Official (ISC)² SSCP
File Transfer Protocol (FTP
) A protocol used to transfer files from one system to another. Data is transmitted in cleartext using TCP ports 20 and 21. See also Secure File Transfer Protocol (SFTP) and Trivial File Transfer Protocol (TFTP).
SECURITY FUNDAMENTALS: 1. How many years of experience are required to earn the Associate of (ISC)2 designation? A. Zero B. One C. Two D. Five
1. A. You don't need to meet the experience requirement to earn the Associate of (ISC)2 designation, so zero years of experience are required. The SSCP certification requires one year of direct full-time security work experience. If you earn the Associate of (ISC)2 designation, you have two years from the date (ISC)2 notifies you that you have passed the SSCP exam to obtain the required experience and apply to become a fully certified SSCP (which includes submitting the required endorsement form). The CISSP certification requires five years of experience.
10. Which one of the following concepts provides the strongest security? A. Defense in depth B. Nonrepudiation C. Security triad D. AAAs of security
10. A. Defense in depth provides a layered approach to security by implementing several different security practices simultaneously and is the best choice of the available answers to provide the strongest security. The security triad (confidentiality, integrity, and availability) identifies the main goals of security. Nonrepudiation prevents an individual from denying that he or she took an action. The AAAs of security are authentication, authorization, and accounting.
11. Which of the following would a financial institution use to validate an e-commerce transaction? A. Nonrepudiation B. Least privilege C. Authentication D. Signature
11. A. Digital signatures used by some online institutions to validate transactions and provide nonrepudiation. Least privilege ensures that users have only the rights and permissions they need to perform their jobs, and no more. Authentication verifies a user's identity. A written signature is not used in e-commerce.
12. What are the AAAs of information security? A. Authentication, availability, and authorization B. Accounting, authentication, and availability C. Authentication, authorization, and accounting D. Availability, accountability, and authorization
12. C. The AAAs of information security are authentication, authorization, and accounting. Availability is part of the CIA security triad (confidentiality, integrity, and availability), but it is not part of the AAAs of information security.
13. You want to ensure that a system can identify individual users, track their activity, and log their actions. What does this provide? A. Accountability B. Availability C. Authentication D. Authorization
13. A. If a system can identify individual users, track their activity, and log their actions, it provides accountability. Availability ensures the system is operational when needed. Authentication identifies the individual using credentials. Authorization identifies resources that a user can access.
14. Which of the following is required to support accountability? A. Encryption B. Authentication C. Hashing D. Redundant systems
14. B. Users prove their identity with authentication, and strong authentication mechanisms are required to support accountability. Encryption helps provide confidentiality. Hashing helps provide integrity. Redundant systems help provide availability.
15. Which of the following statements accurately describes due care? A. It is the practice of implementing security policies and procedures to protect resources. B. Due care eliminates risk. C. A company is not responsible for exercising due care over PII. D. Organizations cannot be sued if they fail to exercise due care over resources such as customer data.
15. A. Due care is the practice of implementing security policies and procedures to protect resources. You cannot eliminate risk. A company is responsible for exercising due care over PII and can be sued if it fails to exercise due care.
2. What are the three elements of the security triad? A. Authentication, authorization, and accounting B. Confidentiality, integrity, and availability C. Identification, authentication, and authorization D. Confidentiality, integrity, and authorization
2. B. The CIA security triad includes three fundamental principles of security designed to prevent losses in confidentiality, integrity, and availability. Authentication, authorization, and accounting are the AAAs of security, and identification, authentication, and authorization are required for accountability, but these are not part of the CIA security triad.
what is the min distance an alt site should be
20 miles
3. Who is responsible for ensuring that security controls are in place to protect against the loss of confidentiality, integrity, or availability of their systems and data? A. IT administrators B. System and information owners C. CFO D. Everyone
3. B. System and information owners are responsible for ensuring that these security controls are in place. IT administrators or other IT security personnel might implement and maintain them. While it can be argued that the Chief Executive Officer (CEO) is ultimately responsible for all security, the Chief Financial Officer is responsible for finances, not IT security. Assigning responsibility to everyone results in no one taking responsibility.
4. You are sending an e-mail to a business partner that includes proprietary data. You want to ensure that the partner can access the data but that no one else can. What security principle should you apply? A. Authentication B. Availability C. Confidentiality D. Integrity
4. C. Confidentiality helps prevent the unauthorized disclosure of data to unauthorized personnel, and you can enforce it with encryption in this scenario. Authentication allows a user to claim an identity (such as with a username) and prove the identity (such as with a password). Availability ensures that data is available when needed. Integrity ensures that the data hasn't been modified.
5. Your organization wants to ensure that attackers are unable to modify data within a database. What security principle is the organization trying to enforce? A. Accountability B. Availability C. Confidentiality D. Integrity
5. D. Integrity ensures that data is not modified, and this includes data within a database. Accountability ensures that systems identify users, track their actions, and monitor their behavior. Availability ensures that IT systems and data are available when needed. Confidentiality protects against the unauthorized disclosure of data.
6. An organization wants to ensure that authorized employees are able to access resources during normal business hours. What security principle is the organization trying to enforce? A. Accountability B. Availability C. Integrity D. Confidentiality
6. B. Availability ensures that IT systems and data are available when needed, such as during normal business hours. Accountability ensures that users are accurately identified and authenticated, and their actions are tracked with logs. Integrity ensures that data is not modified. Confidentiality protects the unauthorized disclosure of data to unauthorized users.
7. An organization has created a disaster recovery plan. What security principle is the organization trying to enforce? A. Authentication B. Availability C. Integrity D. Confidentiality
7. B. Availability ensures that IT systems and data are available when needed. Disaster recovery plans help an organization ensure availability of critical systems after a disaster. Users prove their identity with authentication. Integrity provides assurances that data and systems have not been modified. Confidentiality protects against the unauthorized disclosure of data.
8. Your organization has implemented a least privilege policy. Which of the following choices describes the most likely result of this policy? A. It adds multiple layers of security. B. No single user has full control over any process. C. Users can only access data they need to perform their jobs. D. It prevents users from denying they took an action.
8. C. The principle of least privilege ensures that users have access to the data they need to perform their jobs, but no more. Defense in depth ensures an organization has multiple layers of security. Separation of duties ensures that no single user has full control over any process. Nonrepudiation prevents users from denying they took an action.
9. Your organization wants to implement policies that will deter fraud by dividing job responsibilities. Which of the following policies should they implement? A. Nonrepudiation B. Least privilege C. Defense in depth D. Separation of duties
9. D. Separation of duties helps prevent fraud by dividing job responsibilities and ensuring that no single person has complete control over an entire process. Nonrepudiation ensures that parties are not able to deny taking an action. The principle of least privilege ensures that users have only the rights and permissions they need to perform their jobs, but no more. Defense in depth provides a layered approach to security.
Media Access Control (MAC) address
A 48bit or 12digit hexadecimal num ber (such as 6c626cba736c) assigned to a network interface card (NIC). The MAC address uniquely identifies the computer in a network. Also called physical address or hardware address.
distributed denial of service (DDoS)
A DoS attack launched against a single system from multiple attackers. Botnets are often used in DDoS attacks.
COTS
A Federal Acquistion Regulation (FAR) term for commercial off-the-shelf (COTS) items, that can be purchased n the commercial marketplace and used under government contract.
ActiveX
A Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. It is a framework for defining reusable software components in a programming language-independent manner
Secure Shell (SSH)
A basic encryption protocol used to create a secure session between two computers. SSH is used to encrypt other protocol traffic such as File Trans fer Protocol (FTP) (called Secure FTP [SFTP]) and Secure Copy (SCP) traffic. It is a secure alternative to tools such as Telnet, rlogin, rsh, and rexec. SSH uses port 22.
Telnet
A basic protocol used to interact with a remote system using textbased com mands.Telnetsendsdata(includinglogincredentials)acrossthenetworkincleartext,which attackers can capture and read using a sniffer. Secure Shell (SSH) is a secure alternative.
Lightweight Directory Access Protocol (LDAP)
A client/server-based directory query protocol loosely based on X.500, commonly used to manage user information. LDAP is a front end and not used to manage or synchronize data per se as opposed to DNS.
private cloud
A cloudbased service available only to users within an organization. As an example, a company can set up cloudbased storage for its employees. Compare to public cloud, community cloud, and hybrid cloud.
public cloud
A cloudbased service provided by a thirdparty vendor and available to anyone. As an example, Apple provides cloudbased storage via its iCloud service. Compare to private cloud, community cloud, and hybrid cloud.
community cloud
A cloudbased service shared by two or more organizations. It is similar to a private cloud in that it is not available to the public. Compare to public cloud, private cloud, and hybrid cloud.
hybrid cloud
A cloudbased service that is a combination of any two or more clouds. Compare to public cloud, community cloud, and private cloud.
Attribute
A column in a two-dimensional database.
Tree
A combination of a bus topology and a star topology. Instead of connecting multiple computer nodes in the bus configuration, it connects multiple star networks along a type of a bus network. See also bus, mesh, star, and token ring.
Arithmetic logic unit (ALU)
A component of the computer's processing unit, in which arithmetic and matching operations are performed.
Honeypot
A computer set up to entice wouldbe attackers. It is often configured with weak security so that an attacker can easily hack into it, and usually has fake data that has no use to the company.
CMDB
A configuration management database (CMDB) is a repository that contains a collection of IT assets that are referred to as configuration items.
Transmission Control Protocol (TCP)
A connection oriented protocol that provides guaranteed reliable communication for devices on a network. A three way handshake establishes a TCP connection. TCP uses packet sequencing, and the destination acknowledges every packet that it receives.
virtual private network (VPN)
A connection that provides access to a private network over a public network such as the Internet. VPNs use tunneling protocols (such as Point to Point Tunneling Protocol [PPTP] or Layer 2 Tunneling Protocol [L2TP]) to secure the traffic.
User Datagram Protocol (UDP)
A connectionless protocol that uses a best effort to send data without verification. Instead of checking to see whether a connection exists with another system before sending data, it simply sends it. In comparison, Transport Control Protocol (TCP) is a connection oriented protocol that ensures a connection exists before sending data. As an example, Trivial File Transport Protocol (TFTP) uses UDP, but File Transport Protocol (FTP) uses TCP.
knownplaintext attack
A cryptanalysis attack used when the attacker has sam ples of both plaintext and ciphertext data. For example, if an attacker has plaintext from an encrypted message, the attacker can then use different methods to try to decrypt the ciphertext to the known text. If the known text is decrypted, the same method can decrypt similar data.
ciphertext attack
A cryptanalysis attack. Attackers use this when they only have ciphertext for analysis without any useful information about the plaintext data.
Defense in Depth
A defense that uses multiple types of security devices to protect a network. Also called layered security.
defense diversity
A defenseindepth strategy using dissimilar technologies. Implementing a demilitarized zone (DMZ) with firewalls from two separate vendors is an example of defense diversity.
hardware token
A device held by a user that displays a number or a password that changes frequently, such as every 60 seconds. The number is synchronized with a server and used as a onetime password.
Configuration Management (CM)
A discipline that seeks to manage configuration changes so that they are appropriately approved and documented, so that the integrity of the security state is maintained, and so that disruptions to performance and availability are minimized.
chain of custody
A document that shows exactly where a piece of evidence is from the point it is collected until it is disposed. A chain of custody provides proof that evi dence has been protected. If the chainofcustody document is not present, the validity of the evidence can be questioned and its usefulness negated.
disaster recovery plan (DRP)
A document used to provide an organization with a plan to restore critical operations after a disaster. The overall goal is to provide employ ees with clearcut steps on what to do and the order of these steps.
false positive
A false indication of an attack or a vulnerability. Vulnerability scan ners can give false positives indicating that a vulnerability exists even though it doesn't. Similarly, intrusion detection systems can give an indication that a system is being attacked even when it isn't.
Certificate
A file used for security purposes, such as authentication, encryption, pro tection of email, and code signing. Certificate authorities issue and manage certificates.
digital signature
A file used to provide authentication, integrity, and nonrepudia tion security for email. A digital signature is created by hashing an email message and then encrypting the hash with the sender's private key. It is decrypted with the sender's public key.
Pre-action System
A fire suppression system that contains water in the pipes but will not release the water until detectors in the area have been activated. This can eliminate concerns of water damage due to accidental or false activation.
Dry System
A fire suppression system that does not have water in the pipes until the electric valve is stimulated by excess heat.
Deluge System
A fire suppression system with open sprinker heads, water is held back until a detector in the area is activated.
stateful inspection firewall
A firewall that filters traffic based on the state of existing connections. It identifies active connections as they are created and monitors the status of these connections in a state table within the firewall.
packetfiltering firewall
A firewall that filters traffic by examining the contents of a packet. A packetfiltering firewall can filter traffic based on IP addresses, subnet addresses, ports, some protocols, or any combination of these.
networkbased firewall
A firewall that provides protection for a network. Traffic to and from the network flows through the networkbased firewall. Compare to host based firewall.
hostbased firewall
A firewall that provides protection for a single host. Many operating systems include hostbased firewalls running as additional software. Compare to networkbased firewall.
Multifactor Authentication
A form of authentication where a user must use two or more factors to prove his or her identity.
Virus
A form of malicious software (malware). It is an application or a piece of code that causes unexpected and usually negative events on computers. One of the key characteristics of a virus is that the infected file must be executed for the virus to run.
Common Criteria
A framework used to evaluate systems, formally known as Com mon Criteria for Information Technology Security Evaluation. It provides assurances that the specification, implementation, and evaluation of a system's security has gone through a rigorous and standardized process.
Botnet
A group of computers (called zombies) controlled by an attacker. The term botnet is derived from robot and network. The attacker manages a command control cen ter, and the computers in the botnet do the bidding of the attacker.
Message Digest 5 (MD5)
A hashing algorithm used for integrity. MD5 creates a 128bit hash. The U.S. government considers it cryptographically broken, so it is not recom mended for use in many government applications. SHA3 is a much stronger alternative.
Secure Hashing Algorithm 1 (SHA1)
A hashing algorithm used for integrity. SHA1 creates a 160bit hash. Due to vulnerabilities, it is no longer recommended for use.
Secure Hashing Algorithm 2 (SHA2)
A hashing algorithm used for integrity. SHA2 is a hash of 224, 256, 384, or 512 bits. It is an improvement to SHA1, though many experts believe it will be broken because it functions similarly to SHA1.
Bastion host
A highly exposed device that will most likely be targeted for attacks, and thus should be hardened.
advanced persistent threat (APT)
A highly sophisticated group of attackers who have the capability and intent to carry out successful attacks. Many governments are suspected of sponsoring groups known as APTs.
primary key
A key used in databases that ensures that each row or tuple within a table is unique.
private key
A key used with public key cryptography for asymmetric encryption. A private key is part of a matched pair (matched to a public key). A private key is kept private and not shared with other entities. Compare to public key and session key.
public key
A key used with public key cryptography for asymmetric encryption. A public key is part of a matched pair (matched to a private key). A public key is freely shared and distributed within a certificate. Compare to private key and session key.
Session-key
A key used with symmetric encryption. It is sometimes called a sym metric key. Compare to private key, public key, and asymmetric key.
PasswordBased Key Derivation Function 2 (PBKDF2)
A keystretching algorithm that adds a salt of at least 64 bits and then applies a cryptographic function multiple times. Salting helps thwart rainbow table attacks.
Bcrypt
A keystretching algorithm used to protect passwords on UNIX and Linux distributions stored in the shadow password file. It salts passwords before encrypting them with Blowfish, which helps thwart rainbow table attacks.
baseline
A known starting point. Baselines are an important element of configura tion control and are often implemented with images. If the baseline configuration is known, it's relatively simple to check the system to determine whether the configuration has been modified from the baseline. Anomalybased intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) also use baselines by first documenting normal behavior in the form of a baseline. The system then monitors the activity and constantly compares it to the baseline.
Whitelist
A list of authorized applications. Application whitelisting identifies specific applications that can run on a system and all other applications are blocked. Compare to blacklist.
Blacklist
A list of prohibited applications. Application blacklisting identifies specific applications that cannot run on a system. Compare to whitelist.
access control list (ACL)
A list of rules. ACLs are most commonly associated with routers and firewalls. The rules identify the traffic allowed in or out of a network. On hostbased firewalls, the rules identify the traffic allowed in or out of a system.
Assembly language
A low-level programming language that is the mnemonic representation of machine-level instructions.
Control
A means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerabil ity in a system. Controls are risk management tools. The terms control, countermeasure, and safeguard are often used interchangeably.
Countermeasure
A means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. Controls are risk management tools. The terms control, coun termeasure, and safeguard are often used interchangeably.
Safeguard
A means, method, action, technique, process, procedure, or device that reduces the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. Controls are risk management tools. The terms control, countermeasure, and safeguard are often used interchangeably.
Logical Access Control
A mechanism that limits access to computer systems and network resources.
Physical Access Control
A mechanism that limits access to physical resources, such as buildings or rooms (ex: lock doors, alarm systems, cipher locks, CCTVs, guards)
anomaly based
A method of detection used by intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). The IDS/IPS attempts to document normal behavior in the form of a baseline. It then monitors the activity and constantly compares it to the baseline. If the current activity differs significantly from the baseline, the IDS/ IPS will issue an alert on the activity.
Online Certificate Status Protocol (OCSP)
A method of validating certifi cates with a certificate authority (CA). Clients send the serial number of a certificate to a server known as an OCSP responder. The OCSP responder identifies the health of the certificate with an answer of "good," "revoked," or "unknown."
Signature-based detection
A method of virus detection used to detect known viruses. Viruses have specific characteristics that can be used to identify them uniquely. The signature can be a unique characteristic such as a specific byte pattern within the virus. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) can also use signatures to detect known attack methods.
heuristicsbased detection
A method of virus detection used to detect previ ously unknown viruses. Heuristics attempts to detect a virus based on its behavior.
key stretching
A method that transforms a potentially weak password or encryp tion key into a more secure password or encryption key. PasswordBased Key Derivation Function 2 (PBKDF2) and bcrypt are two keystretching algorithms.
promiscuous mode
A mode used by a sniffer that increases the amount of traf fic that the sniffer can capture. The sniffer can capture all data that reaches the sniffer regardless of the destination IP address. Compare to nonpromiscuous mode.
nonpromiscuous mode
A mode used by a sniffer that limits the traffic that the sniffer can capture. The sniffer only captures data sent directly to or from the IP address of the computer running the sniffer. Compare to promiscuous mode.
TCP/IP Model
A model developed by the Defense Advanced Research Projects Agency (DARPA). Some references list it with four layers (Application, Transport, Inter net, and Link). Other references list it with five layers (Application, Transport, Network, Data Link, and Physical).
token ring
A network configuration where all computing devices are connected in a logical circle. Devices can transmit data onto the network only when they have a logical token that is passed from device to device. See also bus, mesh, star, and tree.
Intranet
A network that is internal to an organization. An intranet has private IP addresses, and clients within the intranet access the Internet with Network Address Translation (NAT), which translates private IP addresses to public and public IP addresses to private.
Mesh
A network topology that provides redundancy with multiple connections. Mesh topologies provide the highest availability of any of the topology methods. See also bus, star, token ring, and tree.
Address resolution protocol (ARP)
A networking protocol used for resolution of network layer IP addresses into link layer MAC addresses.
Backdoor
A nontraditional method of accessing an application or system. It can be code embedded in an application that provides access to the application, the application's code, or data via a covert method. Attackers often try to install a backdoor onto a system after infecting it with malware that grants them remote access.
protocol number
A number embedded in the first octet of TCP and UDP headers that identifies some protocols. For example, ICMP uses protocol number 1 and IGMP uses protocol number 2. This is not a port number, though port numbers also identify some protocols. Compare to port number.
Asynchronous Password Token
A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm.
business impact analysis (BIA)
A part of a BCP. It identifies the impact to the organization if any business functions are lost due to any type of incident. It helps an organization identify what business functions are critical to continued operations by identifying the impact to the business if a business function stops.
Access Control Object
A passive entity that typically receives or contains some form of data.
onetime password
A password used only once. Hardware tokens use synchro nous onetime passwords with a hardware device held by the user showing a onetime password as a number or password. The password changes often and is synchronized with a server.
demilitarized zone (DMZ)
A perimeter network used to host resources on the Internet (such as web servers, email servers, or FTP servers). The DMZ provides a layer of protection for the resources that would not be available if they were placed directly on the Internet.
risk assessment
A pointintime evaluation of potential risks. It looks at the current situation and then attempts to determine what risks exist and how to address them.
Kerberos
A popular network authentication protocol for indirect (third-party) authentication services.
clipping level
A predetermined threshold level. Many automated accounting systems use clipping levels to generate alerts after the system detects a preset number of events. An auditing system ignores events until the number of events reaches the clipping level.
antivirus (AV) software
A primary method used to detect and prevent infections from malware. In addition to being able to detect and prevent infections, most AV soft ware is able to remove the malware, restore the infected file to its original state, or quar antine the file.
Dual Control
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource.
symmetric encryption
A process of encrypting and decrypting data using a single key. Symmetric encryption algorithms are constant, while the keys used to encrypt different sets of data are changed to prevent compromise. A popular symmetric encryption is Advanced Encryption Standard (AES).
asymmetric encryption
A process of encrypting and decrypting data using two matched keys known as a public key and a private key. It is also known as public key cryp tography. Anything encrypted with the public key can be decrypted only with the match ing private key. Anything encrypted with the private key can be decrypted only with the matching public key. The private key is always kept private and never shared. The public key is freely shared and publicly available.
Salting
A process that adds random bits to a password. Salting helps thwart rainbow table attacks and is used by bcrypt and PasswordBased Key Derivation Function 2 (PBKDF2).
configuration management
A process that ensures that information about sys tem configuration is available for any system and helps ensure that similar systems are configured similarly.
Certification
A process that evaluates, describes, and tests a system and all of the controls that are in place to mitigate risks to the system. After a system has been certified, a separate accreditation process formally approves the system to operate.
change control
A process that helps prevent unintended outages from changes. A change control process gives experts an opportunity to examine the change for potential problems before the change is implemented. It is also called change management.
authorization
A process that provides access to resources through the assignment of permissions. This process starts with authentication, where users claim an identity and prove their identity with a password or other credentials. Once users have been authenti cated, authorization defines the resources that a user can access and the rights that a user can invoke.
Deduplication
A process that scans the entire collection of information looking for similar chunks of data that can be consolidated.
vulnerability assessment
A process used to discover vulnerabilities. Vulnerabil ity assessments can use technical tools to scan networks and systems for vulnerabilities. They can also include nontechnical means such as social engineering tactics to determine whether employees are susceptible to social engineering attacks.
Safe Harbor
A program that helps U.S. organizations comply with the requirements of the Data Protection Directive. It includes seven principles that organizations agree to follow.
Sniffer
A protocol analyzer or packet sniffer. It is capable of capturing and analyzing packets transmitted over a network. A popular sniffer is Wireshark.
Bootstrap Protocol (BootP)
A protocol that provides an IP address to clients and can be used to retrieve a bootable image for clients. It is similar to Reverse Address Resolution Protocol (RARP), although RARP only retrieves the IP address.
Network Address Translation (NAT)
A protocol that translates private IP addresses to public IP addresses and public IP addresses back to private IP addresses. NAT is often installed on proxy servers or routers that are on the edge of the network (between the Internet and the intranet).
Secure File Transfer Protocol (SFTP)
A protocol that uses Secure Shell (SSH) to encrypt FTP traffic. SFTP functions similarly to FTP, but the encryption prevents sniffing attacks from capturing data in cleartext. Compare to File Transfer Protocol (FTP) and Trivial FTP (TFTP).
Internet Group Message Protocol (IGMP)
A protocol used for IPv4 multi casting, where data is sent from one computer to multiple computers at the same time. IPv6 uses ICMPv6 messaging instead of IGMP.
Dynamic Host Configuration Protocol (DHCP)
A protocol used to assign TCP/IP configuration information to DHCP clients. This includes an IP address, a subnet mask, the address of a DNS server, and much more. DHCP uses UDP ports 67 and 68.
Internet Control Message Protocol (ICMP)
A protocol used to check or verify the health of a network or network device. ICMP is used with many diagnostic protocols such as ping, pathping, and tracert.
Internet Message Access Protocol version 4 (IMAP4)
A protocol used to manage email in folders. IMAP4 servers store email on the server and allow users to organize the email in folders. Compare to Post Office Protocol version 3 (POP3) and Simple Mail Transfer Protocol (SMTP).
Simple Network Management Protocol (SNMP)
A protocol used to manage network devices (such as routers and layer 3 switches) on a network. SNMP agents on the network devices send traps (error or event notifications) and other notification data back to a central server running SNMP management software. SNMP agents receive data on UDP 161 and send traps and notifications on UDP port 162.
Post Office Protocol version 3 (POP3)
A protocol used to receive email. POP3 servers send the email to the client when the client connects. Compare to Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol version 4 (IMAP4).
Simple Mail Transfer Protocol (SMTP)
A protocol used to send email. SMTP sends email from email clients to an email server. Email servers use SMTP to send and receive email between other SMTP servers. SMTP uses TCP port 25. Compare to Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4).
Standard
A proven norm or method. Standards are typically external to an organization but can influence the organization's policies, guidelines, and procedures.
audit trail
A record of events occurring on a system or network, recorded in one or more logs. When you have access to all the logs, you are able to recreate the events that occurred leading up to an event and identify what actually occurred during an event.
recovery point objective (RPO)
A recovery term associated with backups and databases that identifies the amount of data (in terms of time such as hours or days) that is acceptable to lose if a failure occurs. The RPO dictates the amount of resources needed to protect data to prevent loss in the case of a failure.
Object
A resource accessed by a subject. For example, if a user accesses a file, the user is the subject and the file is the object.
quantitative analysis
A risk assessment method that uses numerical-based data such as monetary figures to identify the actual cost associated with a risk. Compare with qualitative analysis.
qualitative analysis
A risk assessment method that uses subjective opinions from experts to identify the impact of a risk. It often categorizes a risk using words such as "low," "medium," and "high." Compare with quantitative analysis.
Tuple
A row storing data within a database table. Some database vendors call tuples rows, while other vendors call them tuples. Similarly, some vendors refer to database table columns as attributes.
Mantrap
A security control designed to protect against piggybacking. It prevents more than one person from passing through a controlled entry at a time and ensures that each person uses credentials to gain entry.
Mandatory vacation
A security policy designed to reduce fraud within an organization. A mandatory vacation policy requires employees to take a vacation outside of the workplace for a specified period, such as at least five consecutive workdays. The goal is to require someone else to perform the employee's job functions, which increases the possibility of exposing any suspicious activities.
Least Privilege
A security principle in which any user/process is given only the necessary, minimum level of access rights (privileges) explicitly, for the minimum amount of time, in order for it to complete its operation.
separation of duties
A security principle that ensures that no single person has complete control over a process. When properly implemented, it can significantly reduce the risk of fraud within an organization.
Secure Realtime Transport Protocol (SRTP)
A security protocol that pro vides confidentiality, message authentication, and replay protection for audio and video traffic, including Voice over Internet Protocol (VoIP).
Internet Protocol security (IPsec)
A security protocol used to provide security for IP traffic traveling over a network. IPsec includes Authentication Header (AH) and Encapsulating Security Protocol (ESP). AH provides authentication between the systems and verifies the integrity of the packets. ESP encrypts the data and provides the same authentication services provided by AH.
virtual local area network (VLAN)
A segmented LAN created on a switch. A VLAN allows an organization to segment traffic with a lot more flexibility when compared to segmenting traffic with a router.
Trust Path
A series of trust relationships that authentication requests must follow between domains
proxy server
A server used as an intermediary, or proxy, for internal clients access ing Internet resources. The proxy server retrieves the web page on the client's behalf and returns it to the client.
Non-repudiation
A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory.
Rootkit
A set of programs that can run on a system largely undetected. It has root level access to the system, similar to how a rootlevel administrator has full and complete control over a system.
