CISSP Exam Collection - Part 2

Ace your homework & exams now with Quizwiz!

QUESTION 238 When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used, what is the proper term to refer to a single unit of TCP data at the transport layer? A. TCP segment. B. TCP datagram. C. TCP frame. D. TCP packet.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: A TCP Segment is the group of TCP data tramsmitted at the Transport Layer. TCP is segment based network technology. The message is sent to the transport layer, where TCP does its magic on the data. The bundle of data is now a segment. If the message is being transmitted overTCP, it is referred to as a "segment." Protocol Data Unit Layers The following answers are incorrect: TCP datagram. Is incorrect because a TCP datagram is only a distractor, IP datagram would be the proper terminology. TCP is segment based network technology. TCP frame. Is incorrect because a TCP frame is only a distractor, Ethernet Frame would be the proper terminology. TCP is segment based network technology. TCP packet. Is incorrect because a TCP packet is only a distractor. TCP is segment based network technology. References(s) used for this question: Wikipedia http://en.wikipedia.org/wiki/Transport_layer Wikipedia http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, 1994, ISBN 0-201-63346-9. http://www.infocellar.com/networks/osi-model.htm

QUESTION 250 Which one of the following authentication mechanisms creates a problem for mobile users? A. Mechanisms based on IP addresses B. Mechanism with reusable passwords C. one-time password mechanism. D. challenge response mechanism.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next. Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP. NOTE FROM CLEMENT: The term MOBILE in this case is synonymous with Road Warriors where a user is contantly traveling and changing location. With smartphone today that may not be an issue but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices but in some cases this issue could affect cellular devices as well. The following answers are incorrect: mechanism with reusable password. This is incorrect because reusable password mechanism would not present a problem for mobile users. They are the least secure and change only at specific interval. one-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user. challenge response mechanism. This is incorrect because challenge response mechanism would not present a problem for mobile users.

QUESTION 176 Which of the following is NOT a form of detective technical control? A. Audit trails B. Access control software C. Honeypot D. Intrusion detection system

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Detective technical controls warn of technical access control violations. Access control software is a rather an example of a preventive technical control. Other choices represent detective technical controls. Source: DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 10 (march 2002).

QUESTION 220 A Differential backup process will: A. Backs up data labeled with archive bit 1 and leaves the data labeled as archive bit 1 B. Backs up data labeled with archive bit 1 and changes the data label to archive bit 0 C. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0 D. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Archive bit 1 = On (the archive bit is set). Archive bit 0 = Off (the archive bit is NOT set). When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up. Differential backups backup all files changed since the last full. To do this, they don't change the archive bit value when they backup a file. Instead the differential let's the full backup make that change. An incremental only backs up data since the last incremental backup. Thus is does change the archive bit from 1 (On) to 0 (Off). The following answers are incorrect: Backs up data labeled with archive bit 1 and changes the data label to archive bit 0 - This is the behavior of an incremental backup, not a differential backup. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0 - If the archive bit is set to 0 (Off), it will only be backed up via a Full backup. Everything else will ignore it. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1 - If the archive bit is set to 0 (Off), it will only be backed up via a Full backup. Everything else will ignore it. The following reference(s) were/was used to create this question: https://en.wikipedia.org/wiki/Archive_bit

QUESTION 235 Which of the following testing method examines the functionality of an application without peering into its internal structure or knowing the details of it's internals? A. Black-box testing B. Parallel Test C. Regression Testing D. Pilot Testing

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Black-box testing is a method of software testing that examines the functionality of an application (e.g. what the software does) without peering into its internal structures or workings (see white-box testing). This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. For your exam you should know the information below: Alpha and Beta Testing - An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically software goes to two stages testing before it consider finished.The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested user. Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests usually over interim platform and with only basic functionalities. White box testing - Assess the effectiveness of a software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic path. H

QUESTION 225 Which access control method allows the data owner (the person who created the file) to control access to the information they own? A. DAC - Discretionary Access Control B. MAC - Mandatory Access Control C. RBAC - Role-Based Access Control D. NDAC - Non-Discretionary Access Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: DAC - Discretionary Access Control is where the user controls access to the data they create or manage. It is the least secure method of access control because of a few factors: - Employee changeover can lead to confusion of data ownership or abandoned data. - Employees are not traditionally experienced enough to manage data permissions and maintain them in a reliable fashion. - People in general are the least reliable component of any organization The following answers are incorrect: - MAC - Mandatory Access Control: This is incorrect because in the MAC model of access control, labels are used to identify the level of sensitivity of the data. If the user does not have privileges to such data he or she is denied access. - RBAC - Role-Based Access Control: Sorry, RBAC is Role-Based Access Control where the users' Role determines the access level to data they are given. - NDAC - Non-Discretionary Access Control: Sorry, this isn't a common term associated with access control methodologies. The following reference(s) was used to create this question: 2013 Official Security+ Curriculum.

QUESTION 229 You are a manager for a large international bank and periodically move employees between positions in your department. What is this process called? A. Job Rotation B. Separation of Duties C. Mandatory Rotations D. Dual Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Discussion: If a single employee were permitted to stay in one critical position for an extended period of time without close oversight he or she could carry out fraud undetected. For this reason it is important to rotate employees between jobs. Another good reason is to get employees experienced on their colleagues' jobs. This way, if an employee were for some reason unavailable to work, their position could be covered. The following answers are incorrect: Separation of Duties: This is similar to Job Rotation because critical functions are divided up between employees to avoid and detect fraud. It is incorrect because with Job Rotation, people move between positions to detect fraud or even get better at each position to provide some resiliency for the organization. Separation of Duties is more a preventative measure. Mandatory Rotations: This is incorrect because of the terminology. There are terms called Mandatory Vacations and Job Rotation but not mandatory rotations. Be familiar with these terms before trying to pass the exam. Dual Control: This term describes how a manager would require employees to work together (two or more) on critical actions so that no single employee can cause catastrophic damage. This isn't the correct answer but it is very similar to Job Rotation where an employee rotates between job duties. Dual Control requires employees to work together on critical tasks in hopes of limiting collusion to commit fraud. The following reference(s) was used to create this question: Gregg, Michael; Haines, Billy (2012-02-16). CASP: CompTIA Advanced Security Practitioner Study Guide Authorized Courseware: Exam CAS-001 (p. 245). Wiley. Kindle Edition.

QUESTION 222 Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer? A. LCL and MAC; IEEE 8022 and 8023 B. LCL and MAC; IEEE 8021 and 8023 C. Network and MAC; IEEE 8021 and 8023

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 8022 specification. It communicates with the network layer, which is immediately above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer. Thus, the specification for this layer depends on the technology of the physical layer. The IEEE MAC specification for Ethernet is 8023, Token Ring is 8025, wireless LAN is 80211, and so on. When you see a reference to an IEEE standard, such as 80211 or 80216, it refers to the protocol working at the MAC sublayer of the data link layer of the protocol stack. The following answers are incorrect: LCL and MAC; IEEE 8022 and 8023 is incorrect because LCL is a distracter. The correct acronym for the upper sublayer of the data link layer is LLC. It stands for the Logical Link Control. By providing multiplexing and flow control mechanisms, the LLC enables the coexistence of network protocols within a multipoint network and their transportation over the same network media. LCL and MAC; IEEE 8021 and 8023 is incorrect because LCL is a distracter. The sublayers of the data link layer are the Logical Link Control (LLC) and the Media Access Control (MAC). Furthermore, the LLC is defined in the IEEE 8022 specification, not 8021 The IEEE 8021 specifications are concerned with protocol layers above the MAC and LLC layers. It addresses

QUESTION 221 When considering all the reasons that buffer overflow vulnerabilities exist what is the real reason? A. Human error B. The Windows Operating system C. Insecure programming languages D. Insecure Transport Protocols

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Discussion: Since computer program code is written by humans and there are proper and improper ways of writing software code it is clear that human errors create the conditions for buffer overflows to exist. Unfortunately as secure as any operating system is it becomes insecure when people install insecure code that can be host to buffer overflow attacks so it is human error that really causes these vulnerabilities. Mitigation: The best mitigation against buffer overflow attacks is to: - Be sure you keep your software updated with any patches released by the vendors. - Have sensible configurations for your software. (e.g,. lock it down) - Control access to your sensitive systems with network traffic normalizing systems like a filtering firewall or other devices that drops inappropriate network packets. - If you don't need the software or service on a system, remove it. If it is useless it can only be a threat. The following answers are incorrect: The Windows Operating system: This isn't the intended answer. Insecure programming languages: This isn't correct. Modern programming languages are capable of being used securely. It's only when humans make mistakes that any programming language becomes a threat. Insecure Transport Protocols: This is partially correct. If you send logon ID and passwords over the network in clear text, no programming language will protect you from sniffers. The following reference(s) were/was used to create this question: 2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v71, Module 17, Page 806

