles for systems. It also introduces the security target (ST), a written document that contains these components:

A system security policy
Required security-enforcing functions
Required security mechanisms
Claimed ratings of minimum strength
Target evaluation levels, expressed as both functional and evaluation (F-xx and E-yy)

Security as a service (SECaaS)

is a cloud provider concept in which security is provided to an organization through or by an online entity. The purpose of SECaaS solutions is to reduce the cost and overhead of implementing and managing security locally. SECaaS often implements software-only security components that do not need dedicated on-premises hardware. SECaaS security components can include a wide range of security products, including authentication, authorization, auditing/accounting, anti-malware, intrusion detection, compliance and vulnerability scanning, penetration testing, and security event management.

Configuration management

is used to keep track of an organization's hardware, software, documentation, and related information. It tracks and, if needed, approves changes to the system.

network-based IDS (NIDS)

monitors a network by observing network traffic patterns.

TCB: Multiprocessing

provides for simultaneous execution of two or more programs by a processor (CPU). This can alternatively be done through parallel processing of a single program by two or more processors in a multiprocessor system that all have common access to main storage.

Encapsulating Security Protocol (ESP)

provides one or more of these security services:

Confidentiality (in IPSec tunnel mode)
Connectionless data integrity
Data origin authentication
Protection against replay attacks

Unlike AH, ESP operates under the principle of encapsulation; encrypted data is sandwiched between an ESP header and an ESP trailer. Again, IPSec does not mandate the use of any specific cryptosystem for confidentiality or sender authentication, but it supports a number of cryptographic algorithms.

Performing Reduction Analysis

Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. In the decomposition process, you must identify five key concepts:

Trust Boundaries: Any location where the level of trust or security changes
Data Flow Paths: The movement of data between locations
Input Points: Locations where external input is received
Privileged Operations: Any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security
Details about Security Stance and Approach: The declaration of the security policy, security foundations, and security assumptions

zero-day exploit

refers to an attack on a system exploiting a vulnerability that is unknown to others. However, security professionals use the term in different contexts and it has some minor differences based on the context.

TCB: Information storage

refers to the parts of a computer system that retain a physical state (information) for some interval of time, possibly even after electrical power to the computer is removed.

there are three overall categories of security policies:

regulatory, advisory, and informative. A regulatory policy is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance. An advisory policy discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management's desires for security and compliance within an organization. Most policies are advisory. An informative policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. An informative policy provides support, research, or background information relevant to the specific elements of the overall policy.

ISO Security Services

six security services to protect networks from attack:

Authentication: Access to documents can be restricted in one of two ways: by asking for a username and password or by using the hostname of the browser. The former, referred to as user authentication, requires creating a file of user IDs and passwords (an access control list; see Lesson 5, "Security Architecture and Design") and defining critical resources (such as files and documents) to the server.

Access control: Unlike authentication, which is security based on the user's identity, restricting access based on something other than identity is called access control. "Allow and deny" directives allow or deny access to network services based on hostname or address (see Lesson 5).

Data confidentiality: This service protects data against unauthorized disclosure and has two components: content confidentiality and message flow confidentiality. The former protects the plain-text message from unauthorized disclosure; the latter allows the originating network to conceal the path or route that the message followed on its way to the recipient. Message flow confidentiality is useful in preventing an attacker from obtaining information from observing the message.

Data integrity: The goal is to protect data from accidental or malicious modification, whether during data transfer, during data storage, or from an operation performed on it, and to preserve it for its intended use.

Nonrepudiation: This service guarantees that the sender of a message cannot deny having sent the message and the receiver cannot deny having received the message.

Logging and monitoring: These services allow IS specialists to observe system activity during and after the fact by using monitoring and logging tools. These include operating system logs, server records, application log errors, warnings, and observation of network switch and router traffic between network segments.

object within a trusted system

that people want to access or use (such as a program). Objects are labeled with a sensitivity level.

annualized rate of occurrence (ARO)

that reflects the number of times a business expects to experience a given disaster each year.

Smoke-actuated systems

use photoelectric or radioactive ionization sensors as triggers.

asymmetric encryption

uses public-private key pairs (two keys) for communication between parties but operates much more slowly than symmetric algorithms.

Warm Sites

the warm-site facility is a compromise between the services offered by hot- and cold-site vendors. A warm-site facility provides the building and environmental services previously mentioned, with the addition of the hardware and communication links already established. However, the customer's applications are not installed, nor are workstations provided.

CIA Triad

these goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs.

Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality focuses security measures on ensuring that no one other than the intended recipient of a message receives it or is able to read it.

Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. It ensures that data remains correct, unaltered, and preserved. Properly implemented integrity protection provides a means for authorized changes while protecting against intentional and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as errors or oversights).

Availability means authorized subjects are granted timely and uninterrupted access to objects. Often, availability protection controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation. If a security mechanism offers availability, it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects. Availability includes efficient uninterrupted access to objects and prevention of denial-of-service (DoS) attacks. Availability also implies that the supporting infrastructure (including network services, communications, and access control mechanisms) is functional and allows authorized users to gain authorized access. Availability depends on both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained.

Physical layer (layer 1)

transmits bit streams on a physical medium. It manages the interfaces of physical devices with physical transmission media, such as coaxial cable. This layer has the fewest tasks to perform: it sends bit streams across the network to another device and receives a bit stream response in return. The High Speed Serial Interface (HSSI) is one example of a standard interface working at the Physical layer.

business impact analysis (BIA)

evaluates risks to the organization and prioritizes the systems in use for purposes of recovery. Mission-critical systems (systems that are essential for the ongoing operation of the business) are at the top of the list, followed by less critical systems and then "nice to have" systems that are nonessential for the business to remain in business.

NAT (Network Address Translation)

was developed to let private networks use the private address ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), which are never routed on the public Internet, so that internal addresses cannot collide or conflict with public Internet hosts. In effect, NAT translates the private source addresses of your internal clients to one or more public addresses leased for your environment and translates the replies back; in the common port-based form (NAPT), many internal hosts share a single public address and are told apart by port number.
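The translation described above, as an added example that is not part of the original study set: a minimal port-based NAT (NAPT) table in Python. Two internal hosts that happen to use the same source port each receive their own public port, replies are mapped back to the right host, and an unsolicited inbound packet with no mapping is dropped. All addresses are constructed for the example (RFC 1918 space inside, RFC 5737 documentation addresses outside); the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses for the example: RFC 1918 space inside the network,
# a documentation-range (RFC 5737) address as the single public address.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.10"

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Nat:
    """Port-based NAT (NAPT): many private endpoints share one public address."""
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    out_table: Dict[Endpoint, int] = field(default_factory=dict)  # private endpoint -> public port
    in_table: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> private endpoint

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of a packet leaving the private network; create a mapping if needed."""
        if ipaddress.ip_address(src[0]) not in PRIVATE_NET:
            raise ValueError(f"{src[0]} is not an internal address")
        port = self.out_table.get(src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[src] = port
            self.in_table[port] = src
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of a packet arriving from outside.
        Returns None (drop) when no mapping exists, which is why unsolicited
        inbound connections never reach an internal host."""
        if dst[0] != self.public_ip:
            return None
        inner = self.in_table.get(dst[1])
        if inner is None:
            return None
        return src, inner


def demo() -> dict:
    nat = Nat()
    host_a = ("192.168.1.10", 51515)
    host_b = ("192.168.1.11", 51515)       # same source port as host_a, no conflict
    web = ("198.51.100.5", 443)
    pub_a, _ = nat.outbound(host_a, web)
    pub_b, _ = nat.outbound(host_b, web)
    reply_a = nat.inbound(web, pub_a)      # translated back to host_a
    reply_b = nat.inbound(web, pub_b)      # translated back to host_b
    probe = nat.inbound(("198.51.100.9", 4444), (PUBLIC_IP, 22))  # no mapping: dropped
    return {"pub_a": pub_a, "pub_b": pub_b, "reply_a": reply_a, "reply_b": reply_b, "probe": probe}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "drop when no mapping exists" branch is the side effect that makes NAT look like a firewall; it is not one, since any internal host can open a mapping to any outside address.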

Functional requirements describe

what a system should do.

Security consultants

work with project-development teams to perform risk analysis of new systems by balancing the needs of business with the threats that stem from opening up access to data or managing new information that could compromise the business if it fell into the wrong hands. Security consultants are usually internal personnel who are assigned to project-development teams and remain with the project from inception to implementation.

What are the seven major steps or phases in the implementation of a classification scheme?

(1) Identify the custodian and define their responsibilities. (2) Specify the evaluation criteria of how the information will be classified and labeled. (3) Classify and label each resource. Although the owner conducts this step, a supervisor should review it. (4) Document any exceptions to the classification policy that are discovered and integrate them into the evaluation criteria. (5) Select the security controls that will be applied to each classification level to provide the necessary level of protection. (6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity. (7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.

four main types of water suppression systems

A wet pipe system (also known as a closed head system) is always full of water. Water discharges immediately when suppression is triggered. A dry pipe system contains compressed air. Once suppression is triggered, the air escapes, opening a water valve that in turn causes the pipes to fill and discharge water into the environment. A deluge system is another form of dry pipe system that uses larger pipes and therefore delivers a significantly larger volume of water. Deluge systems are inappropriate for environments that contain electronics and computers. A preaction system is a combination dry pipe/wet pipe system. The system exists as a dry pipe until the initial stages of a fire (smoke, heat, and so on) are detected, and then the pipes are filled with water. The water is released only after the sprinkler head activation triggers are melted by sufficient heat. If the fire is quenched before sprinklers are triggered, pipes can be manually emptied and reset. This also allows manual intervention to stop the release of water before sprinkler triggering occurs.

List three elements to identify when attempting to identify and prevent access control attacks.

Assets, threats, and vulnerabilities should be identified through asset valuation, threat modeling, and vulnerability analysis.

Know how to implement security awareness training

Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work tasks and to comply with the security policy, can begin. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.

best represents the three objectives of information security

Confidentiality, integrity, and availability

Know the various types of storage

Explain the differences between primary memory and virtual memory, secondary storage and virtual storage, random access storage and sequential access storage, and volatile storage and nonvolatile storage.

Describe software development maturity models

Know that maturity models help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, chaotic processes to mature, disciplined software processes. Be able to describe the SW-CMM and IDEAL models.

Understand the models of systems development

Know that the waterfall model describes a sequential development process that results in the development of a finished product. Developers may step back only one phase in the process if errors are discovered. The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes. Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.

Understand methods to block malicious code

Malicious code is thwarted with a combination of tools. The obvious tool is anti-malware software with up-to-date definitions installed on each system, at the boundary of the network, and on email servers. However, policies that enforce basic security principles, such as the principle of least privilege, prevent regular users from installing potentially malicious software. Additionally, educating users about the risks and the methods attackers commonly use to spread viruses helps users understand and avoid dangerous behaviors.

object-oriented programming terms

Message: A communication to or input of an object
Method: Internal code that defines the actions an object performs in response to a message
Behavior: The results or output exhibited by an object
Inheritance: Methods from a class are inherited by another subclass
Polymorphism: Characteristic of an object that allows it to respond with different behaviors to the same message
Coupling: Level of interaction between objects

Describe the purpose of monitoring the assignment and usage of special privileges.

Monitoring the assignment of special privileges detects when individuals are granted higher privileges, such as when they are added to an administrators group. It can detect when unauthorized entities are granted higher privileges. Monitoring the usage of special privileges detects when entities are using higher privileges, such as creating unauthorized accounts, accessing or deleting logs, and creating automated tasks. This monitoring can detect potential malicious insiders and remote attackers.

Understand the eDiscovery process.

Organizations that believe they will be the target of a lawsuit have a duty to preserve digital evidence in a process known as electronic discovery, or eDiscovery. The eDiscovery process includes information governance, identification, preservation, collection, processing, review, analysis, production, and presentation activities.

Recognize what a phreaker is

Phreaking is a specific type of attack in which various types of technology are used to circumvent the telephone system to make free long-distance calls, to alter the function of telephone service, to steal specialized services, or even to cause service disruptions. Common tools of phreakers include black, red, blue, and white boxes.

name the physical controls for physical security

Physical controls for physical security are fencing, lighting, locks, construction materials, mantraps, dogs, and guards.

Implementations of RSA Public-Private Key (PPK)

Public-private key cryptography has found its way into numerous implementations intended to better secure Internet communications and prove identities, including these systems:
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
Pretty Good Privacy (PGP)
Secure Multipurpose Internet Mail Extensions (S/MIME)
Secure Electronic Transactions (SET)

Understand common characteristics of security controls.

Security controls should be transparent to users. Hash totals and CRC checks can be used to verify message integrity against accidental corruption; only a keyed mechanism such as a MAC or digital signature protects against deliberate modification, because an attacker can recompute an unkeyed check value after tampering. Record sequences (sequence numbers) are used to ensure sequence integrity of a transmission and to detect replayed or missing records. Transmission logging helps detect communication abuses.
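Added example (not part of the original study set) contrasting the two kinds of integrity check above in Python: a CRC-32 hash total catches an accidental bit flip but is trivially recomputed by an attacker, while an HMAC-SHA256 tag plus a sequence number rejects both a tampered frame and a replayed one. The message, key, and frame layout are constructed for the example; the function and class names are this example's own.

```python
import hashlib
import hmac
import secrets
import zlib


def crc_frame(payload: bytes) -> bytes:
    """Append a CRC-32 'hash total' to a payload, as a link layer typically does."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    payload, crc = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == crc


def mac_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sequence number + payload + HMAC-SHA256 over both: forging the tag needs the key,
    and the sequence number makes replays and reordering detectable."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame: bytes):
        header, payload, tag = frame[:4], frame[4:-32], frame[-32:]
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):   # constant-time comparison
            return "rejected: bad tag"
        seq = int.from_bytes(header, "big")
        if seq != self.expected_seq:
            return f"rejected: sequence {seq}, expected {self.expected_seq}"
        self.expected_seq += 1
        return payload


def flip_last_bit(data: bytes) -> bytes:
    return data[:-1] + bytes([data[-1] ^ 0x01])


def demo() -> dict:
    key = secrets.token_bytes(32)          # shared only by sender and receiver
    msg = b"TRANSFER 100 TO ACCOUNT 42"    # constructed sample message

    # CRC catches an accidental bit flip in transit (original CRC, corrupted payload)...
    noisy = flip_last_bit(msg) + crc_frame(msg)[-4:]
    # ...but an attacker who changes the payload simply recomputes the CRC.
    forged = crc_frame(b"TRANSFER 900 TO ACCOUNT 42")

    rx = Receiver(key)
    good = rx.accept(mac_frame(key, 0, msg))
    frame1 = mac_frame(key, 1, msg)
    tampered = rx.accept(frame1[:4] + flip_last_bit(frame1[4:-32]) + frame1[-32:])
    second = rx.accept(frame1)             # genuine frame 1 arrives
    replayed = rx.accept(frame1)           # replay: tag still valid, sequence wrong
    return {
        "crc_accidental": crc_check(noisy),   # False: corruption detected
        "crc_forged": crc_check(forged),      # True: CRC gives no protection against an attacker
        "mac_good": good,
        "mac_tampered": tampered,
        "mac_second": second,
        "mac_replay": replayed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```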

Organizational Roles and Responsibilities

Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. The senior manager must sign off on all policy issues. In fact, all activities must be approved by and signed off on by the senior manager before they can be carried out. There is no effective security policy if the senior manager does not authorize and support it. The senior manager's endorsement of the security policy indicates the accepted ownership of the implemented security within the organization. The senior manager is the person who will be held liable for the overall success or failure of a security solution and is responsible for exercising due care and due diligence in establishing security for an organization. Even though senior managers are ultimately responsible for security, they rarely implement security solutions. In most cases, that responsibility is delegated to security professionals within the organization.

Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. The security professional has the functional responsibility for security, including writing the security policy and implementing it. The role of security professional can be labeled as an IS/IT function role. The security professional role is often filled by a team that is responsible for designing and implementing security solutions based on the approved security policy. Security professionals are not decision makers; they are implementers. All decisions must be left to the senior manager.

Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. The data owner is typically a high-level manager who is ultimately responsible for data protection. However, the data owner usually delegates the responsibility of the actual data management tasks to a data custodian.

Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. The data custodian performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification.

User: The user (end user or operator) role is assigned to any person who has access to the secured system. A user's access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position (the principle of least privilege). Users are responsible for understanding and upholding the security policy of an organization by following prescribed operational procedures and operating within defined security parameters.

Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. The auditor role may be assigned to a security professional or a trained user. The auditor produces compliance and effectiveness reports that are reviewed by the senior manager. Issues discovered through these reports are transformed into new directives assigned by the senior manager to security professionals or data custodians. The auditor is listed as the final role because the auditor needs a source of activity (that is, users or operators working in an environment) to audit or monitor.

Understand split knowledge.

Split knowledge means that the information or privilege required to perform an operation is divided among multiple users. This ensures that no single person has sufficient privileges to compromise the security of the environment. M of N Control, in which any M of N authorized people must cooperate to perform the operation (for example, recovering a master key from its escrowed parts), is an example of split knowledge.

Understand spoofing attacks.

Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of users so that they can spoof the user's identity. Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing. Many phishing attacks use spoofing methods.

Trusted Computer System Evaluation Criteria (TCSEC):Division D: Minimal Protection

TCSEC reserves Division D for systems that have been formally evaluated but fail to meet the requirements for a higher evaluation class. This classification is also used for unrated or untested systems. TCSEC does not contain specific requirements for Division D evaluations, but some of the TCSEC interpretation documents (including other Rainbow Series documents) do permit specifying Division D levels of evaluation.

Patent and Trademark Office (PTO)

The PTO was geared to the world of processes, manufactured articles, and machinery, and it did not recognize original claims to scientific truth or mathematical expressions as in software.

Privacy Act of 1974

The Privacy Act mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government. It provides a formal procedure for individuals to gain access to records the government maintains about them and to request that incorrect records be amended.

key elements in making a site selection and designing a facility for construction.

The key elements in making a site selection are visibility, composition of the surrounding area, area accessibility, and the effects of natural disasters. A key element in designing a facility for construction is understanding the level of security needed by your organization and planning for it before construction begins.

Know the basics of threat modeling.

Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, PASTA, Trike, VAST, diagramming, reduction/decomposing, and DREAD.

OSI Model

Application, Presentation, Session, Transport, Network, Data Link, Physical

Understand the process of authentication

Authentication is the process of verifying or testing that a claimed identity is valid. Authentication requires information from the subject that must exactly correspond to the identity indicated.

Name at least three types of attacks used to discover passwords.

Brute-force attacks, dictionary attacks, sniffer attacks, rainbow table attacks, and social-engineering attacks are all known methods used to discover passwords.

static electricity

Even on nonstatic carpeting, if the environment has low humidity it is still possible to generate 20,000-volt static discharges. Even minimal levels of static discharge can destroy electronic equipment.

Understand the differences between HIDSs and NIDSs

Host-based IDSs (HIDSs) can monitor activity on a single system only. A drawback is that attackers can discover and disable them. A network-based IDS (NIDS) can monitor activity on a network, and a NIDS isn't as visible to attackers.

control the environment

In addition to power considerations, maintaining the environment involves control over the HVAC mechanisms. Rooms containing primarily computers should be kept at 60 to 75 degrees Fahrenheit (15 to 23 degrees Celsius). Humidity in a computer room should be maintained between 40 and 60 percent. Too much humidity can cause corrosion. Too little humidity causes static electricity.

personnel privacy and safety

In all circumstances and under all conditions, the most important aspect of security is protecting people. Thus, preventing harm to people is the most important goal for all security solutions.

Discuss and describe the CIA Triad.

The CIA Triad is the combination of confidentiality, integrity, and availability. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, information, or resources. Integrity is the concept of protecting the reliability and correctness of data. Availability is the concept that authorized subjects are granted timely and uninterrupted access to objects. The term CIA Triad is used to indicate the three key components of a security solution.

Software piracy:

The attacker copies or downloads software and uses it without permission.

Emanation eavesdropping:

The attacker intercepts radio frequency (RF) signals unintentionally emanated by computers, monitors, and cabling (not only wireless devices) to extract sensitive or classified information. The U.S. government's TEMPEST program addresses this problem by requiring shielding on equipment that processes such data. Operated by the U.S. Department of Defense (DoD), the TEMPEST program has created a cottage industry of companies that build protective equipment to prevent foreign spies from collecting stray computer signals issued from DoD labs or U.S. embassies.

What are the requirements to hold a person accountable for the actions of their user account?

The requirements of accountability are identification, authentication, authorization, and auditing. Each of these components needs to be legally supportable to truly hold someone accountable for their actions.

Cryptography relies on two basic methods:

transposition and substitution. With transposition, ciphertext is created by rearranging the characters of a message according to a pattern derived from a shared secret key; the letters themselves are unchanged. In substitution, letters are exchanged for other letters based on a substitution pattern known to both sender and receiver; the positions are unchanged. Modern block ciphers combine rounds of both.
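Added example (not part of the original study set) implementing both methods in Python: a keyword-driven columnar transposition and a keyword-derived monoalphabetic substitution, plus the check a cryptanalyst uses to tell them apart. Transposition leaves the multiset of letters identical to the plaintext, and substitution leaves the shape of the letter-frequency profile identical, which is exactly why neither survives frequency analysis. The keywords and sample message are constructed for the example; the function names are this example's own.

```python
import string
from collections import Counter


def _letters(text: str) -> str:
    """Keep A-Z only; classical ciphers operate on a bare letter stream."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


# --- Transposition: columnar, keyed by the alphabetical order of the keyword ---

def _column_order(key: str):
    return sorted(range(len(key)), key=lambda i: (key[i].upper(), i))


def transpose_encrypt(plaintext: str, key: str) -> str:
    text, cols = _letters(plaintext), len(key)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    # Read the grid column by column, columns taken in keyword order.
    return "".join("".join(r[c] for r in rows if c < len(r)) for c in _column_order(key))


def transpose_decrypt(ciphertext: str, key: str) -> str:
    cols = len(key)
    full_rows, rem = divmod(len(ciphertext), cols)
    columns, pos = {}, 0
    for c in _column_order(key):
        length = full_rows + (1 if c < rem else 0)   # left-hand columns hold the partial last row
        columns[c] = ciphertext[pos:pos + length]
        pos += length
    return "".join(columns[c][r] for r in range(full_rows + 1)
                   for c in range(cols) if r < len(columns[c]))


# --- Substitution: monoalphabetic, with a keyword-derived cipher alphabet ---

def keyed_alphabet(key: str) -> str:
    seen = []
    for ch in key.upper() + string.ascii_uppercase:
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitute(text: str, key: str, decrypt: bool = False) -> str:
    cipher_alpha = keyed_alphabet(key)
    src, dst = ((cipher_alpha, string.ascii_uppercase) if decrypt
                else (string.ascii_uppercase, cipher_alpha))
    return _letters(text).translate(str.maketrans(src, dst))


def frequency_profile(text: str):
    """Letter counts, highest first, with the letters themselves removed."""
    return sorted(Counter(text).values(), reverse=True)


if __name__ == "__main__":
    msg = "ATTACK AT DAWN ON THE EASTERN FRONT"   # constructed sample plaintext
    ct = transpose_encrypt(msg, "ZEBRAS")
    print(ct, transpose_decrypt(ct, "ZEBRAS"))
    print("same letters as plaintext:", sorted(ct) == sorted(_letters(msg)))
    sub = substitute(msg, "KRYPTOS")
    print(sub, substitute(sub, "KRYPTOS", decrypt=True))
    print("same frequency profile:", frequency_profile(sub) == frequency_profile(_letters(msg)))
```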

Asymmetric encryption

two keys are used; one key encrypts the message, and the other key decrypts it. Asymmetric algorithms are slow, complex, and computationally intensive, and require added system resources and extra time to encrypt and decrypt data. Therefore, they are not used to encrypt bulk data. Instead, the public-private key pair is used to protect and distribute the symmetric keys (session keys and secret keys) that do the bulk encryption, and to provide automated key distribution and digital signatures; this combination is known as hybrid encryption.
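Added example (not part of the original study set) of the hybrid arrangement described above, in Python using only the standard library: a fresh symmetric session key encrypts and authenticates the message, and the recipient's RSA public key wraps that session key. RSA key generation (Miller-Rabin primes, e = 65537) and the HMAC-SHA256 counter-mode keystream are this example's own toy constructions; the RSA step is textbook (unpadded) RSA, which is adequate to show the mechanism but must be replaced by RSA-OAEP or a library such as `cryptography` in real code. Requires Python 3.8+ for the modular inverse via `pow(e, -1, phi)`.

```python
import hashlib
import hmac
import secrets


# ---- Asymmetric part: textbook RSA, key generation with Miller-Rabin ----

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 1024):
    """Returns (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


# ---- Symmetric part: HMAC-SHA256 in counter mode as a keystream, plus a MAC ----

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(public, plaintext: bytes):
    """Encrypt bulk data symmetrically; protect the one-time session keys with RSA."""
    n, e = public
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    session = int.from_bytes(enc_key + mac_key, "big")   # 512 bits, always < n for a 1024-bit modulus
    # Textbook RSA with no padding: fine for a demonstration, never for production (use RSA-OAEP).
    wrapped_key = pow(session, e, n)
    return wrapped_key, nonce, ciphertext, tag


def open_envelope(private, wrapped_key: int, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    n, d = private
    session = pow(wrapped_key, d, n).to_bytes(64, "big")
    enc_key, mac_key = session[:32], session[32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or tag was modified")
    return stream_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keygen(1024)
    envelope = seal(pub, b"constructed sample message: the session key travels inside the RSA envelope")
    print(open_envelope(priv, *envelope))
```

Only 64 bytes of key material ever go through the slow RSA operation, however large the message is; the bulk data costs one HMAC per 32-byte block. Timing `seal` on a multi-megabyte input against a pure-RSA loop over the same data makes the speed argument in the definition concrete.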