Entitlement
A set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose.
federated access
A single signon (SSO) technology that allows users in different networks to access multiple systems after logging on once. The systems can be using dif ferent operating systems owned and managed by different organizations.
Piggybacking
A social engineering tactic. Piggybacking occurs when someone passes through a controlled entry without providing credentials by following closely behind someone who has provided credentials.
Release Management
A software engineering discipline that controls the release of applications, updates, and patches to the production environment.
defense in depth
A strategy that provides a layered approach to security. Instead of using one or two security controls, multiple controls are used. If one control fails, other controls continue to provide protection.
Trivial FTP (TFTP)
A stripped down version of FTP that provides very basic capabilities. It doesn't support authentication and doesn't use TCP to establish a session. However, it is very useful when transferring configuration files to and from network devices. TFTP uses UDP port 69.
Advanced Encryption Standard (AES)
A strong, efficient symmetric encryp tion algorithm. The National Institute of Standards and Technology (NIST) selected it in 2002 as a replacement for Data Encryption Standard (DES) as the standard used by the U.S. government. AES has since been adopted in both the public and private sectors and is widely used today in many applications. AES uses key sizes of 129, 192, and 256 bits and sometimes is listed based on the key size (such as AES256).
Definitions: 3DES
A symmetric encryption standard. It improves Data Encryption Standard (DES) by encrypting data in three passes with three separate keys. It was one of the standards evaluated by the National Institute of Standards and Technology (NIST) with Advanced Encryption Standard (AES), but was not selected. It is a slower and processor intensive block cipher, but is still strong and used in some applications. It is also called triple DES and three DES.
RC4
A symmetric encryption standard. This standard is sometimes called Ron's Code or Rivest's Cipher after its inventor, Ron Rivest. Many experts have speculated that RC4 has been cracked, and it is no longer recommended for use.
intrusion detection system (IDS)
A system designed to provide continuous monitoring of networks and hosts to help protect them from attacks. The goal is to detect an attack as it is occurring. Some IDSs are passive and will provide a notification of a potential attack, and other IDSs are active and will thwart the attack in progress.
radiofrequency identification (RFID)
A system used for identification, track ing, asset management, and inventory control. Products are "tagged" with an RFID tag, which is a small electronic device that marks the product. RFID readers can then read the tag to get information about the product.
Rainbow-table
A table of passwords using a predefined character set and the hash for each of the passwords. Attackers use rainbow tables to perform rainbow table lookups and identify passwords from the hash.
Access control matrix
A table of subjects and objects indicating what actions individual subjects can take upon individual objects.
Degaussing
A technique of erasing data on disk or tape (including video tapes) that, when performed properly, ensures that there is insufficient magnetic remanence to reconstruct data.
Synchronous Dynamic Password Token
A timer is used to rotate through various combinations produced by a cryptographic algorithm.
Layer 2 Tunneling Protocol (L2TP)
A tunneling protocol used with some vir tual private networks (VPNs). It combines the strengths of Layer 2 Forwarding (L2F) and PointtoPoint Tunneling Protocol (PPTP) and is documented in RFC 2661. L2TP VPN traffic is commonly encrypted with IPsec (as L2TP/IPsec).
Point-to-Point Tunneling Protocol (PPTP)
A tunneling protocol used with some virtual private networks (VPNs). RFC 2637 defines it, and Microsoft uses its own version.
False Rejection Rate (FRR)
A type 1 biometric error. It refers to the percentage of times a biometric system falsely rejects a known user and instead indicates that the user is unknown. Compare to False Acceptance Rate (FAR) and Crossover Error Rate (CER).
False Acceptance Rate (FAR)
A type 2 biometric error. It refers to the percentage of times a biometric system falsely identifies an unknown user as a known user. Compare to False Rejection Rate (FRR) and Crossover Error Rate (CER).
Dropper
A type of Trojan horse that attempts to drop malware onto a computer. It might be from an infected file delivered via email or delivered via a driveby download.
Ransomware
A type of Trojan malware that takes control of a user's computer and then demands a ransom from the user to get control back.
differential backup
A type of backup used in full/differential backup strategies. Differential backups only back up data that has changed since the last full backup, with out regard to any other differential backups. Compare to incremental backup.
incremental backup
A type of backup used in full/incremental backup strategies. Incremental backups back up only data that has changed since the last full or incremental backup. Compare to differential backup.
PlatformasaService (PaaS)
A type of cloud computing that provides custom ers with a preconfigured computing platform. Users have access to an operating system and one or more applications hosted on hardware that they can use over the Internet. Users don't have to purchase the hardware and software, and the cloud provider main tains it. Compare to Infrastructure as a Service (IaaS) and SoftwareasaService (SaaS).
InfrastructureasaService (IaaS)
A type of cloud computing that provides customers with hardware (such as servers) and infrastructure (such as routers or switches). Customers maintain all software on the hardware, but the provider owns and maintains the hardware. Also known as HardwareasaService. Compare to SoftwareasaService (SaaS) and PlatformasaService (PaaS).
Software-as-a-Service (SaaS)
A type of cloud computing that provides one or more applications to users. Users access the applications with a web browser over the Internet. Web-based email is an example of SaaS used by many people. Compare to Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).
Authenticode
A type of code signing, which is the process of digitally signing software components and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was digitally signed. Authenticode is Microsoft's implementation of code signing.
foreign key
A type of key used in databases. A foreign key in one table points to a unique primary key in another table to create a relationship between the two tables.
Nonrepudiation
A user cannot deny any particular act that he or she did on the IT system
Berkeley Internet Name Domain (BIND)
A version of DNS software that runs on UNIX systems. It is freely available and runs on many DNS servers on the Internet.
database view
A virtual table that provides access to specific columns in one or more tables. A view doesn't hold any data but presents the data in the underlying table or tables. A database administrator can grant access to a view without granting access to a table to limit what a user can see and manipulate.
polymorphic virus
A virus that has the ability to morph or mutate each time it replicates to another machine or even each time it is run. When the virus mutates, it's more difficult for antivirus (AV) software to detect it unless additional virus signatures are created to recognize the mutated version.
armored virus
A virus that uses code to make it difficult for AV researchers to reverseengineer the code. Encryption is often combined with other methods to prevent reverseengineering.
Vulnerability
A weakness. It can be a weakness in a system, a configuration, a pro cess, hardware, software, or any other aspect of a system. If a threat can exploit a vulner ability, an organization can suffer losses.
business continuity plan (BCP)
A written document that includes the processes and procedures to prevent missioncritical services from being interrupted or disrupted. A BCP includes disaster recovery elements used to restore the organization to fully func tioning operations as quickly and efficiently as possible.
security policy
A written document that provides the organization with a high level view of its security goals. A security policy is authoritative in nature and provides direction for the creation of guidelines and procedures.
3. Which of the following choices identify valid threat sources? (Choose all that apply.) A. Employee B. Earthquake C. State-sponsored attacker D. Administrator
A, B, C, D. All of the answers are valid threat sources. Employees can be adversarial threat sources if they intentionally cause damage or accidental threat sources if they accidentally cause damage. An earthquake is an environmental threat source. A state-sponsored attacker is an adversarial threat source.
6. Which of the following choices are effective methods of ensuring that employees know the relevant contents of an organization's security policy? (Choose all that apply.) A. Providing training B. Using warning banners C. Using posters D. Storing the policy in the company vault
A, B, and C. Providing training, using warning banners, and using posters are all effective methods of ensuring that employees know the relevant contents of a security policy. If the security policy is stored in the company vault, it won't be accessible to employees.
Select three ways to deal with risk. A. Acceptance B. Avoid / Eliminate C. Transfer D. Mitigate E. Deny
A. Acceptance C. Transfer D. Mitigate
The Crossover Error Rate (CER) is a good measure of performance for: A. Biometrics B. Tokens C. Kerberos D. A fingerprint scan E. Discretionary access control
A. Biometrics
There are 5 classes of IP addresses available, but only 3 classes are in common use today, identify the three: (Choose three) A. Class A: 1-126 B. Class B: 128-191 C. Class C: 192-223 D. Class D: 224-255 E. Class E: 0.0.0.0 - 127.0.0.1
A. Class A: 1-126 B. Class B: 128-191 C. Class C: 192-223
Government categories of data classification include which of the following? (Choose all that apply) A. Confidentiality B. Secret C. Top Secret D. Confidential E. Need to Know F. Availability
A. Confidentiality B. Secret C. Top Secret D. Confidential
What are the three performance measurements used in biometrics? (Choose three) A. Crossover error rate B. False rejection rate C. Positive error rate D. False acceptance rate E. Negative error rate
A. Crossover error rate B. False rejection rate D. False acceptance rate
Integrity = ______________ A. Data being delivered from the source to the intended receiver without being altered B. Protection of data from unauthorized users C. Data being kept correct and current D. Ability to access data when requested E. All answers are correct
A. Data being delivered from the source to the intended receiver without being altered
EDI (Electronic Data Interchange) differs from e-Commerce in that ___________________. A. EDI involves only computer to computer transactions B. E-Commerce involves only computer to computer transactions C. EDI allows companies to take credit cards directly to consumers via the web D. None of the items listed accurately reflect the differences between EDI and e-Commerce
A. EDI involves only computer to computer transactions
The following actions have been noted as providing motivation to virus writers? (Choose all that apply)
A. Fame C. Boredom
Decentralized access control allows ______________________. A. File owners to determine access rights B. Help Desk personnel to determine access rights C. IT personnel to determine access rights D. Security Officers to determine access rights E. Security Officers to delegate authority to other users
A. File owners to determine access rights
The difference between fraud and embezzlement is ________________-. A. Fraud = money or goods; embezzlement = money only B. Fraud = removing hardware / software; embezzlement = removing data only C. Fraud = misdemeanor; embezzlement = felony D. There is no difference, fraud and embezzlement are the same E. Embezzlement is about publicity; fraud is about personal gain
A. Fraud = money or goods; embezzlement = money only
_____ is the authoritative entity which lists port assignments A. IANA B. ISSA C. Network Solutions D. Register.com E. InterNIC
A. IANA
Which of these virus incidents did not occur in 1999? (Choose all that apply) A. ILoveYou B. Chernobyl C. Melissa D. Michelangelo E. Anna Kournikova F. None of the above - they all happened in 1999
A. ILoveYou E. Anna Kournikova
The most common source of attack against companies comes from: A. Insiders B. Hackers C. Crackers D. Script kiddies E. Spies
A. Insiders
Name three SSO types? (Choose three) A. KryptoKnight B. Kerberos C. Clipper D. SESAME E. DES
A. KryptoKnight B. Kerberos D. SESAME
Which of the following is NOT an administrative control? A. Locks, CCTV, alarm systems B. Security Awareness Program C. Information Security Policy D. Disabling a user account upon termination
A. Locks, CCTV, alarm systems
Which of the following are NT Audit events? (Choose all that apply) A. Logon and Logoff B. Use of User Rights C. Security Policy Change D. Registry Tracking E. All of choices are correct
A. Logon and Logoff B. Use of User Rights C. Security Policy Change
____________ is used in mission critical systems and applications to lock down information based on sensitivity levels (Confidential, Top Secret, etC.. A. MAC - Mandatory Access Control B. DAC - Discretionary Access Control C. SAC - Strategic Access Control D. LAC - Limited Access Control
A. MAC - Mandatory Access Control
Which of the following are valid modes of operation? (Choose all that apply) A. Multilevel mode B. Restricted mode C. Dedicated mode D. Allowed mode E. Access Mode
A. Multilevel mode C. Dedicated mode
MD5 is a ___________ algorithm A. One way hash B. 3DES C. 192 bit D. PK
A. One way hash
Name three types of firewalls __________, _______________, and _________________ (Choose three) A. Packet Filtering B. Application Proxy C. Stateful Inspection D. Microsoft Proxy E. SonicWall F. Raptor Firewall
A. Packet Filtering B. Application Proxy C. Stateful Inspection
Which layer of the OSI model handles encryption? A. Presentation Layer - L6 B. Application Layer - L7 C. Session Layer - L5 D. Data Link Layer - L2
A. Presentation Layer - L6
Countermeasures have three main objectives, what are they? (Choose all that apply) A. Prevent B. Recover C. Detect D. Trace E. Retaliate
A. Prevent B. Recover C. Detect
What are some of the major differences of Qualitative vs. Quantitative methods of performing risk analysis? (Choose all that apply) A. Quantitative analysis uses numeric values B. Qualitative analysis uses numeric values C. Quantitative analysis is more time consuming D. Qualitative analysis is more time consuming E. Quantitative analysis is based on Annualized Loss Expectancy (ALE) formulas F. Qualitative analysis is based on Annualized Loss Expectancy (ALE) formulas
A. Quantitative analysis uses numeric values C. Quantitative analysis is more time consuming E. Quantitative analysis is based on Annualized Loss Expectancy (ALE) formulas
Some Unix systems use a very simple cipher called _________. A. ROT13 B. SOT14 C. DES D. Block E. Stream
A. ROT13
A boot sector virus goes to work when what event takes place? A. Reboot or system startup B. File is deleted C. File is saved D. March 16th
A. Reboot or system startup
Why are clipping levels used? A. Reduce the amount of data to be evaluated B. Limit the number of alphanumeric characters in a password C. Limit errors in RADIUS systems D. To only set thresholds for file and object access
A. Reduce the amount of data to be evaluated
Which of the following is an example of One-Time Password technology? (Choose all that apply) A. S/Key B. OPIE C. LC3 D. MD5
A. S/Key B. OPIE
Authentication is based on which of the following: (Choose three) A. Something you are B. Something you input C. Something you know D. Something you compute E. Something you have
A. Something you are C. Something you know E. Something you have
What is the main difference between a logic bomb and a stealth virus? (Choose all that apply) A. Stealth viruses supply AV engines with false information to avoid detection B. Stealth viruses live in memory while logic bombs are written to disk C. Stealth viruses "wake up" at a pre-specified time in the code, then execute payload D. Logic Bombs supply AV engines with false information to avoid detection
A. Stealth viruses supply AV engines with false information to avoid detection B. Stealth viruses live in memory while logic bombs are written to disk
A true network security audit does include an audit for modems? A. True B. False
A. True
Although they are accused of being one in the same, hackers and crackers are two distinctly different groups with different goals pertaining to computers. A. True B. False
A. True
Companies can now be sued for privacy violations just as easily as they can be sued for security compromises. A. True B. False
A. True
In the past, many companies had been hesitant to report computer crimes. A. True B. False
A. True
It is difficult to prosecute a computer criminal if warning banners are not deployed? A. True B. False
A. True
One method that can reduce exposure to malicious code is to run applications as generic accounts with little or no privileges. A. True B. False
A. True
So far, no one has been able to crack the IDEA algorithm with Brute Force.
A. True
Spoofing is a sophisticated technique of authenticating one computer to another by forging IP packets from a trusted source address(True / False) A. True B. False
A. True
The NT password cracking program L0pht is capable of pulling passwords from the registry? A. True B. False
A. True
Today, privacy violations are almost as serious as security violations? A. True B. Fals
A. True
Wiretapping is an example of a passive network attack? A. True B. False
A. True
Threat assessment has four major components, name them. (Choose four) A. Type B. Mechanism C. Impact D. Probability E. ALE - Annual Loss Expectancy
A. Type B. Mechanism C. Impact D. Probability
When a security violation occurs, what important information should be logged? (Choose all that apply) A. User ID B. Timestamp C. User's first and last name D. Computer / Terminal ID E. All of the items listed
A. User ID B. Timestamp D. Computer / Terminal ID
Which of the concepts best describes Availability in relation to computer resources? A. Users can gain access to any resource upon request (assuming they have proper permissions) B. Users can make authorized changes to data C. Users can be assured that the data content has not been altered D. None of the concepts describes Availability properly
A. Users can gain access to any resource upon request (assuming they have proper permissions)
When compiling a risk assessment report, which of the following items should be included? (Choose all that apply) A. Vulnerability levels B. Method of attack used C. Names of frequent security violators D. Data sensitivity levels E. ALE calculations
A. Vulnerability levels D. Data sensitivity levels E. ALE calculations
Information Security policies should be __________________? (Choose all that apply) A. Written down B. Clearly Communicated to all system users C. Audited and revised periodically D. None of the choices listed are correct
A. Written down B. Clearly Communicated to all system users C. Audited and revised periodically
What type of access control is identity based? A. Discretionary B. Non-discretionary C. ABAC D. Biba
A. A Discretionary Access Control (DAC) model assigns permissions to identities, making it an identity-based model.
3. Which of the following choices identifies a major drawback associated with a host-based IDS (HIDS)? A. It is very processor intensive and can affect the computer's performance. B. The signatures must be updated frequently. C. It does not support anomaly-based detection. D. It stores the logs on remote systems.
A. A HIDS is very processor intensive and can negatively affect the computer's performance. All IDSs using signature-based detection need to have their signatures updated frequently. A HIDS will typically support both signature- based detection and anomaly-based detection. Another drawback of a HIDS is that it stores the logs on the local computer, and an attacker might be able to delete the logs.
3. Of the following choices, what is a common DoS attack? A. TCP flood B. Tailgating C. Smishing the following choices, what is a common DoS attack? D. Whaling
A. A TCP flood attack (also known as a SYN flood, TCP SYN, or TCP half- open attack) is a common DoS attack that withholds the third packet of the TCP three-way handshake. The other answers are not DoS attacks. Tailgating is a social engineering tactic. Smishing is a form of phishing using SMS messages. Whaling is a form of phishing against a single person, such as an executive.
18. Of the following choices, what is a primary method used for configuration control? A. Baseline B. Change management requests C. Security logs D. Password audits
A. A baseline is a primary method used for configuration control and it ensures that systems start in a known state. Automated or manual processes periodically examine the systems to verify the system still has the same configuration settings from the baseline. An organization doesn't approve and implement all change management requests, so examining the requests does not give an accurate representation of the server configuration. Security logs and password audits aren't typically used for configuration control.
8. How does a behavior-based IDS detect attacks? A. It compares current activity against a baseline. B. It compares current activity against a database of known attack methods. C. It compares current activity with antivirus signatures. D. It monitors activity on firewalls.
A. A behavior-based IDS detects attacks by comparing current activity against a baseline. A signature-based IDS detects attacks by comparing network activity with a database of known attack methods. An IDS does not use antivirus signatures. While an IDS monitors activity on firewalls, this doesn't identify how it detects attacks.
3. A system ignores potential security violations until it detects a specific number of events. It then raises an alert. What does this describe? A. Clipping level B. Acceptance level C. Audit level D. Baseline level
A. A clipping level uses a predetermined number of events as a threshold. An auditing system ignores the events until it detects the number of events has exceeded the threshold level. Acceptance level and audit level are not valid terms. The question doesn't describe a baseline level.
20. An organization is sharing resources with another organization using cloud-based computing. Which of the following cloud operation models does this describe? A. Community B. Hybrid C. Private D. Public
A. A community cloud is a private cloud that is shared by two or more organizations. A hybrid cloud is a combination of any two or more clouds. A private cloud is only available to users within an organization. Public cloud- based services are provided by third-party vendors and are available to anyone.
12. Of the following choices, what is a primary purpose of a honeypot? A. To give administrators an opportunity to observe new exploits B. To give administrators an opportunity to observe new controls C. To give administrators an opportunity to perform vulnerability tests D. To give administrators an opportunity to perform penetration tests
A. A honeypot entices would-be attackers, luring them away from the live network, and gives administrators an opportunity to observe the attacker. The honeypot is a security control, but it doesn't provide an opportunity to observe new controls. It does not perform vulnerability or penetration tests.
2. You want to monitor a server for potential attacks. Of the following choices, what is the best choice? A. HIDS B. NIDS C. Anomaly-based IDS D. Signature-based IDS
A. A host-based IDS (HIDS) can monitor a single computer (such as a server) for possible attacks and intrusions. A network-based IDS (NIDS) monitors network activity. Both HIDS and NIDS can use either anomaly-based detection or signature-based detection.
7. An employee configured malicious code to execute at midnight on February 2. What does this describe? A. Logic bomb B. Groundhog Day virus C. Worm D. Ransomware
A. A logic bomb is malware that executes in response to an event such as a specific date and time. While February 2 is Groundhog Day, the scenario doesn't describe a Groundhog Day virus. Worms infect computers over a network, not on a specific day. Ransomware takes control of a user's computer or data and demands a ransom from the user.
3. Which of the following controls attempts to avoid security incidents? A. Preventive B. Compensating C. Corrective D. Detective
A. A preventive control attempts to avoid security incidents by preventing them. A compensating control provides an alternative when a primary control fails or is unavailable. A corrective control attempts to reverse the effects of an incident and can restore a failed or disabled control. A detective control attempts to detect incidents either as they are occurring or after they've occurred.
5. Of the following choices, what represents the primary benefits provided by a proxy server? A. Caching and filtering B. Authentication and caching C. Authentication, authorization, and accounting D. Stateful inspection
A. A proxy server can cache web pages that are retrieved from the Internet. It can also block users from accessing restricted websites by filtering the web page requests. A proxy server does not provide authentication directly, although some proxy servers can be tied into an authentication system. A proxy server does not normally perform firewall functions.
10. Of the following choices, what is the best example of a log used as a deterrent for internal employees? A. Proxy server log B. Network firewall log C. Security audit D. Change management log
A. A proxy server log can serve as a deterrent for internal employees. If employees know that the server is monitoring and logging their activity, they may be less likely to engage in activity that violates the security policy. A network firewall log can capture activity for traffic to and from the Internet, but does not provide much of a deterrent for internal employees. A security audit is not a log. A change management log documents changes for a system.
8. Which of the following helps ensure that an organization focuses risk management resources only on the most serious risks? A. Risk assessment B. Residual risk C. Countermeasures D. Qualitative analysis
A. A risk assessment helps an organization prioritize risks so that it can focus risk management resources on the most serious risks. Residual risk is the risk that remains after implementing risk mitigation steps. Countermeasures are risk management resources that reduce risks. Risk assessments can use either a quantitative analysis or a qualitative analysis, but neither is superior to the other one in all circumstances.
13. Of the following choices, which one most accurately reflects differences between risk management and a risk assessment? A. A risk assessment is a point-in-time event, while risk management is an ongoing process. B. Risk management is a point-in-time event, while a risk assessment is an ongoing process. C. Risk assessments are broad in scope, while risk management is focused on a specific system. D. Risk management is one part of an overall risk assessment strategy for an organization.
A. A risk assessment is a point-in-time event, while risk management is an ongoing process. Risk assessment is one element of a risk management strategy, and risk assessments are generally focused on specific systems with a limited scope, while risk management is much broader.
8. An attacker has written a program to shave off a penny from each transaction and divert the penny to the attacker's bank account. What best describes this attack? A. Salami attack B. Sniffing attack C. Replay attack D. Covert channel
A. A salami attack uses multiple small, usually unnoticeable actions, such as shaving a penny off a transaction. A sniffing attack uses a sniffer (protocol analyzer) to capture and analyze traffic. A replay attack captures data and then later resends it to impersonate one of the parties. A covert channel uses an uncommon communications path to exchange information surreptitiously.
2. Which of the following choices best describes an organization's security policy? A. An authoritative written document that identifies an organization's overall security goals B. A non-authoritative written document that identifies an organization's overall security goals C. A technical control that mitigates risks D. A baseline used to ensure that systems are secure when deployed
A. A security policy is an authoritative (not non-authoritative) written document that identifies an organization's overall security goals. It is a management (or administrative) control, not a technical control or a baseline however, technical controls and baselines are created based on the direction from the security policy.
4. Which of the following can cause a negative impact on an organization's assets? A. A threat B. A risk C. A weakness D. A control
A. A threat source can cause a negative impact by exploiting a vulnerability. Risk is the likelihood that a threat will exploit a vulnerability and cause a loss, the risk doesn't cause the negative impact. A weakness is a vulnerability. Attackers can exploit a vulnerability, but the vulnerability doesn't cause the loss. Controls attempt to reduce risk by reducing vulnerabilities or reducing the impact of a risk.
10. Which of the following is a virtual table and allows a user access to a limited amount of data within a table? A. View B. Tuple C. Row D. Foreign key
A. A view is a virtual table that provides access to specific columns in one or more tables, allowing a user to access a limited amount of data. A tuple is the same as a row and it contains a single record, but it is not a virtual table. Tables are linked together with foreign keys.
2. Which of the following is the best choice to segment traffic on a network? A. VLAN B. EAP C. SSL D. TLS
A. A virtual local area network (VLAN) segments traffic on a network using a switch. Extensible Authentication Protocol (EAP) is used for authentication, not segmentation. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are transport encryption protocols and do not segment traffic.
ATTACKS: 1. What is an APT? A. A group, often sponsored by a government, that has the capability and intent to launch persistent attacks against an organization B. Software that alerts a user that their system is infected with malware, but won't remove the malware unless the user pays a fee C. An attack that redirects users to a bogus website D. A scan to detect open ports
A. An advanced persistent threat (APT) is a group of people (often sponsored by a government) that has the capability and intent to launch persistent attacks against organizations. Scareware is software that alerts a user their system is infected with malware, but won't remove the malware unless the user pays. Pharming is an attack that redirects users to a bogus website. A port scan is a scan that detects open ports.
Malicious Code and Activity: 1. What type of virus attempts to protect itself from reverse engineering and prevent antivirus researchers from analyzing the malware? A. Armored virus B. Polymorphic virus C. Metamorphic virus D. Multipartite virus
A. An armored virus attempts to prevent an AV researcher from reverse engineering it to determine what it is doing and how it is doing it. Although polymorphism and metamorphism can make it harder to reverse engineer a virus, they aren't the best answer, because these techniques primarily make it harder for AV software to detect the virus. A multipartite virus uses multiple methods of attack
12. What should users do to ensure that antivirus software can detect recently released viruses? A. Update signatures B. Update the operating system C. Update the AV software D. Regularly purchase new AV software
A. Antivirus software uses signature definition files to detect viruses, and these signatures must be regularly updated. It's not necessary to update the operating system, update the AV software, or purchase new AV software to detect recently released viruses.
18. You have completed a risk assessment and determined that you can purchase a control to mitigate a risk for only $10,000. The SLE is $2,000 and the ARO is 20. Is this cost justified? A. Yes. The control is less than the ALE. B. No. The control exceeds the ALE. C. Yes. The control exceeds the ARO. D. No. The control is less than the ARO.
A. Because the cost of the control is less than the annual loss expectancy (ALE), the cost is justified. The cost of the control is $10,000 and the ALE is $40,000. The annual rate of occurrence (ARO) is how many times the loss occurred (20 in the example), but it is only useful when you multiply it with the single loss expectancy (SLE) to identify the ALE.
Which of the following models helps enforce the principle of separation of duties? A. Chinese Wall and Clark-Wilson B. Chinese Wall and Biba C. Clark-Wilson and Bell-LaPadula D. Biba and Bell-LaPadula
A. Both the Clark-Wilson model and the Chinese Wall model enforce the principle of separation of duties. The Clark-Wilson model also enforces integrity, and the Chinese Wall model also helps prevent conflicts of interest. Biba enforces integrity. Bell-LaPadula enforces confidentiality.
Basic Networking and Communications: Which layer of the OSI Model defines cable standards? A. Physical layer B. Data Link layer C. Network layer D. Transport layer
A. Cable standards are defined at the Physical layer, layer 1. They are not defined at the Data Link layer (layer 2), the Network layer (layer 3), or the Transport layer (layer 4).
2. What are the primary objectives of security controls? A. Prevent, detect, and correct B. Prevent, detect, and block C. Detect, correct, and block D. Detect, correct, and remove
A. Controls attempt to prevent, detect, and/or correct losses to confidentiality, availability, or integrity. Some preventive controls attempt to block threats, and some corrective controls attempt to remove vulnerabilities, but neither blocking nor removing is referred to as a primary objective of security controls.