QUESTION 248 In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class A network? A. The first bit of the IP address would be set to zero. B. The first bit of the IP address would be set to one and the second bit set to zero. C. The first two bits of the IP address would be set to one, and the third bit set to zero. D. The first three bits of the IP address would be set to one.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: Each Class A network address has a 8-bit network prefix, with the first bit of the ipaddress set to zero. See the diagram below for more details. The following answers are incorrect: The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because this would be a Class B network address. The first two bits of the IP address would be set to one, and the third bit set to zero. Is incorrect because, this would be a Class C network address. The first three bits of the ipaddress would be set to one. Is incorrect because, this is a distractor. Class D & E have the first three bits set to 1. Class D the 4th bit is 0 and for Class E the 4th bit to 1. See diagram below from the 3COM tutorial on everything you ever wanted to know about IP addressing: Classful IP addressing format Classless Internet Domain Routing (CIDR) Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and routing Internet Protocol packets. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet. Their goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses. For Class A, the addresses are 0.0.0.0 - 127.255.255.255. For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255. For Class C, the addresses are 192.0.0.0 - 223.255.255.255. For Class D, the addresses are 224.0.0.0 - 239.255.255.255. For Class E, the addresses are 240.0.0.0 - 255.255.255.255. References: 3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf and AIOv3 Telecommunications and Networking Security (page 438) and https://secure.wikimedia.o

QUESTION 224 Which of the following answers best describes the type of penetration testing where the analyst has full knowledge of the network on which he is going to perform his test? A. White-Box Penetration Testing B. Black-Box Pen Testing C. Penetration Testing D. Gray-Box Pen Testing

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: In general there are three ways a pen tester can test a target system. - White-Box: The tester has full access and is testing from inside the system.- Gray-Box: The tester has some knowledge of the system he's testing. - Black-Box: The tester has no knowledge of the system. Each of these forms of testing has different benefits and can test different aspects of the system from different approaches. The following answers are incorrect: - Black-Box Pen Testing: This is where no prior knowledge is given about the target network. Only a domain name or business name may be given to the analyst. - Penetration Testing: This is half correct but more specifically it is white-box testing because the tester has full access. - Gray-Box Pen Testing: This answer is not right because Gray-Box testing you are given a little information about the target network. The following reference(s) was used to create this question: 2013 Official Security+ Curriculum. and tester is provided no information about the target's network or environment. The tester is simply left to his abilities Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4742-4743). Auerbach Publications. Kindle Edition.

QUESTION 226 Suppose you are a domain administrator and are choosing an employee to carry out backups. Which access control method do you think would be best for this scenario? A. RBAC - Role-Based Access Control B. MAC - Mandatory Access Control C. DAC - Discretionary Access Control D. RBAC - Rule-Based Access Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: RBAC - Role-Based Access Control permissions would fit best for a backup job for the employee because the permissions correlate tightly with permissions granted to a backup operator. A role-based access control (RBAC) model, bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs. Access control decisions are based on job function, previously defined and governed by policy, and each role (job function) will have its own access capabilities. Objects associated with a role will inherit privileges assigned to that role. This is also true for groups of users, allowing administrators to simplify access control strategies by assigning users to groups and groups to roles. Specifically, in the Microsoft Windows world there is a security group called "Backup Operators" in which you can place the users to carry out the duties. This way you could assign the backup privilege without the need to grant the Restore privilege. This would prevent errors or a malicious person from overwriting the current data with an old copy for example. The following answers are incorrect: - MAC - Mandatory Access Control: This isn't the right answer. The role of Backup administrator fits perfectly with the access control Role-Based access control. - DAC - Discretionary Access Control: This isn't the correct answer because DAC relies on data owner/creators to determine who has access to information. - RBAC - Rule-Based Access Control: If you got this wrong it may be because you didn't read past the RBAC part. Be very careful to read the entire

QUESTION 241 What is a limitation of TCP Wrappers? A. It cannot control access to running UDP services. B. It stops packets before they reach the application layer, thus confusing some proxy servers. C. The hosts.* access control system requires a complicated directory tree. D. They are too expensive.

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: TCP Wrappers can control when a UDP server starts but has little control afterwards because UDP packets can be sent randomly. The following answers are incorrect: It stops packets before they reach the application layer, thus confusing some proxy servers. Is incorrect because the TCP Wrapper acts as an ACL restricting packets so would not confuse a proxy server because the packets would not arrive and would not be a limitation. The hosts.* access control system requires a complicated directory tree. Is incorrect because a simple directory tree is involved. They are too expensive. Is incorrect because TCP Wrapper is considered open source with a BSD licensing scheme.

QUESTION 227 Of the seven types of Access Control Categories, which is described as such? Designed to specify rules of acceptable behavior in the organization. Example: Policy stating that employees may not spend time on social media websites A. Directive Access Control B. Deterrent Access Control C. Preventive Access Control D. Detective Access Control

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: There are seven access control categories. Below you have the Access Control Types and Categories. - Access Control Types: - Administrative - Policies, data classification and labeling and security awareness training - Technical - Hardare - MAC FIltering or perimeter devices like - Software controls like account logons and encryption, file perms - Physical - Guard, fences and locks - Access Control Categories: Directive: specify rules of acceptable behavior - Policy stating users may not use facebook Deterrent: - Designed to discourage people from violating security directives - Logon banner reminding users about being subject to monitoring Preventive: - Implemented to prevent a security incident or information breach - Like a fence or file permissions Detective: - Used to mitigate the loss. - Example: Logging, IDS with a Firewall Compensating: - To subsititute for the loss of a primary control of add additinoal mitigation - Example: Logging, IDS inline with firewall Corrective: - To remedy circumstance, mitigate damage or restore control - Example: Fire extinguisher, firing an employee Recovery: - To restore conditions to normal after a security incident - Restore files from backup All these are designed to shape employee behavior to better maintain an environment that supports the business objectives and protects corporate assets. The following answers are incorrect: - Deterrent Access Control: This is not right because a deterrent access control discourages people from violating security directives. - Preventive Access Control: This is incorrect because a preventive access control category is used to simply stop or block unwanted behavior. Users don't have a choice about whether to violate the behavior rules. - Detective

QUESTION 249 Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)? A. 10.0.42.5 B. 11.0.42.5 C. 12.0.42.5 D. 13.0.42.5

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: This is a valid Class A reserved address. For Class A, the reserved addresses are 10.0.0.0 - 10.255.255.255. The following answers are incorrect: 11.0.42.5 Is incorrect because it is not a Class A reserved address.12.0.42.5 Is incorrect because it is not a Class A reserved address. 13.0.42.5 Is incorrect because it is not a Class A reserved address. The private IP address ranges are defined within RFC 1918: RFC 1918 private ip address range References: 3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf AIOv3 Telecommunications and Networking Security (page 438)

QUESTION 236 Which of the following testing method examines internal structure or working of an application? A. White-box testing B. Parallel Test C. Regression Testing D. Pilot Testing

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. For your exam you should know the information below: Alpha and Beta Testing - An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically software goes to two stages testing before it consider finished.The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users.

QUESTION 247 Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)? A. 192.168.42.5 B. 192.166.42.5 C. 192.175.42.5 D. 192.1.42.5

Correct Answer: A Section: Communication and Network Security Explanation Explanation/Reference:This is a valid Class C reserved address. For Class C, the reserved addresses are 192.168.0.0 - 192.168.255.255. The private IP address ranges are defined within RFC 1918: RFC 1918 private ip address range The following answers are incorrect: 192.166.42.5 Is incorrect because it is not a Class C reserved address. 192.175.42.5 Is incorrect because it is not a Class C reserved address. 192.1.42.5 Is incorrect because it is not a Class C reserved address.

QUESTION 173 A network-based vulnerability assessment is a type of test also referred to as: A. An active vulnerability assessment. B. A routing vulnerability assessment. C. A host-based vulnerability assessment. D. A passive vulnerability assessment.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses. Since the assessment is actively attacking or scanning targeted systems, network-based vulnerability assessment systems are also called active vulnerability systems. There are mostly two main types of test: PASSIVE: You don't send any packet or interact with the remote target. You make use of public database and other techniques to gather information about your target. ACTIVE: You do send packets to your target, you attempt to stimulate response which will help you in gathering information about hosts that are alive, services runnings, port state, and more. See example below of both types of attacks: Eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them. Altering messages , modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.IMPORTANT NOTE: On the commercial vendors will sometimes use different names for different types of scans. However, the exam is product agnostic. They do not use vendor terms but general terms. Experience could trick you into selecting the wrong choice sometimes. See feedback from Jason b

QUESTION 164 Detective/Technical measures: A. include intrusion detection systems and automatically-generated violation reports from audit trail information. B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information. D. include intrusion detection systems and customised-generated violation reports from audit trail information.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Detective/Technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35

QUESTION 204 Which of the following term best describes a weakness that could potentially be exploited? A. Vulnerability B. Risk C. Threat D. Target of evaluation (TOE)

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A vulnerability is mostly a weakness, it could be a weakness in a piece of sotware, it could be a weakness in your physical security, it could take many forms. It is a weakness that could be exploited by a Threat. For example an open firewall port, a password that is never changed, or a flammable carpet. A missing Control is also considered to be a Vulnerability. The following answers are incorrect: Risk: It is the combination of a threat exploiting some vulnerability that could cause harm to some asset. Management is concerned with many types of risk. Information Technology (IT) security risk management addresses risks that arise from an organization's use of information technology. Usually a threat agent will give rise to the threat which will attempt to take advantage of one of your vulnerability. Risk is a function of the likelihood that a threat scenario will materialize, its resulting impact (consequences) and the existence/effectiveness of safeguards. If the evaluation of the risk meets the risk deemed acceptable by management, nothing needs to be done. Situations where evaluation of the risk exceeds the accepted risk (target risk) will necessitate a risk management decision such as implementing a safeguard to bring the risk down to an acceptable level. Threat: Possibility that vulnerability may be exploited to cause harm to a system, environment, or personnel. Any potential danger. The risk level associated with a threat is evaluated by looking at the likelihood which is how often it could happen and the impact (which is how much exposure or lost you would suffer) it would have on the asset. A low impact threat that repeats itself multiple times would have to be addressed. A high impact threat that happen not very often

QUESTION 217 Which answer best describes a computer software attack that takes advantage of a previously unpublished vulnerability? A. Zero-Day Attack B. Exploit Attack C. Vulnerability Attack D. Software Crack

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: A zero-day (or zero-hour, or Oday, or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. The term derives from the age of the exploit. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software. Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start todevelop a counter to that threat. For viruses, Trojans and other zero-day attacks, the vulnerability window follows this time line: The developer creates software containing an unknown vulnerability The attacker finds the vulnerability before the developer does The attacker writes and distributes an exploit while the vulnerability is not known to the developer The developer becomes aware of the vulnerability and starts developing a fix. The following answers are incorrect: Exploit Attack An exploit (from the verb to exploit, in the meaning of using something to one's own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalatio

QUESTION 169 Which of the following biometric devices has the lowest user acceptance level? A. Retina Scan B. Fingerprint scan C. Hand geometry D. Signature recognition

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: According to the cited reference, of the given options, the Retina scan has the lowest user acceptance level as it is needed for the user to get his eye close to a device and it is not user friendly and very intrusive. However, retina scan is the most precise with about one error per 10 millions usage. Look at the 2 tables below. If necessary right click on the image and save it on your desktop for a larger view or visit the web site directly at https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy . Biometric Comparison Chart Biometric Aspect Descriptions Reference(s) used for this question: RHODES, Keith A., Chief Technologist, United States General Accounting Office, National Preparedness, Technologies to Secure Federal Buildings, April 2002 (page 10). and https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy

QUESTION 218 Data which is properly secured and can be described with terms like genuine or not corrupted from the original refers to data that has a high level of what? A. Authenticity B. Authorization C. Availability D. Non-Repudiation

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine or not corrupted from the original. The following answers are incorrect: Authorization is wrong because this refers to a users ability to access data based upon a set of credentials. Availability is wrong because this refers to systems which deliver data are accessible when and where required by users. Non-Repudiation is wrong because this is where a user cannot deny their actions on data they processed. Classic example is a legal document you signed either manually with a pen or digitally with a signing certificate. If it is signed then you cannot proclaim you did not send the document or do a transaction. The following reference(s) were/was used to create this question: 2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, Volume 1, Module 1, Page. 11

QUESTION 160 Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished: A. through access control mechanisms that require identification and authentication and through the audit function. B. through logical or technical controls involving the restriction of access to systems and the protection of information. C. through logical or technical controls but not involving the restriction of access to systems and the protection of information. D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 178 Which of the following is not a preventive login control? A. Last login message B. Password aging C. Minimum password length D. Account expiration

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The last login message displays the last login date and time, allowing a user to discover if their account was used by someone else. Hence, this is rather a detective control. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 63).

QUESTION 207 An employee ensures all cables are shielded, builds concrete walls that extend from the true floor to the true ceiling and installs a white noise generator. What attack is the employee trying to protect against? A. Emanation Attacks B. Social Engineering C. Object reuse D. Wiretaping

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Explanation : Emanation attacks are the act of intercepting electrical signals that radiate from computing equipment. There are several countermeasures including shielding cabling, white noise, control zones, and TEMPEST equipment (this is a Faraday cage around the equipment) The following answers were incorrect: Social Engineering: Social Engineering does not involve hardware. A person make use of his/her social skills in order to trick someone into revealing information they should not disclose. Object Reuse: It is related to the reuse of storage medias. One must ensure that the storage media has been sanitized properly before it would be reuse for other usage. This is very important when computer equipment is discarded or given to a local charity organization. Ensure there is no sensitive data left by degaussing the device or overwriting it multiple times. Wiretapping: It consist of legally or illegally taping into someone else phone line to eavesdrop on their communication. The following reference(s) were/was used to create this question: Shon Harris AIO 4th Edition

QUESTION 163 Another type of access control is lattice-based access control. In this type of control a lattice model is applied. How is this type of access control concept applied? A. The pair of elements is the subject and object, and the subject has an upper bound equal or higher than the upper bound of the object being accessed. B. The pair of elements is the subject and object, and the subject has an upper bound lower then the upper bound of the object being accessed. C. The pair of elements is the subject and object, and the subject has no special upper or lower bound needed within the lattice. D. The pair of elements is the subject and object, and the subject has no access rights in relation to an object.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: In this type of control, a lattice model is applied. To apply this concept to access control, the pair of elements is the subject and object, and the subject has to have an upper bound equal or higher than the object being accessed. WIKIPEDIA has a great explanation as well: In computer security, lattice-based access control (LBAC) is a complex access control based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or organizations). In this type of label-based mandatory access control model, a lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object. Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34 and http://en.wikipedia.org/wiki/Lattice-based_access_control

QUESTION 166 When submitting a passphrase for authentication, the passphrase is converted into ... A. a virtual password by the system. B. a new passphrase by the system. C. a new passphrase by the encryption technology D. a real password by the system which can be used forever.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. It is recommended to use a passphrase instead of a password. A passphrase is more resistant to attacks. The passphrase is converted into a virtual password by the system. Often time the passphrase will exceed the maximum length supported by the system and it must be trucated into a Virtual Password. Reference(s) used for this question: http://www.itl.nist.gov/fipspubs/fip112htm and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37

QUESTION 195 Which of the following can be defined as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences? A. Extensible Authentication Protocol B. Challenge Handshake Authentication Protocol C. Remote Authentication Dial-In User Service D. Multilevel Authentication Protocol.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: RFC 2828 (Internet Security Glossary) defines the Extensible Authentication Protocol as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. It is intended for use primarily by a host or router that connects to a PPP network server via switched circuits or dial- up lines. The Remote Authentication Dial-In User Service (RADIUS) is defined as an Internet protocol for carrying dial-in user's authentication information and configuration information between a shared, centralized authentication server and a network access server that needs to authenticate the users of its network access ports. The other option is a distracter. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000

QUESTION 188 Most access violations are: A. Caused by internal untrained employees B. Caused by internal hackers C. Caused by external hackers D. Related to Internet

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 4: Protection of Information Assets (page 192).

QUESTION 210 You wish to make use of "port knocking" technologies. How can you BEST explain this? A. Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as an authorized client. B. Port knocking is where the user calls the server operator to have him start the service he wants to connect to. C. This is where all the ports are open on the server and the connecting client scans the open port to which he wants to connect to see if it's open and running. D. Port knocking is where the port sequence is encrypted with 3DES and only the server has the other key to decrypt the port sequence.

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The other answers are incorrect The following reference(s) were/was used to create this question: http://www.portknocking.org/

QUESTION 213 You have been approached by one of your clients . They are interested in doing some security re-engineering . The client is looking at various information securitymodels. It is a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications . Of primary concern to them, is the identification of potential covert channel. As an Information Security Professional , which model would you recommend to the client? A. Information Flow Model combined with Bell Lapadula B. Bell Lapadula C. Biba D. Information Flow Model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit the information disclosure exist today, such as access control lists, firewalls, and cryptography. However, although these methods do impose limits on the information that is released by a system, they provide no guarantees about information propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the confidentiality of the data are given once it is decrypted. In low level information flow analysis, each variable is usually assigned a security level. The basic model comprises two distinct levels: low and high, meaning, respectively, publicly observable information, and secret information. To ensure confidentiality, flowing information from high to low variables should not be allowed. On the other hand, to ensure integrity, flows to high variables should be restricted. More generally, the security levels can be viewed as a lattice with information flowing only upwards in the lattice. Noninterference Models This could have been another good answer as it would help in minimizing the damage from covert channels. The goal of a noninterference model is to help ensure that high-level actions (inputs) do not determine what low-level user s can see (outputs ) . Most of the security models presented are secured by permitting restricted flows between high- and low-level users. The noninterference model maintains activities at different security levels to separate these levels from each other. In this way

QUESTION 185 How would nonrepudiation be best classified as? A. A preventive control B. A logical control C. A corrective control. D. A compensating control

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control. Source: STONEBURNER, Gary, NIST Special Publication 800-33: Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology, December 2001, page 7

QUESTION 154 Which access control model was proposed for enforcing access control in government and military applications? A. Bell-LaPadula model B. Biba model C. Sutherland model D. Brewer-Nash model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are concerned with integrity. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 11).

QUESTION 155 Which access control model achieves data integrity through well-formed transactions and separation of duties? A. Clark-Wilson model B. Biba model C. Non-interference model D. Sutherland model

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The Clark-Wilson model differs from other models that are subject- and object- oriented by introducing a third access element programs resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non- interference model is related to the information flow model with restrictions on the information flow. The Sutherland model approaches integrity by focusing on the problem of inference. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12). And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control.