12. An employee makes unauthorized changes to data as he is entering it. What is this? A. Data diddling B. Data entry C. Data inference D. Data deduplication
A. Data diddling is the unauthorized changing of data before entering it into a system or while entering it into a system. While the employee is involved with data entry, data entry by itself doesn't indicate the employee is making unauthorized changes. Data inference occurs when someone is able to put together unclassified pieces of information to predict or guess an outcome. Data deduplication stores a file only once on a system, even if users attempt to store copies in multiple locations.
16. You are purchasing a product from a website. Which of the following protocols will your system most likely use to provide confidentiality for this transaction? A. SSL B. SSH C. IPsec D. HTTP
A. E-commerce transactions use HyperText Transfer Protocol Secure (HTTPS) for confidentiality, and Secure Sockets Layer (SSL) is one of the protocols used to encrypt HTTPS. While not one of the choices, Transport Layer Security (TLS) isalso commonly used to encrypt HTTPS. While Secure Shell (SSH) and Internet Protocol security (IPsec) both provide confidentiality with encryption, HTTPS doesn,t use SSH or IPsec. HTTP sends data in cleartext, so it doesn,t provide confidentiality.
10. Which of the following definitions best describes system hardening? A. Making a system more secure than the default configuration B. Increasing physical security to make it harder to access the system C. Increasing the length of the administrator password to make it harder to access the system D. Reducing the attack surface
A. Hardening a system is the practice of making it more secure than the default configuration. The other answers provide steps that can increase security on a system, but they don't provide an overall description of system hardening.
11. A virus is detected on a system based on the virus's behavior. What detected the virus? A. Heuristics B. A virus fingerprint C. A virus filter D. A signature
A. Heuristics can detect malware based on the behavior of the malware and are designed to detect previously unknown viruses. There's no such thing as a virus filter or a virus fingerprint, although a virus signature does uniquely identify known malware similar to how a fingerprint can identify a person.
Access controls protect assets such as files by preventing unauthorized access. What must occur before a system can implement access controls to restrict access to these types of assets? A. Identification and authentication B. Identification and accountability C. Authentication and accounting D. Accountability and availability
A. Identification and authentication must occur before a system can implement access controls. Identification is the act of a user professing an identity, and authentication occurs when an authentication system verifies the user's credentials (such as a username and password).
Which of the following biometric methods has the lowest CER? A. Iris scan B. Handwriting analysis C. Keystroke dynamics D. Thumbprint scan
A. Iris scans are the most accurate of the items listed and have the lowest Crossover Error Rate (CER). A. Single sign-on (SSO) requires users to log on once, and it uses the same credentials for any other resources accessed during the session.
19. An organization is using a system development life cycle for the design of a system. When should personnel first address security issues? A. During the initiation phase B. During the development/acquisition phase C. During the operations/maintenance phase D. During the disposal phase
A. It's important to address security during each phase of the system development life cycle, starting with the initiation phase. If you start addressing security later, it's very possible that it will be more difficult and more expensive to add security controls.
What type of service does Kerberos provide? A. Authentication B. Accounting C. Availability D. Accountability
A. Kerberos provides authentication. Accounting and accountability are possible if a system can identify users and track their activities,
10. What logs are most valuable after an attack? A. Logs on a remote system B. Logs on local systems that have been attacked C. Logs for local firewalls D. Logs for antivirus events
A. Logs held on remote systems are the most valuable because an attacker is less likely to have modified them. Attackers can modify logs on a local system (including local firewall logs) during an attack. Although AV logs may be useful in attacks involving malware, they aren't very useful if attackers didn't use malware during the attack.
11. You suspect that many internal systems may be part of a botnet. What log would you review to verify your suspicions? A. Network-based firewall logs B. Host-based firewall logs C. Operating system logs D. System security logs
A. Network-based firewall logs record traffic on the network, and because many systems are involved, network-based firewalls is the best choice. Each of the other logs are local logs on individual systems. This would require checking logs on multiple systems, rather than checking logs on a single network-based firewall.
8. Which of the following is the most important element of business continuity planning? A. Support from senior management B. Availability of a warm site C. The backup plan D. Cost
A. Of the available answers, the most important element is support from senior management. While an organization might decide it needs a warm site, not all BCPs require warm sites. A security policy may mandate the creation of backup plans, but this is separate from the BCP. The cost is a concern, but the requirements drive the cost, and without support from senior management, business continuity planning may not receive any funding.
17. An organization regularly collects information on customers for marketing purposes. It uses this information to personally identify the customers. Who is responsible for protecting this data? A. The organization. B. It depends on whether the customers gave permission to collect the data. C. It depends on whether a data breach occurred. D. Customers.
A. Organizations are responsible for protecting personally identifiable information (PII), which is information that can identify individuals. This is true even if the customers give permission to the organization to collect the data, and even if a data breach has not occurred. Customers are not required to protect the information that they give to an organization.
6. A packet-filtering firewall can block ICMP traffic, such as ping requests. How does a packet-filtering firewall identify ICMP traffic? A. Based on the protocol ID having a value of 1 B. Based on the protocol ID having a value of 2 C. Based on the port of 50 D. Based on the port of 51
A. Packet-filtering firewalls can filter traffic based on IP addresses, ports, and protocol IDs, and a protocol ID of 1 identifies Internet Control Message Protocol (ICMP) traffic. Internet Group Message Protocol (IGMP) uses a protocol ID of 2. Internet Protocol security (IPsec) is not identified by ports. IPsec Encapsulating Security Protocol (ESP) has a protocol ID of 50, and IPsec Authentication Header (AH) has a protocol ID of 51.
8. Which of the following choices best describes an operational control? A. A control implemented by people (rather than systems) B. A control implemented using hardware, software, or firmware C. A control that focuses on the management of risk and the management of IT security D. A control that focuses on preventing losses due to risks
A. People, rather than systems, implement an operational control. A technical control is implemented with hardware, software, or firmware. A management control focuses on the management of risk and the management of IT security. A preventive control focuses on preventing losses due to risks.
13. Information that can be used to distinguish or trace an individual's identity is also known as what? A. PII B. Tuple C. Data inference D. PHI
A. Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual's identity and includes items such as their name, Social Security number, birthdate, birthplace, and more. A tuple is a row in a database table. Data inference occurs when someone is able to piece together unclassified information to predict or guess an outcome. Protected health information (PHI) is information referring to an individual's health and is protected by HIPAA.
7. Of the following choices, what is NOT a phase of a computer forensic investigation? A. Prosecution based on evidence B. Authenticating evidence C. Analyzing evidence D. Acquiring evidence
A. Prosecution is not a part of a computer forensic investigation, but may occur based on the results of an investigation. A computer forensic investigation typically includes the three phases of acquiring, authenticating, and analyzing evidence.
9. What type of cryptography does public cryptography use? A. Asymmetric encryption B. Symmetric encryption C. Steganography D. One-way functions
A. Public key cryptography uses asymmetric encryption with two matched keys (a public key and a private key) to encrypt and decrypt information. Symmetric encryption uses a single key (often called a session key) to encrypt and decrypt data. Steganography hides data within data. Hashes are also known as one-way functions and they provide integrity.
17. How are public keys shared with other entities? A. Published in a certificate B. Encrypted by a private key C. Encrypted by a session key D. Public keys are not shared
A. Public keys are published in certificates. They are never encrypted. They are shared so that other entities can use them for asymmetric encryption.
7. A security professional is reviewing existing security controls. What type of security control is this? A. Management B. Technical C. Physical D. Compensating
A. Reviewing security controls is a management control. This is part of risk management, and reviewing existing security controls is part of a risk assessment. Technical controls use technical means, not an individual such as a security professional. Physical controls refer to the controls you can touch. Compensating controls are controls used as an alternative if the primary controls cannot be used. It's also worth mentioning that the other three answers all refer to classes of controls, while compensating controls refer to a control goal (similar to how preventive, detective, and corrective controls are control goals).
13. What is the purpose of reviewing logs? A. Detecting potential security events B. Preventing potential security events C. Correcting potential security events D. Deterring potential security events
A. Security professionals and auditors can detect potential security events by reviewing logs after the event has occurred. Reviewing the logs doesn't prevent an incident that has already occurred, and reviewing the logs does not enable security professionals and auditors to correct the effects of an incident. While logging some activity, such as proxy servers, can deter events, reviewing the logs doesn't deter the activity.
What is SSO? A. A system that requires user credentials once and uses the same credentials for the entire session B. An authentication system that requires users to use different credentials for each resource they access C. A secure system used for operations D. Any network that employs secure access controls
A. Single sign-on (SSO) requires users to log on once, and it uses the same credentials for any other resources accessed during the session.
17. An attacker uses nontechnical means to learn the e-mail address of a manager within a company. Which of the following best describes this attack? A. Social engineering B. Shoulder surfing C. Smishing D. Covert cramming
A. Social engineering uses nontechnical (or low-technical) means to gain information, such as the names of people, e-mail addresses, and user credentials. Shoulder surfing is just looking over someone's shoulder, and although it may allow an attacker to see an e-mail address of a manager, it isn't the best answer. Smishing is a variant of phishing using SMS messages. There's no such thing as covert cramming.
4. Which of the following uses a single key to encrypt and decrypt data? A. Symmetric B. Asymmetric C. Public key cryptography D. SHA-1
A. Symmetric encryption uses a single key to encrypt and decrypt data. Asymmetric encryption uses two keys (a public key and a private key) to encrypt and decrypt information and is often referred to as public key cryptography. Secure Hashing Algorithm 1 (SHA-1) is a hashing algorithm and it doesn't use a key.
10. What protocol would a system use to determine a systems physical address? A. ARP B. RARP C. BootP D. DNS
A. Systems use the Address Resolution Protocol (ARP) to identify the assigned physical (or MAC) address matching an assigned IP address. Reverse ARP (RARP) allows a system with a MAC address to get an IP address. The Bootstrap Protocol (BootP) allows a diskless system to get an IP address and then download the image of an operating system. Domain Name System (DNS) resolves host names to IP addresses but not physical addresses.
19. What law requires an organization to get a parent's consent prior to collecting information on children under 13? A. COPPA B. OPPA C. Data Protection Directive D. E-Privacy Directive
A. The Children's Online Privacy Protection Act (COPPA) requires organizations to get a parent's consent prior to collecting information on children under 13. The California Online Privacy Protection Act of 2003 (OPPA) requires operators of commercial websites to post a privacy policy on the website if the website collects personally identifiable information (PII). The Data Protection Directive (Directive 95/46/EC) restricts data transfers of privacy data to countries outside of the European Union. The E-Privacy Directive (European Directive 95/46/EC) focuses on the protection of digital data and regulates the use of cookies.
19. Of the following choices, what is used to determine whether a certificate has been revoked? A. OCSP B. Digital signature C. CARL D. Trust chain
A. The Online Certificate Status Protocol (OCSP) is used to verify the health of a certificate. An OCSP responder will indicate whether a certificate has been revoked when queried with the certificate's serial number. A digital signature uses certificates but doesn't determine whether a certificate is revoked. CAs issue a certificate revocation list (CRL), but CARL isn't a valid acronym in the context of checking certificates. A trust chain determines if the CA that issued the certificate is trusted, but doesn't indicate if a certificate is revoked.
15. An organization handles credit card data from customers on a regular basis. What provides the security objectives and requirements that the organization must follow? A. PCI DSS B. HIPAA C. FIPS Pub 200 D. NIST SP 800-53
A. The Payment Card Industry Data Security Standard (PCI DSS) provides 6 control objectives and 12 supporting requirements that organizations must follow if they process credit card payments from customers. The Health Insurance Portability and Accountability Act (HIPAA) covers organizations handling health- and medical-related data. Federal Information Processing Standard Publication 200 (FIPS Pub 200) identifies standards required by federal agencies. NIST SP 800-53 provides information on recommended security controls.
6. Which layer of the OSI Model includes TCP and UDP? A. Transport layer B. Network layer C. Data Link layer D. Application
A. The Transport layer includes the TCP and UDP protocols. These protocols are not implemented on the Network layer, the Data Link layer, or the Application layer.
17. You are completing a risk assessment and using historical data. You've identified that a system has failed five times in each of the past two years, and each outage resulted in losses of about $5,000. What is the ARO? A. Five B. $5,000 C. $25,000 D. Impossible to determine with the information provided
A. The annual rate of occurrence (ARO) is five because it happened five times each in the past two years. The single loss expectancy (SLE) is $5,000 and the annual loss expectancy (ALE) is $25,000.
13. Of the following choices, how is malware most often delivered today? A. Over the Internet B. Via an intranet C. Via USB drives D. Through company policies
A. The common way attackers deliver malware is over the Internet. While some attacks can come from internal intranet sources, they do not compete with the volume of attacks from the Internet. Unsuspecting users transmit viruses with USB drives, but this isn't as common as virus delivery over the Internet. Company policies would not deliver viruses.
12. Which of the following best describes maximum tolerable downtime? A. The maximum amount of downtime before a business loses viability B. The point in time in which a failed database should be restored C. The maximum amount of time that can be taken to restore a system or process D. The minimum amount of time that can be taken to restore a system or process
A. The maximum allowable outage (MAO), sometimes called maximum tolerable downtime (MTD), indicates the maximum amount of downtime a business can tolerate and still maintain viability as a business. Recovery point objective (RPO) indicates the point in time to which a failed database should be restored. Recovery time objective (RTO) represents the maximum amount of time that can be taken to restore a system or process after an outage. MTD is not related to minimum timeframes.
7. A system has a protocol analyzer installed. What mode must the system operate in to capture all packets that reach it, including those that are not directly addressed to or from the system? A. Promiscuous B. Nonpromiscuous C. DoS D. DDoS
A. The network interface card of the system running the protocol analyzer (or sniffer) must be in promiscuous mode. If it is in nonpromiscuous mode, the sniffer will only capture packets addressed directly to or from the sniffer. DoS and DDoS are not modes for a sniffer.
11. In general, what elements need to come together for a crime? A. Means, motive, and opportunity B. Criminal, software, and hardware C. Discovery, theft, and benefit D. Attacker, attackee, and method
A. The three commonly quoted elements for a crime are means (the ability to commit the crime), motive (such as money or revenge), and opportunity (the chance to commit the crime). Crimes can be committed without software or hardware. Criminals can commit crimes (such as vandalism or destruction) without theft. Similarly, criminals can commit crimes (such as theft) without an attack.
13. How would users typically access a TLS VPN? A. With a web browser B. With a dedicated application C. With broadband access but never DSL access D. With an IMAP application
A. Users typically access a Transport Layer Security (TLS) virtual private network (VPN) using a web browser instead of a dedicated application. A TLS VPN is not dependent on a specific type of Internet connection (such as broadband or DSL). Internet Message Access Protocol (IMAP) is used with e-mail, not VPNs.
what is the current encrytption standard for long term storage
AES
Accepted ways for handling risk
Accept, transfer, mitigate, avoid.
Non-Discretionary Access Control (Non-DAC)
Access rules are closely managed by the security administrator. Offers stronger security than DAC because it does not rely only on users compliance
Subject
Accesses a resource (ex: users, computers, applications, networks)
Avalanche effect
Algorithm design requirement so that slight changes to the input result in drastic changes to the output.
public key infrastructure (PKI)
All the components necessary to create, man age, distribute, validate, and revoke certificates. A PKI is based on the X.509 protocol. The X.509 standard identifies many of the components and formats used by the PKI, certificate authorities (CAs), and certificates.
Behavior blocking
Allowing the suspicious code to execute within the operating system and watches its interactions with the operating system, looking for suspicious activities.
Network File System (NFS)
Allows computers running different operating sys tems to access and share files over the network. It allows users running UNIX (and UNIX derivatives) to access files on Microsoft systems, and allows users running Microsoft sys tems to access files on UNIXbased systems. Sun Microsystems created NFS.
Offline Authentication
Allows users who have logged in to the system at one time to still log in even when they are disconnected from a network. In a Windows environment, the system uses cached credentials. (A user will not be able to access network resources while using cached credentials. The user can only access resources on the local system using these offline credentials)
public IP address
An IP address that is used on the public Internet. Compare to private IP address.
private IP address
An IP address used within an organization's private network. RFC 1918 formally defines private IP addresses. Compare to public IP address.
Discretionary Access Control (DAC) model
An access control model com monly used to control access for file systems, such as New Technology File System (NTFS) or Network File System (NFS). Objects (such as files and folders) are owned by users. Users have full control over the objects and can grant others access. DAC provides the most granular level of control. Other access control models are Mandatory Access Control (MAC), Rolebased Access Control (RoleBAC), Rulebased Access Control (RuleBAC), and Attributebased Access Control (ABAC).
Access control model
An access control model is a framework that dictates how subjects access objects.
Mandatory Access Control (MAC) model
An access control model that pro vides the highest level of security. It is used by the U.S. military. Subjects and objects are assigned labels- subjects (such as users) are able to access objects (such as files) only when the labels match. Other access control models are Discretionary Access Control (DAC), Rolebased Access Control (RoleBAC), Rulebased Access Control (RuleBAC), and Attributebased Access Control (ABAC). Examples of models that support Mandatory Access Control include BellLaPadula and Biba.
Attributebased Access Control (ABAC)
An access control model that uses attributes to determine access. It evaluates subject and object attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. Other access control models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rolebased Access Control (RoleBAC), and Rulebased Access Control (RuleBAC).
Rolebased Access Control (RoleBAC) model
An access control model that uses roles to determine access. Subjects (such as users) are placed into roles, and access to objects (such as files) is granted to the roles. Other access control models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rulebased Access Con trol (RuleBAC), and Attributebased Access Control (ABAC).
Rulebased Access Control (RBAC) model
An access control model that uses rules to determine access. As an example, routers use rules within an access control list (ACL) to define traffic allowed in or out of a network. Other access control models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rolebased Access Control (RoleBAC), and Attributebased Access Control (ABAC).
BellLaPadula model
An access control model used to ensure confidentiality. It uses two primary rules: no read up and no write down. Compare to Biba model.
ClarkWilson model
An access control model used to ensure integrity the model has stricter rules than the Biba model. These integrity rules enforce the principle of separation of duties.
Biba model
An access control model used to ensure integrity. It uses two primary rules: no read down and no write up. Compare to BellLaPadula model.
Chinese Wall model
An access control model used to help prevent a conflict of inter est. Data is classified based on conflictofinterest classes. Users who have access to one class are denied access to data in conflicting classes. Also known as the BrewerNash model.
Access Control Subject
An active entity and can be any user, program, or process that requests permission to cause data to flow from an access control object to the access control subject or between access control objects.
RSA
An algorithm used for encryption and decryption in public key cryptography. RSA uses large prime numbers to create secure, matching public and private keys. Its strength lies in the fact that it's computationally infeasible to factor the composite number created from these prime numbers as long as the prime numbers are suffi ciently large.
cold site
An alternative location used in business continuity planning. A cold site is a building with a roof, running water, and electricity. It doesn't include the necessary hardware, software, or personnel. In the event of an emergency, personnel move all of the resources to the cold site location, hook them up, and configure them for operation. Compare to hot site, warm site, and mobile site.
hot site
An alternative location used in business continuity planning. A hot site includes all of the necessary resources to take over the operations of another location in a very short period of time, sometimes within minutes. It includes hardware such as servers and the network infrastructure, uptodate data, and personnel to manage the functions of the alternative location. Compare to cold site, warm site, and mobile site.
mobile site
An alternative location used in business continuity planning. A mobile site can easily be moved and is useful when an organization doesn't want to designate a specific alternative location. For example, it's possible to set up the inside of a storage container as an alternative location. These are the same storage containers that 18wheeler tractor trailers use to haul goods, and they are as easy to move as any other loads hauled over the highways.
warm site
An alternative location used in business continuity planning. A warm site is a compromise between a cold site and a hot site. The organization makes compromises with costs and time. Compare to hot site, cold site, and mobile site.
Terminal Access Controller Access Control System + (TACACS+)
An alternative to RADIUS to provide centralized authentication, authorization, and accounting (AAA) services for remote clients. TACACS+ provides improvements over TACACS, and both TACACS and TACACS+ use port 49. TACACS+ uses, Transmission Control Protocol (TCP). TACACS uses User Datagram Protocol (UDP).
corporateowned, personally enabled (COPE)
An alternative to bring your own device (BYOD) policies. An organization purchases and issues devices (such as smartphones and tablets) to users instead of allowing them to connect their personally owned devices to the network. Compare to bring your own device (BYOD) policies.
file integrity checker
An application that can verify that files have not been modi fied. In doing so, the application guards against a loss of integrity. File integrity checkers use hashing algorithms to capture hashes of files in a known good state. Later, they create hashes on the same file and compare the two hashes. If the file is unchanged, the hashes are the same, but if the file has been modified, the hashes are different.
Extranet
An area of an organization's network used to host resources via the Internet but is available only to trusted entities. An extranet is available via the Internet, but only to a specific target audience.
penetration test
An assessment that starts with a vulnerability assessment. Instead of stopping after discovering vulnerabilities, a penetration test attempts to exploit the discovered vulnerabilities.
buffer overflow attack
An attack on a system that has a buffer overflow vulner ability. Buffer overflow vulnerabilities can be reduced with input validation techniques and by keeping systems up to date.
crosssite scripting (XSS)
An attack that attempts to inject HTML or JavaScript into a web page. After the attack, the code executes on a user's system when the user visits the attacked website. Successful attacks sometimes allow attackers to read cookies and use this data to launch sessionhijacking attacks.
command injection
An attack that attempts to inject commands into an applica tion. In some cases, a command injection attack can inject operating system commands that would normally be executed at the command line. In other cases, it injects code such as JavaScript or SQL statements. Input validation techniques help mitigate command injection attacks.
denial of service (DoS)
An attack that attempts to prevent a system from answer ing legitimate requests from users, directly affecting the availability portion of the CIA triad. The attack is launched by a single system.
SQL injection
An attack that injects SQL code to read and manipulate databases. SQL injection attacks are mitigated with input validation techniques and stored procedures.
Pharming
An attack that redirects users to bogus websites. It manipulates one of the host name resolution methods so that the host name resolves to a different website.
crosssite request forgery (CSRF or XSRF)
An attack that results in websites executing unauthorized commands as if a user requested them. Attackers create specially crafted links and encourage users to click the links. For example, attackers can send the links in phishing emails.
zero day exploit
An attack that takes advantage of unpublished vulnerabilities. In some cases, the vendor knows about the exploit but has not released a patch yet.
port scan attack
An attempt to detect what ports are open on a system as part of an overall fingerprinting attack. Open ports indicate which services are running on the system.
Phishing
An emailbased attack. Attackers send emails with the goal of tricking victims into clicking a link or providing sensitive information. The email claims to be from a legitimate company and encourages the user to take an unsafe action.
HyperText Transfer Protocol Secure (HTTPS)
An encrypted form of HTTP. Transport Layer Security (TLS) replaced Secure Sockets Layer (SSL) in most implemen tations of HTTPS. HTTPS uses TCP port 443.
Subject
An entity that can access a resource referred to as an object. For example, if a user accesses a file, the user is the subject and the file is the object.
certificate authority (CA)
An entity that issues and manages certificates through their lifetimes. CAs can be public (such as VeriSign) or private within an organization. Public CAs sell and validate certificates and provide assurances to users that certificates are valid. A CA is sometimes referred to as a certification authority.
buffer overflow
An error that can occur when a system receives more data than it expects and is unable to handle it gracefully. Attackers attempt to exploit buffer overflow errors to install malware on systems.
Fiber Distributed Data Interface (FDDI)
An extension of token ring networks that uses fiberoptic connections instead of copper. FDDI uses dual rings, and the second ring provides redundancy. FDDI token rings support speeds up to 100 Mbps over distances as far away as 120 miles.
least privilege
An important security principle that ensures that users are given only the rights and privileges that they need to perform their job, and no more.
hostbased IDS (HIDS)
An intrusion detection system (IDS) installed on an indi vidual system, such as a server or workstation. It can only monitor activity on the host. Compare to a networkbased IDS (NIDS), which monitors overall network activity.
networkbased IDS (NIDS)
An intrusion detection system (IDS) that monitors the network traffic for any type of attack. A NIDS typically has several nodes or agents stationed around the network connected to routers and possibly switches. Each of these nodes monitors the traffic and reports its findings to a NIDS management server.
Secure Sockets Layer (SSL)
An older encryption protocol used to encrypt different types of traffic. SSL is susceptible to a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. Most organizations have stopped using SSL in favor of the designated replacement, Transport Layer Security (TLS). SSL commonly uses TCP port 443.
Data Encryption Standard (DES)
An older symmetric encryption standard using 56bit keys. It has been broken and is rarely used anymore.
Separation of Duties
An operational security mechanism for preventing fraud and unauthorized use that requires two or more individuals to complete a task or perform a specific function.
bring your own device (BYOD)
An organizational policy that allows users to bring their personally owned devices (such as smartphones and tablets) to work and con nect them to the organization's network. Compare to corporateowned, personally enabled (COPE) policies.
Annualized loss expectancy (ALE)
Annual expected loss if a specific vulnerability is exploited and how it affects a single asset. SLE × ARO = ALE.
Threat
Any activity that can be a possible danger. When a threat exploits a vulner ability, an organization can suffer losses.
data in motion
Any data being transmitted over a network (sometimes called data in transit). It includes data transmitted over an internal network using wired or wireless methods, as well as data transmitted over the Internet. Compare to data at rest.
data at rest
Any data that is in computer storage, such as on system hard drives, portable USB drives, flash drives, storage area networks, and backup tapes. Compare to data in motion.
volatile RAM
Any memory that requires power to hold the data. When a system is powered down, any data (including potential forensic evidence) within volatile RAM is lost.
Cloud Computing
Any type of computing services provided over the Internet
Incident
Any violation of policies or security practices that has the potential to result in an adverse event or that has resulted in an adverse event. Risk management practices attempt to prevent any incidents, detect incidents when they occur, and correct problems that occur from incidents. Also called a security incident.
Access controls
Are security features that control how users and systems communicate and interact with other systems and resources.
Information Rights Management (IRM)
Assigns specific properties to an object such as how long the object may exist, what users or systems may access it, and if any notifications need to occur when the file is opened, modified, or printed.
Authenticity
Assurance that data is coming from a known source and is valid or reliable. Validation processes, such as many encryption and hashing protocols, provide authenticity. Additionally, some processes, such as digital signatures, have authenticity as a key goal.
Integrity
Assurance that data or a system configuration has not been modified. Hashing and audit logs are two methods used to ensure integrity. Integrity is one of the three main goals of information security known as the CIA security triad. The other two goals are confidentiality and availability.
Active attack
Attack where the attacker does interact with processing or communication activities.
AS/NZS 4360
Australia and New Zealand business risk management assessment approach.
Single Sign-on Authentication
Authenticate once to access multiple resources
multifactor authentication
Authentication using more than one factor. There are three factors of authentication: something you know (such as a password), something you have (such as a smart card), and something you are (using biometrics).
AAAs of security
Authentication, authorization, and accounting. Authentication ensures that entities can prove their identity. Authorization grants access to individuals based on their proven identity. Accounting tracks and records their activity in logs.
Which range defines "well known ports?" A. 0-1024 B. 0-1023 C. 1-1024 D. 1024-49151
B. 0-1023
There are ______ available service ports A. 65535 B. 65536 C. 1024 D. 1-1024 E. Unlimited
B. 65536
The SubSeven Trojan has been known to exploit which service ports? A. 137, 139 B. 6711, 6712, 6776, 27374 C. 31337, 31338 D. 65000, 65001, 65002
B. 6711, 6712, 6776, 27374
Sandra has used Ethereal, a packet sniffer, to listen in on network transmissions. She has captured several passwords. What type of attack has been performed on her network? A. An active attack B. A man-the-middle attack C. A session hijacking D. A privilege escalation attack E. An illicit server attack
B. A man-the-middle attack
The ___________ protocol converts IP addresses (logical) to MAC Addresses (physical) A. IPSEC B. ARP C. DARP D. DNS E. None of the above
B. ARP
BIND should be disabled on the which of the following? A. All DNS servers to avoid recursive lookups B. All non DNS servers C. Firewalls D. Routers
B. All non DNS servers
Is the person who is attempting to log on really who they say they are? What form of access control does this questions stem from? A. Authorization B. Authentication C. Kerberos D. Mandatory Access Control
B. Authentication
A program that intentionally leaves a security hole or covert method of access is referred to as a ___________. A. Logic bomb B. Back door C. Trojan horse D. Honey p
B. Back door
Which method of password cracking takes the most time and effort? A. Guessing B. Brute Force C. Hybrid D. Shoulder Surfing E. Dictionary attack
B. Brute Force
__________ attacks capitalize on programming errors and can allow the originator to gain additional privileges on a machine. A. SYN Flood B. Buffer Overflow C. Denial of Service D. Coordinated E. Distributed Denial of Service
B. Buffer Overflow
A Security Reference Monitor relates to which DoD security standard? A. LC3 B. C2 C. D1 D. L2TP E. None of the items listed
B. C2
What are the main goals of an information security program? (Choose all that apply) A. Complete Security B. Confidentiality C. Availability D. Integrity of data E. Ease of Use
B. Confidentiality C. Availability D. Integrity of data
Which auditing practice relates to the controlling of hardware, software, firmware, and documentation to insure it has not been improperly modified? A. System Control B. Configuration Control C. Consequence Assessment D. Certification / Accreditation
B. Configuration Control
___________, generally considered "need to know" access is given based on permissions granted to the user. A. MAC - Mandatory Access Control B. DAC - Discretionary Access Control C. SAC - Strategic Access Control D. LAC - Limited Access Control
B. DAC - Discretionary Access Control
Diffie Hellman, RSA, and ___________ are all examples of Public Key cryptography? A. SSL - Secure Sockets Layer B. DSS - Digital Signature Standard C. Blowfish D. AES - Advanced Encryption Standard
B. DSS - Digital Signature Standard
Unclassified, Private, Confidential, Secret, Top Secret, and Internal Use Only are levels of ________________ A. Security Classification B. Data Classification C. Object Classification D. Change Control Classification
B. Data Classification
Overloading or congesting a system's resources so that it is unable to provide required services is referred to as: A. Swamping B. Denial of Service C. Bandwidth displacement D. A passive attack E. ICMP redirect
B. Denial of Service
S/MIME was developed for the protection of what communication mechanism(s)? A. Telephones B. Email C. Wireless devices D. Firewalls
B. Email
A security policy is a rigid set of rules that must be followed explicitly in order to be effective. A. True B. False
B. False
Accreditation grants permission to operate a system freely since all risk has been eliminated. A. True B. False
B. False
BIA - Business Impact Analysis deals strictly with financial assessment of a loss in relation to business operations? A. True B. False
B. False
Cable modems are less secure than DSL connections because cable modems are shared with other subscribers? A. True B. False
B. False
Corporate networks are safer if an end user connects through a VPN connection? A. True B. False
B. False
DES - Data Encryption standard has a 128 bit key and is very difficult to break. A. True B. False
B. False
Heuristic scanning in antivirus software is designed to catch 100% of all known and unknownvirus technologies. A. True B. False
B. False
Kerberos uses asymmetric encryption.(True / False) A. True B. False
B. False
L2TP is considered to be a less secure protocol than PPTP. A. True B. False
B. False
Macintosh computers are not at risk for receiving viruses. A. True B. False
B. False
Only key members of the staff need to be educated in disaster recovery procedures. A. True B. False
B. False
Only law enforcement personnel are qualified to do computer forensic investigations. A. True B. False
B. False
Risk assessment deals with constant monitoring? A. True B. False
B. False
Words appearing in the English dictionary are not considered to be good passwords, but words appearing in the French, Spanish, Italian, and Japanese dictionaries are not considered a risk. A. True B. False
B. False
The ability to adjust access control to the exact amount of permission necessary is called ______________. A. Detection B. Granularity C. Separation of Duties D. Concept of Least Privilege
B. Granularity
TCPWrappers is an example of which type of security tool? A. Network Based IDS B. Host Based IDS C. Personal Firewall D. All of the above E. None of the above
B. Host Based IDS
What are the two most critical aspects of risk analysis? (Choose two) A. Identifying vulnerabilities B. Identifying threats C. Identifying resources D. Identifying assets
B. Identifying threats D. Identifying assets
Of the following, which is NOT a risk assessment system? A. Aggregated Countermeasures Effectiveness (ACE) Model B. Information Security Protection Assessment Model (ISPAM) C. Dollar-based OPSEC Risk Analysis (DORA) D. Analysis of Networked Systems Security Risks (ANSSR)
B. Information Security Protection Assessment Model (ISPAM)
What is the main difference between computer abuse and computer crime? A. Amount of damage B. Intentions of the perpetrator C. Method of compromise D. Abuse = company insider; crime = company outsider
B. Intentions of the perpetrator
Your ATM card is a form of two-factor authentication for what reason? A. It combines something you are with something you know B. It combines something you have with something you know C. It combines something you control with something you know D. It combines something you are with something you have
B. It combines something you have with something you know
Layer 4 of the OSI model corresponds to which layer of the DoD model? A. Layer 4 - Application B. Layer 3 - Host to Host C. Layer 2 - Internet D. Layer 1 - Network E. Layer 6 - Presentation
B. Layer 3 - Host to Host
IPSEC resides at which layer of the OSI model? A. Layer 6 - Presentation B. Layer 3 - Network C. Layer 4 - Transport D. Layer 5 - Session E. Layer 2 - Data Link F. Layer 1 - Physical
B. Layer 3 - Network
________, _________, and __________ are required to successfully complete a crime. (Choose three) A. Root kit B. Motive C. Buffer Overflow D. Means E. Opportunity F. Advantage Means, motive, and opportunity are the three items needed to commit a crime.
B. Motive D. Means E. Opportunity
The __________ is the most dangerous part of a virus program. A. Code B. Payload C. Strain D. Trojan E. None of the above
B. Payload
Sending an ICMP packet greater than 64Kb is an example of what type of attack? A. Buffer Overflow B. Ping of Death C. Syn Flooding D. TearDrop E. Land Attack
B. Ping of Death
Echo, chargen, finger, and bootp are all examples of? A. Security weaknesses B. Possibly unnecessary services C. Service ports D. Router commands E. Hacker tools
B. Possibly unnecessary service
The ultimate goal of a computer forensics specialist is to ___________________. A. Testify in court as an expert witness B. Preserve electronic evidence and protect it from any alteration C. Protect the company's reputation D. Investigate the computer crime
B. Preserve electronic evidence and protect it from any alteration
Each of the following is a valid step in handling incidents except ____________ A. Contain B. Prosecute C. Recover D. Review E. Identify F. Prepare
B. Prosecute
What does RADIUS stand for? A. Remote Access Dialup User Systems B. Remote Access Dial-in User Service C. Revoke Access Deny User Service D. Roaming Access Dial-in User System
B. Remote Access Dial-in User Service
The main difference between MD5 and SHA is what? A. Security - MD5 can be forged and SHA cannot B. SHA has 160 bit signature and MD5 has a 128 bit signature C. MD5 has 160 bit signature and SHA has a 128 bit signature D. Security - SHA can be forged and MD5 cannot
B. SHA has 160 bit signature and MD5 has a 128 bit signature
What system allows a user to provide one ID and password per work session and then is automatically logged-on to all the required applications? A. Tickets B. SSO C. Challenge Response D. Token-based authentication E. Biometrics
B. SSO
What security principle is based on the division of job responsibilities - designed to prevent fraud? A. Mandatory Access Control B. Separation of Duties C. Information Systems Auditing D. Concept of Least Privilege
B. Separation of Duties
Which of the following DoS attacks use ICMP? (Choose two) A. SYN attack B. Smurf attack C. Ping of death D. UDP flood E. NMAP
B. Smurf attack C. Ping of death
Select the major difference(s) between block and stream ciphers. (Choose all that apply) A. Block = bit by bit = encrypted in equal sections B. Streams = bit by bit; block = encrypted in equal sections C. Block = hardware driven; stream = software driven D. Stream = hardware driven; block = software driven E. Block = slower encryption; stream = fast encryption
B. Streams = bit by bit; block = encrypted in equal sections D. Stream = hardware driven; block = software driven E. Block = slower encryption; stream = fast encryption
What is the main goal of a risk management program? A. To develop a disaster recovery plan B. To help managers find the correct cost balance between risks and countermeasures C. To evaluate appropriate risk mitigation scenarios D. To calculate ALE formulas E. None of the above
B. To help managers find the correct cost balance between risks and countermeasures
In a Public Key Infrastructure (PKI), what is the role of a directory server? A. To issue certificates to users B. To make user certificates available to others C. Authorizes CA servers to issue certificates to users D. Is the root authority for the PKI
B. To make user certificates available to others
A ___________ is a program that poses as a useful or legitimate program, but turns out to be malicious code. A. Worm B. Trojan Horse C. Logic Bomb D. Polymorphic Virus
B. Trojan Horse
What is the following paragraph an example of? <> A. Audit Trail Banner B. Warning Banner C. Welcome Banner D. Access Control Banner
B. Warning Banner
A virus is considered to be "in the ______ " if it has been reported as replicating and causing harm to computers. A. Zoo B. Wild C. Cage D. Jungle E. Fire
B. Wild
A one way hash converts a string of random length into a _______________ encrypted string. A. 192 bit B. fixed length C. random length D. 56 bit E. SHA F. MD5
B. fixed length
10. Which of the following helps to prove that collected evidence has been controlled since it was collected? A. COFEE application B. Chain of custody C. DECAF application D. Audit logs
B. A chain-of-custody document provides proof that collected evidence has been controlled since it was collected by identifying exactly who has control of it and where it was located since it was collected. Microsoft developed the Computer Online Forensic Evidence Extractor (COFEE) to help law enforcement forensic experts, and hackers developed Detect and Eliminate Computer Assisted Forensics (DECAF) as an antiforensics tool. Neither COFEE nor DECAF provides proof that the evidence was controlled after collection. Audit logs can be used in a forensic investigation but they don't validate evidence.
20. Of the following choices, what can help ensure that system modifications do NOT cause unintended outages? A. Security audit B. Change management C. Configuration control D. Audit trail
B. A change management program allows stakeholders to request changes and helps reduce unintended outages from unauthorized changes. A security audit examines an organization's policies and procedures to determine whether those who work in the organization follow these policies and procedures. Configuration control helps ensure that systems are configured in a secure manner and similarly to each other. An audit trail is one or more logs that can re-create events leading up to and occurring during an incident.
5. Which of the following security controls can restore a failed or disabled control? A. Preventive B. Corrective C. Detective D. Deterrent
B. A corrective control can restore a failed or disabled control. A preventive control attempts to prevent incidents, and a detective control attempts to detect incidents. A deterrent control attempts to dissuade or deter personnel from trying to circumvent security policies or otherwise cause an incident.
13. What is used to create a digital signature used with e-mail? A. The public key of the sender B. The private key of the sender C. The public key of the recipient D. The private key of the recipient
B. A digital signature is created by hashing a message and encrypting the hash with the sender's private key. The recipient can then decrypt the hash with the sender's public key. The recipient's keys are not used for a digital signature, but they are used to encrypt and decrypt e-mail.
13. An external organization is performing a vulnerability test for a company. Officials from the company give this group some information on the company's network prior to the test. What type of test is this? A. White box test B. Gray box test C. Black box test D. Internal test
B. A gray box test (also called a partial knowledge test) is performed with some internal knowledge and can be performed either internally or externally. A white box test (also called a full knowledge test) is performed with full access to internal documentation. A black box test (also called a zero knowledge test) is performed without any inside knowledge of the organization. It is not an internal test because an external organization is performing it.
18. Of the following choices, what is the best method to prevent tailgating? A. Education B. Mantrap C. Antivirus software D. Access controls on the phone system
B. A mantrap is the best method to prevent tailgating, which is the practice of one person following another into a secure area while only the first person provides credentials. Although education of employees can go a long way, ingrained courtesy sometimes overcomes security practices, and a person may actually open the door for a social engineer. Antivirus software, access controls, and the phone system aren't related to the social engineering practice of tailgating.
2. Which of the following malware types alters its own code to avoid detection by antivirus software? A. Armored virus B. Metamorphic virus C. Polymorphic virus D. Ransomware
B. A metamorphic virus changes or mutates its code as it replicates itself to prevent detection. An armored virus uses techniques such as encryption to make it more difficult for AV researchers to decompile the virus. A polymorphic virus changes the file, but not the code. Ransomware takes over a user's computer and demands a monetary ransom to return control back to the user.
5. What type of control is a NIDS? A. Corrective B. Detective C. Deterrent D. Preventive
B. A network-based IDS (NIDS) is a detective control, as it detects potential attacks as they are occurring. An active IDS is a corrective control because it can take action to reverse the effects of an attack by changing the environment, but all IDSs are not active. A deterrent control attempts to deter would-be attackers from attempting an attack, but attackers don't know if a network has an IDS. An intrusion prevention system (IPS) is a preventive control because it can prevent an attack from reaching a network, but an IDS does not prevent the attack.
Which of the following choices does NOT ensure that a password is strong? A. Ensuring that the password is of a sufficient length B. Ensuring that the password is changed frequently C. Ensuring that the password has a mixture of different character types D. Ensuring that the password does not include any part of the user's name
B. A password should be changed regularly, but doing so doesn't ensure the password is strong. For example, if a user changes a password from "1234" to "4321," it is not strong. The other options all contribute to the strength of a password.
19. What's the primary difference between a penetration test and a vulnerability assessment? A. A vulnerability assessment includes a penetration test, but a penetration test does not include a vulnerability assessment. B. A penetration test is intrusive and can cause damage, while a vulnerability assessment is passive. C. A vulnerability assessment is intrusive and can cause damage, while a penetration test is passive. D. They are basically the same, but with different names.
B. A penetration test is intrusive it includes a vulnerability assessment, attempts to exploit discovered vulnerabilities, and can cause damage. Vulnerability assessments are not intrusive and do not cause damage.
13. Of the following choices, which one is authoritative in nature? A. Procedure B. Policy C. Action steps D. Tasks
B. A policy is authoritative in nature and provides high-level guidance to employees. Procedures include action steps to accomplish tasks.
20. What is a primary goal of security-related user awareness training? A. Increase use of e-mail B. Change behavior C. Implement technical solutions D. Show how to use applications
B. A primary goal of security awareness training is to change user behavior from unsafe practices to safe practices. It isn't related to applications such as e-mail, and end users aren't expected to implement technical solutions.
5. What's a primary method used to reduce risk? A. Reducing threats B. Reducing vulnerabilities C. Increasing threats D. Increasing vulnerabilities
B. A primary method of risk mitigation is reducing vulnerabilities. Threats often can't be reduced, and adding more threats won't reduce risk. You reduce vulnerabilities by implementing controls.
15. You are completing a risk assessment using historical data. You've identified that a system has failed three times in the past year, and each of these outages resulted in approximately $10,000 in losses. What type of analysis does this allow you to perform? A. Qualitative B. Quantitative C. Informative D. Subjective
B. A quantitative analysis uses numerical figures to identify the actual costs associated with a risk. A qualitative analysis uses subjective terms such as low, medium, and high to analyze a risk. There is no such thing as an informative analysis.
6. Which of the following identifies a system that requires a database to detect attacks? A. Anomaly-based IDS B. Signature-based IDS C. HIPS D. NIPS
B. A signature-based IDS compares activity against a signature file (or database of signatures) to identify attacks. An anomaly-based IDS requires a baseline. Both a host-based IPS (HIPS) and a network-based IPS (NIPS) can use either anomaly- based or signature-based detection methods.
Advance Networking & Communications: 1. Which of the following best describes the mapping of data held within a switch's table? A. IP address to port B. MAC address to port C. IP address to MAC address D. Physical port to logical port
B. A table in a switch maps the media access control (MAC) address to the physical port. Routers map network IP addresses to the physical port with the corresponding gateway IP addresses. The Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses, but this data is not held in a switch. Physical ports and logical ports are not mapped together.
9. Of the following choices, what is a tuple? A. A column in a database B. A row in a database C. A primary key D. A foreign key
B. A tuple is a row in a database. Columns are also known as attributes. A primary key uniquely identifies a row in a table and is related to a foreign key in another table to create a relationship between two tables.
9. Of the following choices, what best describes a whitelist as a replacement for a HIDS? A. A listing of websites that a user can visit, blocking access to all other websites for a HIDS? B. A listing of applications that a user can run, blocking attempts to run any other applications C. A listing of MAC addresses blocked through a firewall, allowing traffic from all other systems D. A listing of suitable vendors for IPSs
B. A whitelist can include a list of applications that a user can run and block all other applications. Some security professionals are suggesting this as a replacement for both HIDSs and AV software. A proxy server can block access to specific websites, but this isn't a replacement for a HIDS. A MAC address whitelist identifies addresses that are allowed, not blocked. A whitelist is not a list of vendors.
16. Which of the following formulas will determine the annual loss expectancy (ALE)? A. SLE - ARO B. SLE × ARO C. ARO - SLE D. SLE divide by ARO
B. ALE is the product calculated from the single loss expectancy (SLE) and the annual rate of occurrence (ARO), or SLE × ARO. The ALE is not calculated by subtraction of the ARO and SLE or by dividing the SLE and ARO.
15. What should administrators do after learning that a vendor has released a patch that is relevant for servers they manage? A. Apply the patch. B. Test the patch. C. Audit systems to see whether the patch is applied. D. Document the systems where the patch is applied.
B. Administrators should test patches before applying them to detect potential problems. If the patch is applied as soon as it is released, it can result in unforeseen problems. Systems are audited after the patch is applied to ensure that the patch was successfully applied. Change management and configuration control procedures are used to document patches.
Which of the following will disable an account if an attacker tries to guess the password multiple times? A. A password policy B. An account lockout policy C. A password history D. De-provisioning accounts
B. An account lockout policy can disable an account if an attacker (or a user) enters the wrong password too many times.
5. A user entered an incorrect password three times. Now, the user is no longer able to log on. What caused this to occur? A. Password policy B. Account lockout policy C. Clipping level D. Audit trail
B. An account lockout policy locks out an account after a predetermined number of failed logins. The password policy ensures that users create strong passwords and change them often. The account lockout policy is using a clipping level by ignoring failed login attempts until it detects a preset threshold, but the clipping level doesn't lock the account. An audit trail is one or more logs used to reconstruct events leading up to and occurring during an incident.
7. You have recently modified the network infrastructure within your network. What should be re-created to ensure that the anomaly-based NIDS continues to work properly? A. Signature database file B. Baseline C. Router gateways D. Firewalls
B. An anomaly-based NIDS compares current activity against a baseline to determine abnormal behavior, and this baseline should be updated when the network is modified. This provides the NIDS with an accurate baseline. A signature-based NIDS uses a signature database file. Router gateways and firewalls do not need to be re-created for the NIDS.
10. An organization has a business location in Miami, Florida. Due to the risks associated with hurricanes, the organization has decided to move the location to Atlanta, Georgia, away from any ocean. What risk management strategy is the organization using? A. Accept B. Avoid C. Mitigate D. Transfer
B. By moving the location to a city that can't be hit by a hurricane, the company is using risk avoidance. Risk acceptance doesn't take any action to mitigate the risk. In risk mitigation, you attempt to reduce the risk, perhaps by ensuring that the building is built with hurricane-resistant materials. The company can transfer the risk by purchasing hurricane and flood insurance.
4. Which of the following statements best describes a benefit of using clipping levels? A. Clipping levels ignore baselines and generate alerts when they detect security violations. B. Clipping levels ignore normal user errors, but generate alerts when these errors exceed a predetermined threshold. C. Audit trails use clipping levels to record all potential alerts for accountability. D. Clipping levels ensure systems generate alerts when they detect any potential security violations.
B. Clipping levels ignore normal user errors, but generate alerts when these errors exceed a predetermined threshold. Clipping levels are not associated with baselines. It is possible to configure an audit trail without clipping levels, but if clipping levels exist, the audit trail does not ignore them. Clipping levels do not generate alerts when they detect any potential errors or security violations, but instead only generate alerts when they detect the number of events has exceeded a predetermined threshold.
9. A website developer wants to provide assurances to users that ActiveX controls used on the site are not malicious. What can provide this assurance? A. Input validation B. Code signing C. Code review D. Enabling cross-site scripting
B. Code signing digitally signs ActiveX controls and provides assurances to users of who created the control and that it hasn't been modified. Input validation helps prevent injection attacks, but it's used to protect the website, not provide assurance to users. Code review is a valuable tool to detect problems with applications before an organization releases them. Cross-site scripting is an attack and would not be enabled.
12. A website is preventing users from entering the < and > characters when they enter data. What is the website trying to prevent? A. SQL injection attack B. Cross-site scripting attack C. Input validation attack D. Trojan horse
B. Cross-site scripting (XSS) injects HTML or JavaScript into a web page, and input validation techniques help prevent XSS attacks. The users are prevented from entering HTML or JavaScript tags that start with < and end with >. A SQL injection attack uses SQL code, but SQL code does not use < or > characters. Input validation is a prevention technique, not an attack. A Trojan horse is an application that looks like it's something useful but is actually something malicious.
20. Researchers are attempting to discover weaknesses in an encryption algorithm using a known-plaintext attack. What is this called? A. Cryptography B. Cryptanalysis C. Criminal behavior D. Hashing
B. Cryptanalysis is the process of deciphering codes through analysis, and a known-plaintext attack is one method of cryptanalysis. Cryptography is the science of using different methods and techniques to encrypt data. It is not criminal to search for weaknesses, but the action taken after these weaknesses are discovered can be criminal. Hashing is the process of creating a hash from a file or a message with a hashing algorithm, and it is used to prevent the loss of integrity.
7. A company wants to reduce the amount of space used to store files used and shared by employees. What can it use to reduce the amount of storage space used? A. Data loss prevention (DLP) systems B. Deduplication C. Information rights management (IRM) D. Retention policies
B. Deduplication ensures that a file is stored only once on a system, even if multiple users have access to the same file. DLP systems attempt to monitor data usage and prevent the unauthorized use or transmission of sensitive data. IRM refers to the different methods used to protect sensitive information from unauthorized access. Retention policies restrict how long data is retained.
5. Which of the following methods will reliably remove all data from a backup tape? A. Erasing B. Degaussing C. Diddling D. Sanitizing
B. Degaussing will reliably remove all data from a backup tape. Degaussing uses a powerful magnet to erase the data. Other methods of erasing data from a tape don't necessarily erase all the data. Data diddling is the unauthorized changing of data before or while entering it into a system and is unrelated to removing data from a tape. Sanitizing the tape is the goal, but it is not a method.
9. A forensic expert wants to examine data on a hard drive of a confiscated computer. Which of the following actions should the expert complete first? A. Ensure that the computer has UPS protection B. Create a bit copy of the disk C. Disable the antivirus software on the computer D. Move the hard drive to another system and examine it on the other system
B. Disk drives should be copied with an approved bit-copy tool prior to examining any of the data because the process of examining the data can result in the loss of data. An uninterruptible power supply (UPS) protects a system from a power loss, and antivirus (AV) software protects a system from malware, but neither has anything to do with protecting evidence. Moving the drive to another system and examining it on the other system will modify the original evidence.
13. Which of the following accurately identifies a difference between FTP and TFTP? A. FTP uses UDP and TFTP uses TCP. B. FTP supports authentication, but TFTP does not support authentication. C. TFTP sends data across a network in cleartext, but FTP encrypts data. D. TFTP is primarily used to transfer large files, and FTP is used to transfer configuration information to and from network devices.
B. File Transfer Protocol (FTP) supports authentication, but Trivial FTP (TFTP) does not support authentication. FTP uses TCP ports 20 and 21, while TFTP uses UDP port 69. Both FTP and TFTP send data across a network in cleartext, but it is possible to encrypt FTP with Secure Shell (as SFTP). TFTP is commonly used to transfer configuration files to and from network devices, and FTP is primarily used to transfer large files.
9. Which of the following topologies avoids collisions using a token? A. IEEE 802.3 B. IEEE 802.5 C. CSMA/CD D. CSMA/CA
B. IEEE 802.5 defines token ring networks, which avoid collisions using a token. Ethernet (IEEE 802.3) attempts to detect collisions using Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Wireless networks (802.11) attempt to avoid collisions using Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA).
7. What should an organization do when the cost of a control exceeds the cost of a risk? A. Implement the control B. Accept the risk C. Perform a risk assessment D. Mitigate the risk
B. If the cost of a control exceeds the cost of a risk, the organization should accept the risk. The organization might implement the control if the cost of the control was less than the cost of the risk, indicating a cost savings. A risk assessment can analyze the value of the control, but you wouldn't need to do a risk assessment if you already know the cost of the control exceeds the costs of the risk. Mitigating the risk indicates you would implement the control, but based on the known costs, it's appropriate to accept the risk.
9. Of the following choices, what provides the best protection against buffer overflow attacks? A. SQL injection B. Input validation C. Cross-site scripting D. Code signing
B. Input validation techniques validate data before using it and can help prevent a wide variety of attacks, including buffer overflow attacks. SQL injection is an attack that attempts to inject SQL code into an application. Cross-site scripting is an attack that attempts to inject HTML or JavaScript code into a web page. Code signing uses a certificate to digitally sign an application, but will not protect against buffer overflow attacks.
17. Which of the following statements is correct related to IPsec? A. IPsec provides confidentiality by encrypting data with AH. B. IPsec provides confidentiality by encrypting data on the Network layer. C. IPsec AH uses protocol number 50. D. IPsec ESP uses protocol number 51.
B. Internet Protocol security (IPsec) provides confidentiality by encrypting data on the Network layer. Encapsulating Security Payload (ESP) provides confidentiality by encrypting data, but Authentication Header (AH) only provides authentication and integrity. AH uses protocol number 51, and ESP uses protocol number 50.
14. What security practice moves employees into different positions periodically to reduce the risk of fraud? A. Separation of duties B. Job rotation C. Mandatory vacations D. Risk mitigation
B. Job rotation is a security practice of rotating employees into different positions periodically to reduce the risk of fraud. It is often combined with a separation of duties policy, but separation of duties by itself does not require employees to rotate between jobs only that a single employee doesn't control all elements of a process. A mandatory vacation security policy requires employees to take time away from work to increase the chances of suspicious activity being discovered. Risk mitigation is any practice that reduces risks, but it is not limited to only rotating employees to different positions or only reducing the risk of fraud.
16. A badge reader records employee names, dates, and times when employees enter and exit a secure server room. An auditor reviewed the logs and noticed that they showed that many employees entered the room, but the logs do not show when all of the employees exited the room. What does this indicate? A. The badge reader is operational B. Tailgating C. The mantrap is not being used D. Unauthorized entry
B. Logs that include entries showing employees entered a secure area but do not include entries showing they exited indicate tailgating is occurring. Some employees are using their credentials to exit (and the logs show them exiting), but other employees are following closely behind these employees without showing their credentials (and the log doesn't include entries for these employees). While it is possible the badge reader has a problem, it is recording some employees exiting, so this isn't the most likely cause. Mantraps prevent tailgating, and if a mantrap is in use, employees would be forced to use it. There isn't any indication of unauthorized entry.
Security Administration and Planning: 1. Of the following choices, which provides the highest-level authority for an organization? A. Standards B. Policies C. Guidelines D. Procedures
B. Policies are high-level documents and provide authoritative direction. Standards can influence a policy, but an organization chooses what standards to follow. Guidelines provide recommendations, but they are not mandatory. Personnel create procedures based on the policy.
12. Of the following choices, which provides high-level guidance to employees? A. Procedure B. Policy C. Action steps D. Disaster recovery plan
B. Policies provide high-level guidance to employees. Procedures include action steps to accomplish tasks. A disaster recovery plan can include one or more procedures to use in response to a disaster.
15. What port does POP3 use? A. 25 B. 110 C. 143 D. 443
B. Post Office Protocol version 3 (POP3) uses TCP port 110. Simple Mail Transfer Protocol (SMTP) uses TCP port 25. Internet Message Access Protocol version 4 (IMAP4) uses TCP port 143. HyperText Transfer Protocol Secure (HTTPS) uses TCP port 443.