QUESTION 211 Tim is a network administrator of Acme inc. He is responsible for configuring the network devices. John the new security manager reviews the configuration of the Firewall configured by Tim and identifies an issue. This specific firewall is configured in failover mode with another firewall. A sniffer on a PC connected to the same switch as the firewalls can decipher the credentials, used by Tim while configuring the firewalls. Which of the following should be used by Tim to ensure a that no one can eavesdrop on the communication? A. SSH B. SFTP C. SCP D. RSH

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The SSH protocol provides an encrypted terminal session to the remote firewalls. By encrypting the data, it prevents sniffing attacks using a protocol analyzer also called a sniffer. With more and more computers installed in networked environments, it often becomes necessary to access hosts from a remote location. This normally means that a user sends login and password strings for authentication purposes. As long as these strings are transmitted as plain text, they could be intercepted and misused to gain access to that user account without the authorized user even knowing about it. Apart from the fact that this would open all the user's files to an attacker, the illegal account could be used to obtain administrator or root access or to penetrate other systems. In the past, remote connections were established with telnet, which offers no guards against eavesdropping in the form of encryption or other security mechanisms. There are other unprotected communication channels, like the traditional FTP protocol and some remote copying programs. The SSH suite provides the necessary protection by encrypting the authentication strings (usually a login name and a password) and all the other data exchanged between the hosts. With SSH, the data flow could still be recorded by a third party, but the contents are encrypted and cannot be reverted to plain text unless the encryption key is known. So SSH enables secure communications over insecure networks such as the Internet. The following answers are incorrect: SCP and SFTP The SCP protocol is a network protocol that supports file transfers. The SCP protocol, which runs on port 22, is based on the BSD RCP protocol which is tunneled through the Secure Shell (SSH) protocol to provide encrypti

QUESTION 151 Which of the following biometric parameters are better suited for authentication use over a long period of time? A. Iris pattern B. Voice pattern C. Signature dynamics D. Retina pattern

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas. Voice, signature and retina patterns are more likely to change over time, thus are not as suitable for authentication over a long period of time without needing re- enrollment. Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause).

QUESTION 167 In the context of Biometric authentication, what is a quick way to compare the accuracy of devices. In general, the device that have the lowest value would be the most accurate. Which of the following would be used to compare accuracy of devices? A. the CER is used. B. the FRR is used C. the FAR is used D. The FER is used

Correct Answer: A Section: Identity and Access Management Explanation Explanation/Reference: equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate. In the context of Biometric Authentication almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher False Reject Rate (FRR). Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase. Thus, to have a valid measure of the system performance, the CrossOver Error Rate (CER) is used. The following are used as performance metrics for biometric systems:false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. In case of similarity scale, if the person is imposter in real, but the matching score is higher than the threshold, then he is treated as genuine that increase the FAR and hence performance also depends upon the selection of threshold value. false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input is unsuccessful.

QUESTION 244 What is the proper term to refer to a single unit of IP data? A. IP segment. B. IP datagram. C. IP frame. D. IP fragment.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: IP is a datagram based technology. DIFFERENCE BETWEEN PACKETS AND DATAGRAM As specified at: http://en.wikipedia.org/wiki/Packet_(information_technology) In general, the term packet applies to any message formatted as a packet, while the term datagram is generally reserved for packets of an "unreliable" service. A "reliable" service is one that notifies the user if delivery fails, while an "unreliable" one does not notify the user if delivery fails. For example, IP provides an unreliable service. Together, TCP and IP provide a reliable service, whereas UDP and IP provide an unreliable one. All these protocols use packets, but UDP packets are generally called datagrams. If a network does not guarantee packet delivery, then it becomes the host's responsibility to provide reliability by detecting and retransmitting lost packets. Subsequent experience on the ARPANET indicated that the network itself could not reliably detect all packet delivery failures, and this pushed responsibility for error detection onto the sending host in any case. This led to the development of the end-to-end principle, which is one of the Internet's fundamental design assumptions. The following answers are incorrect: IP segment. Is incorrect because IP segment is a detractor, the correct terminology is TCP segment. IP is a datagram based technology. IP frame. Is incorrect because IP frame is a detractor, the correct terminology is Ethernet frame. IP is a datagram based technology. IP fragment. Is incorrect because IP fragment is a detractor. References: Wikipedia http://en.wikipedia.org/wiki/Internet_Protocol

QUESTION 242 The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained within the IP datagram? A. TCP. B. ICMP. C. UDP. D. IGMP.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: If the protocol field has a value of 1 then it would indicate it was ICMP. The following answers are incorrect: TCP. Is incorrect because the value for a TCP protocol would be 6. UDP. Is incorrect because the value for an UDP protocol would be 17. IGMP. Is incorrect because the value for an IGMP protocol would be 2.

QUESTION 234 During an IS audit, one of your auditor has observed that some of the critical servers in your organization can be accessed ONLY by using shared/common user name and password. What should be the auditor's PRIMARY concern be with this approach? A. Password sharing B. Accountability C. Shared account management D. Difficulty in auditing shared account

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The keyword PRIMARY is used in the question. Accountability should be the primary concern if critical servers can be accessed only by using shared user id and password. It would be very difficult to track the changes done by employee on critical server. For your exam you should know the information below: Accountability Ultimately one of the drivers behind strong identification, authentication, auditing and session management is accountability. Accountability is fundamentally about being able to determine who or what is responsible for an action and can be held responsible. A closely related information assurance topic is non-repudiation. Repudiation is the ability to deny an action, event, impact or result. Non-repudiation is the process of ensuring a user may not deny an action. Accountability relies heavily on non-repudiation to ensure users, processes and actions may be held responsible for impacts. The following contribute to ensuring accountability of actions: Strong identification Strong authentication User training and awareness Comprehensive, timely and thorough monitoring Accurate and consistent audit logs Independent audits Policies enforcing accountability Organizational behaviour supporting accountability The following answers are incorrect: The other options are also valid concern. But the primary concern should be accountability. Following reference(s) were/was used to create this question: CISA review manual 2014 Page number 328 and 329Official ISC2 guide to CISSP CBK 3rd Edition Page number 114

QUESTION 240 ICMP and IGMP belong to which layer of the OSI model? A. Datagram Layer. B. Network Layer. C. Transport Layer. D. Data Link Layer.

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP) The following answers are incorrect: Datagram Layer. Is incorrect as a distractor as there is no Datagram Layer. Transport Layer. Is incorrect because it is used to data between applications and uses the TCP and UDP protocols. Data Link Layer. Is incorrect because this layer deals with addressing hardware.

QUESTION 192 Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? A. Using a TACACS+ server. B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. C. Setting modem ring count to at least 5 D. Only attaching modems to non-networked hosts.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Containing the dial-up problem is conceptually easy: by installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet. The use of a TACACS+ Server by itself cannot eliminate hacking. Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modem by dialing long series of numbers. Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked. Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000, Chapter 2: Hackers.

QUESTION 237 Which of the following type of traffic can easily be filtered with a stateful packet filter by enforcing the context or state of the request? A. ICMP B. TCP C. UDP D. IP

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: The question is explict in asking *easily*. With TCP connection establishment there is a distinct state or sequence that can be expected. Consult the references for further details. ICMP, IP and UDP don't have any concept of a session; i.e. each packet or datagram is handled individually, with no reference to the contents of the previous one. With no sessions, these protocols usually cannot be filtered on the state of the session. Some newer firewalls, however, simulate the concept of state for these protocols, and filter out unexpected packets based upon normal usage. Although these are commonly treated like normal stateful filters, they are more complex to program, and hence more prone to errors. A stateful packet filter or stateful inspection inspects each packet and only allows known connection states through. So, if a SYN/ACK packet was recieved and there was not a prior SYN packet sent it would filter that packet and not let it in. The correct sequence of steps are known and if the sequence or state is incorrect then it is dropped. The incorrect answers are: ICMP. ICMP is basically stateless so you could not *easily* filter them based on the state or sequence. UDP. UDP has no real state so you could only partially filter them based on the state or sequence. The question was explicit in asking *easily*. While it is possible, UDP is not the best answer. IP. IP would refer to the Internet Protocol and as such is stateless so you would not be able to filter it out *easily*. The following reference(s) were used for this question: http://www.nwo.net/ipf/ipf-howto.pdf

QUESTION 223 Which of the following is NOT part of user provisioning? A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration

Correct Answer: B Section: Communication and Network Security Explanation Explanation/Reference: User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include electronic mail, access to a database, access to a file server or mainframe, and so on The following answers are all incorrect answers: Creation and deactivation of user accounts Maintenance and deactivation of user objects and attributes Delegating user administration The following reference(s) were/was used to create this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 179). McGraw-Hill . Kindle Edition.

QUESTION 182 Which authentication technique best protects against hijacking? A. Static authentication B. Continuous authentication C. Robust authentication D. Strong authentication

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: A continuous authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. This is the best protection against hijacking. Static authentication is the type of authentication provided by traditional password schemes and the strength of the authentication is highly dependent on the difficulty of guessing passwords. The robust authentication mechanism relies on dynamic authentication data that changes with each authenticated session between a claimant and a verifier, and it does not protect against hijacking. Strong authentication refers to a two-factor authentication (like something a user knows and something a user is). Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3: Secured Connections to External Networks (page 51).

QUESTION 157 Which of the following are additional access control objectives? A. Consistency and utility B. Reliability and utility C. Usefulness and utility D. Convenience and utility

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Availability assures that a system's authorized users have timely and uninterrupted access to the information in the system. The additional access controlobjectives are reliability and utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to these threats, and the risk that the threat may materialize Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32

QUESTION 209 Business Impact Analysis (BIA) is about A. Technology B. Supporting the mission of the organization C. Due Care D. Risk Assessment

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Business impact analysis is not about technology ; it is about supporting the mission of the organization. The following answers are incorrect: Technololgy Due Care Risk Assessment The following reference(s) were/was used to create this question: Information Security Management Handbook , Sixth Edition by Tipton & Al page 321

QUESTION 186 What are cognitive passwords? A. Passwords that can be used only once. B. Fact or opinion-based information used to verify an individual's identity. C. Password generators that use a challenge response scheme. D. Passphrases.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Cognitive passwords are fact or opinion-based information used to verify an individual's identity. Passwords that can be used only once are one-time or dynamic passwords. Password generators that use a challenge response scheme refer to token devices. A passphrase is a sequence of characters that is longer than a password and is transformed into a virtual password. Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 2), /Documents/CISSP_Summary_2002/ index.html.