6. What type of control are procedures to back up and restore data? A. Operational B. Corrective C. Detective D. Deterrent
B. Procedures to back up and restore data are corrective controls because they take action to reverse the effects of data loss. Operational is a class of control. Deterrent controls attempt to deter personnel from causing a security incident. A detective control identifies events either as they are occurring or after they've occurred.
Security Operations: 1. Of the following choices, what type of data requires the least amount of protection? A. Confidential B. Public C. Private D. Sensitive
B. Public data requires the least amount of protection. An organization would want to ensure that public data on a website is not modified, but the organization puts the data on the website to make it available to the public. The other choices indicate sensitive data that is important to an organization and deserves varying levels of protection.
16. How are public keys distributed to clients from Internet websites? A. As e-mail attachments B. Embedded in certificates C. As cookies D. Embedded in the HTML code for the page
B. Public keys are embedded in certificates and distributed to clients in the certificate. Although users can send certificates to each other as e-mail attachments, a website does not use this method. Public keys are not included in cookies or in HTML code.
15. Which of the following identifies the correct representation of RADIUS? A. Remote Access Dial-in User System. B. Remote Authentication Dial-in User Service C. Roaming Access Dial-in User Service D. Remote Authentication Dialing User System
B. RADIUS is an acronym for Remote Authentication Dial-in User Service. The other choices are not valid.
18. You have two disk drives and you want to provide fault tolerance by mirroring the two drives. What should you use? A. RAID-0 B. RAID-1 C. RAID-5 D. RAID-6
B. RAID-1 provides fault tolerance by mirroring two drives. RAID-0 does not provide fault tolerance. RAID-5 uses three or more drives. RAID-6 is an alternative to RAID-5 and uses four or more drives.
13. What is RPO in relation to business continuity planning? A. Restoring potential outage B. Recovery point objective C. Restoration process option D. Recovery process options
B. RPO represents recovery point objective and indicates the point in time to which a failed database should be restored. The other answers are not valid terms for RPO within business continuity planning.
14. What is RTO in relation to business continuity planning? A. Recovery terminal objective B. Recovery time objective C. Recovery tolerable outage D. Recovery tolerable objective
B. RTO is an acronym for recovery time objective and represents the maximum amount of time that can be taken to restore a system or process. The RTO is derived from the maximum allowable outage (MAO). The other answers are not valid terms for RTO within business continuity planning.
6. When Sally turns her computer on, she sees a screen indicating software has encrypted all of her data files. A message indicates she must pay $300 within 48 hours to access the decryption key. What does this describe? A. Logic bomb B. Ransomware C. Worm D. Spyware
B. Ransomware takes control of a user's computer or data and demands a ransom to return control to the user. This scenario describes CryptoLocker. A logic bomb is malware that executes in response to an event such as a specific date and time. Worms infect computers over a network, and while worms deliver malware, not all worms include ransomware. Spyware is software installed on a user's system without the user's knowledge with the goal of spying on the user, not extorting money from the user.
6. What is the purpose of risk management? A. Eliminate risks B. Reduce risks to an acceptable level C. Share or transfer risks D. Identify risks
B. Risk management reduces risks to an acceptable level. It is not possible to eliminate risk. One method of managing risk is to share or transfer risk, but that is not the only method. Similarly, risk management processes identify risk, but risk management is much more than just identifying risk.
2. Which of the following choices allows you to verify that a file has not been modified? A. AES B. SHA C. PKI D. IDEA
B. Secure Hashing Algorithm (SHA) is a hashing algorithm, and hashing is a key method of ensuring integrity (or verifying a file has not been modified). The hash is calculated at two different times, and if the hash is the same, the file has not been modified. Advanced Encryption Standard (AES) is a strong symmetric encryption protocol. A public key infrastructure (PKI) is used to support the creation, management, and distribution of certificates. International Data Encryption Algorithm (IDEA) is an older symmetric encryption protocol.
11. What is a common standard used to encrypt and digitally sign e-mail? A. Symmetric encryption B. S/MIME C. TLS D. Steganography
B. Secure/Multipurpose Internet Mail Extensions (S/MIME) is the standard used to encrypt and digitally sign e-mail. Symmetric encryption uses a single key to encrypt and decrypt data, but cannot digitally sign e-mail. Transport Layer Security (TLS) encrypts data sent over a network and is used with HTTPS. Steganography is the practice of hiding data within data or in plain sight.
12. A risk assessment recommended several controls to mitigate risks, but only some of the controls were accepted and implemented. Who is responsible for any losses that occur from the remaining risk? A. The person completing the risk assessment B. Senior management C. IT personnel managing the systems D. Security personnel
B. Senior management is responsible for making decisions on what risk to mitigate. The remaining risk is residual risk, and senior management is responsible for any losses from this residual risk.
14. An attacker sends an e-mail to many members of an organization and spoofs the From address so that the e-mail looks like it came from within the organization. The e-mail tries to trick recipients into following a link. What is the best definition of this action? A. Phishing B. Spear phishing C. Whaling D. Vishing
B. Spear phishing is a phishing tactic that targets a specific organization. Phishing doesn't target individual organizations, but instead casts a wide net, hoping to catch someone. Whaling targets a specific individual, such as an executive. Vishing uses voice methods such as the telephone or VoIP.
16. What port does TACACS+ typically use? A. 25 B. 49 C. 53 D. 443
B. Terminal Access Controller Access Control System+ uses TCP port 49. Simple Mail Transport Protocol (SMTP) uses TCP port 25, Domain Name System (DNS) uses TCP port 53 and UDP port 53, and HyperText Transfer Protocol Secure (HTTPS) uses TCP port 443.
2. Which layer of the OSI Model packages data as a frame? A. Physical layer B. Data Link layer C. Network layer D. Transport layer
B. The Data Link layer packages data as a frame. The Physical layer packages data as bits. The Network layer packages data as a packet. The Transport layer packages data as a segment.
Which of the following metrics identifies the number of valid users that a biometric authentication system falsely rejects? A. FAR B. FRR C. CER D. AAA
B. The False Rejection Rate (FRR, also called a type 1 error) refers to the percentage of times a biometric system falsely rejects a known user.
14. Which of the following choices identifies a regulation that mandates the protection of health-related information? A. SOX B. HIPAA C. Epsilon D. PII
B. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of health-related information. The Sarbanes-Oxley (SOX) Act mandates specific requirements to guarantee the accuracy of data held by companies registered with the U.S. Securities and Exchange Commission. Epsilon is a marketing company that suffered a data breach and was required to report the loss to customers based on laws that protect personally identifiable information (PII).
19. Of the following choices, what is a U.S. government entity that regularly publishes Special Publications (known as SP 800 series documents) related to IT security? A. ITIL B. NIST C. CERT Division D. US-CERT
B. The National Institute of Standards and Technology (NIST) publishes documents in the SP 800 series related to IT security. ITIL is a United Kingdom project. CERT Division is a federally funded program located in the Software Engineering Institute at Carnegie Mellon University, and the United States Computer Emergency Readiness Team (US-CERT) provides response support and defense against cyber-attacks. While CERT Division and US-CERT publish documents related to IT security, they don't publish SP 800 series documents.
15. The CEO of a publicly held company in the United States is required to verify the accuracy of a company's financial data. What requires this activity? A. HIPAA B. SOX C. NIST SP 800-64 D. NIST SP 800-37
B. The Sarbanes-Oxley (SOX) Act requires high-level officers (such as the CEO and CFO) to verify personally the accuracy of a company's financial data. HIPAA mandates the protection of protected health information. NIST publishes documents that provide guidance to federal agencies and can be used by private companies, but these documents do not require any actions by private companies.
8. What type of log on a Microsoft system records auditable events, such as when a user deletes a file? A. System B. Security C. Application D. Forwarded Events
B. The Security log records auditable events, such as when a user accesses or deletes a file (as long as resource auditing is enabled). The System log records system events such as when a service stops or starts. The Application log records application events. The Forwarded Events log shows events forwarded from other systems as part of an event subscription.
5. Which layer of the OSI Model provides reliable end-to-end communication services? A. Physical layer B. Transport layer C. Data Link layer D. Host layer
B. The Transport layer provides reliable end-to-end communication services. Neither the Physical layer nor the Data Link layer provides this service. The Host layer is on the TCP/IP Model, not the OSI Model.
15. An organization's location has been hit by a tornado and the organization is moving to an alternative location. What provides the direction for this action? A. BIA B. BCP C. DRP D. Hot site
B. The business continuity plan (BCP) provides direction for moving to an alternative location after a disaster the primary purpose is to continue to provide critical business functions. The business impact analysis (BIA) helps an organization identify what functions are critical. The disaster recovery plan (DRP) has a narrower focus and helps an organization recover one or more systems after the disaster has passed. A hot site is a possible type of alternative location, so it doesn't provide direction for the action.
15. Of the following choices, what is the best technique you can implement on an e-mail server to reduce infection through e-mail? A. Block all e-mail B. Add a spam filter C. Add a polymorphic filter D. Remove all attachments
B. The majority of malware comes through spam, so a spam filter can reduce infections through e-mail. An e-mail server isn't very useful if it blocks all e-mail or removes all attachments. E-mail servers don't have polymorphic filters.
4. Your organization has a private phone system. Of the following, what is the best choice to control call forwarding? A. Ensure that the administrator password is kept private and changed often. B. Restrict phone numbers that can be used with call forwarding. C. Restrict long distance calling. D. Protect the phone system with physical security.
B. The primary way to control call forwarding is to restrict numbers that can be used for call forwarding. Protecting the administrator password and changing it often protects the overall system, but doesn't directly address call forwarding. Restricting long distance calling is also important, but it doesn't address call forwarding. Although physical security of the phone system is valuable, it won't control call forwarding.
17. Of the following choices, which one is a principle that prevents users from accidentally installing malicious software on their systems? A. Nonrepudiation B. Least privilege C. Separation of duties D. Accountability
B. The principle of least privilege specifies that users are given rights and privileges to do their job but no more. If a user doesn't need to install applications, the user is not given permission to do so, which reduces the possibility of the user accidentally installing malware. Nonrepudiation prevents a person from denying an action. Separation of duties divides tasks so that no single person or entity controls an entire process. Accountability ensures that user actions can be tracked and monitored.
20. Of the following choices, what best represents all of the steps related to incident response? A. Preparation, containment, detection, analysis, eradication, and recovery B. Preparation, detection, analysis, containment, eradication, and recovery C. Containment, preparation, detection, analysis, eradication, and recovery D. Containment, analysis, detection, eradication, and recovery
B. The steps recommended in NIST SP 800-61 are preparation, detection, analysis, containment, eradication, and recovery. Containment is important once an incident has been detected and analyzed, but can't be done beforehand.
16. An organization collects customer data such as their name, e-mail address, physical address, and phone number. What term best describes this information? A. PHI B. PII C. COFEE D. DECAF
B. This information is personally identifiable information (PII) because it can be used to identify the customers personally. Protected health information (PHI) is information concerning the health status, provision of health care, or payment of health care for an individual. COFEE is a forensic tool used by law enforcement agencies, and DECAF is an antiforensics tool designed to detect COFEE.
Which of the following actions is most appropriate if an employee leaves the company? A. Delete the user's account as soon as possible. B. Disable the user's account as soon as possible. C. Change the user's password as soon as possible. D. Change the user's permissions as soon as possible.
B. User accounts should be disabled as soon as possible after the user leaves the company under any circumstances.
18. Which of the following represents the greatest risk to virtual systems? A. Confidentiality B. VM escape C. Increased costs for power and cooling D. Loss of control of data in the cloud
B. VM escape is a known attack against virtual systems. If the attack is successful, an attacker can access the host system and all virtual systems within the host. Loss of confidentiality (not confidentiality) is a risk that can be reduced with encryption. Virtualization reduces costs for power and cooling. Loss of control of data stored in the cloud is a risk associated with cloud computing, but organizations can use virtual systems internally to keep control of their data.
5. Managers suspect that an employee in your organization has committed fraud. You are told to secure his computer as part of an incident response. Which of the following should you NOT do? A. Disconnect the computer from the LAN B. Power the system down C. Prevent anyone from accessing the system D. Take pictures of the system
B. You should not power the system down, as doing so will delete any data in volatile RAM. All of the other answers are valid actions in response to an incident that may result in legal proceedings. Organizations often have policies to disconnect a computer from the local area network (LAN) to isolate it and protect evidence on the system. No one should be allowed to access the system as a precaution to ensure that data (and potential evidence) is not modified. There's nothing wrong with taking pictures of the system to preserve evidence.
Base registers
Beginning of address space assigned to a process. Used to ensure a process does not make a request outside its assigned memory boundaries.
17. What is an important benefit to organizations that use virtual servers? (Choose all that apply.) A. VM escape capabilities B. Better control of data with cloud computing C. Reduction of costs associated with power and cooling D. Reduction of costs for physical security
C, D. Organizations often use virtualization to reduce costs associated with power and cooling and associated with physical security. Virtualization requires fewer physical servers to power, cool, and physically secure. Virtual machine (VM) escape is one of the biggest risks associated with virtual servers. Virtual servers can be used with cloud computing, but cloud computing reduces control of data.
The IDEA algorithm (used in PGP) is _______ bits long. A. 56 B. 158 C. 128 D. 168
C. 128
If you the text listed below at the beginning or end of an email message, what would it be anindication of? mQGiBDfJY1ERBADd1lBX8WlbSHj2uDt6YbMVl4Da3O1yG0exQnEwU3sKQARzspNB zB2BF+ngFiy1+RSfDjfbpwz6vLHo6zQZkT2vKOfDu1e4/LqiuOLpd/6rOrmH/Mvk A. A virus B. A worm C. A PGP Signed message D. A software error
C. A PGP Signed message
A systems ability to identify a particular individual, track their actions, and monitor their behavior is known as: A. Authorization B. Auditing C. Accountability D. Monitoring E. Logging
C. Accountability
Contracting with an insurance company to cover losses due to information security breaches is known as risk __________. A. Avoidance B. Reduction C. Assignment D. Acceptance
C. Assignment
Information security policies are a ___________________. A. Necessary evil B. Waste of time C. Business enabler D. Inconvenience for the end user E. All of the answers are correct
C. Business enabler
___________________ is ultimately responsible for security and privacy violations. A. Person committing the violation B. Security Officer C. CIO / CEO D. OS Software
C. CIO / CEO
A standardized list of the most common security weaknesses and exploits is the __________. A. SANS Top 10 B. CSI/FBI Computer Crime Study C. CVE - Common Vulnerabilities and Exposures D. CERT Top 10
C. CVE - Common Vulnerabilities and Exposures
A salami attack refers to what type of activity? A. Embedding or hiding data inside of a legitimate communication - a picture, etc. B. Hijacking a session and stealing passwords C. Committing computer crimes in such small doses that they almost go unnoticed D. Setting a program to attack a website at 11:59 am on New Year's Eve
C. Committing computer crimes in such small doses that they almost go unnoticed
According to the annual CSI/FBI Computer Crime report, which group commits the most computer crimes? A. Foreign governments B. Teenage Hackers C. Company Insiders D. Company Competitors E. All of these groups create equal numbers of computer crimes
C. Company Insiders
_____________ states that users should only be given enough access to accomplish their jobs. A. Separation of Duties B. Due Diligence C. Concept of Least Privilege D. All of the listed items are correct
C. Concept of Least Privilege
A ______________ is a means, method, or program to neutralize a threat or vulnerability. A. Risk Assessment B. Vulnerability Scan C. Countermeasure D. Firewall
C. Countermeasure
In the DoD accreditation process a __________ is the formal entity which ensures that information systems meet a certain criteria for secure operation. Once approved these machines are certified to operate with a set of listed safeguards. A. DISA - Defense Information Systems Agency B. ISC2 - International Information Systems Security Certification Consortium C. DAA - Designated Approving Authority D. ISACA - The Information Systems Audit and Control Association
C. DAA - Designated Approving Authority
Much like the layers of an onion, ______________ is a comprehensive set of security solutions layered to provide the best protection. A. Security policy B. Risk Assessment C. Defense in Depth D. Vulnerability Assessment E. Firewall Penetration Testing
C. Defense in Depth
When gathering digital evidence it is very important to do the following: (Choose all that apply) A. Shut down the compromised system to avoid further attacks B. Reboot the victim system offline C. Document the chain of evidence by taking good notes D. Perform a bit-level back up of the data before analysis
C. Document the chain of evidence by taking good notes D. Perform a bit-level back up of the data before analysis
The standard of __________ states that a certain level of integrity and information protection levels will be maintained. A. Due Diligence B. Due Process C. Due Care D. BSO 1799
C. Due Care
Passfilt.dll enforces which of the following? (Choose all that apply) A. 8 character minimum password length B. 90 day password change C. Each password must have a combination of upper case, lower case, numbers and special characters D. 6 character minimum password length
C. Each password must have a combination of upper case, lower case, numbers and special characters D. 6 character minimum password length
The most important component of antivirus software is the _______________? A. Desktop B. Definitions C. Engine D. Heuristics E. Console
C. Engine
IKE - Internet Key Exchange is often used in conjunction with what security standard? A. SSL B. OPSEC C. IPSEC D. Kerberos E. All of the above
C. IPSEC
_________ is the act of a user professing an identity to a system. A. Validation B. Authentication C. Identification D. Confirmation
C. Identification
Identifying specific attempts to penetrate systems is the function of the _______________. A. Firewall B. Router C. Intrusion Detection System D. Vulnerability Scanner E. CERT - Computer Emergency Response Team
C. Intrusion Detection System
The act of intercepting the first message in a public key exchange and substituting a bogus key for the original key is an example of which style of attack? A. Spoofing B. Hijacking C. Man In The Middle D. Social Engineering E. Distributed Denial of Service (DDoS)
C. Man In The Middle
If a sender is unable to deny having sent an electronic transmission, this concept is known as___________________ A. PKI B. Verification C. Non-Repudiation D. Irrevocable Trust E. Public Key
C. Non-Repudiation
What security control provides a method to insure that a transaction did or did not occur? A. Identification B. Accountability C. Nonrepudiation D. Verification E. Access control
C. Nonrepudiation
Smart cards are a secure alternative to which weak security mechanism? A. Biometrics B. Public Key Encryption C. Passwords D. Tokens
C. Passwords
A good password policy uses which of the following guidelines? (Choose all that apply) A. Passwords should contain some form of your name or userid B. Passwords should always use words that can be found in a dictionary C. Passwords should be audited on a regular basis D. Passwords should never be shared or written down
C. Passwords should be audited on a regular basis D. Passwords should never be shared or written down
What distinguishes a hacker / cracker from a phreak? A. Hackers and crackers specifically target telephone networks B. Phreaks specifically target data networks C. Phreaks specifically target telephone networks D. Phreaks cause harm, hackers and crackers do not
C. Phreaks specifically target telephone networks
PGP & PEM are programs that allow users to send encrypted messages to each other. What form of encryption do these programs use? A. DES B. 3DES C. RSA D. 3RSA E. Blowfish F. All of the above
C. RSA
Which three things must be considered for the design, planning, and implementation of access control mechanisms? (Choose three) A. Exposures B. Objectives C. Risks D. Vulnerabilities E. Threats
C. Risks D. Vulnerabilities E. Threats
Define the acronym RBAC A. Role Based Access Center B. Rule Based Access Center C. Role Based Access Control D. Rule Based Access Control
C. Role Based Access Control
Which one of these formulas is used in Quantitative risk analysis? A. SLO - Single Loss Occurrence B. ARE - Annual Rate of Exposure C. SLE - Single Loss Expectancy D. ALO - Annual Loss Occurrence
C. SLE - Single Loss Expectancy
Which of the following is NOT and encryption algorithm? A. DES B. 3DES C. SSL D. MD5 E. SHA-1
C. SSL
___________ programs decrease the number of security incidents, educate users about procedures, and can potentially reduce losses. A. New hire orientation B. HR Briefings C. Security Awareness D. Employee Termination
C. Security Awareness
Although it is considered a low tech attack ____________ is still a very effective way of gaining unauthorized access to network systems. A. Sniffing B. Eavesdropping C. Social Engineering D. Shoulder Surfing E. None of the items are correct
C. Social Engineering
The term "principle of least privilege" is best as: A. A separation of command, program and interface functions B. Active monitoring with network base intrusion detection systems and host based intrusion detection systems C. The process of granting each user the lowest clearance and access needed to accomplish their task D. Implementation of mandatory access control
C. The process of granting each user the lowest clearance and access needed to accomplish their task
How often should virus definition downloads and system virus scans be completed? A. Daily B. Monthly C. Weekly D. Yearly
C. Weekly
Digital Certificates use which protocol? A. X.400 B. X.500 C. X.509 D. X.511 E. X.525 F. None of the above
C. X.509
14. Your organization has contracted with a security organization to test your network's vulnerability. The security organization is not given access to any internal information from the company. What type of test will the organization perform? A. White box testing B. Gray box testing C. Black box testing D. Partial knowledge testing
C. A black box test (also called a zero knowledge test) is performed without any inside knowledge of the organization. A white box test (also called a full knowledge test) is performed with full access to internal documentation. A gray box test (also called a partial knowledge test) is performed with some internal knowledge.
4. Thousands of computers have been infected with malware and are periodically directed to send out spam to other computers. What does this describe? A. Zombies B. Spear phishing C. A botnet D. Phishing
C. A botnet is a group of computers that an attacker has taken over and now controls from a command and control center. The individual computers are referred to as zombies, but together they are a botnet. They may be directed to send out phishing or spear phishing e-mails, but that is the attack, not the network.
10. An application has received more input than it expected and the resulting error has exposed normally protected memory. What is the best explanation for what happened? A. Phishing attack B. Salami attack C. Buffer overflow D. Session hijacking
C. A buffer overflow occurs when an application receives more input than it expected and it is not able to handle the error gracefully. Attackers exploit buffer overflows to insert malware into systems. The best protection against a buffer overflow is to keep systems up to date. A phishing attack is sent through e-mail. A salami attack uses multiple small, usually unnoticeable actions, such as shaving a penny off a transaction. Session hijacking attempts to take over a session.
16. An organization decides to designate an alternative location to be used in case of an emergency. The organization doesn't need anything other than an open building with water and electricity. What type of site best meets this need? A. Hot B. Warm C. Cold D. Distant
C. A cold site is a building with water and electricity and nothing else (such as no computer equipment or data). A hot site includes everything and is ready to take over operations within a short time after an outage. A warm site is a compromise between the two. A distant site isn't a valid term for an alternative location.
10. Which one of the following is a valid step to perform during a business impact analysis? A. Identify alternative locations B. Create a plan to restore critical operations C. Identify resources needed by critical business functions D. Identify minimum outage times for key business services
C. A core goal of a BIA is to identify critical business functions and the resources needed by these critical business functions. Identifying alternative locations is part of a business continuity plan (BCP). A disaster recovery plan (DRP) is a plan to restore critical operations. A BIA does identify maximum acceptable outage times, but not minimum outage times.
12. Of the following choices, what is NOT provided with a digital signature used for e-mail? A. Authentication B. Integrity C. Confidentiality D. Nonrepudiation
C. A digital signature does not provide confidentiality because the digital signature does not encrypt the data. A digital signature does provide authentication, integrity, and nonrepudiation. It's possible to digitally sign an e-mail without encrypting it.
19. You need to ensure that a service continues to run even if a server fails. What should you implement? A. RAID-1 B. RAID-6 C. Failover cluster D. Warm site
C. A failover cluster includes two or more servers (called nodes), and if one server fails, the other server is able to handle the load for that server. RAID-1 and RAID-6 provide fault tolerance for disk drives. A warm site is a type of alternative site used to provide fault tolerance for an entire location.
18. An organization is updating its business continuity plan (BCP) and wants to implement an alternative location that is the easiest to relocate. What type of site best meets this need? A. Cold B. Hot C. Mobile D. Warm
C. A mobile site is the easiest to relocate. Hot, cold, and warm sites use a designated location that the organization either purchases or leases.
17. What can be used to examine the health of a client prior to allowing network access and restricting access of unhealthy clients to a quarantined network? A. RADIUS B. TACACS+ C. NAC D. SRTP
C. A network access control (NAC) system can check a system's health based on a predefined health policy and restrict the access of unhealthy clients to a quarantined network. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System+ (TACACS+) are used to provide authentication, authorization, and accounting (AAA) for remote access. Secure Real-time Transport Protocol (SRTP) provides confidentiality, authentication, and replay protection for Voice over IP (VoIP) transmissions.
Monitoring and Analysis: 1. You want to monitor the network for possible intrusions or attacks and report on any activity. What would you use? A. HIPS B. HIDS C. NIDS D. AV software
C. A network-based IDS (NIDS) monitors the network in real time and sends alerts to report suspicious activity. A host-based intrusion detection or prevention system (HIDS or HIPS) cannot monitor network activity. AV software detects malware, but not necessarily network attacks.
13. A user receives an e-mail indicating that the bank has detected suspicious activity on the user's bank account. The message indicates the user should log on immediately to prevent loss of funds. What is the best term to describe this attack? A. Sniffing B. Session hijacking C. Phishing D. Tailgating
C. A phishing attack sends an e-mail to multiple recipients impersonating an e-mail from a legitimate company, indicating a problem, urging the recipient to take action, and warning of dire consequences if the recipient doesn't respond. A sniffing attack uses a protocol analyzer such as Wireshark to capture and analyze traffic. Session hijacking attempts to take over sessions and doesn't use e-mail. Tailgating is the practice of one person following another into a secure area while only the first person provides credentials.
Risk, Recovery and Response: 1. Which of the following choices best represents the definition of risk? A. The likelihood that a threat source can cause a threat event resulting in a vulnerability B. The likelihood that a vulnerability can exploit a threat and cause a loss C. The likelihood that a threat will exploit a vulnerability and cause a loss D. The likelihood that an incident can cause a vulnerability resulting in a loss
C. A risk is the likelihood that a threat will exploit a vulnerability and cause a loss. Threats do not create vulnerabilities, and vulnerabilities do not exploit threats. Similarly, incidents do not cause vulnerabilities.
9. Of the following choices, what is an example of an auditable event logged in an operating system's security log? A. Access through a firewall B. Accessing a website through a proxy server C. Reading a file D. The date and time when a service starts
C. A security log records auditable events related to resources, such as when a user reads, modifies, or deletes a file. Firewall and proxy server logs are not operating system logs. A system log would record events such as when a service stops or starts, but not security events.
7. An organization has a security policy in place. What can personnel within the organization do to ensure it remains relevant? A. Perform audits B. Perform training C. Review it D. Test it
C. A security policy should be reviewed on a regular basis (such as once a year or after a security incident) to ensure that it is still relevant. Audits help to prove that the security policy is being used and enforced. Training ensures that people know the contents of the security policy. It's appropriate to test a BCP or a DRP, but not a security policy.
7. Which of the following is a symmetric 128-bit block cipher? A. Data Encryption Standard (DES) B. Triple Data Encryption Standard (3DES) C. Advanced Encryption Standard (AES) D. Blowfish
C. AES is a 128-bit block cipher. All of the other answers are 64-bit block ciphers.
4. An organization wants to ensure that users are aware of their responsibilities related to the use of IT systems. What should the organization create? A. A video monitoring system B. An audio monitoring system C. An acceptable use policy D. An account lockout policy
C. An acceptable use policy (also called an acceptable usage policy) lets users know what is acceptable use of computer equipment and networks. Monitoring systems ensure users follow policies, but they don't ensure users know the policy. Account lockout policies lock out users after too many failed password attempts.
Which of the following statements is true? A. An access control matrix is object based and a capability table is object based. B. An access control matrix is subject based and a capability table is object based. C. An access control matrix is object based and a capability table is subject based. D. An access control matrix is subject based and a capability table is subject based.