QUESTION 175 Ensuring least privilege does not require: A. Identifying what the user's job is. B. Ensuring that the user alone does not have sufficient rights to subvert an important process. C. Ensuring that the user alone does not have sufficient rights to subvert an important process. D. Restricting the user to required privileges and nothing more.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Ensuring that the user alone does not have sufficient rights to subvert an important process is a concern of the separation of duties principle and it does not concern the least privilege principle. Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 33).

QUESTION 161 In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on: A. The societies role in the organization B. The individual's role in the organization C. The group-dynamics as they relate to the individual's role in the organization D. The group-dynamics as they relate to the master-slave role in the organization

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In Non-Discretionary Access Control, when Role Based Access Control is being used, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual's role in the organization. Reference(S) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 172 What is an error called that causes a system to be vulnerable because of the environment in which it is installed? A. Configuration error B. Environmental error C. Access validation error D. Exceptional condition handling error

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In an environmental error, the environment in which a system is installed somehow causes the system to be vulnerable. This may be due, for example, to an unexpected interaction between an application and the operating system or between two applications on the same host. A configuration error occurs when user controllable settings in a system are set such that the system is vulnerable. In an access validation error, the system is vulnerable because the access control mechanism is faulty. In an exceptional condition handling error, the system somehow becomes vulnerable due to an exceptional condition that has arisen. Source: DUPUIS, Clement, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 106).

QUESTION 162 In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because: A. people need not use discretion B. the access controls are based on the individual's role or title within the organization. C. the access controls are not based on the individual's role or title within the organization D. the access controls are often based on the individual's role or title within the organization

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: In an organization where there are frequent personnel changes, non-discretionary access control (also called Role Based Access Control) is useful because the access controls are based on the individual's role or title within the organization. You can easily configure a new employee acces by assigning the user to a role that has been predefine. The user will implicitly inherit the permissions of the role by being a member of that role. These access permissions defined within the role do not need to be changed whenever a new person takes over the role. Another type of non-discretionary access control model is the Rule Based Access Control (RBAC or RuBAC) where a global set of rule is uniformly applied to all subjects accessing the resources. A good example of RuBAC would be a firewall. This question is a sneaky one, one of the choice has only one added word to it which is often. Reading questions and their choices very carefully is a must for the real exam. Reading it twice if needed is recommended. Shon Harris in her book list the following ways of managing RBAC: Role-based access control can be managed in the following ways: Non-RBAC Users are mapped directly to applications and no roles are used. (No roles being used) Limited RBAC Users are mapped to multiple roles and mapped directly to other types of applications that do not have role-based access functionality. (A mix of roles for applications that supports roles and explicit access control would be used for applications that do not support roles) Hybrid RBAC Users are mapped to multiapplication roles with only selected rights assigned to those roles. Full RBAC Users are mapped to enterprise roles. (Roles are used for all access being granted) NIST defines RBAC as: Security

QUESTION 200 Pin, Password, Passphrases, Tokens, smart cards, and biometric devices are all items that can be used for Authentication. When one of these item listed above in conjunction with a second factor to validate authentication, it provides robust authentication of the individual by practicing which of the following? A. Multi-party authentication B. Two-factor authentication C. Mandatory authentication D. Discretionary authentication

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Once an identity is established it must be authenticated. There exist numerous technologies and implementation of authentication methods however they almost all fall under three major areas. There are three fundamental types of authentication: Authentication by knowledge--something a person knows Authentication by possession--something a person has Authentication by characteristic--something a person is Logical controls related to these types are called "factors." Something you know can be a password or PIN, something you have can be a token fob or smart card, and something you are is usually some form of biometrics. Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is the combination of all three factors. The general term for the use of more than one factor during authentication is multifactor authentication or strong authentication. Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 2367-2379). Auerbach Publications. Kindle Edition.

QUESTION 165 Passwords can be required to change monthly, quarterly, or at other intervals: A. depending on the criticality of the information needing protection B. depending on the criticality of the information needing protection and the password's frequency of use. C. depending on the password's frequency of use. not depending on the criticality of the information D. needing protection but depending on the password's frequency of use.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37q

QUESTION 216 You are a security consultant who is required to perform penetration testing on a client's network. During penetration testing, you are required to use a compromised system to attack other systems on the network to avoid network restrictions like firewalls. Which method would you use in this scenario: A. Black box Method B. Pivoting method C. White Box Method. D. Grey Box Method

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Pivoting refers to method used by penetration testers that uses compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping. Pivoting can further be distinguished into proxy pivoting and VPN pivoting: Proxy pivoting generally describes the practice channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from this computer.[1] This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy. VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic through that target machine, for example to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if they were behind the firewall. Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the payload (software) of an exploit. The following answers are incorrect: Black Box Method Black-box testing is a method of software testing that tests the functionality of an application as opposed to its internal structures or workings (see white-box testing). Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is only aware of what the software is supposed to do, but not how

QUESTION 190 Which of following is not a service provided by AAA servers (Radius, TACACS and DIAMETER)? A. Authentication B. Administration C. Accounting D. Authorization

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Radius, TACACS and DIAMETER are classified as authentication, authorization, and accounting (AAA) servers. Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Page 33 also see: The term "AAA" is often used, describing cornerstone concepts [of the AIC triad] Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification which is required before the three "A's" can follow. Identity is a claim, Authentication proves an identity, Authorization describes the action you can perform on a system once you have been identified and authenticated, and accountability holds users accountable for their actions. Reference: CISSP Study Guide, Conrad Misenar, Feldman p. 10-11, (c) 2010 Elsevier.

QUESTION 208 The best technique to authenticate to a system is to: A. Establish biometric access through a secured server or Web site. B. Ensure the person is authenticated by something he knows and something he has. C. Maintain correct and accurate ACLs (access control lists) to allow access to applications. D. Allow access only through user ID and password.

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Something you know and something you have is two authentication factors and is better than a single authentication factor. Strong Authentication or Two Factor Authentication is widely accepted as the best practice for authentication. There are three type of authentication factors: Type 1 - Something you know (password, pin) Type 2 - Something you have (token, smart card, magnetic card) Type 3 - Something you are (biometics) Whenever two of the three types of factors are used together, this is called strong authentication or two factors authentication The following answers are incorrect: Establish biometric access through a secured server or Web site: This is a single factor authentication and it could be weaker than two factors, in most cases it is . Biometric devices can be tricked or circumvented in some cases, this is why they MUST be supplemented with a second factor of authentication. Multiple attacks have been done on different types of biometric devices. Two factors is always the best to authenticate a user.Maintain correct and accurate ACLs (access control lists) to allow access to applications: ACL are attached to objects. They are used within the access control matrix to define what level of access each of the subjects have on the object. It is a column within the Access Control matrix. This is related to authorization and not authentication. Allow access only through user ID and password: This is once again a single factor of authentication because both are something the person knows.

QUESTION 199 An access system that grants users only those rights necessary for them to perform their work is operating on which security principle? A. Discretionary Access B. Least Privilege C. Mandatory Access D. Separation of Duties

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 205 Which of the following best describes an exploit? A. An intentional hidden message or feature in an object such as a piece of software or a movie. B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software C. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer D. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: The following answers are incorrect: An intentional hidden message or feature in an object such as a piece of software or a movie. This is the definition of an "Easter Egg" which is code within code. A good example of this was a small flight simulator that was hidden within Microsoft Excel. If you know which cell to go to on your spreadsheet and the special code to type in that cell, you were able to run the flight simulator. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer This is the definition of a "Buffer Overflow". Many pieces of exploit code may contain some buffer overflow code but considering all the choices presented this was not the best choice. It is one of the vulnerability that the exploit would take care of if no data input validation is taking place within the software that you are targeting. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system This is the definition of a "System Crash". Such behavior might be the result of exploit code being launched against the target. The following reference(s) were/was used to create this question: http://en.wikipedia.org/wiki/Main_Page and The official CEH courseware Version 6 Module 1 The Official CEH Courseware Version 7 Module 1

QUESTION 214 Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port? A. Allow the packet to be processed by the network and record the event B. Record selected information about the packets and drop the packets C. Resolve the destination address and process the packet D. Translate the source address and resend the packet

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: This question refers specificly to the LAND Attack. This question is testing your ability to recognize common attacks such as the Land Attack and also your understanding of what would be an acceptable action taken by your Intrusion Detection System. You must remember what is a LAND ATTACK for the purpose of the exam. You must also remember that an IDS is not only a passive device. In the context of the exam it is considered an active device that is MOSTLY passive. It can take some blocking actions such as changing a rule on a router or firewall for example. In the case of the Land Attack and this specific question. It must be understand that most Operating System TCP/IP stack today would not be vulnerable to such attack. Many of the common firewall could also drop any traffic with same Source IP/Port as the Destination IP/Port as well. So there is multiple layers where such an attack could be stopped. The downfall of IDS compared with IPS is the fact they are usually reacting after the packets have been sent over the network. A single packet attack should as the Land Attack could be detected but would still complete and affect the destination target. This is where IPS could come into play and stop the attack before it completes. Techtarget on their SearchSecurity website has the following definition for this type of attack: A land attack is a remote denial-of-service (DOS) attack caused by sending a packet to a machine with the source host/port the same as the destination host/port. This is a rather old attack and current patches should stop them for most systems. This is one of the attacks you are expected to know within the CBK. This question mention specifically what would the reaction of the IDS be? The choices presented an