C. An access control matrix is object based and a capability table is subject based.
4. What type of control is an audit log? A. Technical B. Corrective C. Detective D. Preventive
C. An audit log is a detective control because it identifies events either as they are occurring or after they've occurred. Technical is a class of control. A corrective control takes action to reverse the effects or impact of an incident. A preventive control prevents the event from occurring.
7. What type of control is an audit trail? A. Preventive control B. Corrective control C. Detective control D. Physical access control
C. An audit trail is a technical detective control, because it uses technology and can detect incidents after they occur. A preventive control attempts to prevent incidents. A corrective control attempts to reverse the impact of an incident after it has occurred. A physical access control is an item that you can physically touch.
17. Who would measure the effectiveness of an organization's security controls? A. An administrator B. A manager C. An auditor D. A data owner
C. An auditor would measure the effectiveness of a security control. An internal auditor might have other roles, such as an administrator, a manager, or a data owner. However, when measuring the effectiveness of security controls, they are acting as an auditor.
10. What does antivirus software use to detect previously unknown viruses? A. Signatures B. Polymorphism C. Heuristics D. Armor
C. Antivirus software uses heuristics to detect previously unknown viruses. Signatures detect known viruses. Polymorphism and armor are techniques used by virus authors to prevent the detection of a virus.
10. Which of the following is an accurate statement related to asymmetric encryption? A. It is used to privately share a private key. B. It is used to privately share a public key. C. It is used to privately share a secret key. D. It is faster than symmetric encryption.
C. Asymmetric encryption is used to privately share a secret key (or session key). Asymmetric encryption uses a matched pair of keys known as a private key and a public key. The private key is never shared, and the public key is publicly shared in a certificate. Symmetric encryption is faster than asymmetric encryption.
Auditing: 1. Your organization uses strong authentication and authorization mechanisms and has robust logging capabilities. Combined, what do these three elements provide? A. Guaranteed security B. Prevention of unintended outages from unauthorized changes C. Accountability D. Configuration control
C. Authentication, authorization, and accounting (AAA) provide accountability, and logging provides the accounting element. Although AAA increases security, it does not guarantee security. Change management prevents unintended outages from unauthorized changes. Configuration control ensures systems are deployed with a secure baseline and maintain approved configuration settings for system stability.
12. Countries sometimes engage in espionage against other countries. What is this called? A. Cyberbullying B. Cyberstalking C. Cyberwarfare D. Cyberterrorism
C. Cyberwarfare is a politically motivated attack on entities in another country and is done for sabotage and/or espionage. Cyberbullying occurs when one person harasses, coerces, or intimidates another person using the Internet. Cyberstalking is more serious than cyberbullying and is a criminal act. Cyberterrorism is the use of the Internet to launch terrorist attacks.
4. What forensic evidence can be lost if a system is powered down before the evidence is collected? A. Data on the disk drive B. Data on a USB drive C. Data in memory D. Data in files
C. Data in memory (volatile RAM) is lost if a system is powered down. Power isn't required to retain data on disk drives or USB drives, so it is not lost when powered down. Data in files is retained on disk drives.
20. Of the following choices, what is a primary task to accomplish in the disposal phase of a system's life cycle? A. Migrate all data to other systems B. Delete all data C. Remove data remnants from systems before disposal D. Back up all data to tape
C. Data remnants should be removed before disposal to ensure that data does not fall into the wrong hands. Depending on the value of the data, it could be migrated, deleted, or backed up, but this does not remove the need to ensure that data does not remain on the system before disposing of it.
11. Of the following choices, what is NOT one of the methods or goals of hardening a server? A. Reducing the attack surface B. Keeping a system up to date C. Disabling firewalls D. Adding AV software
C. Disabling firewalls is not a method used to harden a server. However, administrators would enable firewalls to harden a server. All of the other answers are valid methods or goals of hardening a server. Administrators reduce the attack surface by disabling or removing unneeded services and protocols.
11. Which of these ports does DNS use? A. TCP 23 B. TCP 25 C. UDP 53 D. UDP 69
C. Domain Name System (DNS) uses UDP port 53 when clients query the DNS server and TCP port 53 when DNS servers transfer data between each other. Telnet uses TCP port 23. Simple Mail Transfer Protocol (SMTP) uses TCP port 25. Trivial FTP (TFTP) uses UDP port 69.
14. Which of the following would most likely be used to encrypt data in an e-mail message before it is sent? A. The public key of the sender B. The private key of the sender C. The public key of the recipient D. The private key of the recipient
C. E-mail is encrypted using the recipient's public key. The recipient's public key actually encrypts a symmetric key and uses the symmetric key to encrypt the e-mail. The recipient uses the recipient's private key to decrypt the symmetric key and then decrypts the message with the symmetric key. The sender's keys are not used to encrypt or decrypt e-mail.
4. An organization wants to restrict risks associated with proprietary data transmitted over the network. What can it do in its data management policy to achieve this objective? A. Restrict how long data is retained B. Specify how data is deleted from storage media C. Require the encryption of data in motion D. Require the encryption of data at rest
C. Encrypting data in motion can protect it against loss of confidentiality when it is transmitted over a network. Retention policies restrict how long data is retained, but do not affect data in motion. Destruction policies dictate how to delete data or destroy media, but aren't related to data in motion. Encrypting data at rest doesn't ensure that it is encrypted when it is transmitted. Some data-at-rest encryption methods will decrypt the data before transmitting it over a network.
Cryptography: 1. What basic security function does asymmetric encryption provide? A. Integrity B. Authentication C. Confidentiality D. Availability
C. Encryption (any type of encryption, including both asymmetric and symmetric encryption) provides confidentiality for data. Hashing methods provide integrity. Authentication proves the identity of a user or system. Availability ensures that systems and data are available when needed.
16. Of the following choices, which one is NOT a valid method to reduce malware infections? A. Don't open attachments from unsolicited e-mails. B. Don't click links in unsolicited e-mails. C. Don't send encrypted personal information via e-mail. D. Don't follow shortened links from unknown sources.
C. If you need to send personal information via e-mail, the best choice is to send it in an encrypted format. All of the other choices are valid methods to reduce malware infections.
12. Of the following choices, which one is NOT a recommended strategy for audit logs? A. Review the logs regularly B. Archive logs for later review C. Periodically overwrite logs D. Store logs on remote servers
C. If you periodically overwrite logs, it is no longer possible to review the logs. However, all of the other choices (review the logs, archive the logs, and store logs on remote servers) are recommended strategies to retain the integrity of audit logs.
14. A company authorizes users to transport data from work to home using USB drives. What's the best method of protecting systems from malware without affecting the user? A. Install AV software on the network firewall B. Install AV software on the e-mail server C. Install AV software on each user's work computer D. Prevent users from using USB drives
C. Installing AV software on each user's work computer provides the best protection against a user inadvertently transporting malware from home to work. Installing software on the network firewall and on an e-mail server is a good practice, but it won't help if the virus is transported via a USB drive. Preventing the users from using USB drives will affect the users.
An organization has been using an iris scanner for authentication but has noticed a significant number of errors. Assuming the iris scanner is a high-quality scanner, which of the following could affect its accuracy? A. False Acceptance Rate (FAR) B. False Rejection Rate (FRR) C. Sunlight shining into the scanner D. Faulty laser beam
C. Lighting affects the accuracy of an iris scanner, so sunlight shining into the scanner's aperture will affect the accuracy.
14. Of the following choices, what indicates the primary improvement that MS-CHAPv2 included over previous protocols? A. Support for biometrics B. Use of certificates C. Mutual authentication D. Use of a nonce
C. MS-CHAPv2 uses mutual authentication, where the client authenticates to the server and the server authenticates to the client. MS-CHAPv2 does not directly support biometrics. MS-CHAPv2 can be used with the Extensible Authentication Protocol (EAP) to support certificates, but it cannot do so on its own. CHAP uses a nonce (a number used once), so this isn't an improvement.
16. Which of the following helps ensure that mobile devices have all relevant patches? A. BYOD B. COPE C. MDM D. USB
C. Mobile device management (MDM) solutions help ensure that mobile devices (such as smartphones and tablets) have all relevant patches. Bring your own device (BYOD) refers to employees bringing their own devices to work and connecting them to an organization's network. Corporate-owned, personally enabled (COPE) devices refer to mobile devices that an organization purchases and issues to employees. Universal Serial Bus (USB) cannot apply patches to mobile devices.
17. Which of the following EAL levels indicates a system was methodically designed, tested, and reviewed, and is the level of assurance assigned to many commercial operating systems? A. EAL0 B. EAL1 C. EAL4 D. EAL7
C. Most commercial operating systems achieve Evaluation Assurance Level 4 (EAL4) when evaluated by the Common Criteria (CC). EAL4 indicates the operating system has been methodically designed, tested, and reviewed. EAL0 is not a valid level of CC. EAL1, the lowest level of assurance, indicates the system has been functionally tested. EAL7 is the highest level of assurance and indicates the system has a formally verified design and has been tested, but EAL7 ratings are not as common as EAL4, especially for operating systems.
20. When should a penetration test stop? A. After discovering the vulnerabilities B. After discovering the threats C. Before causing any damage D. Before discovering the exploits
C. Most penetration steps stop before executing an exploit that can cause damage. Penetration steps include the basic vulnerability assessment components of identifying vulnerabilities, threats, and exploits, and then follow these steps with an attempt to exploit a discovered vulnerability.
3. Which of the following best describes the purpose of a security policy? A. Ensures personnel understand their responsibilities B. Ensures personnel use strong authentication C. Informs personnel of management priorities related to security D. Provides guidance on management controls
C. Of the choices, the best description is that the security policy informs personnel of management priorities related to security. The other answers provide some specific goals of a security policy but do not address the overall purpose. An acceptable use policy helps ensure personnel understand their responsibilities. Technical controls ensure personnel use strong authentication, but a security policy covers more than just technical controls. Similarly, a security policy provides guidance on more than just management controls.
Legal Issues: 1. Which of the following best describes a primary goal of incident handling? A. Collecting evidence B. Documenting evidence C. Containing any potential damage D. Improving security controls
C. Primary goals of incident handling include containing any potential damage and repairing the damage that has occurred. While incident handling often includes evidence collection and using chain-of-custody forms to document collected evidence, these are not primary goals. The feedback loop (or lessons learned) process often improves security controls, but this is not a primary goal.
6. An attacker is using Wireshark to capture and analyze TCP sessions. What is the best term that identifies this action? A. Dumpster diving B. Shoulder surfing C. Sniffing D. Vishing
C. Sniffing is the practice of capturing and analyzing packets with a sniffer (a protocol analyzer). Dumpster diving refers to going through the trash looking for information. Shoulder surfing is the practice of looking over someone's shoulder to gain information, such as the password that a user enters to log on. Vishing is a form of phishing using telephones or VoIP.
7. Which of the following protocols is connection oriented? A. IP B. RIP C. TCP D. UDP
C. TCP is connection oriented. IP uses TCP to provide a connection-oriented session but is not connection oriented itself. RIP is a routing protocol and is not connection oriented. UDP is connectionless. Instead of establishing a session, it makes a best effort to deliver data.
20. Which of the following is the recommended security mechanism to use with wireless networks? A. 802.11a B. 802.11g C. 802.11i D. 802.11n
C. The 802.11i standard documents Wi-Fi Protected Access 2 (WPA2), the recommended security mechanism for wireless networks. It uses AES-based CCMP for very strong security. The other standards focus on the base frequency and speed of wireless networks, not security.
What is the primary goal of the Bell-LaPadula model? A. Enforce separation of duties B. Enforce two-factor authentication C. Enforce confidentiality D. Enforce integrity
C. The Bell-LaPadula model has a primary goal of ensuring confidentiality.
20. What law requires organizations to post a privacy policy on their website? A. SOX B. PHI C. OPPA D. COPPA
C. The California Online Privacy Protection Act of 2003 (OPPA) requires operators of commercial websites to post a privacy policy on the website and comply with it if the website collects personally identifiable information (PII). Sarbanes-Oxley (SOX) Act is a U.S. law that requires executives of publicly held companies to validate the integrity of their financial data. HIPAA is a law focused on the protection of protected health information (PHI) and requires organizations to post a privacy policy. However, PHI is not a law. The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law that applies to the collection of information on children under the age of 13.
18. Which of the following is an international standard that provides a framework to evaluate the security of IT systems? A. ITSEC B. TCSEC C. Common Criteria D. Orange book
C. The Common Criteria provides a framework for evaluating the security of IT systems, and several countries (including the United States, Canada, United Kingdom, and France) have adopted it. The Information Technology Security Evaluation Criteria (ITSEC) is a standard used in Europe, but it has been largely replaced by the Common Criteria. The Trusted Computer System Evaluation Criteria (TCSEC or orange book) was used by the U.S. government, but it has been superseded by the Common Criteria.
3. Which layer of the OSI Model handles physical addressing? A. Physical layer B. Network layer C. Data Link layer D. Transport layer
C. The Data Link layer uses physical addresses, also called hardware addresses and media access control (MAC) addresses. The Physical layer packages data as bits and doesn,t use addresses. The Network layer uses IP addresses (also called logical addresses). The Transport layer doesn,t use addresses but uses ports to identify traffic.
4. Which layer of the OSI Model packages data as a packet? A. Physical layer B. Data Link layer C. Network layer D. Transport layer
C. The Network layer packages data as a packet. The Physical layer packages data as bits. The Data Link layer packages data as a frame. The Transport layer packages data as a segment.
8. Which layer of the TCP/IP Model corresponds to the OSI Network layer? A. Host layer B. Application layer C. Internet layer D. Link layer
C. The TCP/IP Internet layer corresponds to the OSI Network layer. The TCP/ IP Host (or Host-to-Host) layer corresponds to the OSI Transport layer. The TCP/IP Application layer corresponds to the Application, Presentation, and Session OSI layers. The TCP/IP Link layer (also called the Network Interface or Network Access layer) corresponds to the OSI Data Link and Physical layers.
16. What is the last step in a vulnerability assessment? A. Discovery B. Analysis C. Remediation D. Document vulnerabilities
C. The last step in a vulnerability assessment is remediation of vulnerabilities using controls approved by management. Discovery, analysis, and documentation all occur after gaining approval from management, but before remediation.
ACCESS CONTROLS: A user professes an identity by entering a user logon name and then enters a password. What is the purpose of the logon name? A. Authentication B. Accountability C. Identification D. Accounting
C. The logon name provides identification of the user. When combined with the username, the password provides authentication.
16. A user connected to a free wireless network at a coffee shop to access Facebook. Later, someone else started making posts on the user's page. What is the most likely cause of this? A. Zero day exploit B. WPS cracking C. Evil twin D. WPA cracking
C. The most likely cause is an evil twin. An attacker likely created a free wireless hotspot in the coffee shop (perhaps on the attacker's laptop). When the user connected to it, the attacker captured the user's data, including logon credentials. This is a known attack, and whereas a zero day exploit is not widely known. Wi-Fi Protected Setup (WPS) cracking discovers the PIN of an access point and uses it to discover the access point's password. Wi-Fi Protected Access (WPA) cracking discovers the password on the access point by intercepting the four-way handshake and performing an offline brute-force attack.
18. A website sent a user a certificate to initiate a secure web session over the Internet. What information would NOT be in the certificate? A. Name of the website B. Name of the issuing CA C. Private key D. Expiration date
C. The private key is not included in the certificate but instead is kept private on the server. The public key is included in the certificate along with the name of the website, the name of the CA that issued the certificate, the expiration date of the certificate, and more.
What form(s) of authentication are individuals using when they authenticate with a hardware token and a password? A. Something they have only B. Something they know only C. Something they have and something they know D. Something they have and something they are
C. The two factors of authentication are something they have (the hardware token) and something they know (the password). The third factor of authentication is something you are (using biometrics), but neither a hardware token nor a PIN uses biometrics.
10. Of the following choices, what is NOT used for VPNs? A. L2TP B. PPTP C. SSLTP D. TLS
C. There is no such thing as SSLTP in the context of virtual private networks (VPNs). The other choices (L2TP, PPTP, and TLS) are used for VPNs.
18. What are the principles of notice, choice, access, and enforcement most closely related to? A. Privacy policies B. Incident response C. Safe Harbor D. Protection of children's privacy
C. These are four of the seven principles in the Safe Harbor program. This program helps organizations protect data transferred to and from the European Union (EU). The California Online Privacy Protection Act of 2003 (OPPA) mandates the use of privacy policies for websites viewable in California, but it doesn't mention these principles. These principles are not related to incident response. The Children's Online Privacy Protection Act (COPPA) focuses on the protection of children's privacy, but it doesn't mention these principles.
15. A business in Florida gathers customers' names and ZIP codes and uses them to identify the customers' addresses. What is occurring? A. Violation of an EU directive B. Data breach C. Data inference D. Violation of COPPA
C. This is an example of data inference, because the company is collecting small pieces of information to get other information that isn't provided directly. Since it's occurring in Florida, it isn't in violation of a European Union (EU) directive. A data breach occurs when unauthorized individuals access stored data, but there's no indication of unauthorized access in this scenario. The Children's Online Privacy Protection Act (COPPA) protects the privacy of children under 13.
19. Your organization mandates security training for users within its security policy to educate users about malware and methods to prevent malware infections. What is the best description of this effort? A. A detective control B. A corrective control C. A preventive control D. A technical control
C. Training is a preventive control because it attempts to prevent incidents from occurring. Detective controls attempt to detect incidents, and corrective controls attempt to reverse the effects of an incident. Technical controls use technology to implement the control, but training doesn't require technology.
19. Which of the following is an example of SaaS? A. Access to an operating system over the Internet B. Access to a server over the Internet C. Web-based e-mail D. VM escape
C. Web-based e-mail is an example of Software-as-a-Service (SaaS). SaaS, also known as on-demand software, provides users with access to software or applications over the Internet. Platform-as-a-Service (PaaS) is a cloud computing service where users have access to a platform with an operating system. Infrastructure-as-a-Service (IaaS) provides users with access to hardware such as servers or network devices. VM escape is an attack on virtual systems.
3. What type of malware can spread without any user intervention? A. Virus B. Trojan horse C. Worm D. Spyware
C. Worms spread through a network without any user intervention. Viruses, Trojan horses, and spyware all require some level of interaction.
8. How can you provide defense diversity with a DMZ? A. Use a single firewall. B. Use two firewalls from the same vendor. C. Use two firewalls from different vendors. D. Ensure that only trusted partners are allowed access.
C. You can provide defense diversity with a DMZ by using two firewalls from different vendors. If a vulnerability appears in one, it's unlikely that a vulnerability will exist in the second firewall at the same time (unless the second is from the same vendor). A single firewall doesn't provide any diversity. An extranet (not a DMZ) would allow access only to trusted partners.
14. Of the following choices, what is an important first step in a risk management plan? A. Implementing controls B. Identifying vulnerabilities C. Identifying assets D. Identifying threats
C. You must identify assets first. You can then identify threats against these assets and vulnerabilities in these assets. You can't recommend or implement controls until you know what you want to control.
Assurance evaluation criteria
Check-list and process of examining the security-relevant parts of a system (TCB, reference monitor, security kernel) and assigning the system an assurance rating.
Software-as-a-Service (SaaS)
Cloud computing vendors provide software that is specific to their customers' requirements
Trapdoor
Code embedded in an application used to provide access to the application, the application's code, or its data via a covert method. It is also called a backdoor.
mobile code
Code that can be transferred between systems without the user taking explicit action to install it. It can include script code such as JavaScript, compiled code such as Java applets or ActiveX controls, documents with embedded macros, or malware that executes from a USB flash drive when the user inserts the drive into a system.
Attack surface
Components available to be used by an attacker against the product itself.
Provisioning
Configuration and allocation of resources to meet the capacity availability, performance, and security requirements.
Security Kernel
Consists of several components including software, firmware, and hardware. They represent represents all the security functionality of the operating system.
Analog signals
Continuously varying electromagnetic wave that represents and transmits data.
Directive Control
Controls dictated by organizational and legal authorities.
Preventive Control
Controls that block unwanted actions.
Deterrent Control
Controls that prescribe some sort of punishment, randing from embarrassment to job termination or jail time for noncompliance. Their intent is to dissuade people from performing unwanted acts.
Backups
Copies of data stored in case the original is stolen or becomes corrupt
Centralized Authentication
Credentials for the users are stored on a central server. Any user is able to log on to the network once and then access any computer in the network (as long as the user has permissions). For example, if a computer is part of a Microsoft domain, the central server will be a domain controller and hold accounts for all users in the domain.
Analytic attack
Cryptanalysis attack that exploits vulnerabilities within the algorithm structure.
Algebraic attack
Cryptanalysis attack that exploits vulnerabilities within the intrinsic algebraic structure of mathematical functions.
When packets are captured and converted to hexadecimal, _______ represents the ICMP protocol in the IP header. A. 17 B. 25 C. 16 D. 01 E. 06 F. All of the above
D. 01
As telnet is widely know to be insecure, one time passwords (OPIE) offer a great alternative. After a user logs on remotely, OPIE will issue a challenge. What two elements will thi challenge contain?(Choose two) A. CHAP B. A hashed value C. A random value D. A seed number E. A sequence number
D. A seed number E. A sequence number
The ability to identify and audit a user and his / her actions is known as ____________. A. Journaling B. Auditing C. Accessibility D. Accountability E. Forensics
D. Accountability
What is a big difference between Java Applets and Active X controls? A. Active X controls can run on any platform B. Java Applets only run in Windows C. Java Applets have access to the full Windows OS D. Active X controls have access to the full Windows OS
D. Active X controls have access to the full Windows OS
What type of software can be used to prevent, detect (and possibly correct) malicious activities on a system? A. Personal Firewall B. IDS - host based C. Antivirus D. All methods listed
D. All methods listed
The NT Event Viewer holds which of the following types of logs? A. System B. Application C. Security D. All three of the types listed
D. All three of the types listed
__________ is the most famous Unix password cracking tool. A. SNIFF B. ROOT C. NMAP D. CRACK E. JOLT
D. CRACK
Which major vendor adopted TACACS into its product line as a form of AAA architecture? A. Microsoft B. Dell C. Sun D. Cisco E. All of the above
D. Cisco
Inference attacks involve ___________________________. A. Gathering pieces of secret information to predict or guess an outcome B. Deciphering encrypted communications C. Spoofing a connection to intercept plain text transmissions D. Collecting unclassified pieces of information to predict or guess an outcome
D. Collecting unclassified pieces of information to predict or guess an outcome
An intrusion detection system is an example of what type of countermeasure? A. Preventative B. Corrective C. Subjective D. Detective E. Postulative
D. Detective
There are 6 types of security control practices. ___________ controls are management policies, procedures, and guidelines that usually effect the entire system. These types of controls deal with system auditing and usability. A. Preventive B. Detective C. Corrective D. Directive E. Recovery F. Combination
D. Directive
Trin00 is an example of what type of attack? A. Man in the Middle B. Spamming C. Spoofing D. Distributed Denial of Service E. Brute Force
D. Distributed Denial of Service
RSA has all of the following characteristics except? A. Can produce a digital signature B. Relies on large prime number factoring C. Uses third party key distribution centers D. Is based on a symmetric algorithm
D. Is based on a symmetric algorithm
HTTP, FTP, SMTP reside at which layer of the OSI model? A. Layer 1 - Physical B. Layer 3 - Network C. Layer 4 - Transport D. Layer 7 - Application E. Layer 2 - Data Link
D. Layer 7 - Application
Layer 4 in the DoD model overlaps with which layer(s) of the OSI model? A. Layer 7 - Application Layer B. Layers 2, 3, & 4 - Data Link, Network, and Transport Layers C. Layer 3 - Network Layer D. Layers 5, 6, & 7 - Session, Presentation, and Application Layers
D. Layers 5, 6, & 7 - Session, Presentation, and Application Layers
Insiders have a clear advantage in committing computer crime. Which two of the following do they possess? (Choose two) A. Advantage B. Motive C. Outside connections D. Means E. Opportunity F. Tools
D. Means E. Opportunity
____________ is a file system that was poorly designed and has numerous security flaws. A. NTS B. RPC C. TCP D. NFS E. None of the above
D. NFS
What reference model describes computer communication services and protocols in a layered approach? A. IETF - Internet Engineering Task Force B. ISO - International Standards Organization C. IANA - Internet Assigned Numbers Authority D. OSI - Open System Interconnection
D. OSI - Open System Interconnection
The most secure method for storing backup tapes is? A. In a locked desk drawer B. In the same building, but on a different floor C. In a cool dry climate D. Off site in a climate controlled area E. In a fire proof safe inside the data center (for faster retrieval) F. None of the above
D. Off site in a climate controlled area
This free (for personal use) program is used to encrypt and decrypt emails. A. SHA-1 B. MD5 C. DES D. PGP E. 3DES F. None of the above
D. PGP
Which of the following is not an element of a business continuity plan? A. Public Relations B. Costs C. Facilities D. Prosecution E. Human Resources
D. Prosecution
What term describes the amount of risk that remains after the countermeasures have been deployed and the vulnerabilities classified? A. Terminal risk B. Infinite risk C. Imminent risk D. Residual risk
D. Residual risk
In order to use L0pht, the ___________ must be exported from Windows NT. A. SAMBA B. LDAP C. Kernel D. SAM E. PD
D. SAM
_________ is a protocol developed by Visa and MasterCard to protect electronic transactions. A. SSL B. SHA-1 C. HMAC D. SET E. ETP
D. SET
_________ is a form of Denial of Service attack which interrupts the TCP three way handshake and leaves half open connections. A. DNS Recursion B. NMAP C. Land Attack D. SYN Flooding E. Port Scanning
D. SYN Flooding
DES, 3DES, Blowfish, and AES are all examples of what type of cryptography? A. Public Key B. Message Digest C. Hash Algorithm D. Secret Key
D. Secret Key
Which of the following is considered the MOST secure? A. Confidential B. Public C. Private D. Sensitive
D. Sensitive
SATAN stands for _______________________________________________ A. System Administrator Tool for Analyzing Networks B. Storage Administration Tool for Analyzing Networks C. Simple Administration Tool for Analyzing Networks D. System Administrator Tool for Analyzing Networks E. SANS Administrator Tool for Analyzing Networks
D. System Administrator Tool for Analyzing Networks
A. System will crash B. System will continue operations as normal C. No such registry key exists D. System will perform a shutdown if maximum log size is reached E. System will overwrite logs
D. System will perform a shutdown if maximum log size is reached
Of the protocols list, which one is connection oriented? A. IP B. UDP C. DNS D. TCP E. All protocols listed are connection oriente
D. TCP
The CERT (Computer Emergency Response Team) was created in response to what famous security problem? A. The ILoveYou virus B. CodeRed C. Kevin Mitnik D. The Morris worm E. SATAN
D. The Morris worm
What is the minimum recommended length of a security policy? A. 200 pages B. 5 pages C. 1 page D. There is no minimum length - the policy length should support the business needs
D. There is no minimum length - the policy length should support the business needs
Multi-partite viruses perform which functions? A. Infect multiple partitions B. Infect multiple boot sectors C. Infect numerous workstations D. Combine both boot and file virus behavior
D. Combine both boot and file virus behavior
16. Within the U.S. government, who can formally approve a system for operation at a specific level of risk? A. Certification authority B. NIST C. Senator D. Designated Approving Authority (DAA)
D. A DAA provides official accreditation by approving a system for operation at a specific level of risk. The certification authority does not approve a system, but instead evaluates, describes, and tests a system. The National Institute of Standards and Technology (NIST) provides recommendations of standard best practices, but it does not certify or accredit systems. Senators do not certify or accredit systems.
2. What is the difference between a DoS attack and a DDoS attack? A. There is no real difference. B. A DoS attack uses technical methods, but a DDoS attack uses nontechnical methods. C. A DDoS attack is an attack from a single system, but a DoS attack is an attack from multiple systems. D. A DoS attack is an attack from a single system, but a DDoS attack is an attack from multiple
D. A DoS attack is an attack from a single system, and a DDoS attack is an attack from multiple systems. Both typically use technical methods.
12. What port does a TLS VPN typically use? A. 80 B. 88 C. 143 D. 443
D. A Transport Layer Security (TLS) virtual private network (VPN) typically uses TCP port 443, the same port as HyperText Transfer Protocol Secure (HTTPS). HyperText Transfer Protocol (HTTP) uses TCP port 80. Kerberos uses TCP port 88. Internet Message Access Protocol version 4 (IMAP4) uses port 143.
4. A software application appears to have a useful purpose, but it includes malicious code. What does this describe? A. A virus B. A backdoor C. A worm D. A Trojan horse
D. A Trojan horse appears to be something useful to the user but includes malicious code or malware. While Trojans often include viruses and backdoors, not all viruses and backdoors come from Trojans. Worms travel over the network and are not embedded in software applications.
An organization uses a biometric system with a one-to-many search method. What does this system provide for the organization? A. Authentication B. Accountability C. Authorization D. Identification
D. A biometric system used for identification uses a one-to-many search method. Biometric systems used for authentication use a one-to-one search method. Once a system identifies and authenticates a user, biometric systems are not used for accountability or authorization.
6. Which of the following is a benefit of a chain-of-custody form? A. It helps ensure that evidence is protected. B. It helps ensure that evidence is controlled. C. It helps ensure that evidence is not modified. D. It helps ensure that evidence is admissible in court.
D. A chain-of-custody form provides proof that evidence has been protected and helps ensure that the evidence is admissible in court. Note that it only documents how the evidence has been protected and controlled, but it doesn't actually protect or control the evidence. It also doesn't ensure that the evidence is not modified.
2. An accounting system ignores logon failures until an account has three logon failures within a 30-minute period. It then generates an alert. What is the accounting system using? A. Account lockout B. Password policy C. Snipping level D. Clipping level
D. A clipping level uses a predetermined level as a threshold. A classic example is three or five logon failures in a short period, such as within 30 minutes. Although many operating systems use account lockout policies to actually lock the account after a predetermined level, the question doesn't ask what happens to the account, but instead asks what the accounting system is using to ignore the first two logon failures and only generate the alert after three logon failures. A password policy ensures that users have strong passwords and change them regularly. Snipping level isn't a valid term associated with accounting systems.
Controls and Countermeasures: 1. Which of the following provides the best definition of a control? A. The means, methods, actions, techniques, processes, procedures, or devices used to prevent attackers from launching attacks on systems B. A detective method that identifies threats C. A corrective method that reverses the impact of an incident D. The means, methods, actions, techniques, processes, procedures, or devices used to reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability
D. A control provides the means, methods, actions, techniques, processes, procedures, or devices that reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. You can't actually prevent attackers from launching an attack, but you can reduce their possibilities of success by either reducing vulnerabilities or reducing the impact of the threat. Controls can be preventive, detective, and/or corrective, but it isn't accurate to limit a control to only one of these types.
19. Where is a DMZ located? A. Behind the intranet firewall B. In front of the first intranet-facing firewall C. In front of the first Internet-facing firewall D. Behind the first Internet-facing firewall
D. A demilitarized zone (DMZ), or perimeter network, is located behind the first Internet-facing firewall. It is not on the private network (behind the intranet firewall) or directly on the Internet (in front of the intranet or Internet-facing firewall).
Users are required to enter a different password each time they log on. What type of password is this? A. Static password B. Cognitive password C. Passphrase D. Dynamic password
D. A dynamic password is a one-time password that changes for each session.
18. A vulnerability assessment reports that a patch is not installed on a system, but you've verified that the patch is installed. What is this called? A. Anomaly-based vulnerability B. Signature-based vulnerability C. False negative D. False positive
D. A false positive occurs when a vulnerability assessment tool indicates that a vulnerability exists when it actually does not exist. A false negative occurs when a vulnerability assessment tool indicates that a vulnerability doesn't exist when it actually does exist. Anomaly-based and signature-based vulnerabilities are detection methods of IDSs and are not associated with vulnerability assessment tools.
20. You don't have enough maintenance time during the week to perform full backups, so you decide to implement a backup strategy that takes less time to do backups during the week. Of the following choices, what strategy will minimize the amount of time needed to restore a backup after a failure? A. Full B. Incremental C. Full / incremental D. Full / differential
D. A full/differential backup strategy takes the least amount of time to restore because it will require only two backups to restore: the full backup and the last differential backup. The scenario says that there isn't enough time to do a full backup during the week, and you can't do an incremental backup by itself. A full & incremental would require you to restore the full backup and each of the incremental backups since the last full backup, which usually requires restoring more than just two backups.
9. It's common to enable or install a firewall on a server to protect the server. What type of firewall is this? A. Network-based B. Hardware-based C. Packet-filtering D. Host-based
D. A host-based firewall is installed or enabled on individual hosts, such as desktop computers or servers, and provides protection for the host. Network- based firewalls protect the network rather than individual systems. Packet filtering identifies the method used by the firewall, and both network-based and host- based firewalls can filter packets.
17. An organization decides to designate an alternative location for operations during a disaster. The site must be up and operational within minutes of an outage at the primary location. What type of site best meets this need? A. Mobile B. Cold C. Warm D. Hot
D. A hot site includes everything and is ready to take over operations within minutes after an outage. A mirrored site (not available as an answer) is a type of hot site that can take over operations almost immediately. A mobile site will take much longer to relocate and set up. A cold site is a building with water and electricity, and it would take much longer to become operational. A warm site is a compromise between a hot site and a cold site and takes longer to become operational than a hot site.
Of the following choices, what most accurately identifies the major drawback of SSO systems? A. It allows users to access multiple systems after logging on once. B. It increases the difficulty for users to log on. C. It increases the administrative workload. D. It risks maximum unauthorized access with compromised accounts.
D. A major concern with SSO systems is that if any single account is compromised, it maximizes the potential unauthorized access.
13. What is the purpose of mandatory vacations in relation to security? A. To ensure that employees do not burn out B. To ensure that employees take time to relax C. To reduce the payroll of an organization D. To reduce the chance of fraud
D. A mandatory vacation policy can reduce the chance of fraud by requiring other employees to take over the tasks and responsibilities of a vacationing employee. While vacations are good to help employees relax and reduce the chance of burnout, these matters aren't as relevant to security issues as reducing the chance of fraud. While some companies do implement mandatory vacations to reduce payroll expenses during periods of low activity, this is not a security policy.
19. A user attempted to access http:/mcgraw-hill.com/ but was redirected to a website that advertised pharmaceutical drugs for sale. What does this describe? A. Phishing B. Impersonation C. Whaling D. Pharming
D. A pharming attack is one where the user is redirected to another website by manipulating one of the name resolution methods. Phishing involves sending an e-mail to many users and encouraging them to respond with personal information or by clicking a link. Impersonation, also known as masquerading or spoofing, is a social engineering tactic where the social engineer impersonates someone. Whaling is phishing attack that targets executives such as CEOs
3. Which of the following identifies a primary responsibility of a first responder after a computer security incident? A. Capturing images of disks B. Capturing data in RAM C. Interviewing witnesses D. Preserving the scene
D. A primary responsibility of first responders is the preservation of the scene. Forensics experts acquire and analyze the evidence, which includes capturing images of disks and data in RAM. Investigators interview witnesses.
8. What type of malware takes control of the operating system at the kernel level? A. Trojan horse B. Worm C. Keylogger D. Rootkit
D. A rootkit is a set of programs that runs on a system, largely undetected, because it runs at the kernel level or root level of the operating system. A Trojan horse is malware that looks like one thing but is something else. A worm is a type of malware that spreads through a network without any user intervention. A keylogger captures keystrokes from users.
5. Which of the following keys is changed the most often? A. Public key B. Private key C. Symmetric key D. Session key
D. A session key is only used for a session (such as a web browsing session) and is changed more often than the other keys. Public and private keys typically last for a year or longer. Symmetric encryption uses a symmetric key (also called a secret key), which can stay the same for a specific piece of data as long as the data remains encrypted.
11. What type of attack can access data in a database used by a website? A. Cross-site scripting B. Cross-site request forgery C. Rootkit D. SQL injection
D. A successful SQL injection attack can access data in a database. Cross-site scripting injects HTML or JavaScript into a web page and runs the code on a user's system. A cross-site request forgery attack performs actions on behalf of a user without the user's knowledge. A rootkit is malware that takes over a user's system.
17. How does a vulnerability scanner fingerprint a system? A. With a biometric scanner B. Using an ICMP sweep C. By identifying its IP address D. By analyzing packets
D. A vulnerability scanner fingerprints a system by analyzing packets sent out by the system. In this context, fingerprinting is a metaphor and it doesn't use a biometric scanner. An Internet Control Message Protocol (ICMP) sweep identifies IP addresses on a network, but the IP addresses do not fingerprint a system.
7. Which of the following choices provides the best protection against potentially malicious FTP commands? A. Defense diversity B. Packet-filtering firewall C. Stateful inspection firewall D. Application firewall
D. An application firewall (also called an application proxy or an application gateway firewall) can inspect commands used by individual protocols such as File Transfer Protocol (FTP) and block potentially malicious commands. Defense diversity refers to using firewalls from two different vendors in a demilitarized zone (DMZ). A packet-filtering firewall can only inspect individual packets for IP addresses, ports, and protocol IDs. A stateful inspection firewall can track the activity within TCP and UDP sessions, but can't interpret commands.
6. What do you call a group of one or more logs used to re-create events leading up to and occurring during an incident? A. A configuration control program B. A change management program C. A security audit D. An audit trail
D. An audit trail is one or more logs that can re-create events leading up to and occurring during an incident. Configuration control helps ensure that systems are configured in a secure manner. A change management program allows stakeholders to request changes and helps reduce unintended outages from unauthorized changes. A security audit examines an organization's policies and procedures to determine whether the organization follows these policies and procedures.
5. Sally notices that Homer appears to be stealing from the company. What should Sally do? A. Confront Homer B. Ignore the activity because it doesn't concern her C. Call the police D. Report the activity to a manager
D. An employee's loyalty should be to the organization, so Sally should report this activity to a manager or supervisor. An organization's ethics policy often includes procedures for reporting these types of incidents. Confronting Homer may not solve the problem but instead may result in Homer causing problems for Sally, especially if Homer is stealing from the company. Because continued employment is based on the success of an organization, losses are the concern of every employee. The organization should make the decision of whether or not to call the police.
15. What is an important first step in a vulnerability assessment? A. Document vulnerabilities B. Fingerprinting C. Reconnaissance D. Gaining approval
D. An important first step in a vulnerability assessment is gaining written approval from management. Discovery includes a reconnaissance scan and fingerprinting techniques, but should not be done without approval. Documenting the vulnerabilities comes after discovery and analysis.
4. Of the following choices, what best describes an IPS? A. An active antivirus program that can detect malware B. An inline monitoring system that can perform penetration testing C. An inline monitoring system that can perform vulnerability assessments D. An inline monitoring system that can modify the environment to block an attack
D. An intrusion prevention system is an inline monitoring and detection system that can modify the environment (such as by changing ACLs or closing half-open connections) to block an attack. Although it may be able to detect some malware such as worms, this isn't the best definition. It is not used for vulnerability assessments or penetration tests.
5. Which of the following best identifies a computer controlled by a botnet? A. DoS computer B. DDoS computer C. Attacker D. Zombie
D. Computers controlled within a botnet are commonly called zombies. They are not referred to as DoS or DDoS computers, or attackers, although they can be directed to take part in a DDoS attack.
18. Of the following choices, what network device can filter e-mail, spam, and malware? A. Packet-filtering firewall B. Proxy server C. An intrusion detection system D. Content-filtering appliance
D. Content-filtering appliances can filter e-mail to remove spam and malicious attachments. They can also act as a proxy server or an intrusion detection system (IDS). A packet-filtering firewall can only examine packets. A proxy server can filter websites but not e-mail. An IDS detects attacks, but not e-mail and spam.
11. An attacker has collected several pieces of unclassified information to deduce a conclusion. What is this called? A. Data mining B. Database normalization C. OLAP D. Data inference
D. Data inference occurs when someone is able to piece together unclassified information to predict or guess an outcome. Data mining is the process of retrieving relevant data from a large database. Database normalization is the process of dividing the data into multiple tables in a database to reduce duplication of data. Online analytical processing (OLAP) uses techniques to make it easier to retrieve data.
2. Which of the following provides the best confidentiality protection for data at rest? A. Marking it B. Labeling it C. Backing it up D. Encrypting it
D. Encryption provides the best confidentiality protection for data at rest. While it is appropriate to mark or label it, this isn't as strong as encrypting it. Backing it up provides protection for availability.
2. Which one of the following is mostly like to be performed during a feedback loop in an incident handling process? A. Chain of custody B. Hashing C. Escalation D. Perform a lessons learned review
D. Feedback loops in an incident handling process include a lessons learned review, which examines the incident and the response. The goal is to prevent a recurrence of the incident. A chain of custody validates that evidence has been controlled since it was collected. Hashing provides assurances that data (such as a bit-by-bit copy of a disk) is identical. Escalation refers to getting more people involved in an incident.
11. Which of the following can detect if a system file has been modified? A. Encryption algorithm B. Anomaly-based detection C. Signature-based detection D. File integrity checker
D. File integrity checkers use hashing techniques to detect whether modifications of system or other important files have occurred. File integrity checkers use hashing algorithms, not encryption algorithms. Intrusion detection and prevention systems use signature-based detection to detect known attacks and use anomaly-based detection to detect previously unknown attacks, but these are not related to detecting modifications to system files.
3. Which of the following choices provides one-way encryption of data? A. Symmetric B. Asymmetric C. Transport Layer Security D. Hashing
D. Hashing algorithms use a one-way encryption method to create a hash from the data. They are also known as one-way functions. The hashing algorithm creates a fixed-length hash from a file, but the hash cannot be used to re-create the file. Symmetric encryption and asymmetric encryption are both two-way, because data can be encrypted and decrypted. Transport Layer Security (TLS) is widely used to encrypt Internet traffic and uses both symmetric and asymmetric encryption.
9. You decide to manage risk by purchasing insurance to cover any losses. Which one of the following risk management techniques are you using? A. Accept B. Avoid C. Mitigate D. Transfer
D. Insurance is one of the ways that you can manage risk by transferring the risk to a third party. Risk acceptance doesn't take any further action to mitigate the risk. In risk avoidance, you avoid the activity that results in the risk. It's most common to try to reduce the risk using risk mitigation.
8. Which of the following choices is the most important consideration when gathering evidence as part of a computer forensic investigation? A. Ensuring that systems are turned off as soon as possible B. Ensuring that a record of files on a system is recorded by accessing the system C. Ensuring that users can log on to the system D. Ensuring that evidence is not modified
D. It's important that evidence is not modified when collecting evidence. If a system is turned off, data in volatile RAM is lost. If files on a system are accessed, it modifies the files by showing new access times. If a user logs on to a system, it can modify information about the last user that logged on.
12. Which of the following protocols is commonly used with diagnostic utilities? A. TFTP B. RARP C. IGMP D. ICMP
D. Many diagnostic utilities such as ping, pathping, and tracert use Internet Control Message Protocol (ICMP). Administrators commonly use Trivial FTP (TFTP) to transfer configuration files to and from network devices. Reverse ARP (RARP) allows a system with a MAC address to get an IP address. The Internet Group Message Protocol (IGMP) is used for IPv4 multicasting.
6. Which of the following is a secure method of sanitizing optical media? A. Degaussing B. Overwriting C. Shining D. Destroying
D. Optical media must be destroyed to ensure it doesn't include any remaining data. Degaussing isn't effective because optical media doesn't use magnetic methods of storing data. Overwriting isn't effective because the media might still have data remaining after overwriting it. Shining is not a valid method of sanitizing media.
14. Your organization has recently completed a security audit. Which of the following is NOT a valid step to take after completing the audit? A. Approve changes B. Evaluate controls C. Implement fixes D. Delete the security audit
D. Organizations should keep security audits instead of deleting them. This allows personnel to use them as reference points in future audits. Audits typically evaluate existing controls and recommend changes. Management approves the changes and directs personnel within the organization to implement the fixes.
What can be used to prevent a user from reusing the same password? A. Minimum password age B. Maximum password age C. Password length D. Password history
D. Password history remembers users' previous passwords and prevents them from reusing passwords.
19. Which of the following is NOT a valid method used for configuration control? A. Imaging B. Microsoft's Group Policy C. Change management D. Proxy server logs
D. Proxy server logs record what websites users visit and are not used for configuration control. Each of the other choices can be used for configuration control.
6. Which of the following is NOT a symmetric encryption standard? A. AES B. Blowfish C. RC4 D. RSAChapter
D. RSA is an asymmetric encryption standard using public and private keys and is widely used with Transport Layer Security (TLS). The other choices are all symmetric encryption standards using a single key to encrypt and decrypt the data.
11. An organization has implemented several controls to mitigate risks. However, some risk remains. What is the name of the remaining risk? A. Vulnerable risk B. Mitigated risk C. Alternate risk D. Residual risk
D. Residual risk is any risk that remains after implementing controls to mitigate the risk. It's often not cost effective to implement controls to eliminate all risks, so senior management must make decisions on what risk to mitigate and what risk to accept as residual risk. Vulnerable risk and alternate risk are not valid terms associated with risk management.
2. You are involved in risk management activities within your organization. Of the following activities, which one is the best choice to reduce risk? A. Reducing threats B. Increasing vulnerabilities C. Increasing impact D. Mitigating risk
D. Risk mitigation is the process of reducing risk. You can rarely reduce threats, but you can often reduce (not increase) vulnerabilities or reduce (not increase) the impact of a risk.
5. After visiting a website, a user sees a pop-up indicating a virus has infected his system and offering free antivirus software. He downloads the free antivirus software, but finds that it won't clean the virus unless he purchases the full version. What does this describe? A. Shareware B. Rootkit C. Freeware D. Scareware
D. Scareware is malware that scares users into thinking a virus has infected their system and encourages them to install a free download. The free download appears as antivirus software that doesn't remove viruses unless users pay, but it often includes malware itself. Shareware is software that users are free to try and pay for if they like it and continue to use it. A rootkit takes over the system with root-level privileges. Freeware is free software.
14. Which of the following protocols is a more secure alternative for remote login? A. Telnet B. rlogin C. rexec D. SSH
D. Secure Shell (SSH) encrypts data sent over a network and is the most secure method for remotely accessing systems of the given choices. Telnet, rlogin (which is remote login), and rexec (remote execute) all send data across a network in cleartext.
15. Someone has embedded a secret code within a picture used on a web page. What is the best description of this? A. Symmetric encryption B. Asymmetric encryption C. Hashing D. Steganography
D. Steganography is the practice of hiding data within data, such as embedding a secret code within a picture. Symmetric encryption uses a single key for encryption and decryption of data, while asymmetric encryption uses two keys (a public key and a private key) for encryption and decryption. Hashing creates a hash that can be used for integrity.
8. Of the following choices, which one is considered a strong, efficient symmetric encryption algorithm? A. TLS B. DES C. 3DES D. AES
D. The Advanced Encryption Standard (AES) is considered a strong, efficient symmetric encryption algorithm and it is widely used. DES is an older algorithm that has been cracked. 3DES is strong, but takes more processing power and is less efficient than AES. Transport Layer Security (TLS) uses both symmetric and asymmetric encryption, and calling it a symmetric encryption algorithm is inaccurate.
20. What provides a standardized method of describing malware? A. The Consortium of Antivirus Vendors (CAV) B. The Consortium of Virus Authors (CVA) C. The National Institute of Standards and Technology (NIST) D. The Common Vulnerabilities and Exposures (CVE) list
D. The CVE is maintained by the MITRE Corporation and provides a standardized method of describing security vulnerabilities, exploits, and malware. There is no such thing as the Consortium of Antivirus Vendors (CAV) or Consortium of Virus Authors (CVA). NIST is a U.S. government entity that regularly publishes standard publications related to IT security, standards, and practices, but it does not maintain the CVE.
11. What port does PPTP typically use? A. 143 B. 443 C. 1701 D. 1723
D. The Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723. Internet Message Access Protocol version 4 (IMAP4) uses TCP port 143, Transport Layer Security (TLS) and Secure Sockets Layer (SSL) use TCP port 443, and Layer 2 Tunneling Protocol (L2TP) uses UDP port 1701.
3. Which of the following can provide security for VoIP? A. RADIUS B. TACACS+ C. PSTN D. SRTP
D. The Secure Real-time Transport Protocol (SRTP) provides confidentiality, authentication, and replay protection for Voice over IP (VoIP) transmissions. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System+ (TACACS+) are used to provide authentication, authorization, and accounting (AAA) for remote access. The public switched telephone network (PSTN) is one of the methods used for Internet access.
20. Which of the following organizations provides regular cyber-security alerts about current security issues, vulnerabilities, and exploits as part of the U.S. National Cyber Awareness System? A. ITL B. NIST C. CERT Division D. US-CERT
D. The U.S. Computer Emergency Response Team (US-CERT) manages the National Cyber Awareness System, which provides cyber-security alerts, bulletins, tips, and updates. The other organizations provide information, but not alerts through the National Cyber Awareness System.
8. Users within an organization have recently sent sensitive data outside the organization in e-mail attachments. Management believes this was an accident, but they want to prevent a recurrence. Which of the following is the best method to do so? A. Implement a network-based intrusion prevention system (IPS) B. Provide training to users C. Ensure the data is marked appropriately D. Implement a network-based data loss prevention (DLP) system
D. The best solution is to implement a network-based DLP system. It can scan outgoing data to look for sensitive data and block any it finds. An IPS focuses on incoming traffic to block attacks, and doesn't necessarily scan outgoing traffic. Thus, it wouldn't necessarily stop data sent as an e-mail attachment. Training is appropriate, but training doesn't necessarily prevent accidents. Also, training wouldn't stop a malicious insider from this action. The data should be marked with its appropriate classification, but there isn't any indication that it isn't. Also, even if the data is marked, it doesn't necessarily prevent accidents.
9. What is the purpose of a BIA? A. To identify recovery plans B. To drive the creation of the BCP C. To test recovery plans D. To identify critical business functions
D. The business impact analysis (BIA) identifies critical business functions and is a part of the BCP. Personnel create recovery plans later in the process, after creating recovery strategies. The BCP drives the creation of the BIA, not the other way around as suggested by answer B. You can only test the plans after personnel have created them.
3. Who is responsible for classifying data? A. Management B. User C. Administrator D. Owner
D. The data owner is responsible for classifying data. Management is responsible for defining data classifications, such as in a data policy. Users access the data, but they are not responsible for assigning or modifying data classifications. Administrators grant access to users based on the individual user's need and often at the direction from the data owner.
19. What is the first step in incident response? A. Analysis B. Containment, eradication, and recovery C. Detection D. Preparation
D. The first step in incident response is preparation, which includes creating an incident response plan. The other answers are valid steps in incident response, but they aren't the first step.
11. What is MTO in relation to business continuity planning? A. Minimum time for an outage B. Maximum time for an outage C. Minimum tolerable outage D. Maximum tolerable outage
D. The maximum tolerable outage (MTO), sometimes called maximum allowable outage (MAO) or maximum tolerable downtime (MTD), identifies the maximum amount of time that a system can be down before critical business functions are affected. The T does not represent time, and the M does not represent minimum.
14. What is the overall goal of a change management process? A. To slow down changes B. To ensure that systems are configured similarly C. To enable stakeholders to deny unwanted changes D. To reduce unintended outages from unauthorized changes
D. The overall goal of a change management process is to reduce unintended outages from unauthorized changes. The intent isn't to slow down changes, but that is often a side effect. A change management process gives stakeholders the ability to propose changes, but several entities within the organization grant or deny changes. A configuration management process ensures that systems are configured similarly.
18. What is the protocol number for IPsec AH? A. 1 B. 6 C. 50 D. 51
D. The protocol number for Internet Protocol security (IPsec) Authentication Header is 51. The protocol number for IPsec Encapsulating Security Protocol (ESP) is 50. The protocol number for Internet Control Message protocol (ICMP) is 1, and the protocol number for Transmission Control Protocol (TCP) is 6.
Authentication includes three types, or factors. Which of the following best describes these authentication methods? A. Something you say, something you think, and something you are B. Something you know, something you have, and something you type C. Something you know, something you say, and something you are D. Something you know, something you have, and something you are
D. The three factors of authentication are something you know, something you have, and something you are. Something you think, something you type, or something you say are not authentication factors.
9. A computer system records events into a security log, and administrators periodically review the log for security incidents. What type of control is this? A. A preventive, technical security control B. A detective, physical security control C. A preventive, physical security control D. A detective, technical security control
D. This describes an audit log, which is a detective, technical security control. It is detective because it identifies incidents after they've occurred. It is technical because it is implemented with technology. It doesn't prevent the events, and the log is a digital file, not a physical item that you can touch.
15. A system has been attacked by an exploit that isn't published. What type of attack is this? A. Scareware B. APT C. Pharming D. Zero day
D. Zero day exploits are attacks that take advantage of vulnerabilities that are unpublished and often include attacks that are unknown by the vendor. The other answers are known methods. Scareware is malware that scares users into thinking their system is infected with a virus and encourages them to install malware on their system. An advanced persistent threat (APT) is a group of people who have the capability and intent to launch extended attacks against organizations. Pharming is an attack that redirects users to bogus websites.
name 5 access control models
DAC, NON-DAC, RBAC, RBAC MAC
what are supporting documents to a BCP
DRP, BIA, bcp TESTING, bcp MAINTAINENCE PERSONEL SUCCESION
Ciphertext
Data that is encrypted and not readable until it is decrypted into plain text. Authorized personnel can decrypt ciphertext to return it to plaintext and read it. Ideally, unauthorized personnel cannot read ciphertext. Encryption techniques convert plaintext to ciphertext.
Cleartext
Data that is not in an encrypted format. It is easily readable without any cryptographic or cryptanalysis techniques. Encryption techniques convert plain text to ciphertext. Also called plain text.
Plaintext
Data that is not in an encrypted format. It is easily readable without any cryptographic or cryptanalysis techniques. Encryption techniques convert plaintext to ciphertext. Also called cleartext.
Authorization
Defines what the user(s) can access
Single Sign-On (SSO)
Designed to provide strong authentication using secret-key cryptography, allowing a single identity to be shared across multiple applications.
Authorization
Determines whether a user is permitted to access a particular resource.
Separation of Duties
Distributing tasks and associated privileges among multiple people, primary objective to prevent fraud and errors
Which of the following are used in Biometrics? A. Retinal Scanning B. Fingerprints C. Face Recognition D. Voice Recognition E. All of the above F. None of the above
E. All of the above
Which of the following organizations can be a valid Certificate Authority (CA)? A. Verisign B. Microsoft C. Netscape D. Dell E. All of the entities listed could be valid Certificate Authorities
E. All of the entities listed could be valid Certificate Authorities
A password audit consists of checking for ____________? A. Minimum password length B. Password aging C. Password Strength D. Blank Passwords E. All of the items listed
E. All of the items listed
Which organization(s) are responsible for the timely distribution of information security intelligence data? A. CERT B. SANS C. CERIAS D. COAST E. All of the organizations listed
E. All of the organizations listed
A chronologically sorted record of all the activities on a system is known as an ____________ A. IDS system B. Packet sniffer C. Application log D. Audit log E. Audit trail
E. Audit trail
Which form of media is handled at the Physical Layer (Layer 1) of the OSI Reference Model? A. MAC B. L2TP C. SSL D. HTTP E. Ethernet
E. Ethernet
Tripwire is a ___________________- A. Log analyzer B. Port Scanner C. Digital Certificate Company D. Polymorphic virus E. File Integrity Checker
E. File Integrity Checker
Countermeasures address security concerns in which of the following categories? A. Physical B. Operations C. Computer D. Communication E. Information F. All of the listed categorie
E. Information
Instructions or code that executes on an end user's machine from a web browser is known as __________ code. A. Active X B. JavaScript C. Malware D. Windows Scripting E. Mobile
E. Mobile
PGP allows which of the following to be encrypted? A. Files B. Email C. Network connections D. Disk volumes E. PGP will encrypt all of the listed items
E. PGP will encrypt all of the listed items
___________________ viruses change the code order of the strain each time they replicate to another machine. A. Malicious B. Zenomorphic C. Worm D. Super E. Polymorphic
E. Polymorphic
Asynchronous token generating method
Employs a challenge/response scheme to authenticate the user.