QUESTION 171 Which of the following tools is less likely to be used by a hacker? A. l0phtcrack B. Tripwire C. OphCrack D. John the Ripper

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: Tripwire is an integrity checking product, triggering alarms when important files (e.g. system or configuration files) are modified. This is a tool that is not likely to be used by hackers, other than for studying its workings in order to circumvent it. Other programs are password-cracking programs and are likely to be used by security administrators as well as by hackers. More info regarding Tripwire available on the Tripwire, Inc. Web Site. NOTE: The biggest competitor to the commercial version of Tripwire is the freeware version of Tripwire. You can get the Open Source version of Tripwire at the following URL: http://sourceforge.net/projects/tripwire/

QUESTION 180 What is considered the most important type of error to avoid for a biometric access control system? A. Type I Error B. Type II Error C. Combined Error Rate D. Crossover Error Rate

Correct Answer: B Section: Identity and Access Management Explanation Explanation/Reference: When a biometric system is used for access control, the most important error is the false accept or false acceptance rate, or Type II error, where the system would accept an impostor. A Type I error is known as the false reject or false rejection rate and is not as important in the security context as a type II error rate. A type one is when a valid company employee is rejected by the system and he cannot get access even thou it is a valid user. The Crossover Error Rate (CER) is the point at which the false rejection rate equals the false acceptance rate if your would create a graph of Type I and Type II errors. The lower the CER the better the device would be. The Combined Error Rate is a distracter and does not exist. Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 10).

QUESTION 245 A packet containing a long string of NOP's followed by a command is usually indicative of what? A. A syn scan. B. A half-port scan. C. A buffer overflow attack. D. A packet destined for the network's broadcast address.

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: A series of the same control, hexidecimal, characters imbedded in the string is usually an indicator of a buffer overflow attack. A NOP is a instruction which does nothing (No Operation - the hexadecimal equivalent is 0x90) The following answers are incorrect: A syn scan. This is incorrect because a SYN scan is when a SYN packet is sent to a specific port and the results are then analyzed. A half-port scan. This is incorrect because the port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed. Also known as a Half Open Port scan. A packet destined for the network's broadcast address. This is incorrect because this type of packet would not contain a long string of NOP characters.

QUESTION 246 In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network? A. The first bit of the IP address would be set to zero. B. The first bit of the IP address would be set to one and the second bit set to zero. C. The first two bits of the IP address would be set to one, and the third bit set to zero. D. The first three bits of the IP address would be set to one.

Correct Answer: C Section: Communication and Network Security Explanation Explanation/Reference: Each Class C network address has a 24-bit network prefix, with the three highest order bits set to 1-1-0 The following answers are incorrect: The first bit of the IP address would be set to zero. Is incorrect because, this would be a Class A network address. The first bit of the IP address would be set to one and the second bit set to zero. Is incorrect because, this would be a Class B network address . The first three bits of the IP address would be set to one. Is incorrect because, this is a distractor. Class D & E have the first three bits set to 1. Class D the 4th bit is 0 and for Class E the 4th bit to 1. Classless Internet Domain Routing (CIDR) High Order bits are shown in bold below. For Class A, the addresses are 0.0.0.0 - 127.255.255.255 The lowest Class A address is represented in binary as 00000000.00000000.0000000.00000000 For Class B networks, the addresses are 128.0.0.0 - 191.255.255.255. The lowest Class B address is represented in binary as 10000000.00000000.00000000.00000000 For Class C, the addresses are 192.0.0.0 - 223.255.255.255 The lowest Class C address is represented in binary as 11000000.00000000.00000000.00000000 For Class D, the addresses are 224.0.0.0 - 239.255.255.255 (Multicast) The lowest Class D address is represented in binary as 11100000.00000000.00000000.00000000 For Class E, the addresses are 240.0.0.0 - 255.255.255.255 (Reserved for future usage) The lowest Class E address is represented in binary as 11110000.00000000.00000000.00000000 Classful IP Address Format References: 3Com http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf AIOv3 Telecommunications and Networking Security (page 438)

QUESTION 179 What is the most critical characteristic of a biometric identifying system? A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Scalability

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Accuracy is the most critical characteristic of a biometric identifying verification system. Accuracy is measured in terms of false rejection rate (FRR, or type I errors) and false acceptance rate (FAR or type II errors). The Crossover Error Rate (CER) is the point at which the FRR equals the FAR and has become the most important measure of biometric system accuracy. Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 9).

QUESTION 194 An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization is known as a(n): A. active attack. B. outside attack. C. inside attack. D. passive attack.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: An inside attack is an attack initiated by an entity inside the security perimeter, an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization whereas an outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system. An active attack attempts to alter system resources to affect their operation and a passive attack attempts to learn or make use of the information from the system but does not affect system resources. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000

QUESTION 158 Controls are implemented to: A. eliminate risk and reduce the potential for loss B. mitigate risk and eliminate the potential for loss C. mitigate risk and reduce the potential for loss D. eliminate risk and eliminate the potential for loss

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks. It is not feasible and possible to eliminate all risks and the potential for loss as risk/threats are constantly changing. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32

QUESTION 159 Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct? A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision. B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols. C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols. D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33

QUESTION 203 Which of the following describes the sequence of steps required for a Kerberos session to be established between a user (Principal P1), and an application server (Principal P2)? A. Principals P1 and Principals P2 authenticate to the Key Distribution Center (KDC), B. Principal P1 receives a Ticket Granting Ticket (TGT), and then Principal P2 requests a service ticket from the KDC. C. Principal P1 authenticates to the Key Distribution Center(KDC), Principal P1 receives a Ticket Granting Ticket (TGT), and Principal P1 requests a service ticket from the Ticket Granting Service (TGS) in order to access the application server P2 D. Principal P1 authenticates to the Key Distribution Center (KDC), E. Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and then Principal P1 requests a service ticket from the application server P2 F. Principals P1 and P2 authenticate to the Key D

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Principles P1 and P2 authenticate to the Key Distribution Center (KDC), principle P1 receives a Ticket Granting Ticket (TGT), and principle P2 requests a service ticket from the KDC. The principle P2 does not request a service ticket. P1 would request a service ticket. Principles P1 and P2 authenticate to the Key Distribution Center (KDC), principle P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and application server P2 requests a service ticket from P1 A request by P1 to access P2 will fail without a service ticket, but this is not the best answer.Principle P1 authenticates to the Key Distribution Center (KDC), principle P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and principle P1 requests a service ticket from the application server P2 The request for a service ticket is made to the KDC, not to P2 P2 does not proxy authentication requests for the principle P1 The following reference(s) were/was used to create this question: Sybex CISSP Study Guide, Third Edition. pg 21 Kerberos logon process: User types in username and password, a symmetric key is derive from the password, the user sends a Kerberos Authentication requrest to KDC, which returns a TGT showing the user was identified. "1) The client sends its TGT back to Ticket Granting Service (TGS) on the KDC with request for access to a server or service" "3) A service ticket (ST) is granted and sent to the client. The service ticket includes a session key encrypted with the client symmetric key and also encrypted with the service or server symmetric key" "4) The client sends the ST to the server or service host."

QUESTION 153 Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure? A. Access control lists B. Discretionary access control C. Role-based access control D. Non-mandatory access control

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list (ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users' access. Non- mandatory access control is not a defined access control technique. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 9).

QUESTION 212 Tim's day to day responsibilities include monitoring health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets? A. UDP B. SNMP V1 C. SNMP V3 D. SNMP V2

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP V3 Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology. SNMPv3 primarily added security and remote configuration enhancements to SNMP. Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used. SNMPv3 provides important security features: Confidentiality - Encryption of packets to prevent snooping by an unauthorized source. Integrity - Message integrity to ensure that a packet has not been tampered with in transit including an optional packet replay protection mechanism. Authentication - to verify that the message is from a valid source. The following answers are incorrect: UDP SNMP can make use of the User Datagram Protocol (UDP) protocol but the UDP protocol by itself is not use for network monitoring. SNMP V1 SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates over

QUESTION 197 What is the PRIMARY use of a password? A. Allow access to files. B. Identify the user. C. Authenticate the user. D. Segregate various user's accesses.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 198 The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something: A. you need. B. you read. C. you are. D. you do.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 193 In the Bell-LaPadula model, the Star-property is also called: A. The simple security property B. The confidentiality property C. The confinement property D. The tranquility property

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Bell-LaPadula model focuses on data confidentiality and access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects. The notion of a "secure state" is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby proving that the system satisfies the security objectives of the model. The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another state is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy. To determine whether a specific access mode is allowed, the clearance of a subject is compared to the classification of the object (more precisely, to the combination of classification and set of compartments, making up the security level) to determine if the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties: The Simple Security Property - a subject at a given security level may not read an object at a higher security level (no read-up). The *-property (read "star"-property) - a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property. The Discretionary Security Property -

QUESTION 189 Which of the following biometrics devices has the highest Crossover Error Rate (CER)? A. Iris scan B. Hand geometry C. Voice pattern D. Fingerprints

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Crossover Error Rate (CER) is the point where false rejection rate (type I error) equals the false acceptance rate (type II error). The lower the CER, the better the accuracy of the device. At the time if this writing, response times and accuracy of some devices are: System type Response time Accuracy (CER) Fingerprints 5-7 secs. 5% Hand Geometry 3-5 secs. 2% Voice Pattern 10-14 secs. 10% Retina Scan 4-7 secs. 15% Iris Scan 25-4 secs. 05% The term EER which means Equal Error Rate is sometimes use instead of the term CER. It has the same meaning. Source: Chris Hare's CISSP Study Notes on Physical Security, based on ISC2 CBK document. Available at http://www.ccure.org.

QUESTION 187 Which of the following Kerberos components holds all users' and services' cryptographic keys? A. The Key Distribution Service B. The Authentication Service C. The Key Distribution Center D. The Key Granting Service

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The Key Distribution Center (KDC) holds all users' and services' cryptographic keys. It provides authentication services, as well as key distribution functionality. The Authentication Service is the part of the KDC that authenticates a principal. The Key Distribution Service and Key Granting Service are distracters and are not defined Kerberos components. Source: WALLHOFF, John, CISSP Summary 2002, April 2002, CBK#1 Access Control System & Methodology (page 3), /Documents/CISSP_Summary_2002/ index.html.

QUESTION 191 Which of the following protocol was used by the INITIAL version of the Terminal Access Controller Access Control System TACACS for communication between clients and servers? A. TCP B. SSL C. UDP D. SSH

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The original TACACS, developed in the early ARPANet days, had very limited functionality and used the UDP transport. In the early 1990s, the protocol was extended to include additional functionality and the transport changed to TCP. TACACS is defined in RFC 1492, and uses (either TCP or UDP) port 49 by default. TACACS allows a client to accept a username and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. TACACSD uses TCP and usually runs on port 49 It would determine whether to accept or deny the authentication request and send a response back. TACACS+ TACACS+ and RADIUS have generally replaced TACACS and XTACACS in more recently built or updated networks. TACACS+ is an entirely new protocol and isnot compatible with TACACS or XTACACS. TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). Since TCP is connection oriented protocol, TACACS+ does not have to implement transmission control. RADIUS, however, does have to detect and correct transmission errors like packet loss, timeout etc. since it rides on UDP which is connectionless. RADIUS encrypts only the users' password as it travels from the RADIUS client to RADIUS server. All other information such as the username, authorization, accounting are transmitted in clear text. Therefore it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol. RADIUS and TACACS + are client/ server protocols, which means the server portion cannot send unsolicited commands to the client portion. The server portion can only speak when spoken to. Diameter is a peer-b

QUESTION 168 The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of: A. 100 subjects per minute. B. 25 subjects per minute. C. 10 subjects per minute. D. 50 subjects per minute.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of 10 subjects per minute. Things that may impact the throughput rate for some types of biometric systems may include: A concern with retina scanning systems may be the exchange of body fluids on the eyepiece. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38

QUESTION 206 A smart Card that has two chips with the Capability of utilizing both Contact and Contactless formats is called: A. Contact Smart Cards B. Contactless Smart Cards C. Hybrid Cards D. Combi Cards

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: This is a contactless smart card that has two chips with the capability of utilizing both contact and contactless formats. Two additional categories of cards are dual-interface cards and hybrid cards which is mentioned above. Hybrid Card A hybrid card has two chips, one with a contact interface and one with a contactless interface. The two chips are not interconnected. Dual-Interface card Do not confuse this card with the Hybrid Card. This one has only one chip. A dual-interface card has a single chip with both contact and contactless interfaces. With dual-interface cards, it is possible to access the same chip using either a contact or contactless interface with a very high level of security. Inner working of the cards The chips used in all of these cards fall into two categories as well: microcontroller chips and memory chips. A memory chip is like a small floppy disk with optional security. Memory chips are less expensive than microcontrollers but with a corresponding decrease in data management security. Cards that use memory chips depend on the security of the card reader for processing and are ideal for situations that require low or medium security. A microcontroller chip can add, delete, and otherwise manipulate information in its memory. A microcontroller is like a miniature computer, with an input/output port, operating system, and hard disk. Smart cards with an embedded microcontroller have the unique ability to store large amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures) and interact intelligently with a smart card reader. The selection of a particular card technology is driven by a variety of issues, including: Application dynamics Prevailing market infrastructure Eco

QUESTION 177 Which of the following does not apply to system-generated passwords? A. Passwords are harder to remember for users. B. If the password-generating algorithm gets to be known, the entire system is in jeopardy. C. Passwords are more vulnerable to brute force and dictionary attacks. D. Passwords are harder to guess for attackers.

Correct Answer: C Section: Identity and Access Management Explanation Explanation/Reference: Users tend to choose easier to remember passwords. System-generated passwords can provide stronger, harder to guess passwords. Since they are based on rules provided by the administrator, they can include combinations of uppercase/lowercase letters, numbers and special characters, making them less vulnerable to brute force and dictionary attacks. One danger is that they are also harder to remember for users, who will tend to write them down, making them more vulnerable to anyone having access to the user's desk. Another danger with system-generated passwords is that if the password-generating algorithm gets to be known, the entire system is in jeopardy. Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 64).

QUESTION 201 Legacy single sign on (SSO) is: A. Technology to allow users to authenticate to every application by entering the same user ID and password each time, thus having to remember only a single password. B. Technology to manage passwords consistently across multiple platforms, enforcing policies such as password change intervals. C. A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications. D. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry standard single sign on mechanism.

Correct Answer: C Section: Identity and Access ManagementExplanation Explanation/Reference: A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications. The following answers are incorrect: Technology to allow users to authenticate to every application by entering the same user ID and password each time, thus having to remember only a single password. This is a detractor. Note that it is not even a descripton of SSO, because the user is entering user ID and password for EACH access attempt. Technology to manage passwords consistently across multiple platforms, enforcing policies such as password change intervals. This is a good description for Identity Management Password Management system, but not for Legacy SSO. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry standard single sign on mechanism. This is a detractor. The following reference(s) were/was used to create this question: Official (ISC)2 Guide to the CISSP CBK 2007, pg 176: "many legacy systems do not support an external means to identify and authenticate users. Therefore, it is possible to store the credentials outside of the various applications and have them automatically entered on behalf of the user when an application is launched."

QUESTION 170 Which of the following would be an example of the best password? A. golf001 B. Elizabeth C. T1me4g0lF D. password

Correct Answer: CSection: Identity and Access Management Explanation Explanation/Reference: The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfil both criteria is to use two small unrelated words or phonemes, ideally with upper and lower case characters, a special character, and/or a number. Shouldn't be used: common names, DOB, spouse, phone numbers, words found in dictionaries or system defaults. Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1

QUESTION 232 Which of the following attack is also known as Time of Check(TOC)/Time of Use(TOU)? A. Eavesdropping B. Traffic analysis C. Masquerading D. Race Condition

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: A Race Condition attack is also known as Time of Check(TOC)/Time of Use(TOU). A race condition is when processes carry out their tasks on a shared resource in an incorrect order. A race condition is possible when two or more processes use a shared resource, as in data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its task on the data before process 1, the result will be much different than if process1 carried out its tasks on the data before process 2 In software, when the authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step. This would be a flaw in the software that the attacker has figured out how to exploit. A race condition occurs when two or more processes use the same resource and the sequences of steps within the software can be carried out in an improper order, something that can drastically affect the output. So, an attacker can force the authorization step to take place before the authentication step and gain unauthorized access to a resource. The following answers are incorrect: Eavesdropping - is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to matters that concern them." Traffic analysis - is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even

QUESTION 231 During an IS audit, auditor has observed that authentication and authorization steps are split into two functions and there is a possibility to force the authorization step to be completed before the authentication step. Which of the following technique an attacker could user to force authorization step before authentication? A. Eavesdropping B. Traffic analysis C. Masquerading D. Race Condition

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: A race condition is when processes carry out their tasks on a shared resource in an incorrect order. A race condition is possible when two or more processes use a shared resource, as in data within a variable. It is important that the processes carry out their functionality in the correct sequence. If process 2 carried out its taskon the data before process 1, the result will be much different than if process1 carried out its tasks on the data before process 2 In software, when the authentication and authorization steps are split into two functions, there is a possibility an attacker could use a race condition to force the authorization step to be completed before the authentication step. This would be a flaw in the software that the attacker has figured out how to exploit. A race condition occurs when two or more processes use the same resource and the sequences of steps within the software can be carried out in an improper order, something that can drastically affect the output. So, an attacker can force the authorization step to take place before the authentication step and gain unauthorized access to a resource. The following answers are incorrect: Eavesdropping - is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary. This is commonly thought to be unethical and there is an old adage that "eavesdroppers seldom hear anything good of themselves...eavesdroppers always try to listen to matters that concern them." Traffic analysis - is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the great

QUESTION 243 The IP header contains a protocol field. If this field contains the value of 2, what type of data is contained within the IP datagram? A. TCP. B. ICMP. C. UDP. D. IGMP.

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: If the protocol field has a value of 2 then it would indicate it was IGMP. The following answers are incorrect: TCP. Is incorrect because the value for a TCP protocol would be 6. UDP. Is incorrect because the value for an UDP protocol would be 17. ICMP. Is incorrect because the value for an ICMP protocol would be 1.