Asymmetric algorithm
Encryption method that uses two different key types, public and private. Also called public key cryptography.
Confidentiality
Ensures that unauthorized entities cannot access data. Access con trols and encryption help protect against the loss of confidentiality. Confidentiality is one of the three main goals of information security known as the CIA security triad. The other two goals are integrity and availability.
IT Asset Management (ITAM)
Entails collecting inventory and financial and contractual data to manage the IT asset throughout its life cycle.
Decentralized Authentication
Every computer has a separate database that stores credentials. If a user needed to log on to all four computers in this network, he or she would need to have four separate sets of credentials—one for each system.
Which of the following is NOT an encryption method used by VPNs (Virtual Private Networks)? A. IPSEC - IP Security B. L2F - Layer 2 Forwarding C. L2TP - Layer 2 Tunneling Protocol D. SSH - Secure Shell E. PPTP - Point to Point Tunneling Protocol F. All of the above are encryption methods used by VPNs
F. All of the above are encryption methods used by VPNs
From a security standpoint, the product development life cycle consists of which of the following? A. Code Review B. Certification C. Accreditation D. Functional Design Review E. System Test Review F. All of the items listed
F. All of the items listed
Which of the following are Unix / Linux based security tools? A. Tiger B. TCP Wrappers C. TripWire D. LogCheck E. SATAN F. All of the tools listed can work on the Unix platforms
F. All of the tools listed can work on the Unix platforms
Contactless Tokens
Form a logical connection to the client computer but do not require a physical connection.
Accreditation
Formal acceptance of the adequacy of a system's overall security by management.
4G
Fourth generation of wireless technologies. It's an improvement over 3G and includes speeds as high as 100 Mbps for highly mobile users in trains and cars, and 1 Gbps for indi viduals walking or staying still.
Attenuation
Gradual loss in intensity of any kind of flux through a medium. As an electrical signal travels down a cable, the signal can degrade and distort or corrupt the data it is carrying.
Where is two places you might find an AUP
HR folder or on a splash screen
Absolute addresses
Hardware addresses used by the CPU.
Disconnected Tokens
Have neither a physical nor logical connection to the client computer.
Policy
Highlevel documents used to provide guidance to members of an organiza tion. A security policy provides direction to employees and is authoritative in nature.
Redundant sites
Hot, cold, or warm sites are planned for business continuity incase of emergency. Hot sites are ready at a moment's notice. Cold sites are empty buildings with just electricity and running water. Warm sites are hybrids.
what is a virtual site
IAAS provides backup or disaster recovery in the cloud
AH - Authentication Header is used in what industry standard protocol? A. SSL - Secure Sockets Layer B. ESP - Encapsulating Security payload C. ISAKMP - Internet Security Association and Key Management Protocol D. IKE - Internet Key Exchange E. IPSEC - Internet Protocol Security
IPSEC - Internet Protocol Security
Authenication
Identifies user(s)
Attribute
In a database, a table column. Data within the table is stored in rows, or tuples.
what is iso 27000
Information security management systems overview
personally identifiable information (PII)
Information that can be used to personally identify an individual. Many laws mandate the protection of PII.
Compensating Controls
Introduced when the existing capabilities of a system do not support the requirements of a policy.
wellknown port
Logical port numbers from 0 to 1,023 mapped to specific proto cols by the Internet Assigned Numbers Authority (IANA). For example, IANA assigned port 80 to the HTTP protocol. Port numbers are assigned as Transmission Control Pro tocol (TCP) ports and User Datagram Protocol (UDP) ports.
Accounting
Logs that track the activity of a user through monitoring. One method of accounting is audit logs that create an audit trail.
logic bomb
Malicious code that executes in response to an event, such as a point in time, or in response to specific actions.
Malware
Malicious software or malicious code. It includes any code or software that can be described as being harmful or destructive to computers, networks, or the comput ing environment as a whole. Some of the common malicious code types include viruses, worms, logic bombs, and Trojan horses.
Scareware
Malware that describes itself as free antivirus software to trick users into downloading it. It typically attempts to scare the user with a popup or other message that indicates the user's system is infected with a virus. Sometimes called rogue-ware.
Trojan horse
Malware that looks like one thing but is actually something different. Users are often tricked into installing the malware, thinking that it will provide some benefit. When the application is installed, the Trojan horse also installs the malware.
Worm
Malware that travels over the network looking for systems to infect. Worms do not require any type of interaction to execute.
access control
Mechanism used to restrict or control access to resources. Access controls can be logical (implemented with technology) and implemented by the security kernel, or physical, such as a locked door or security guard. Access controls allow subjects access to objects, such as allowing a user to access a file. Some relevant access control models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rolebased Access Control (RoleBAC), Rulebased Access Control (RuleBAC), and Attributebased Access Control (ABAC). Biba, BellLaPadula, ClarkWilson, and the Chinese Wall are specific MAC models.
Address space layout randomization (ASLR)
Memory protection mechanism used by some operating systems. The addresses used by components of a process are randomized so that it is harder for an attacker to exploit specific memory vulnerabilities.
biometrics
Method of identifying unique characteristics of a person, such as a finger print or retina scan. Biometrics provide authentication in the "something you are" factor.
information rights management (IRM)
Methods used to protect documents after they've been sent to an untrusted party. IRM can prevent recipients from forward ing, copying, modifying, printing, faxing, or pasting the contents from a file.
Open Systems Interconnection (OSI)
Model A sevenlayer model developed by the International Organization for Standardization (ISO) as a framework for connect ing computers and networks together. The seven layers are Physical (layer 1), Data Link (layer 2), Network (layer 3), Transport (layer 4), Session (layer 5), Presentation (layer 6), and Application (layer 7).
Connected Tokens
Must be physically connected to the computer to which the user is authenticating.
Due Diligence
Necessary level of care and attention that is taken to investigate an action before it is taken. (Look before jumping)
Bus
Network configuration where all computing devices are connected directly to each other via a shared cable connection. Both ends of the bus must be terminated. If one of the terminators is not present or the cable is disconnected, communication with all devices on the bus stops. See also mesh, star, token ring, and tree.
Star
Network configuration where all computing devices are connected to a central device, such as a hub or a switch. Most networks use a star configuration, with all of the devices connected to the central device with twisted pair cable. See also bus, mesh, token ring, and tree.
Simple Integrity Axiom
No read down. Subjects granted access to any security level may not read an object at a lower security level
Simple Security Property Rule
No read up. No subject can read information from an object with a security classification higher than that possessed by the subject itself.
The * Property (Star-property) Rule
No write down. Subjects granted access to any security level may not write to any object at a lower security level.
The * Integrity Axiom (Star Integrity Axiom)
No write up. Subjects granted access to any security level may not write to any object at a higher security level
port number
Numbers that identify protocols based on assigned well-known ports. For example, SMTP uses TCP port 25. This is not a protocol number, though protocol numbers also identify some protocols. Compare to protocol number and well--known port.
something you have
One of the three factors of authentication. This factor includes items such as proximity cards, smart cards, hardware tokens, and identification badges.
something you know
One of the three factors of authentication. This factor includes knowledge such as passwords, personal identification numbers, mother's maiden name, or even personal information such as the name of your first pet.
something you are
One of the three factors of authentication. This factor includes the use of biometrics to authenticate an individual based on fingerprints, retina, or other facial characteristics, keystroke dynamics, and handwriting.
availability
One of the three main goals of information security known as the CIA security triad. Availability ensures that systems and data are up and operational when needed. The other two parts of the CIA triad are confidentiality and integrity.
Encapsulating Security Protocol (ESP)
One of the underlying protocols of IPsec, ESP encrypts the data and also provides the same authentication services provided from Authentication Header (AH). Data encrypted with ESP cannot be read if captured with a sniffer. Packets protected with ESP are identified with protocol ID 50.
One-Time Passwords
Passwords created to be used only once. Because it's used only once, there's little risk of the password being reused even if an attacker is able to capture it while it is transmitted.
protected health information (PHI)
Personally identifiable information that includes an individual's medical and health history.
Address bus
Physical connections between processing components and memory segments used to communicate the physical memory addresses being used during processing procedures.
Authentication
Proof of an identity, established by providing credentials. There are three types or factors of authentication: something you know (such as a username and password), something you have (such as a smart card), and something you are (using biometrics).
Address Resolution Protocol (ARP)
Protocol that resolves Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. ARP is used on the Data Link layer of the Open Systems Interconnection (OSI) Model. Compare to Bootstrap Protocol (BootP) and Reverse Address Resolution Protocol (RARP).
Authentication Header (AH) Protocol
Protocol within the IPSec suite used for integrity and authentication.
Chinese Wall (Brewer-Nash)
Provides a barrier between these two groups of employees by classifying data
Redundant servers
Provides fault tolerance by having one or more entire systems available in case the primary one crashes.
Redundant connections
Provides fault tolerance by having redundant internet connections so if one fails, the organization can still has connectivity
Redundant disks
Provides fault tolerance by mirroring data on another drive. If the first drive fails, data is not lost since the system can automatically switch over to the other drive.
Domain Name System (DNS)
Provides name resolution services by resolving host names to IP addresses and IP addresses to host names. DNS uses port 53.
Platform-as-a-Service (PaaS)
Provides users with an operating system available over the internet, without the need for users to purchase the hardware and software
Least Privilege
Providing only the minimum amount of privileges necessary to perform a job or function.
Defense-in-depth
Provision of several overlapping subsequent limiting barriers with no respect to one safety or security threshold, so that the threshold can only be surpassed if all barriers have failed.
Guidelines
Recommendations provided to members of an organization. Guidelines aren't mandatory or authoritative in nature. Guidelines (and procedures) are derived from policies.
Availability
Refers to the ability to access and use information systems when and as needed to support an organization's operations.
Confidentiality
Refers to the property of information in which it is only made available to those who have a legitimate need to know.
Access Control Models
Regulate the admission of users into trusted areas of the organization-both logical access to information systems and physical access to the organization's facilities
Availability
Reliable and timely access to data and resources is provided to authorized individuals.
Network Discovery Protocol (NDP)
Resolves IPv6 addresses to EUI64 addresses. It is similar to ARP, which resolves IPv4 addresses to MAC addresses. IPv6 uses a 64bit modified EUI64 address instead of the MAC address.
Release Manager
Responsible for planning, coordination, implementation, and communication of all application releases.
Bell-LaPadula Model
Security model that deals only with confidentiality. Two rules: simple security property rule, the star property rule
Biba Model
Security model that deals only with integrity.
Ethernet
Set of local area network (LAN) standards defined by the IEEE 802.3 doc uments. It is the most widely used standard for LANs.
Algorithm
Set of mathematical and logic rules used in cryptographic functions.
intrusion prevention system (IPS)
Similar to an intrusion detection system (IDS), but with two primary differences. An IPS is placed inline with the traffic, pre venting the malicious traffic from reaching the protected network. An IPS provides an active response.
Application programming interface (API)
Software interface that enables process-to- process interaction. Common way to provide access to standard routines to a set of software programs.
Firewall
Software or hardware used to filter traffic into or out of a network. A firewall can be a dedicated physical device or an additional application running on a system such as a desktop computer.
Spyware
Software that is installed on a user's system without the user's knowledge or consent. Spyware is considered a form of malware because it can cause damage to an individual.
Three Factors of Authentication
Something you... know, have and are
Infrastructure-as-a-Service (IaaS)
Sometimes called hardware-as-a-service. Users rent access to hardware such as servers and networking infrastructure.
Procedure
Specific action steps to accomplish tasks. Procedures (and guidelines) are derived from policies.
Release Management Policy
Specifies the conditions that must be met for an application or component to be released to production, roles and responsibilities for packaging, approving, moving, and testing code releases, and approval and documentation requirements.
code of ethics
Statements and principles that individuals can use to guide their decisions and help in ethical dilemma situations. (ISC)2's Code of Ethics includes a pre amble and four canons describing ethical expectations from its certified practitioners. Candidates must commit to and abide by them to earn and keep the SSCP certification. Organizations can also use ethics statements for internal employees.
Procedures
Step-by-step instructions for performing a specific task or set of tasks.
Clark-Wilson
Subjects can access data only through programs (access triple - user, object, program) ensure separation of duties, and required auditing
data loss prevention (DLP)
Techniques used to monitor data usage and prevent the unauthorized use or transmission of sensitive data. Different types of DLP systems can monitor data in motion and data at rest.
near field communication (NFC)
Technology in smartphones that allows a user to transfer information to other devices by waving a smartphone close to the other device or tapping the other device. NFC can be used to make purchases with credit cards reg istered on the phone.
Accountability
The ability of a system to track the activity of an individual. It depends on proper identification and authentication. If a system can identify individual users, track their actions, and monitor their behavior, it provides accountability.
data inference
The ability of someone to gain knowledge by piecing together unclassified data to determine classified or secret information. It also includes the ability to gather large quantities of information and attempt to learn details of the information through deduction.
Identification
The act of claiming an identity, typically by using a username. Users prove identity by providing proper credentials such as a password.
residual risk
The amount of risk that remains after steps have been taken to mitigate risk. In other words, residual risk = total risk - mitigated risk. Management is responsible for any losses that occur as a result of residual risk.
Abstraction
The capability to suppress unnecessary details so the important, inherent properties can be examined and reviewed.
HyperText Transfer Protocol (HTTP)
The common protocol used to transfer web pages over the Internet. Most web browsers use HTTP by default. HTTP uses TCP port 80.
Crossover Error Rate
The crossover error rate, also called the equal error rate, is the point at which the number of false positives matches the number of false negatives in a bio metric system. Select the system with the lowest crossover error rate within your budget.
Transport Layer Security (TLS)
The designated replacement for Secure Sockets Layer (SSL). It is based on SSL and is formally defined in RFC 5246. Almost all HTTPS sessions today are encrypted with TLS due to known vulnerabilities with SSL. TLS commonly uses TCP port 443.
Static Password Token
The device contains a password that is physically hidden (not visible to the possessor) but that is transmitted for each authentication.
Voice over Internet Protocol (VoIP)
The different technologies used to trans mit multimedia and voice communications over IP networks, including the Internet.
first responder
The first forensicstrained person on the scene of an information technology (IT) incident. It could be a highly trained forensics expert or a system admin istrator with only basic training. One of the primary responsibilities of a first responder is the preservation of the scene of the incident and all associated evidence.
Wired Equivalent Privacy (WEP)
The first security algorithm used for 802.11 wireless networks. WEP has several security issues and has been deprecated in favor of WPA and WPA2. It should not be used.
Access
The flow of information between a subject and an object.
what is acquire time
The incriment of time that it takes to get the scan data
Breach
The intentional or unintentional release of secure information to an untrusted environment.
due diligence
The investigative steps that an organization takes prior to taking on something new, such as signing a contract or making a major purchase. An organization has an obligation to exercise due diligence to discover risks.
Discretionary Access Control (DAC)
The least restrictive access control. Is an access policy determined by the owner of a file (or other resource). The owner decides who's allowed access to a file and what privileges they have.
Systems Integrity
The maintenance of a known good configuration and expected operational function.
maximum acceptable outage (MAO)
The maximum amount of time a system can be down before critical business functions are affected. MAO is sometimes called maximum tolerable outage (MTO) or maximum tolerable downtime (MTD). The MAO helps an organization determine the recovery time objective (RTO).
recovery time objective (RTO)
The maximum amount of time that can be taken to restore a system or process to operation. If a failure takes longer than the RTO to restore, then it impacts the mission. The maximum acceptable outage (MAO) helps an organization determine the RTO. Remote Authentication DialIn User Service (RADIUS)\ A service that provides centralized authentication, authorization, and accounting (AAA) for remote clients. Remote users are authenticated against a credential's database, their account is checked to verify that they are authorized to use remote access, and their remote access activity is tracked in an accounting log.
Mandatory Access Control (MAC)
The most restrictive access control. Users are assigned a security level or clearance, and when they try to access an object, their clearance level is compared to the objects sensitivity level. If they match the user can access the object, if not, the user is denied access
False Accept Rate
The percentage of identification instances in which unauthorized users are allowed access to systems or areas as a result of a failure in the biometric device.
False Reject Rate
The percentage or value associated with the rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device.
Crossover Error Rate (CER)
The point where the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) of a biometric system are equal or cross over. A lower CER indicates a betterperforming biometric system. Compare to False Acceptance Rate (FAR) and False Rejection Rate (FRR).
fault tolerance
The practice of adding and maintaining redundancy for disks, serv ers, connections, and sites. Fault tolerance controls help eliminate outages from single points of failure by adding redundancies.
single signon (SSO)
The practice of allowing a subject (such as a user) to authenticate once and use the same credentials to access additional resources without authenticating again. This increases security because users have to remember only a single set of credentials and are less likely to write their credentials down. Federated access SSO systems allow users to access systems owned and managed by different organizations by logging on once using credentials recognized by the federated access system.
shoulder surfing
The practice of attempting to gain information by looking over a user's shoulder as he or she is entering data.
Nonrepudiation
The practice of ensuring that a party cannot believably deny (or repudiate) taking an action. Nonrepudiation is enforced through audit logging and with digital signatures.
Steganography
The practice of hiding data within data. When used to hide data within files, it modifies the least significant bits of bytes within the files.
due care
The practice of implementing security policies and practices to protect resources. Organizations are required by law to exercise due care or they can be found legally negligent.
Hardening
The practice of making a system more secure from its default configura tion. Hardening often includes removing or disabling unused protocols and services, changing defaults, keeping systems up to date, enabling firewalls, and using AV software.
job rotation
The practice of moving employees between different jobs on a periodic basis. Job rotation is a security practice that can reduce the risk of fraud within a com pany. Organizations commonly combine it with a separation of duties policy.
social engineering
The practice of using primarily nontechnical means to get people to give up sensitive data or to perform actions they wouldn't normally perform. A social engineer uses deception and fraud to trick or manipulate unsuspecting users.
Entitlement
The privileges granted to users. Following the principle of least privilege is important here.
Risk
The probability or likelihood of a threat exploiting a vulnerability, resulting in a loss. A threat is any activity that can be a possible danger. A vulnerability is a weakness, and a loss represents a negative event for an organization. The level of loss represents the impact.
input validation
The process of checking data before using it within an applica tion. Web applications use input validation to prevent different types of injection attacks, such as SQL injection or crosssite scripting attacks. Input validation also helps prevent buffer overflow attacks.
Decryption
The process of converting ciphertext data into plaintext data. Data is encrypted to prevent loss of confidentiality. Compare to encryption.
Encryption
The process of converting plaintext data into ciphertext data to prevent loss of confidentiality. The process is reversed by decrypting the ciphertext data to create the original plaintext data. Compare to decryption.
Hashing
The process of creating a hash (a number) by executing a hashing algorithm against a piece of data. As long as the original data is not changed, the hash will always be the same. You can execute the hashing algorithm on the file or message at one point to cre ate a hash and then later execute the same hashing algorithm again. If the hashes are the same, the original data has not been modified and it has retained integrity.
Cryptanalysis
The process of deciphering codes through analysis. Both attackers and researchers use cryptanalysis techniques. Researchers use them to search for weak nesses in cryptography, with the goal of improving cryptographic methods. Attackers use them to search for weaknesses, with the goal of exploiting them.
Accreditation
The process of formally declaring that the system is approved to operate. Accreditation comes after system certification.
Deduplication
The process of keeping only a single copy of a file on a system instead of multiple identical files. Deduplication saves storage space.
identity management
The process of managing accounts and access to resources. Provisioning includes creating accounts for users and granting appropriate privileges. Maintenance ensures that password policies and account policies are implemented prop erly and ensures that inactive accounts are disabled. Entitlement\ helps ensure that the principle of least privilege is enforced.
incident response
The process of responding to an incident. Many organizations have formal procedures for responding to incidents.
Integrity
The property of information whereby it is recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a stated purpose.
Due Care
The requirement that a professional exercise reasonable ability and judgement in a specific circumstance, the absence of which constitutes negligence. Also called standard of care.
Object
The resource being accessed (ex: data, hardware, applications, networks, facilities)
Privacy
The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.
Forensics
The science of examining and inspecting crime scenes for evidence. Com puter forensics is the science of examining and inspecting computer systems for evidence about an event or crime.
Cryptography
The science of scrambling, or encrypting, data. Cryptography includes the study of algorithms and other methods that help protect the confidentiality of data.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
The standard used to encrypt and digitally sign email. Almost all email applications that support encryption and digital signatures use S/MIME.
Identity Management
The task of controlling information about users on computers.
CIA security triad
The three main goals of information security: confidentiality, integrity, and availability. Confidentiality ensures that unauthorized individuals cannot access data. Integrity prevents any unauthorized or unwanted modification of data or sys tem configurations. Availability ensures that systems and data are available when needed.
Secure Hashing Algorithm 3 (SHA3)
The winner of the NIST hash function competition from 2007 to 2012. It is not based on SHA1 or SHA2, but instead is a subset of the Keccak algorithm. It creates hashes of 224, 256, 384, or 512 bits.
Hashing
These algorithms provide data integrity only
Corrective Control
These controls remedy the circumstances that enabled unwarranted activity, and/ or return conditions to where they were prior to the unwanted activity.
Access Control Lists
These lists are used to identify systems and specify which users, protocols, or services are allowed
What is SAP in terms of classification of material
These programs are used by military to classify material into compartments. uses two words like yankee white
3G
Third generation of wireless technologies. 1G uses analog signals, and 2G uses digital signals. 3G provides higher transfer speeds using digital technologies.
Describe TCB
This system has two main components the reference monitor and the security kernel database and helps to enforce a MAC model.
what is SCI in terms of classification of material
This system uses a single code word such as umbra to compartmentalize top secret material
Assemblers
Tools that convert assembly code into the necessary machine-compatible binary language for processing activities to take place.
Accounting
Tracking user(s) activities.
6to4
Transition mechanism for migrating from IPv4 to IPv6. It allows systems to use IPv6 to communicate if their traffic has to transverse an IPv4 network.
Asynchronous communication
Transmission sequencing technology that uses start and stop bits or similar encoding mechanism. Used in environments that transmit a variable amount of data in a periodic fashion.
Accountability
Underlying goals of the AAAs of security. The trait of being willing to take responsibility for your actions
Spam
Unsolicited commercial email (UCE) and other unwanted electronic messages sent in bulk. Spam is most often associated with email, but can also be delivered via other means, such as instant messaging. It usually includes advertisements, but can also be used in different types of attacks launched from botnets and phishing.
Role-base Access Control (RBAC)
Use roles to determine access.
Authentication Header (AH)
Used with Internet Protocol security (IPsec) to provide authentication between systems and integrity of the packets. The AH is created from a hash of the packet with additional authentication data, and the hash is encrypted to prevent tampering. The hash provides integrity. Packets protected with AH are iden tified with protocol ID 51. See also Encapsulating Security Protocol (ESP) and Internet Protocol security (IPsec).
Baseband transmission
Uses the full bandwidth for only one communication channel and has a low data transfer rate compared to broadband.
Proof of Identity
Verify people's identities before the enterprise issues them accounts and credentials.
Asymmetric mode multiprocessing
When a computer has two or more CPUs and one CPU is dedicated to a specific program while the other CPUs carry out general processing procedures
WiFi Protected Access (WPA/WPA2)
WiFi-related security protocols. WPA was introduced as a replacement for Wired Equivalent Privacy (WEP) to secure wireless networks. WPA2 was created as a permanent replacement and is formalized as IEEE 802.11i. WPA and WPA2 can operate in either Personal mode or Enterprise mode. Personal mode uses a preshared key (PSK), and Enterprise mode uses an authentication server such as a Remote Dialin User Authentication Service (RADIUS) or 802.1x server.
WiMAX
Worldwide Interoperability for Microwave Access, the commercial name for 802.16related products. WiMAX provides broadband wireless access over a large metro politan area, such as a city, with speeds comparable to wired broadband access.
Reverse Address Resolution Protocol (RARP)
You can think of this as a simplified version of DHCP. A client has a MAC address and uses RARP to get an IP address. It provides the clients some TCP/IP configuration information, but doesn't have the full capabilities of DHCP.
what is the reference monitor
a stripped down server that has high availability . this system mediates access to object by checking the clearances of subjects
what are two characteristics of a subject
active, clearance levels and access objects
what is role base example
all investors in IP get access to word, your role in company dictates a certain level of privileges
what is reverse authentication
also known as mutual authentication both the end user and the system being access authenticate to each other one example it the picture on a bank website
explain throughput time
amount of time from acquire to approved or denied in a bio system
what is a hot patch
applied to a system without the need to turn it off
how does a user access kerberose
authenticate to kerb kerb issuses tgt use tgt to get session ticket present session ticket to application
what are three ways to control session level access
auto timeout , continous authentication , origin location authentication
what is opie
based on s/key, password is passed through md4 or 5 hash to produce a opie
what is a BIA
business impact analysis
describe business impact analysis
categorize systems on importance and and determine how long the business can function without their activities
what is the bell lapuda model
concerned with confidentiality used by governments simple security-no read up star property- no write down constrained tranquil strong star / you read and write at your level
explain the biba model
concerned with integrity simple integrity-no read down star axiom - no write up invocation property - you can not invoke privileges at a higher level
list a general public classification
confidential , internal use and public
what is the Brewer-Nash Chinese wall
conflicts of interest between business units
Confidentiality
data is not disclosed to unauthorized users
what is the DAC access model
data owners decide who gets access to the folders and data
Availability
ensures that IT systems and data are available when needed
Spam
filter An email scanner that attempts to detect and block unsolicited email (spam). Spam filters can be installed on end-user systems and email servers and at the boundary of the network to scan all traffic from the Internet.
what are 3 components used in endpoint defense
firewall, HIDS and antivirus
what is iso 27001
information security management requiremnt system evalluation
what is iso 27005
information security risk managment
what is iso 27003
isms implementation guidance
what is iso 27002
isms taking risk appetite into consideration
what is assurance of accountability
like non-repudation . you know for sure this is the user
what is iso 27004
measurement of isms
what is NAC
network access control is used to check te health of endpoint devices
what are two popular frameworks for info sec security
nist 800 series add iso 27000 series
name some characteristics of objects
objects are access by subjects and given lables of classified or sensative
what are 3 types of security policies
operational functional organizational
name 3 types of controls
physical , logical or technical and administrative.
what is a one to one search in a biometric system
point data from a scan is presented against point data in a system
describe the heirarchy from policy to guidelines
policy regulations baselines procedures guidelines
Integrity
prevents any unauthorized or unwanted modification of data
what is the 3 rd cannon
provide comp and diligent service
what is another name for a partnership site
reciprical- two companies share resources in event of disaster
what are the three states of data
rest transit and proccess
what is microsoft sdl
security development lifecycle
what is the clark wilson model
seeperation of duties , well formed transactions and object integrity
what are 4 methods of authentication ( you do)
signature dynamics, heartbeat, voice print and keystrokes
what is a patch
software meant to improve useability
name two parts to a data classification system
subjects and objects
what is a non-dac
system admins or management control who has access to the data
what is enrollment time
the time it takes to initially set up individuals in a bio metric system
what is dual control or split knowledge
the use of seperation of duties to ensue that two poeple are needeed two access resources
what is an example of rule base access control
time of the day restrictions
bitcopy
tools Software used to capture the contents of a drive without modifying the data. The copy is known as a forensic duplicate image and can be examined without affecting the original.
list gov classification from top to bottom
top secret , secret, confidential and unclassified
describe a MAC model
used by gov, most secure, objects are given classification lables, subjects are given clearance levels
Virtualization
when one physical machine hosts multiple activities that are normally done on multiple machines.
how can a device authenticate to an end user
with the use of digital certificate