QUESTION 228 Which of the following is NOT a disadvantage of Single Sign On (SSO)? A. Support for all major operating system environment is difficult B. The cost associated with SSO development can be significant C. SSO could be single point of failure and total compromise of an organization asset D. SSO improves an administrator's ability to manage user's account and authorization to all associated system

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: Single sign-on (SSO)is a Session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. SSO Advantages include - Multiple passwords are no longer required - It improves an administrator's ability to manage user's accounts and authorization to all associated systems - It reduces administrative overhead in resetting forgotten password over multiple platforms and applications - It reduces time taken by users to logon into multiple application and platform SSO Disadvantages include - Support for all major operating system is difficult - The cost associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary - The centralize nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information asset. The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 332

QUESTION 239 How do you distinguish between a bridge and a router? A. A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to. B. "Bridge" and "router" are synonyms for equipment used to join two networks. C. The bridge is a specific type of router used to connect a LAN to the global Internet. D. The bridge connects multiple networks at the data link layer, while router connects multiple networks at the network layer.

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: The following answers are incorrect: A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to. Is incorrect because both forward packets this is not distinctive enough. "Bridge" and "router" are synonyms for equipment used to join two networks. Is incorrect because the two are unique and operate at different layers of the OSI model. The bridge is a specific type of router used to connect a LAN to the global Internet. Is incorrect because a bridge does not connect a LAN to the global internet, but connects networks together creating a LAN.

QUESTION 230 Which of the following is NOT an example of a detective control? A. System Monitor B. IDS C. Monitor detector D. Backup data restore

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: The word NOT is used as a keyword in the question. You need to find out a security control from an given options which in not detective control. Backup data restore is a corrective control and not a detective control. For your exam you should know below information about different security controls Deterrent Controls Deterrent Controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, and it reduces the likelihood they will attemp

QUESTION 219 Which of the following is most appropriate to notify an internal user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement

Correct Answer: D Section: Communication and Network Security Explanation Explanation/Reference: This is a tricky question, the keyword in the question is Internal users. There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous/external users. Internal users should always have a written agreement first, then logon banners serve as a constant reminder. Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system, who is authorized and unauthorized, and if it is an unauthorized user then he is fully aware of trespassing. Anonymous/External users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.References used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 50 and Shon Harris, CISSP All-in-one, 5th edition, pg 873

QUESTION 152 Which of the following is required in order to provide accountability? A. Authentication B. Integrity C. Confidentiality D. Audit trails

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Accountability can actually be seen in two different ways: 1) Although audit trails are also needed for accountability, no user can be accountable for their actions unless properly authenticated. 2) Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate laws. Banners at the log-on time should notify the user of any monitoring that is being conducted. The point is that unless you employ an appropriate auditing mechanism, you don't have accountability. Authorization only gives a user certain permissions on the network. Accountability is far more complex because it also includes intrusion detection, unauthorized actions by both unauthorized users and authorized users, and system faults. The audit trail provides the proof that unauthorized modifications by both authorized and unauthorized users took place. No proof, No accountability. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 50 The Shon Harris AIO book, 4th Edition, on Page 243 also states: Auditing Capabilities ensures users are accountable for their actions, verify that the secutiy policies are enforced, and can be used as investigation tools. Accountability is tracked by recording user, system, and application ac

QUESTION 183 Which of the following is not a security goal for remote access? A. Reliable authentication of users and systems B. Protection of confidential data C. Easy to manage access control to systems and network resources D. Automated login for remote users

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: An automated login function for remote users would imply a weak authentication, thus certainly not a security goal. Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th edition, volume 2, 2001, CRC Press, Chapter 5: An Introduction to Secure Remote Access (page 100).

QUESTION 202 Identity Management solutions include such technologies as Directories services, Single Sign-On and Web Access management. There are many reasons for management to choose an identity management solution. Which of the following is a key management challenge regarding identity management solutions? A. Increasing the number of points of failures. B. Users will no longer be able to "recycle" their password for different applications. C. Costs increase as identity management technologies require significant resources. D. It must be able to scale to support high volumes of data and peak transaction rates.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Any identity management system used in an environment where there are tens of thousands of users must be able to scale to support the volumes of data and peak transaction rates. The following answers are incorrect: Increasing number of points of failures. This is actually a potential negative impact of not implementing an identity management solution. Identity management is meant to decrease cost and inefficiencies that organizations struggle with so that failures can be managed more efficiently. Users will no longer be able to "recycle" their password for different applications. This is actually a function of an effective password management system. Consistency and efficiency are maintained by minimizing unique user authentication requirements. Costs increase as identity management technologies require significant resources. On the contrary, "When users access multiple systems, they may be presented with multiple log-in IDs, multiple passwords, and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs The following reference(s) were/was used to create this question: ISC2 Official Guide to the CISSP CBK 2007, pg 173 "Key management challenges regarding identity management solutions are:" [consistency, efficiency, usability, reliabliity and scalability.] "Scalability: Enterprises manage user profile data for large numbers of people. There are typically tens of thousands of internal users, and hundreds or thousands of partners or clients."

QUESTION 156 This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario? A. Excessive Rights B. Excessive Access C. Excessive Permissions D. Excessive Privileges

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Even thou all 4 terms are very close to each other, the best choice is Excessive Privileges which would include the other three choices presented. Reference(s) used for this question: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645 and

QUESTION 184 Which of the following questions is less likely to help in assessing identification and authentication controls? A. Is a current list maintained and approved of authorized users and their access? B. Is a current list maintained and approved of authorized users and their access? C. Are inactive user identifications disabled after a specified period of time? D. Is there a process for reporting incidents?

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. Reporting incidents is more related to incident response capability (operational control) than to identification and authentication (technical control). Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A- 30 to A-32).

QUESTION 215 What is the BEST definition of SQL injection. A. SQL injection is a database problem. B. SQL injection is a web Server problem. C. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch. D. SQL injection is an input validation problem.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: SQL injection is execution of unexpected SQL in the database as a result of unsanitized user input being accepted and used in the application code to form the SQL statement.It is a coding problem which affects inhouse, open source and commercial software. The following answers are incorrect: SQL injection is a database problem.SQL injection is a web Server problem. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch. The following reference(s) were/was used to create this question: https://security.berkeley.edu/sites/default/files/uploads/SQLi_Prevention.pdf (page 9 and 10)

QUESTION 196 What is the name of the first mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access? A. Clark and Wilson Model B. Harrison-Ruzzo-Ullman Model C. Rivest and Shamir Model D. Bell-LaPadula Model

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

QUESTION 181 How can an individual/person best be identified or authenticated to prevent local masquerading attacks? A. User Id and password B. Smart card and PIN code C. Two-factor authentication D. Biometrics

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure that you do identify the person, however they are not perfect and they would have to be supplemented by another factor. Some people are getting thrown off by the term Masquarade. In general, a masquerade is a disguise. In terms of communications security issues, a masquerade is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well. A UserId only provides for identification. A password is a weak authentication mechanism since passwords can be disclosed, shared, written down, and more.A smart card can be stolen and its corresponding PIN code can be guessed by an intruder. A smartcard can be borrowed by a friend of yours and you would have no clue as to who is really logging in using that smart card. Any form of two-factor authentication not involving biometrics cannot be as reliable as a biometric system to identify the person. See an extract below from the HISM book volume 1 Biometric identifying verification systems control people. If the person with the correct hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage,

QUESTION 174 Why would anomaly detection IDSs often generate a large number of false positives? A. Because they can only identify correctly attacks they already know about. B. Because they are application-based are more subject to attacks. C. Because they can't identify abnormal behavior. D. Because normal patterns of user and system behavior can vary wildly.

Correct Answer: D Section: Identity and Access Management Explanation Explanation/Reference: Unfortunately, anomaly detectors and the Intrusion Detection Systems (IDS) based on them often produce a large number of false alarms, as normal patterns of user and system behavior can vary wildly. Being only able to identify correctly attacks they already know about is a characteristic of misuse detection (signature- based) IDSs. Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. They are more vulnerable to attacks than host-based IDSs. Not being able to identify abnormal behavior would not cause false positives, since they are not identified. Source: DUPUIS, Cl?ment, Access Control Systems and Methodology CISSP Open Study Guide, version 10, march 2002 (page 92).

QUESTION 233 Which of the following biometrics methods provides the HIGHEST accuracy and is LEAST accepted by users? A. Palm Scan B. Hand Geometry C. Fingerprint D. Retina scan

Correct Answer: DSection: Communication and Network Security Explanation Explanation/Reference: Retina based biometric involves analyzing the layer of blood vessels situated at the back of the eye. An established technology, this technique involves using a low-intensity light source through an optical coupler to scan the unique patterns of the retina. Retinal scanning can be quite accurate but does require the user to look into a receptacle and focus on a given point. This is not particularly convenient if you wear glasses or are concerned about having close contact with the reading device. For these reasons, retinal scanning is not warmly accepted by all users, even though the technology itself can work well. For your exam you should know the information below: Biometrics Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification and not well received by society. Biometrics is a very sophisticated technology; thus, it is much more expensive and complex than the other types of identity verification processes. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (such as iris, retina, or fingerprint) provide more accuracy because physical attributes typically don't change, absent some disfiguring injury, and are harder to impersonate Biometrics is typically broken up into two different categories. The first is the physiological. These are traits that are physical attributes unique to a specific individual. Fingerprints are a common example of a physiological trait used in biometric systems. The second category


Related study sets

Introduction to Pharmacology - CHAPTER 21 Antineoplastic Drugs

View Set

Chapter 3: Creating Anglo-America, 1660-1750

View Set

Chapter 3: Evaluating the External Environment

View Set

Chapter 17: Evolution of Populations

View Set

intro to interpersonal communications 1-7

View Set