CISSP (VCE Plus) Part I


In non-discretionary access control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on: A. the society's role in the organization B. the individual's role in the organization C. the group-dynamics as they relate to the individual's role in the organization D. the group-dynamics as they relate to the master-slave role in the organization

B

In the Lattice Based Access Control model, controls are applied to: A. Scripts B. Objects C. Models D. Factors

B

In the world of keystroke dynamics, what represents the amount of time it takes a person to switch between keys? A. Dynamic time B. Flight time C. Dwell time D. Systems time.

B

In which situation would TEMPEST risks and technologies be of MOST interest? A. Where high availability is vital. B. Where the consequences of disclose are very high. C. Where countermeasures are easy to implement D. Where data base integrity is crucial

B

If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? A. Birthday B. Brute force C. Man-in-the-middle

B

In biometric identification systems, it was apparent from the beginning that truly positive identification could only be based on the physical attributes of a person. This raised the necessity of answering two questions: A. what was the sex of a person and his age B. what part of the body to be used and how to accomplish identification to be viable C. what was the age of a person and his income level D. what was the tone of the voice of a person and his habits

B

In multi-processing systems, which one of the following lacks mandatory controls and is NORMALLY AVOIDED for communication? A. Storage channels B. Covert channels C. Timing channels D. Object channels

B

Kerberos depends upon what encryption method? A. Public Key cryptography B. Private Key cryptography C. El Gamal cryptography D. Blowfish cryptography

B

LOMAC uses what Access Control method to protect the integrity of processes and data? A. Linux based EFS. B. Low Water-Mark Mandatory Access Control. C. Linux based NFS. D. High Water-Mark Mandatory Access Control.

B

One method to simplify the administration of access controls is to group A. Capabilities and privileges B. Objects and subjects C. Programs and transactions D. Administrators and managers

B

Passwords can be required to change monthly, quarterly, or any other intervals: A. depending on the criticality of the information needing protection B. depending on the criticality of the information needing protection and the password's frequency of use C. depending on the password's frequency of use D. not depending on the criticality of the information needing protection but depending on the password's frequency of use

B

Program change controls must ensure that all changes are A. Audited to verify intent. B. Tested to ensure correctness. C. Implemented into production systems. D. Within established performance criteria.

B

Programmed procedures which ensure that valid transactions are processed accurately and only once in the current timescale are referred to as A. Data installation controls B. Application controls C. Operation controls D. Physical controls

B

In terms of the order of effectiveness, which of the following technologies is the most effective? A. Fingerprint B. Iris scan C. Keystroke pattern D. Retina scan

B

Related to information security, confidentiality is the opposite of which of the following? A. closure B. disclosure C. disposal D. disaster

B

Role based access control is attracting increasing attention particularly for what applications? A. Scientific B. Commercial C. Security D. Technical

B

Root login should only be allowed via: A. Rsh B. System console C. Remote program D. VNC

B

Rotating password can be restricted by the use of: A. Password age B. Password history C. Complex password D. All of the choices

B

The Clark Wilson model has its emphasis on: A. Security B. Integrity C. Accountability D. Confidentiality

B

The Lattice Based Access Control model was developed to deal mainly with ___________ in computer systems. A. Access control B. Information flow C. Message routes D. Encryption

B

The concept of least privilege currently exists within the context of: A. ISO B. TCSEC C. OSI D. IEFT

B

The purpose of information classification is to A. Assign access controls. B. Apply different protective measures. C. Define the parameters required for security labels. D. Ensure separation of duties.

B

The technique of skimming small amounts of money from multiple transactions is called the A. Scavenger technique B. Salami technique C. Synchronous attack technique D. Leakage technique

B

Devices in the form of credit card-size memory cards or smart cards, or those resembling small calculators, that are used to supply static and dynamic passwords are called: A. Tickets B. Tokens C. Token passing networks D. Coupons

B

To ensure least privilege requires that __________ is identified. A. what the user's privilege owns B. what the user's job is C. what the user's cost is D. what the user's group is

B

To support legacy applications that rely on risky protocols (e.g., plain text passwords), which one of the following can be implemented to mitigate the risks on a corporate network? A. Implement strong centrally generated passwords to control use of the vulnerable applications. B. Implement a virtual private network (VPN) with controls on workstations joining the VPN. C. Ensure that only authorized trained users have access to workstations through physical access control. D. Ensure audit logging is enabled on all hosts and applications with associated frequent log reviews.

B

Under DAC, a subject's rights must be ________ when it leaves an organization altogether. A. recycled B. terminated C. suspended D. resumed

B

Under MAC, which of the following is true? A. All that is expressly permitted is forbidden. B. All that is not expressly permitted is forbidden. C. All that is not expressly permitted is not forbidden. D. None of the choices.

B

Under MAC, who can change the category of a resource? A. All users. B. Administrators only. C. All managers. D. None of the choices.

B

Under the MAC control system, what is required? A. Performance monitoring B. Labeling C. Sensing D. None of the choices

B

What are the methods used in the process of facial identification? A. None of the choices. B. Detection and recognition. C. Scanning and recognition. D. Detection and scanning.

B

What are the three fundamental principles of security? A. Accountability, confidentiality, and integrity B. Confidentiality, integrity, and availability C. Integrity, availability, and accountability D. Availability, accountability, and confidentiality

B

What can be accomplished by storing on each subject a list of rights the subject has for every object? A. Object B. Capabilities C. Key ring D. Rights

B

What can best be described as an abstract machine which must mediate all access of subjects to objects? A. A security domain B. The reference monitor C. The security kernel D. The security perimeter

B

What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system? A. Accountability controls B. Mandatory access controls C. Assurance procedures D. Administrative controls

B

What is Kerberos? A. A three-headed dog from Egyptian Mythology B. A trusted third-party authentication protocol C. A security model D. A remote authentication dial in user server

B

What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server? A. IPSec B. RADIUS C. L2TP D. PPTP

B

What is an access control model? A. A formal description of access control ID specification. B. A formal description of security policy. C. A formal description of a sensitivity label.

B

What is an error called that causes a system to be vulnerable because of the environment in which it is installed? A. Configuration error B. Environmental error C. Access validation error D. Exceptional condition handling error

B

What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Integrity D. Confidentiality

B

What is called the percentage of invalid subjects that are falsely accepted? A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. True Acceptance Rate (TAR) or Type III error

B

What is known as the chance that someone other than you is granted access to your account? A. ERR B. FAR C. FRR D. MTBF

B

What is known as the probability that you are not authenticated to access your account? A. ERR B. FRR C. MTBF D. FAR

B

What is the main purpose of undertaking a parallel run of a new system? A. Resolve any errors in the program and file interfaces B. Verify that the system provides required business functionality C. Validate the operation of the new system against its predecessor D. Provide a backup of the old system

B

What is the method of coordinating access to resources based on the listing of permitted IP addresses? A. MAC B. ACL C. DAC D. None of the choices.

B

What is the most effective means of determining how controls are functioning within an operating system? A. Interview with computer operator B. Review of software control features and/or parameters C. Review of operating system manual D. Interview with product vendor

B

What is typically used to illustrate the comparative strengths and weaknesses of each biometric technology? A. Decipher Chart B. Zephyr Chart C. Cipher Chart D. Zapper Chart

B

What process determines who is trusted for a given purpose? A. Identification B. Authorization C. Authentication D. Accounting

B

What security risk does a covert channel create? A. A process can signal information to another process. B. It bypasses the reference monitor functions. C. A user can send data to another user. D. Data can be disclosed by inference.

B

Which of the following is true regarding a secure access model? A. Secure information cannot flow to a more secure user. B. Secure information cannot flow to a less secure user. C. Secure information can flow to a less secure user.

B

Which of the following offers greater accuracy than the others? A. Facial recognition B. Iris scanning C. Finger scanning D. Voice recognition

B

Monitoring electromagnetic pulse emanations from PCs and CRTs provides a hacker with what significant advantage? A. Defeat the TEMPEST safeguard B. Bypass the system security application. C. Gain system information without trespassing D. Undetectable active monitoring.

D

Most computer attacks result in violation of which of the following security properties? A. Availability B. Confidentiality C. Integrity and control D. All of the choices.

D

Normalizing data within a database includes all of the following except which? A. Eliminating repeating groups by putting them into separate tables B. Eliminating redundant data C. Eliminating attributes in a table that are not dependent on the primary key of that table D. Eliminating duplicate key fields by putting them into separate tables

D

On Linux, LOMAC is implemented as: A. Virtual addresses B. Registers C. Kernel built in functions D. Loadable kernel module

D

What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account? A. Data fiddling B. Data diddling C. Salami techniques D. Trojan horses

C

What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects? A. A capacity table B. An access control list C. An access control matrix D. A capability table

C

What ensures that attributes in a table depend only on the primary key? A. Referential integrity B. The database management system (DBMS) C. Data Normalization D. Entity integrity

C

What is a PRIMARY reason for designing the security kernel to be as small as possible? A. The operating system cannot be easily penetrated by users. B. Changes to the kernel are not required as frequently. C. Due to its compactness, the kernel is easier to formally verify. D. System performance and execution are enhanced.

C

What is a security requirement that is unique to Compartmented Mode Workstations (CMW)? A. Sensitivity Labels B. Object Labels C. Information Labels D. Reference Monitors

C

What is called a type of access control where a central authority determines what subjects can have access to certain objects, based on the organizational security policy? A. Mandatory Access Control B. Discretionary Access Control C. Non-discretionary Access Control D. Rule-based access control

C

What is called the access protection system that limits connections by calling back the number of a previously authorized location? A. Sendback system B. Callback forward systems C. Callback systems D. Sendback forward systems

C

What is called the formal acceptance of the adequacy of a system's overall security by the management? A. Certification B. Acceptance C. Accreditation D. Evaluation

C

What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values? A. Mandatory model B. Discretionary model C. Lattice model D. Rule model

C

What is the FIRST step that should be considered in a penetration test? A. The approval of change control management. B. The development of a detailed test plan. C. The formulation of specific management objectives. D. The communication process among team members.

C

Which of the following is not a valid reason to use external penetration service firms rather than corporate resources? A. They are more cost-effective B. They offer a lack of corporate bias C. They use highly talented ex-hackers D. They ensure more complete reporting

C

Which of the following is not an Orange Book-defined operational assurance requirement? A. System architecture B. Trusted facility management C. Configuration management D. Covert channel analysis

C


Which of the following is not used as a cost estimating technique during the project planning stage? A. Delphi technique B. Expert Judgment C. Program Evaluation Review Technique (PERT) charts D. Function points (FP)

C

Which of the following is true about Kerberos? A. It utilizes public key cryptography B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text C. It depends upon symmetric ciphers D. It is a second party authentication system

C


Which of the following phases of a system development life-cycle is most concerned with authenticating users and processes to ensure appropriate access control decisions? A. Development/acquisition B. Implementation C. Operation/Maintenance

C

Which of the following provide network redundancy in a local network environment? A. Mirroring B. Shadowing C. Dual backbones D. Duplexing

C

Why must senior management endorse a security policy? A. So that they will accept ownership for security within the organization. B. So that employees will follow the policy directives. C. So that external bodies will recognize the organization's commitment to security. D. So that they can be held legally accountable.

A

Why would a 16-character password not be desirable? A. Hard to remember B. Offers numerous characters. C. Difficult to crack using brute force. D. All of the choices.

A

With MAC, who may NOT make decisions that derive from policy? A. All users except the administrator. B. The administrator. C. The power users. D. The guests.

A

With RBAC, each user can be assigned: A. One or more roles. B. Only one role. C. A token role. D. A security token.

A

With Rule Based Security Policy, a security policy is based on: A. Global rules imposed for all users. B. Local rules imposed for some users. C. Global rules imposed for nobody. D. Global rules imposed for only the local users.

A

With non-continuous backup systems, data that was entered after the last backup prior to a system crash will have to be: A. recreated B. created C. updated D. deleted

A

With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance? A. Object-Oriented Data Bases (OODB) B. Object-Relational Data Bases (ORDB) C. Relational Data Bases D. Data Base management systems (DBMS)

A

Which of the following would be the most serious risk where a systems development life cycle methodology is inadequate? A. The project will be completed late B. The project will exceed the cost estimates C. The project will be incompatible with existing systems D. The project will fail to meet business and user needs

D

One of the differences between Kerberos and KryptoKnight is that there is: A. a mapped relationship among the parties B. a peer-to-peer relationship among the parties themselves C. no peer-to-peer relationship among the parties and the KDC D. a peer-to-peer relationship among the parties and the KDC

D

Open box testing, in the Flaw Hypothesis Methodology of Penetration Testing applies to the analysis of A. Routers and firewalls B. Host-based IDS systems C. Network-based IDS systems D. General purpose operating systems

D

Operations Security seeks to primarily protect against which of the following? A. object reuse B. facility disaster C. compromising emanations D. asset threats

D

SQL commands do not include which of the following? A. Select, Update B. Grant, Revoke C. Delete, Insert D. Add, Replace

D

The default level of security established for access controls should be A. All access B. Update access C. Read access D. No access

D

The quality of fingerprints is crucial to maintain the necessary: A. FRR B. ERR and FAR C. FAR D. FRR and FAR

D

The term "smart card" has the meanings of: A. Personal identity token containing ICs. B. Processor IC card. C. IC card with ISO 7816 interface. D. All of the choices.

D

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. What best describes this scenario? A. Excessive Rights B. Excessive Access C. Excessive Permissions D. Excessive Privileges

D

In terms of the order of acceptance, which of the following technologies is the LEAST accepted? A. Fingerprint B. Iris C. Handprint D. Retina patterns

D

In the Information Flow Model, what acts as a type of dependency? A. State B. Successive points C. Transformation D. Flow

D

In which state must a computer system operate to process input/output instructions? A. User mode B. Stateful inspection C. Interprocess communication D. Supervisor mode

D

Which of the following is a type of mandatory access control? A. Rule-based access control B. Role-based access control C. User-directed access control D. Lattice-based access control

A

Which type of attack will most likely provide an attacker with multiple passwords to authenticate to a system? A. Password sniffing B. Dictionary attack C. Dumpster diving D. Social engineering

A

Who is responsible for setting user clearances to computer-based information? A. Security administrators B. Operators C. Data owners D. Data custodians

A

The backup method that is primarily run when time and tape space permit, and is used for the system archive or baselined tape sets, is the: A. full backup method B. incremental backup method C. differential backup method D. tape backup method

A

Who should determine the appropriate access control of information? A. Owner B. User C. Administrator D. Server

A

Which one of the following addresses the protection of computers and components from electromagnetic emissions? A. TEMPEST B. ISO 9000 C. Hardening D. IEEE 802.2

A

Making sure that the data is accessible when and where it is needed is which of the following? A. Confidentiality B. integrity C. acceptability D. availability

D

Qualitative loss resulting from the business interruption does not include: A. Loss of revenue B. Loss of competitive advantage or market share C. Loss of public confidence and credibility D. Public embarrassment

A

RAID levels 3 and 5 run: A. faster on hardware B. slower on hardware C. faster on software D. at the same speed on software and hardware

A

Memory only cards work based on: A. Something you have. B. Something you know. C. None of the choices. D. Something you know and something you have.

D

Removing unnecessary processes, segregating inter-process communications, and reducing executing privileges to increase system security is commonly called A. Hardening B. Segmenting C. Aggregating D. Kerneling

A

Retinal scans check for: A. Something you are. B. Something you have. C. Something you know.

A

Risk analysis is MOST useful when applied during which phase of the system development process? A. Project identification B. Requirements definition C. System construction D. Implementation planning

A

SQL security issues include which of the following? A. The granularity of authorizations B. The size of databases C. The complexity of key structures D. The number of candidate key elements

A

Security is a process that is: A. Continuous B. Indicative C. Examined D. Abnormal

A

Signature identification systems analyze what areas of an individual's signature? A. All of the choices EXCEPT the signing rate. B. The specific features of the signature. C. The specific features of the process of signing one's signature. D. The signature rate.

A

Software generated passwords have what drawbacks? A. Passwords are not easy to remember. B. Password are too secure. C. None of the choices. D. Passwords are unbreakable.

A

The 8mm tape format is commonly used in Helical Scan tape drives, but was superseded by: A. Digital Linear Tape (DLT) B. Analog Linear Tape (ALT) C. Digital Signal Tape (DST) D. Digital Coded Tape (DCT)

A

The Common Criteria (CC) represents requirements for IT security of a product or system under which distinct categories? A. Functional and assurance B. Protocol Profile (PP) and Security Target (ST) C. Targets of Evaluation (TOE) and Protection Profile (PP) D. Integrity and control

A

The Common Criteria construct which allows prospective consumers or developers to create standardized sets of security requirements to meet their needs is A. a Protection Profile (PP). B. a Security Target (ST). C. an Evaluation Assurance Level (EAL).

A

Which of the following focuses on the basic features and architecture of a system? A. operational assurance B. life cycle assurance C. covert channel assurance D. level A1

A

Which of the following is NOT a system-sensing wireless proximity card? A. magnetically striped card B. passive device C. field-powered device D. transponder

A

Which of the following is a 5th Generation Language? A. LISP B. BASIC C. NATURAL D. Assembly Language

A

Which of the following is a communication mechanism that enables direct conversation between two applications? A. DDE B. OLE C. ODBC D. DCOM

A

A confidential number to verify a user's identity is called a: A. PIN B. userid C. password D. challenge

A

LOMAC is a security enhancement for what operating system? A. Linux B. Netware C. Solaris

A

MAC is used for: A. Defining imposed access control level. B. Defining user preferences. C. None of the choices.

A

A "critical application" is one that MUST A. Remain operational for the organization to survive. B. Be subject to continual program maintenance. C. Undergo continual risk assessments. D. Be constantly monitored by operations management.

A

A 'Pseudo flaw' is which of the following? A. An apparent loophole deliberately implanted in an operating system B. An omission when generating Pseudo-code C. Used for testing for bounds violations in application programming D. A Normally generated page fault causing the system halt

A

A 'Pseudo flaw' is which of the following? A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders B. An omission when generating Pseudo-code C. Used for testing for bounds violations in application programming D. A normally generated page fault causing the system to halt

A

A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide which of the following? A. content-dependent access control B. context-dependent access control C. least privileges access control D. ownership-based access control

A

A persistent collection of interrelated data items can be defined as which of the following? A. database B. database management system C. database security D. database shadowing

A

A server farm is an example of: A. Server clustering B. Redundant servers C. Multiple servers D. Server fault tolerance

A

A smart card represents: A. Something you are. B. Something you know. C. Something you have. D. All of the choices.

A

A storage information architecture does not address which of the following? A. archiving of data B. collection of data C. management of data D. use of data

A

Access Control techniques do not include which of the following choices? A. Relevant Access Controls B. Discretionary Access Control C. Mandatory Access Control D. Lattice Based Access Controls

A


According to the Orange Book, trusted facility management is not required for which of the following security levels? A. B1 B. B2 C. B3 D. A1

A

Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. To have a valid measure of the system performance: A. the CER is used B. the FRR is used C. the FAR is used D. none of the above choices is correct

A

At which temperature does damage start occurring to magnetic media? A. 100 degrees B. 125 degrees C. 150 degrees D. 175 degrees

A

Biometric performance is most commonly measured in terms of: A. FRR and FAR B. FAC and ERR C. IER and FAR D. FRR and GIC

A

By far, the largest security exposure in application system development relates to A. Maintenance and debugging hooks. B. Deliberate compromise. C. Change control. D. Errors and lack of training

A

Compact Disc (CD) optical media are used more often for: A. very small data sets B. very small files data sets C. larger data sets

A

Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following? A. Object-Oriented Data Bases (OODB) B. Object-Relational Data Bases C. Relational Data Bases D. Data base management systems (DBMS)

A

Controlled Security Mode is also known as: A. Multilevel Security Mode B. Partitioned Security Mode C. Dedicated Security Mode D. System-high Security Mode

A

Cryptography does not concern itself with: A. Availability B. Integrity C. Confidentiality D. Authenticity

A

DAC is characterized by many organizations as: A. Need-to-know controls B. Preventive controls C. Mandatory adjustable controls D. None of the choices

A

Data inference violations can be reduced using A. Polyinstantiation technique. B. Rule-based mediation. C. Multi-level data classification. D. Correct-state transformation.

A

Depending upon the volume of data that needs to be copied, full backups to tape can take: A. an incredible amount of time B. a credible amount of time C. an ideal amount of time D. an exclusive amount of time

A

How is polyinstantiation used to secure a multilevel database? A. It prevents low-level database users from inferring the existence of higher level data. B. It confirms that all constrained data items within the system conform to integrity specifications. C. It ensures that all mechanisms in a system are responsible for enforcing the database security policy. D. Two operations at the same layer will conflict if they operate on the same data item and at least one of them is an update.

A

Identification and authentication are the keystones of most access control systems. Identification establishes: A. user accountability for the actions on the system B. top management accountability for the actions on the system C. EDP department accountability for the actions of users on the system D. authentication for actions on the system

A

Identification usually takes the form of: A. Login ID. B. User password. C. None of the choices. D. Passphrase

A

In a RADIUS architecture, which of the following acts as a client? A. A network Access Server. B. None of the choices. C. The end user. D. The authentication server.

A

In developing a security awareness program, it is MOST important to A. Understand the corporate culture and how it will affect security. B. Understand employees preferences for information security. C. Know what security awareness products are available. D. Identify weakness in line management support.

A

In order to avoid mishandling of media or information, which of the following should be labeled? A. All of the choices. B. Printed copies C. Tape D. Floppy disks

A

In order to avoid mishandling of media or information, you should consider using: A. Labeling B. Token C. Ticket D. SLL

A

In the Information Flow Model, what relates two versions of the same object? A. Flow B. State C. Transformation D. Successive points

A

In the process of facial identification, the basic underlying recognition technology of facial identification involves: A. Eigenfeatures of eigenfaces. B. Scanning and recognition. C. Detection and scanning. D. None of the choices.

A

In the world of keystroke dynamics, what represents the amount of time you hold down in a particular key? A. Dwell time B. Flight time C. Dynamic time D. Systems time

A

The structures, transmission methods, transport formats, and security measures that are used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media are covered by: A. The Telecommunications and Network Security domain B. The Telecommunications and Netware Security domain C. The Technical communications and Network Security domain D. The Telnet and Security domain

A

The Trusted Computer Security Evaluation Criteria (TCSEC) provides A. a basis for assessing the effectiveness of security controls built into automatic data-processing system products B. a system analysis and penetration technique where specifications and documentation for the system are analyzed. C. a formal static transition model of computer security policy that describes a set of access control rules. D. a means of restricting access to objects based on the identity of subjects and groups to which they belong.

A

The absence or weakness in a system that may possibly be exploited is called a(n)? A. Threat B. Exposure C. Vulnerability D. Risk

A

The access matrix model has which of the following common implementations? A. Access control lists and capabilities. B. Access control lists. C. Capabilities. D. Access control list and availability.

A

The spare drives that replace the failed drives are usually hot swappable, meaning they can be replaced on the server in which of the following scenarios? A. system is up and running B. system is quiesced but operational C. system is idle but operational D. system is up and in single-user-mode

A

The type of discretionary access control that is based on an individual's identity is called: A. Identity-based access control B. Rule-based access control C. Non-Discretionary access control D. Lattice-based access control

A

The unauthorized mixing of data of one sensitivity level and need-to-know with data of a lower sensitivity level, or different need-to-know, is called data A. Contamination B. Seepage C. Aggregation

A

This backup method makes a complete backup of every file on the server every time it is run by: A. full backup method B. incremental backup method C. differential backup method D. tape backup method

A

Type II errors occur when which of the following biometric system rates is high? A. False accept rate B. False reject rate C. Crossover error rate D. Speed and throughput rate

A

Under MAC, classification reflects: A. Sensitivity B. Subject C. Privilege D. Object

A

Under MAC, who may grant a right of access that is explicitly forbidden in the access control policy? A. None of the choices. B. All users. C. Administrators only. D. All managers.

A

Under the Lattice Based Access Control model, a container of information is a(n): A. Object B. Model C. Label

A

What Access Control model was developed to deal mainly with information flow in computer systems? A. Lattice Based B. Integrity Based C. Flow Based

A

What Distributed Computing Environment (DCE) component provides a mechanism to ensure that services are made available only to properly designated parties? A. Directory Service B. Remote Procedure Call Service C. Distributed File Service D. Authentication and Control Service

A

What access control methodology facilitates frequent changes to data permissions? A. Rule-based B. List-based C. Role-based D. Ticket-based

A

What are edit controls? A. Preventive controls B. Detective controls C. Corrective controls D. Compensating controls

A

What are the advantages to using voice identification? A. All of the choices. B. Timesaving C. Reliability D. Flexibility

A

What are the assurance designators used in the Common Criteria (CC)? A. EAL 1, EAL 2, EAL 3, EAL 4, EAL 5, EAL 6, and EAL 7 B. A1, B1, B2, B3, C2, C1, and D C. E0, E1, E2, E3, E4, E5, and E6 D. AD0, AD1, AD2, AD3, AD4, AD5, and AD6

A

What are the valid types of one time password generator? A. All of the choices. B. Transaction synchronous C. Synchronous/PIN synchronous D. Asynchronous/PIN asynchronous

A

What can be defined as a formal security model for the integrity of subjects and objects in a system? A. Biba B. Bell LaPadula C. Lattice D. Info Flow

A

What defines an imposed access control level? A. MAC B. DAC C. SAC D. CAC

A

What is an effective countermeasure against Trojan horse attack that targets smart cards? A. Single-access device driver architecture. B. Handprint driver architecture. C. Fingerprint driver architecture. D. All of the choices.

A

What is an important factor affecting the time required to perpetrate a manual trial and error attack to gain access to a target computer system? A. Keyspace for the password. B. Expertise of the person performing the attack. C. Processing speed of the system executing the attack. D. Encryption algorithm used for password transfer.

A

What is an indirect way to transmit information with no explicit reading of confidential information? A. Covert channels B. Backdoor C. Timing channels D. Overt channels

A

What is called an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics? A. Biometrics B. Micrometrics C. Macrometrics D. MicroBiometrics

A

What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time? A. Authentication B. Identification C. Integrity D. Confidentiality

A

What is it called when a computer uses more than one CPU in parallel to execute instructions? A. Multiprocessing B. Multitasking C. Multithreading D. Parallel running

A

What is known as decoy system designed to lure a potential attacker away from critical systems? A. Honey Pots B. Vulnerability Analysis Systems C. File Integrity Checker D. Padded Cells

A

Which of the following is a feature of the Rule based access control? A. The use of profile. B. The use of information flow label. C. The use of data flow diagram. D. The use of token.

A

Which of the following is a straightforward approach that provides access rights to subjects for objects? A. Access Matrix model B. Take-Grant Model C. Bell-LaPadula Model D. Biba Model

A

Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT? A. Kerberos B. SESAME C. KryptoKnight D. NetSP

A

What is necessary for a subject to have write access to an object in a Multi-Level Security Policy? A. The subject's sensitivity label must dominate the object's sensitivity label B. The subject's sensitivity label subordinates the object's sensitivity label C. The subject's sensitivity label is subordinated by the object's sensitivity label D. The subject's sensitivity label is dominated by the object's sensitivity label

D

What is one disadvantage of content-dependent protection of information? A. It increases processing overhead B. It requires additional password entry C. It exposes the system to data locking D. It limits the user's individual address space

A

What is the act of willfully changing data, using fraudulent input or removal of controls called? A. Data diddling B. Data contaminating C. Data capturing D. Data trashing

A

What is the main concern with single sign-on? A. Maximum unauthorized access would be possible if a password is disclosed B. The security administrator's workload would increase C. The users' password would be too hard to remember D. User access rights would be increased

A

What is the main responsibility of the information owner? A. making the determination to decide what level of classification the information requires B. running regular backups C. audit the users when they require access to the information D. periodically checking the validity and accuracy for all data in the information system

A

What type of attack occurs when normal physical conditions are altered in order to gain access to sensitive information on the smartcard? A. Physical attacks B. Logical attacks C. Trojan Horse attacks D. Social Engineering attacks

A

What type of wiretapping involves injecting something into the communications? A. Aggressive B. Captive C. Passive D. Active

A

When conducting a risk assessment, which one of the following is NOT an acceptable social engineering practice? A. Shoulder surfing B. Misrepresentation C. Subversion D. Dumpster diving

A

Which Orange Book evaluation level is described as "Verified Design"? A. A1 B. B3 C. B2 D. B1

A

Which access control model enables the owner of the resource to specify what subjects can access specific resources? A. Discretionary Access Control B. Mandatory Access Control C. Sensitive Access Control D. Role-based Access Control

A

Which access control would a lattice-based access control be an example of? A. Mandatory access control B. Discretionary access control C. Non-discretionary access control D. Rule-based access control

A

Which factor is critical in all systems to protect data integrity? A. Data classification B. Information ownership

A

Which level of "least privilege" enables operators the right to modify data directly in its original location, in addition to data copied from the original location? A. Access Change B. Read/Write C. Access Rewrite D. Access modify

A

Which level(s) must protect against both covert storage and covert timing channels? A. B3 and A1 B. B2, B3 and A1 C. A1 D. B1, B2, B3 and A1

A

Which of the following addresses cumbersome situations where users need to log on multiple times to access different resources? A. Single Sign-On (SSO) systems B. Dual Sign-On (DSO) systems C. Double Sign-On (DS0) systems D. Triple Sign-On (TSO) systems

A

Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server? A. Bind variables B. Assimilation variables C. Reduction variables D. Resolution variables

A
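Bind variables matter for security, not just performance: a bound value is delivered to the database as data and is never parsed as part of the SQL statement. The block below is an added example, not part of the original quiz; it uses Python's built-in sqlite3 module with a constructed in-memory table (the table, rows and the injection string are assumptions for illustration) to show the same lookup written with string concatenation and with a bind variable.

```python
# Added example (not from the original quiz): string-built SQL versus bind variables.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database; not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable: the caller's string becomes part of the SQL text, so quotes
    and keywords in it are interpreted by the SQL parser."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn: sqlite3.Connection, name: str):
    """Hardened: '?' is a bind variable (placeholder). The statement is parsed
    once with the slot empty and the value is supplied afterwards, so the
    input can only ever be compared as a literal, never executed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
INJECTION = "x' OR '1'='1"

def compare(conn: sqlite3.Connection, name: str):
    """Row counts returned by each variant for the same input."""
    return len(lookup_unsafe(conn, name)), len(lookup_bound(conn, name))
```

For the legitimate input `alice` both functions return one row; for `INJECTION` the concatenated query matches every row while the bound query matches none, because no user is literally named `x' OR '1'='1`. The same principle holds for every driver's placeholder syntax (`?`, `%s`, `:name`, `$1`); what it does not cover is identifiers and keywords (table names, `ORDER BY` columns), which must be validated against an allow-list instead.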

Which of the following biometric parameters are better suited for authentication use over a long period of time? A. Iris pattern B. Voice pattern C. Signature dynamics D. Retina pattern

A

Which of the following can be defined as the set of allowable values that an attribute can take? A. domain of a relation B. domain name service of a relation C. domain analysis of a relation D. domains, in database of a relation

A

Which of the following classes is defined in the TCSEC (Orange Book) as mandatory protection? A. B B. A C. C D. D

A

Which of the following correctly describe the features of SSO? A. More efficient log-on. B. More costly to administer. C. More costly to setup. D. More key exchanging involved.

A

Which of the following defines the intent of a system security policy? A. A definition of the particular settings that have been determined to provide optimum security. B. A brief, high-level statement defining what is and is not permitted during the operation of the system. C. A definition of those items that must be excluded on the system. D. A listing of tools and applications that will be used to protect the system.

A

Which of the following defines the software that maintains and provides access to the database? A. database management system (DBMS) B. relational database management systems (RDBMS) C. database identification system (DBIS) D. Interface Definition Language system (IDLS)

A

Which of the following describes elements that create reliability and stability in networks and systems and which assures that connectivity is accessible when needed? A. Availability B. Acceptability C. Confidentiality D. Integrity

A

Which of the following describes the major disadvantage of many SSO implementations? A. Once a user obtains access to the system through the initial log-on they can freely roam the network resources without any restrictions B. The initial logon process is cumbersome to discourage potential intruders C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications. D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems

A

Which of the following enables the drive array to continue to operate if any disk or any path to any disk fails? A. RAID Level 7 B. RAID Level 1 C. RAID Level 2 D. RAID Level 5

A

Which of the following ensures that security is not breached when a system crash or other system failure occurs? A. trusted recovery B. hot swappable C. redundancy

A

Which one of the following is an important characteristic of an information security policy? A. Identifies major functional areas of information. B. Quantifies the effect of the loss of the information. C. Requires the identification of information owners. D. Lists applications that support the business function.

A

Which of the following is an advantage of a qualitative over quantitative risk analysis? A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. B. It provides specific quantifiable measurements of the magnitude of the impacts C. It makes cost-benefit analysis of recommended controls easier

A

Which of the following is an advantage of using a high-level programming language? A. It decreases the total amount of code writers B. It allows programmers to define syntax C. It requires programmer-controlled storage management D. It enforces coding standards

A

Which of the following is an effective measure against a certain type of brute force password attack? A. Password used must not be a word found in a dictionary. B. Password history is used. C. Password reuse is not allowed. D. None of the choices.

A

Which of the following is an important part of database design that ensures that attributes in a table depend only on the primary key? A. Normalization B. Assimilation C. Reduction D. Compaction

A

Which of the following is commonly used for retrofitting multilevel security to a database management system? A. trusted front-end B. trusted back-end C. controller D. kernel

A

Which of the following is most relevant to determining the maximum effective cost of access control? A. the value of information that is protected B. management's perceptions regarding data importance C. budget planning related to base versus incremental spending. D. the cost to replace lost data

A

Which of the following is the MOST secure network access control procedure to adopt when using a callback device? A. The user enters a userid and PIN, and the device calls back the telephone number that corresponds to the userid. B. The user enters a userid, PIN, and telephone number, and the device calls back the telephone number entered. C. The user enters the telephone number, and the device verifies that the number exists in its database before calling back. D. The user enters the telephone number, and the device responds with a challenge.

A

Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles? A. B2 B. B1 C. A1 D. A2

A

Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both? A. object-relational database B. object-oriented database C. object-linking database D. object-management database

A

Which of the following methodologies is appropriate for planning and controlling activities and resources in a system project? A. Gantt charts B. Program evaluation review technique (PERT) C. Critical path methodology (CPM) D. Function point analysis (FP)

A

Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, and faster resource access? A. Smart cards B. Single Sign-on (SSO) C. Kerberos D. Public Key Infrastructure (PKI)

A

Which of the following prevents, detects, and corrects errors so that the integrity, availability, and confidentiality of transactions over networks may be maintained? A. Communications security management and techniques B. Networks security management and techniques C. Clients security management and techniques D. Servers security management and techniques

A

Which of the following refers to the number of columns in a relation? A. degree B. cardinality C. depth D. breadth

A

Which of the following refers to the number of rows in a relation? A. cardinality B. degree C. depth D. breadth

A

Which of the following refers to the work product satisfying the real-world requirements and concepts? A. validation B. verification C. concurrence D. accuracy

A

Which of the following statements pertaining to the Trusted Computer System Evaluation Criteria (TCSEC) is incorrect? A. With TCSEC, functionality and assurance are evaluated separately. B. TCSEC provides a means to evaluate the trustworthiness of an information system C. The Orange Book does not cover networks and communications D. Database management systems are not covered by the TCSEC

A

Which of the following statements pertaining to the trusted computing base (TCB) is false? A. It addresses the level of security a system provides B. It originates from the Orange Book C. It includes hardware, firmware, and software D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity

A

Which of the following takes the concept of RAID 1 (mirroring) and applies it to a pair of servers? A. A redundant server implementation B. A redundant client implementation C. A redundant guest implementation D. A redundant host implementation

A

Which of the following was developed by the National Computer Security Center (NCSC)? A. TCSEC B. ITSEC C. DITSCAP D. NIACAP

A

Which of the following will you consider as the MOST secure way of authentication? A. Biometric B. Password C. Token D. Ticket Granting

A

Which one of the following authentication mechanisms creates a problem for mobile users? A. address-based mechanism B. reusable password mechanism C. one-time password mechanism D. challenge response mechanism

A

Which one of the following control steps is usually NOT performed in data warehousing applications? A. Monitor summary tables for regular use. B. Control meta data from being used interactively. C. Monitor the data purging plan. D. Reconcile data moved between the operations environment and data warehouse.

A

Which one of the following describes a reference monitor? A. Access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. B. Audit concept that refers to monitoring and recording of all accesses to objects by subjects. C. Identification concept that refers to the comparison of material supplied by a user with its reference profile. D. Network control concept that distributes the authorization of subject accesses to objects.

A

Within the Open Systems Interconnection (OSI) Reference Model, authentication addresses the need for a network entity to verify both A. The identity of a remote communicating entity and the authenticity of the source of the data that are received. B. The authenticity of a remote communicating entity and the path through which communications are received. C. The location of a remote communicating entity and the path through which communications are received. D. The identity of a remote communicating entity and the level of security of the path through which data are received.

A

You are comparing biometric systems. Security is the top priority. A low ________ is most important in this regard. A. FAR B. FRR C. MTBF D. ERR

A
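The false accept rate (FAR, Type II error) and false reject rate (FRR, Type I error) both depend on where the match threshold is set, and the crossover error rate (CER) is the threshold at which they are equal. The block below is an added example, not part of the original quiz: it computes FAR, FRR and the crossover point from constructed genuine and impostor match scores (the score lists and the 0-to-1 score scale are assumptions for illustration) and shows how a security-first deployment picks its threshold by capping FAR.

```python
# Added example (not from the original quiz): FAR / FRR / CER from match scores.
# Constructed match scores (higher = better match); not from a real sensor.
GENUINE = [0.62, 0.71, 0.74, 0.78, 0.80, 0.83, 0.85, 0.88, 0.91, 0.95]   # legitimate users
IMPOSTOR = [0.20, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.66, 0.72, 0.79]  # other people

def far(threshold: float, impostor=IMPOSTOR) -> float:
    """Type II error rate: fraction of impostors whose score meets the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold: float, genuine=GENUINE) -> float:
    """Type I error rate: fraction of legitimate users whose score falls below it."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest (the CER / EER operating point),
    returned with the two rates at that threshold."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates,
               key=lambda t: (abs(far(t, impostor) - frr(t, genuine)), t))
    return best, far(best, impostor), frr(best, genuine)

def choose_threshold(max_far: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Security-first tuning: the lowest threshold whose FAR does not exceed max_far.
    Raising the threshold drives FAR down and FRR up; the FRR this returns is the
    usability price of that FAR target."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(t, impostor) <= max_far:
            return t, far(t, impostor), frr(t, genuine)
    return None
```

With these scores the crossover sits at 0.72 with FAR = FRR = 20%; demanding FAR of zero pushes the threshold to 0.80 and rejects 40% of genuine attempts. A published CER is only useful for comparing devices; the threshold actually deployed should be chosen from the FAR ceiling the system's risk tolerates.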

Zip/Jaz drives are frequently used for the individual backups of small data sets of: A. specific application data B. sacrificial application data C. static application data D. dynamic application data

A

The access matrix model consists of which of the following parts? (Choose all that apply) A. A function that returns an objects type. B. A list of subjects. C. A list of objects.

ABC

Covert channel is a communication channel that can be used for: A. Hardening the system. B. Violating the security policy. C. Protecting the DMZ. D. Strengthening the security policy.

B

DAC and MAC policies can be effectively replaced by: A. Rule based access control. B. Role based access control. C. Server based access control. D. Token based access control

B

DSV as an identification method checks against users': A. Fingerprints B. Signature C. Keystrokes D. Facial expression

B

Enforcing minimum privileges for general system users can be easily achieved through the use of: A. TSTEC B. RBAC C. TBAC D. IPSEC

B

For what reason would a network administrator leverage promiscuous mode? A. To screen out all network errors that affect network statistical information. B. To monitor the network to gain a complete statistical picture of activity. C. To monitor only unauthorized activity and use. D. To capture only unauthorized internal/external use.

B

How is Annualized Loss Expectancy (ALE) derived from a threat? A. ARO x (SLE - EF) B. SLE x ARO C. SLE/EF D. AV x EF

B

A channel within a computer system or network that is designed for the authorized transfer of information is identified as a(n)? A. Covert channel B. Overt channel C. Opened channel D. Closed channel

B

A firewall can be classified as a: A. Directory based access control. B. Rule based access control. C. Lattice based access control. D. ID based access control.

B

A new worm has been released on the Internet. After investigation, you have not been able to determine if you are at risk of exposure. Management is concerned as they have heard that a number of their counterparts are being affected by the worm. How could you determine if you are at risk? A. Evaluate evolving environment. B. Contact your anti-virus vendor. C. Discuss threat with a peer in another organization. D. Wait for notification from an anti-virus vendor.

B

A password represents: A. Something you have. B. Something you know. C. All of the choices. D. Something you are.

B

A security policy would include all of the following EXCEPT A. Background B. Scope statement C. Audit requirements D. Enforcement

B

A system uses a numeric password with 1-4 digits. How many passwords need to be tried before it is cracked? A. 1024 B. 10000 C. 100000 D. 1000000

B

According to the Orange Book, which security level is the first to require a system to protect against covert timing channels? A. A1 B. B3 C. B2 D. B1

B

An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as: A. Netware availability B. Network availability C. Network acceptability D. Network accountability

B

At what Trusted Computer Security Evaluation Criteria (TCSEC) or Information Technology Security Evaluation Criteria (ITSEC) security level are database elements FIRST required to have security labels? A. A1/E6 B. B1/E3 C. B2/E4 D. C2/E2

B

Covert channel analysis is required for A. Systems processing Top Secret or classified information. B. A Trusted Computer Base with a level of trust B2 or above. C. A system that can be monitored in a supervisor state. D. Systems that use exposed communication links.

B

Which of the following is being considered as the most reliable kind of personal identification? A. Token B. Fingerprint C. Password D. Ticket Granting

B

Which of the following is not a form of a passive attack? A. Scavenging B. Data diddling C. Shoulder surfing D. Sniffing

B

Which of the following is the correct account policy you should follow? A. All of the choices. B. All active accounts must have a password. C. All active accounts must have a long and complex pass phrase. D. All inactive accounts must have a password.

B

Which of the following is the most reliable authentication device? A. Variable callback system B. Smart card system C. fixed callback system D. Combination of variable and fixed callback system

B

Which of the following is the most secure way to distribute password? A. Employees must send in an email before obtaining a password. B. Employees must show up in person and present proper identification before obtaining a password. C. Employees must send in a signed email before obtaining a password. D. None of the choices.

B

Which of the following is the weakest authentication mechanism? A. Passphrases B. Passwords C. One-time passwords D. Token devices

B

Which of the following is true about MAC? A. It is more flexible than DAC. B. It is more secure than DAC. C. It is less secure than DAC.

B

What should be the size of a Trusted Computer Base? A. Small, in order to permit it to be implemented in all critical system components without using excessive resources. B. Small, in order to facilitate the detailed analysis necessary to prove that it meets design requirements. C. Large, in order to accommodate the implementation of future updates without incurring the time and expense of recertification. D. Large, in order to enable it to protect the potentially large number of resources in a typical commercial system environment.

B

What should you do immediately if the root password is compromised? A. Change the root password. B. Change all passwords. C. Increase the value of password age. D. Decrease the value of password history.

B

What tool do you use to determine whether a host is vulnerable to known attacks? A. Padded Cells B. Vulnerability analysis C. Honey Pots D. IDS

B

What was introduced for circumventing difficulties in classic approaches to computer security by limiting damages produced by malicious programs? A. Integrity-preserving B. Reference Monitor C. Integrity-monitoring D. Non-Interference

B

When continuous availability (24 hours-a-day processing) is required, which one of the following provides a good alternative to tape backups? A. Disk mirroring B. Backup to jukebox C. Optical disk backup

B

When developing an information security policy, what is the FIRST step that should be taken? A. Obtain copies of mandatory regulations. B. Gain management approval. C. Seek acceptance from other departments. D. Ensure policy is compliant with current working practices.

B

Which must bear the primary responsibility for determining the level of protection needed for information systems resources? A. IS security specialists B. Senior Management C. Seniors security analysts D. system auditors

B

Which of the following actions can increase the cost of an exhaustive attack? A. Increase the age of a password. B. Increase the length of a password. C. None of the choices. D. Increase the history of a password.

B
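The questions above on trial-and-error attacks, the size of a numeric keyspace and the cost of an exhaustive attack all reduce to one calculation: the number of candidates an attacker must try, divided by the rate at which the target lets them try. The block below is an added example, not part of the original quiz; the guess rates and lockout policy are assumptions for illustration. One caveat it makes explicit: a password of 1 to 4 digits has 10 + 100 + 1,000 + 10,000 = 11,110 candidates when every length is allowed, while the quiz key's 10,000 counts only the 4-digit strings.

```python
# Added example (not from the original quiz): keyspace and exhaustive-attack cost.

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords when every length from min_len to max_len is allowed."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def length_factor(charset_size: int, extra_chars: int) -> int:
    """How many times larger the search becomes for each character added:
    one extra character multiplies the keyspace by the charset size."""
    return charset_size ** extra_chars

def offline_worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Exhaustive search against a stolen hash: only the cracking rate limits the attacker.
    The rate is an assumption; real rates depend on the hash algorithm and hardware."""
    return space / guesses_per_second

def online_worst_case_seconds(space: int, attempts_per_window: int,
                              window_seconds: float) -> float:
    """Manual or scripted trial-and-error against a live logon that locks the account
    after attempts_per_window failures per window. Here the lockout policy, not the
    attacker's processing speed, sets the ceiling."""
    return (space / attempts_per_window) * window_seconds

def summary(charset_size: int, min_len: int, max_len: int) -> dict:
    """Worked figures under assumed conditions: 1e9 offline guesses/s,
    and an online policy of 5 attempts per 15-minute window."""
    space = keyspace(charset_size, min_len, max_len)
    return {
        "keyspace": space,
        "offline_seconds_at_1e9_per_s": offline_worst_case_seconds(space, 1e9),
        "online_seconds_5_per_15min": online_worst_case_seconds(space, 5, 900),
    }
```

Two things fall out of the numbers: lengthening the password multiplies the keyspace by the charset size per character (62 for mixed-case alphanumerics), which is why length is the answer to raising exhaustive-attack cost, while password age and history change nothing about the search space; and a 4-digit PIN is hopeless offline but survives an online attack only because of the lockout, which is exactly the protection an off-line-checking token throws away.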

Which of the following are the components of the Chinese wall model? A. Conflict of interest. B. All of the choices. C. Subject D. Company Datasets.

B

Which of the following are the correct guidelines of password deployment? A. Passwords must be masked. B. All of the choices. C. Password must have a minimum of 8 characters. D. Password must contain a mix of both alphabetic and non-alphabetic characters.

B

Which of the following are the limitations of the Bell-LaPadula model? A. No policies for changing access data control. B. All of the choices. C. Contains covert channels. D. Static in nature.

B

Which of the following are the two most well known access control models? A. Lattice and Biba B. Bell LaPadula and Biba C. Bell LaPadula and Chinese Wall D. Bell LaPadula and Info Flow

B

Which of the following are the types of eye scan in use today? A. Retinal scans and body scans. B. Retinal scans and iris scans. C. Retinal scans and reflective scans. D. Reflective scans and iris scans.

B

Which of the following are the valid categories of hand geometry scanning? A. Electrical and image-edge detection. B. Mechanical and image-edge detection. C. Logical and image-edge detection. D. Mechanical and image-ridge detection.

B

Which of the following biometric devices has the lowest user acceptance level? A. Voice recognition B. Fingerprint scan C. Hand geometry D. Signature recognition

B

Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? A. Using TACACS+ server B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. C. Setting modem ring count to at least 5 D. Only attaching modems to non-networked hosts.

B

Which of the following centralized access control mechanisms is not appropriate for mobile workers accessing the corporate network over analog lines? A. TACACS B. Call-back C. CHAP D. RADIUS

B

Which of the following correctly describes Role based access control? A. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your user profile groups. B. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your organization's structure. C. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ticketing system. D. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ACL.

B

Which of the following could illegally capture network user passwords? A. Data diddling B. Sniffing C. Spoofing D. Smurfing

B

Which of the following eye scan methods is considered to be more intrusive? A. Iris scans B. Retinal scans C. Body scans D. Reflective scans

B

Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier? A. Dynamic authentication B. Continuous authentication C. Encrypted authentication D. Robust authentication

B

Which of the following functions is less likely to be performed by a typical security administrator? A. Setting user clearances and initial passwords B. Adding and removing system users C. Setting or changing file sensitivity labels D. Reviewing audit data

B

Which of the following is a characteristic of a decision support system (DSS)? A. DSS is aimed at solving highly structured problems B. DSS emphasizes flexibility in the decision making approach of users C. DSS supports only structured decision-making tasks

B

Which of the following is a state machine model capturing confidentiality aspects of access control? A. Clarke Wilson B. Bell-LaPadula C. Chinese Wall D. Lattice

B

Which of the following is an example of an active attack? Select one. A. Traffic analysis B. Masquerading C. Eavesdropping D. Shoulder surfing

B

Which of the following questions is less likely to help in assessing controls over hardware and software maintenance? A. Is access to all program libraries restricted and controlled? B. Are integrity verification programs used by applications to look for evidence of data tampering, errors, and omissions? C. Is there version control? D. Are system components tested, documented, and approved prior to promotion to production?

B

Which of the following represent the rows of the table in a relational database? A. attributes B. records or tuples C. record retention D. relation

B

Which of the following security modes of operation involves the highest risk? A. Compartmented Security Mode B. Multilevel Security Mode C. System-High Security Mode D. Dedicated Security Mode

B

Which of the following tools can you use to assess your network's vulnerability? A. ISS B. All of the choices. C. SATAN D. Ballista

B

Which of the following will you consider as a program that monitors data traveling over a network? A. Smurfer B. Sniffer C. Fragmenter D. Spoofer

B

Which of the following will you consider as most secure? A. Password B. One time password C. Login phrase D. Login ID

B

Which of the following would provide the best stress testing environment? A. Test environment using test data B. Test environment using live workloads C. Production environment using test data D. Production environment using live workloads

B

Which one of the following entails immediately transmitting copies of on-line transactions to a remote computer facility for backup? A. Archival storage management (ASM) B. Electronic vaulting C. Hierarchical storage management (HSM) D. Data compression

B

Which one of the following is a KEY responsibility for the "Custodian of Data"? A. Data content and backup B. Integrity and security of data C. Authentication of user access D. Classification of data elements

B

Which one of the following is a security issue related to aggregation in a database? A. Polyinstantiation B. Inference C. Partitioning D. Data swapping

B

Which one of the following is the MAIN goal of a security awareness program when addressing senior management? A. Provide a vehicle for communicating security procedures. B. Provide a clear understanding of potential risk and exposure. C. Provide a forum for disclosing exposure and risk analysis. D. Provide a forum to communicate user responsibilities.

B

Which one of the following is the MOST critical characteristic of a biometrics system? A. Acceptability B. Accuracy C. Throughput

B

Which one of the following is the MOST solid defense against interception of a network transmission? A. Frequency hopping B. Optical fiber C. Alternate routing

B

Which one of the following should NOT be contained within a computer policy? A. Definition of management expectations. B. Responsibilities of individuals and groups for protected information. C. Statement of senior executive support. D. Definition of legal and regulatory controls.

B

Which one of the following tests determines whether the content of data within an application program falls within predetermined limits? A. Parity check B. Reasonableness check C. Mathematical accuracy check D. Check digit verification

B

Which risk management methodology uses the exposure factor multiplied by the asset value to determine its outcome? A. Annualized Loss Expectancy B. Single Loss Expectancy C. Annualized Rate of Occurrence D. Information Risk Management

B

Which security problem exists if a user accessing low-level data is able to draw conclusions about high-level information? A. Interference B. Inference C. Polyinstantiation D. Under-classification

B

Why would an information security policy require that communications test equipment be controlled? A. The equipment is susceptible to damage B. The equipment can be used to browse information passing on a network C. The equipment must always be available for replacement if necessary D. The equipment can be used to reconfigure the network multiplexers

B

With the BLP model, security policies prevent information flowing downwards from a: A. Low security level B. High security level C. Medium security level D. Neutral security level

B

With the Lattice Based Access Control model, a security class is also called a: A. Control factor B. Security label C. Mandatory number D. Serial ID

B

You may describe MAC as: A. Opportunistic B. Prohibitive C. None of the choices. D. Permissive

B

going to and from the smartcard? A. Physical attacks. B. Logical attacks. C. Trojan Horse attacks. D. Social Engineering attacks.

B

person. This raised the necessity of answering 2 questions: A. what was the sex of a person and his age B. what part of the body to be used and how to accomplish identification to be viable C. what was the age of a person and his income level D. what was the tone of the voice of a person and his habits

B

some common data for all users in the group, and protects the data from improper access by users in the group? A. Prevented subsystem B. Protected subsystem C. File subsystem D. Directory subsystem

B

topology? A. IEEE 802.5 protocol for Ethernet cannot support encryption. B. Ethernet is a broadcast technology. C. Hub and spoke connections are highly multiplexed. D. TCP/IP is an insecure protocol.

B

Which of the following is a communication path that is not protected by the system's normal security mechanisms? A. A trusted path B. A protection domain C. A covert channel D. A maintenance hook

C

A central authority determines what subjects can have access to certain objects based on the organizational security policy is called: A. Mandatory Access Control B. Discretionary Access Control C. Non-Discretionary Access Control D. Rule-based Access Control

C

A common limitation of information classification systems is the INABILITY to A. Limit the number of classifications. B. Generate internal labels on diskettes. C. Declassify information when appropriate. D. Establish information ownership.

C

A computer program used to process the weekly payroll contains an instruction that the amount of the gross pay cannot exceed $2,500 for any one employee. This instruction is an example of a control that is referred to as a: A. sequence check B. check digit C. limit check D. record check

C

A feature deliberately implemented in an operating system as a trap for intruders is called a: A. Trap door B. Trojan horse C. Pseudo flaw D. Logic bomb

C

A method for a user to identify and present credentials only once to a system is known as: A. SEC B. IPSec C. SSO D. SSL

C

A periodic review of user account management should not determine: A. Conformity with the concept of least privilege B. Whether active accounts are still being used C. Strength of user-chosen passwords D. Whether management authorizations are up-to-date

C

A system using Discretionary Access Control (DAC) is vulnerable to which one of the following attacks? A. Trojan horse B. Phreaking C. Spoofing D. SYN flood

C

A. The software of the system has been implemented as designed. B. Users can't tamper with processes they do not own C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly D. Design specifications have been verified against the formal top-level specification

C

Access controls that are not based on the policy are characterized as: A. Secret controls B. Mandatory controls C. Discretionary controls D. Corrective controls

C

According to Common Criteria, what can be described as an intermediate combination of security requirement components? A. Protection profile (PP) B. Security target (ST) C. Package D. The Target of Evaluation (TOE)

C

According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles? A. A1 B. B1 C. B2 D. B3

C

According to the Orange Book, which security level is the first to require trusted recovery? A. A1 B. B2 C. B3 D. B1

C

By requiring the user to use more than one finger to authenticate, you can: A. Provide statistical improvements in EAR. B. Provide statistical improvements in MTBF. C. Provide statistical improvements in FRR. D. Provide statistical improvements in ERR.

C

Development staff should: A. Implement systems B. Support production data C. Perform unit testing D. Perform acceptance testing

C

FIPS-140 is a standard for the security of: A. Cryptographic service providers B. Smartcards C. Hardware and software cryptographic modules D. Hardware security modules

C

Fault tolerance countermeasures are designed to combat threats to A. an uninterruptible power supply B. backup and retention capability C. design reliability D. data integrity

C

How are memory cards and smart cards different? A. Memory cards normally hold more memory than smart cards B. Smart cards provide a two-factor authentication whereas memory cards don't C. Memory cards have no processing power D. Only smart cards can be used for ATM cards

C

How should a risk be handled when the cost of the countermeasures outweighs the cost of the risk? A. Reject the risk B. Perform another risk analysis C. Accept the risk D. Reduce the risk

C

In SSL/TLS protocol, what kind of authentication is supported? A. Peer-to-peer authentication B. Only server authentication (optional) C. Server authentication (mandatory) and client authentication (optional) D. Role based authentication scheme

C

In a RADIUS architecture, which of the following can act as a proxy client? A. The end user. B. A Network Access Server. C. The RADIUS authentication server. D. None of the choices.

C

In a change control environment, which one of the following REDUCES the assurance of proper changes to source programs in production status? A. Authorization of the change. B. Testing of the change. C. Programmer access. D. Documentation of the change.

C

In addition to the accuracy of the biometric systems, there are other factors that must also be considered: A. These factors include the enrollment time and the throughput rate, but not acceptability. B. These factors do not include the enrollment time, the throughput rate, and acceptability. C. These factors include the enrollment time, the throughput rate, and acceptability. D. These factors include the enrollment time, but not the throughput rate, neither the acceptability.

C

In an organization, an Information Technology security function should: A. Be a function within the information systems functions of an organization B. Report directly to a specialized business unit such as legal, corporate security or insurance C. Be led by a Chief Security Officer and report directly to the CEO D. Be independent but report to the Information Systems function

C

In terms of the order of effectiveness, which of the following technologies is the least effective? A. Voice pattern B. Signature C. Keystroke pattern D. Hand geometry

C

In the Bell-LaPadula model, the Star-property is also called: A. The simple security property B. The confidentiality property C. The confinement property D. The tranquility property

C

In the context of computer security, "scavenging" refers to searching A. A user list to find a name. B. Through storage to acquire information. C. Through data for information content. D. Through log files for trusted path information.

C

In which one of the following documents is the assignment of individual roles and responsibilities MOST appropriately defined? A. Security policy B. Enforcement guidelines C. Acceptable use policy D. Program manual

C

Management can expect penetration tests to provide all of the following EXCEPT A. identification of security flaws B. demonstration of the effects of the flaws C. a method to correct the security flaws. D. verification of the levels of existing infiltration resistance

C

Network Security is a A. Product B. protocols C. ever-evolving process D. quick-fix solution

C

Penetration testing will typically include A. Generally accepted auditing practices. B. Review of Public Key Infrastructure (PKI) digital certificate, and encryption. C. Social engineering, configuration review, and vulnerability assessment. D. Computer Emergency Response Team (CERT) procedures.

C

Processor card contains which of the following components? A. Memory and hard drive. B. Memory and flash. C. Memory and processor. D. Cache and processor.

C

RADIUS is defined by which RFC? A. 2168 B. 2148 C. 2138 D. 2158

C

Risk is commonly expressed as a function of the A. Systems vulnerabilities and the cost to mitigate. B. Types of countermeasures needed and the system's vulnerabilities. C. Likelihood that the harm will occur and its potential impact. D. Computer system-related assets and their costs.

C

TEMPEST addresses A. The vulnerability of time-dependent transmissions. B. Health hazards of electronic equipment. C. Signal emanations from electronic equipment. D. The protection of data from high energy attacks.

C

The INITIAL phase of the system development life cycle would normally include A. Cost-benefit analysis B. System design review C. Executive project approval D. Project status summary

C

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address? A. integrity and confidentiality B. confidentiality and availability C. integrity and availability D. none of the above

C

The Lattice Based Access Control model was developed MAINLY to deal with: A. Affinity B. None of the choices. C. Confidentiality D. Integrity

C

The PRIMARY purpose of operations security is A. Protect the system hardware from environment damage. B. Monitor the actions of vendor service personnel. C. Safeguard information assets that are resident in the system. D. Establish thresholds for violation detection and logging.

C

The alternate processing strategy in a business continuity plan can provide for required backup computing capacity through a hot site, a cold site, or A. A dial-up services program. B. An off-site storage replacement. C. An online backup program. D. A crate and ship replacement.

C

The concept that all accesses must be mediated, protected from modification, and verifiable as correct is the concept of A. Secure model B. Security locking C. Security kernel D. Secure state

C

The design phase in a system development life cycle includes all of the following EXCEPT A. Determining sufficient security controls. B. Conducting a detailed design review. C. Developing an operations and maintenance manual. D. Developing a validation, verification, and testing plan.

C

The intent of least privilege is to enforce the most restrictive user rights required A. To execute system processes. B. By their job description. C. To execute authorized tasks. D. By their security role.

C

The lattice-based model aims at protecting against: A. Illegal attributes. B. None of the choices. C. Illegal information flow among the entities. D. Illegal access rights

C

The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization

C

To ensure that integrity is attained through the Clark and Wilson model, certain rules are needed. These rules are: A. Processing rules and enforcement rules. B. Integrity-bouncing rules. C. Certification rules and enforcement rules. D. Certification rules and general rules.

C

Tokens, as a way to identify users, are subject to what type of error? A. Token error B. Decrypt error C. Human error D. Encrypt error

C

Under MAC, a clearance is a: A. Sensitivity B. Subject C. Privilege D. Object

C

Under Role based access control, access rights are grouped by: A. Policy name B. Rules C. Role name D. Sensitivity label

C

Which of the following is a facial feature identification product that can employ artificial intelligence and can require the system to learn from experience? A. All of the choices. B. Digital nervous system. C. Neural networking D. DSV

C

Which of the following is a means of restricting access to objects based on the identity of the subject to which they belong? A. Mandatory access control B. Group access control C. Discretionary access control D. User access control

C

Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system? A. Fail proof B. Fail soft C. Fail safe D. Fail resilient

C

What is the PRIMARY advantage of using a separate authentication server (e.g., Remote Access Dial-In User System, Terminal Access Controller Access Control System) to authenticate dial-in users? A. Single user logons are easier to manage and audit. B. Each session has a unique (one-time) password assigned to it. C. Audit and access information are not kept on the access server. D. Call-back is very difficult to defeat.

C

What is the PRIMARY use of a password? A. Allow access to files B. Identify the user C. Authenticate the user D. Segregate various users' accesses

C

What is the essential difference between a self-audit and an independent audit? A. Tools used B. Results C. Objectivity D. Competence

C

What is the main concern of the Bell-LaPadula security model? A. Accountability B. Integrity C. Confidentiality D. Availability

C

What is the most critical characteristic of a biometric identifying system? A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Reliability

C

What is the window of time for recovery of information processing capabilities based on? A. Quality of the data to be processed B. Nature of the disaster C. Criticality of the operations affected D. Applications that are mainframe based

C

What scheme includes the requirement that the system maintain the separation of duty requirement expressed in the access control triples? A. Bella B. Lattice C. Clark-Wilson D. Bell-LaPadula

C

What type of password makes use of two totally unrelated words? A. Login phrase B. One time password C. Composition D. Login ID

C

When considering the IT Development Life-Cycle, security should be: A. Mostly considered during the initiation phase. B. Mostly considered during the development phase. C. Treated as an integral part of the overall system design. D. Added once the design is completed.

C

Which Orange Book security rating requires that formal techniques are used to prove the equivalence between the TCB specifications and the security policy model? A. B2 B. B3 C. A1

C

Which access control model states that for integrity to be maintained data must not flow from a receptacle of given integrity to a receptacle of higher integrity? A. Lattice Model B. Bell-LaPadula Model C. Biba Model D. Take-Grant Model

C

Which of the following access control types gives "UPDATE" privileges on Structured Query Language (SQL) database objects to specific users or groups? A. Supplemental B. Discretionary C. Mandatory D. System

C

Which of the following are objectives of an information systems security program? A. Threats, vulnerabilities, and risks B. Security, information value, and threats C. Integrity, confidentiality, and availability. D. Authenticity, vulnerabilities, and costs.

C

Which of the following are proprietarily implemented by CISCO? A. RADIUS+ B. TACACS C. XTACACS and TACACS+ D. RADIUS

C

Which of the following attacks could be the most successful when the security technology is properly implemented and configured? A. Logical attacks B. Physical attacks C. Social Engineering attacks D. Trojan Horse attacks

C

Which of the following best explains why computerized information systems frequently fail to meet the needs of users? A. Inadequate quality assurance (QA) tools B. Constantly changing user needs C. Inadequate user participation in defining the system's requirements D. Inadequate project management.

C

Which of the following biometric devices has the highest Crossover Error Rate (CER)? A. Iris scan B. Hand Geometry C. Voice pattern D. Fingerprints

C

Which of the following can be used to protect your system against brute force password attack? A. Decrease the value of password history. B. Employees must send in a signed email before obtaining a password. C. After three unsuccessful attempts to enter a password, the account will be locked. D. Increase the value of password age.

C

Which of the following computer crimes is more often associated with insiders? A. IP spoofing B. Password sniffing C. Data diddling D. Denial of Service (DOS)

C

Which of the following computer design approaches is based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle? A. Pipelining B. Reduced Instruction Set Computers (RISC) C. Complex Instruction Set Computers (CISC) D. Scalar processors

C

Which of the following correctly describes DAC? A. It is the most secure method. B. It is of the B2 class. C. It can extend beyond limiting which subjects can gain what type of access to which objects. D. It is of the B1 class.

C

Which of the following does not address Database Management Systems (DBMS) Security? A. Perturbation B. Cell suppression C. Padded Cells D. Partitioning

C

Which of the following does not apply to system-generated passwords? A. Passwords are harder to remember for users B. If the password-generating algorithm gets to be known, the entire system is in jeopardy C. Passwords are more vulnerable to brute force and dictionary attacks. D. Passwords are harder to guess for attackers

C

Which of the following embodies all the detailed actions that personnel are required to follow? A. Standards B. Guidelines C. Procedures D. Baselines

C

Which of the following factors may render a token based solution unusable? A. Token length B. Card size C. Battery lifespan D. None of the choices.

C

Which of the following implements the authorized access relationship between subjects and objects of a system? A. Security model B. Reference kernel C. Security kernel D. Information flow model

C

Which of the following is NOT a good password deployment guideline? A. Passwords must not be the same as user id or login id. B. Password aging must be enforced on all systems. C. Password must be easy to memorize. D. Passwords must be changed at least once every 60 days, depending on your environment.

C

Which of the following questions is less likely to help in assessing physical and environmental protection? A. Are entry codes changed periodically? B. Are appropriate fire suppression and prevention devices installed and working? C. Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information? D. Is physical access to data transmission lines controlled?

C

Which of the following refers to the number of columns in a table? A. Schema B. Relation C. Degree D. Cardinality

C

Which of the following represents the best programming? A. Low cohesion, low coupling B. Low cohesion, high coupling C. High cohesion, low coupling D. High cohesion, high coupling

C

Which of the following statements is incorrect? A. Since the early days of mankind humans have struggled with the problems of protecting assets B. The addition of a PIN keypad to the card reader was a solution to unreported or lost card problems C. There has never been a problem of lost keys D. Human guard is an inefficient and sometimes ineffective method of protecting resources

C

Which of the following statements pertaining to software testing approaches is correct? A. A bottom-up approach allows interface errors to be detected earlier B. A top-down approach allows errors in critical modules to be detected earlier C. The test plan and results should be retained as part of the system's permanent documentation D. Black box testing is predicated on a close examination of procedural detail

C

Which of the following was the first mathematical model of multilevel security policy? A. Biba B. Take-Grant C. Bell-La Padula D. Clark Wilson

C

Which of the following will you consider as a "role" under a role based access control system? A. Bank rules B. Bank computer C. Bank teller D. Bank network

C

Which of the following would be best suited to provide information during a review of the controls over the process of defining IT service levels? A. Systems programmer B. Legal staff C. Business unit manager D. Programmer

C

Which of the following would best describe the difference between white-box testing and black-box testing? A. White-box testing is performed by an independent programmer team B. Black-box testing uses the bottom-up approach C. White-box testing examines the program internal logical structure D. Black-box testing involves the business units

C

Which of the following Yellow Book-defined types of system recovery happens after a system fails in an uncontrolled manner in response to a TCB or media failure and the system cannot be brought to a consistent state? A. Recovery restart B. System reboot C. Emergency system restart D. System Cold start

C

Which one of the following BEST describes a password cracker? A. A program that can locate and read a password file. B. A program that provides software registration passwords or keys. C. A program that performs comparative analysis. D. A program that obtains privileged access to the system.

C

Which one of the following access control models associates every resource and every user of a resource with one of an ordered set of classes? A. Take-Grant model B. Biba model C. Lattice model D. Clark-Wilson model

C

Which one of the following are examples of security and controls that would be found in a "trusted" application system? A. Data validation and reliability B. Correction routines and reliability C. File integrity routines and audit trail D. Reconciliation routines and data labels

C

Which one of the following conditions is NOT necessary for a long dictionary attack to succeed? A. The attacker must have access to the target system. B. The attacker must have read access to the password file. C. The attacker must have write access to the password file. D. The attacker must know the password encryption mechanism and key variable.

C

Which one of the following is NOT a fundamental component of a Regulatory Security Policy? A. What is to be done. B. When it is to be done. C. Who is to do it. D. Why is it to be done

C

Which one of the following is a characteristic of a penetration testing project? A. The project is open-ended until all known vulnerabilities are identified. B. The project schedule is plotted to produce a critical path. C. The project tasks are to break into a targeted system. D. The project plan is reviewed with the target audience.

C

Which one of the following is an example of electronic piggybacking? A. Attaching to a communications line and substituting data. B. Abruptly terminating a dial-up or direct-connect session. C. Following an authorized user into the computer room. D. Recording and playing back computer transactions.

C

Which one of the following is not one of the outcomes of a vulnerability analysis? A. Quantitative loss assessment B. Qualitative loss assessment C. Formal approval of BCP scope and initiation document D. Defining critical support areas

C

Which one of the following is the MOST crucial link in the computer security chain? A. Access controls B. People C. Management D. Awareness programs

C

Which one of the following is the PRIMARY objective of penetration testing? A. Assessment B. Correction C. Detection D. Protection

C

Which one of the following is true about information that is designated with the highest of confidentiality in a private sector organization? A. It is limited to named individuals and creates an audit trail. B. It is restricted to those in the department of origin for the information. C. It is available to anyone in the organization whose work relates to the subject and requires authorization for each access. D. It is classified only by the information security officer and restricted to those who have made formal requests for access.

C

Which one of the following risk analysis terms characterizes the absence or weakness of a risk-reducing safeguard? A. Threat B. Probability C. Vulnerability D. Loss expectancy

C

Which one of the following statements describes management controls that are instituted to implement a security policy? A. They prevent users from accessing any control function. B. They eliminate the need for most auditing functions. C. They may be administrative, procedural, or technical. D. They are generally inexpensive to implement.

C

Which security model allows the data custodian to grant access privileges to other users? A. Mandatory B. Bell-LaPadula C. Discretionary D. Clark-Wilson

C

Which security model introduces access to objects only through programs? A. The Biba model B. The Bell-LaPadula model C. The Clark-Wilson model D. The information flow model

C

Who developed one of the first mathematical models of a multilevel-security computer system? A. Diffie and Hellman B. Clark and Wilson C. Bell and LaPadula D. Gasser and Lipner

C

Why should batch files and scripts be stored in a protected area? A. Because of the least privilege concept B. Because they cannot be accessed by operators C. Because they may contain credentials D. Because of the need-to-know concept

C

With Discretionary access controls, who determines who has access and what privilege they have? A. End users. B. None of the choices. C. Resource owners. D. Only the administrators.

C

With MAC, who may make decisions that bear on policy? A. None of the choices. B. All users. C. Only the administrator. D. All users except guests.

C

With RBAC, roles are: A. Based on labels. B. All equal C. Hierarchical D. Based on flows.

C

With Rule Based Security Policy, global rules usually rely on comparison of the _______ of the resource being accessed. A. A group of users. B. Users C. Sensitivity D. Entities

C

With __________, access decisions are based on the roles that individual users have as part of an organization. A. Server based access control. B. Rule based access control. C. Role based access control. D. Token based access control.

C

With the BLP model, access permissions are defined through: A. Filter rules B. Security labels C. Access Control matrix D. Profiles

C

maintenance processes, introduced five levels with which the maturity of an organization involved in the software process is evaluated? A. The total Quality Model (TQM) B. The IDEAL Model C. The Software Capability Maturity Model D. The Spiral Model

C

In a very large environment, which of the following is an administrative burden? A. Rule based access control. B. Directory based access control. C. Lattice based access control D. ID based access control

D

A significant action has a state that enables actions on an ADP system to be traced to individuals who may then be held responsible. The action does NOT include: A. Violations of security policy. B. Attempted violations of security policy. C. Non-violations of security policy. D. Attempted violations of allowed actions.

D

Access control techniques do not include: A. Rule-Based Access Controls B. Role-Based Access Controls C. Mandatory Access Controls D. Random Number Based Access Control

D

Access to the _________ account on a Unix server must be limited to only the system administrators that must absolutely have this level of access. A. Superuser of inetd. B. Manager or root. C. Fsf or root D. Superuser or root.

D

All of the following are basic components of a security policy EXCEPT the A. definition of the issue and statement of relevant terms. B. statement of roles and responsibilities C. statement of applicability and compliance requirements. D. statement of performance characteristics and requirements.

D

An access control policy for a bank teller is an example of the implementation of which of the following? A. rule-based policy B. identity-based policy C. user-based policy D. role-based policy

D

An example of an individual point of verification in a computerized application is A. An inference check. B. A boundary protection. C. A sensitive transaction. D. A check digit.

D

Annualized Loss Expectancy (ALE) value is derived from an algorithm of the product of annual rate of occurrence and A. Cost of all losses expected. B. Previous year's actual loss. C. Average of previous losses. D. Single loss expectancy.

D

Attacks on smartcards generally fall into what categories? A. Physical attacks. B. Trojan Horse attacks. C. Logical attacks. D. All of the choices, plus Social Engineering attacks.

D

Authentication is typically based upon: A. Something you have. B. Something you know. C. Something you are. D. All of the choices.

D

Buffer overflow and boundary condition errors are subsets of: A. Race condition errors B. Access validation errors C. Exceptional condition handling errors D. Input validation errors

D

Identification establishes: A. Authentication B. Accountability C. Authorization D. None of the choices.

D

If your property insurance has an Actual Cost Evaluation (ACV) clause, your damaged property will be compensated: A. Based on the value of the item on the date of loss B. Based on new item for old regardless of condition of lost item C. Based on value of item one month before loss D. Based on value of item on the date of loss plus 10 percent

D

In a discretionary mode, which of the following entities is authorized to grant information access to other people? A. manager B. group leader C. security manager D. user

D

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. What best describes this scenario? A. Excessive Rights B. Excessive Access C. Excessive Permissions D. Excessive Privileges

D

To ensure integrity, a payroll application program may record transactions in the appropriate accounting period by using A. Application checkpoints B. Time and date stamps C. Accrual journal entries D. End of period journals

D

Under MAC, a file is a(n): A. Privilege B. Subject C. Sensitivity D. Object

D

Valuable paper insurance coverage does not cover damage to which of the following? A. Inscribed, printed and written documents B. Manuscripts C. Records D. Money and Securities

D

What attack involves actions to mimic one's identity? A. Brute force B. Exhaustive C. Social engineering D. Spoofing

D

What control is based on a specific profile for each user? A. Lattice based access control. B. Directory based access control. C. Rule based access control. D. ID based access control.

D

What does the * (star) integrity axiom mean in the Biba model? A. No read up B. No write down C. No read down D. No write up

D

What is one advantage of deploying Role based access control in large networked applications? A. Higher security B. Higher bandwidth C. User friendliness D. Lower cost

D

What is the Maximum Tolerable Downtime (MTD)? A. Maximum elapsed time required to complete recovery of application data B. Minimum elapsed time required to complete recovery of application data C. Maximum elapsed time required to move back to the primary site after a major disruption D. It is the maximum delay that businesses can tolerate and still remain viable

D

What is the PRIMARY component of a Trusted Computer Base? A. The computer hardware B. The security subsystem C. The operating system software D. The reference monitor

D

What name is given to the study and control of signal emanations from electrical and electromagnetic equipment? A. EMI B. Cross Talk C. EMP D. TEMPEST

D

What physical characteristics does a retinal scan biometric device measure? A. The amount of light reaching the retina B. The amount of light reflected by the retina C. The size, curvature, and shape of the retina D. The pattern of blood vessels at the back of the eye

D

What principle requires that a user be given no more privilege than necessary to perform a job? A. Principle of aggregate privilege. B. Principle of most privilege. C. Principle of effective privilege. D. Principle of least privilege.

D

What security model implies a central authority that determines what subjects can have access to what objects? A. Centralized access control B. Discretionary access control C. Mandatory access control D. Non-discretionary access control

D

What type of authentication takes advantage of an individual's unique physical characteristics in order to authenticate that person's identity? A. Password B. Token C. Ticket Granting D. Biometric

D

When will BLP consider the information flow that occurs? A. When a subject alters an object. B. When a subject accesses an object. C. When a subject observes an object. D. All of the choices.

D

Which TCSEC (Orange Book) level requires the system to clearly identify the functions of the security administrator to perform security-related functions? A. C2 B. B1 C. B2 D. B3

D

Which expert system operating mode allows determining if a given hypothesis is valid? A. Vertical chaining B. Lateral chaining C. Forward chaining D. Backward chaining

D

Which of the following RAID levels functions as a single virtual disk? A. RAID Level 7 B. RAID Level 5 C. RAID Level 10 D. RAID Level 2

D

Which of the following RFCs talks about Rule Based Security Policy? A. 1316 B. 1989 C. 2717 D. 2828

D

Which of the following are authentication server systems with operational modes that can implement SSO? A. Kerberos, SESAME and KryptoKnight B. SESAME, KryptoKnight and NetSP C. Kerberos and SESAME

D

Which of the following are measures against password sniffing? A. Passwords must not be sent through email in plain text. B. Passwords must not be stored in plain text on any electronic media. C. You may store passwords electronically if it is encrypted. D. All of the choices.

D

Which of the following are the advantages of using a passphrase? A. Difficult to crack using brute force. B. Offers numerous characters. C. Easier to remember. D. All of the choices.

D

Which of the following are the benefits of Keystroke dynamics? A. Low cost B. Unintrusive device C. Transparent D. All of the choices.

D

Which of the following attacks focuses on cracking passwords? A. SMURF B. Spamming C. Teardrop D. Dictionary

D

Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans

D

Which of the following choices is NOT part of a security policy? A. definition of overall steps of information security and the importance of security B. statement of management intent, supporting the goals and principles of information security C. definition of general and specific responsibilities for information security management D. description of specific technologies used in the field of information security

D

Which of the following correctly describes "good" security practice? A. Accounts should be monitored regularly. B. You should have a procedure in place to verify password strength. C. You should ensure that there are no accounts without passwords. D. All of the choices.

D

Which of the following correctly describes the difference between identification and authentication? A. Authentication is a means to verify who you are, while identification is what you are authorized to perform. B. Identification is a means to verify who you are, while authentication is what you are authorized to perform. C. Identification is another name of authentication. D. Identification is the child process of authentication.

D

For which of the following files should the security administrator be restricted to READ-only access? A. Security parameters B. User passwords C. User profiles D. System log

D

Which of the following is a disadvantage of a memory only card? A. High cost to develop. B. High cost to operate. C. Physically infeasible. D. Easy to counterfeit.

D

Which of the following is an operating system security architecture that provides flexible support for security policies? A. OSKit B. LOMAC C. SE Linux D. Flask

D

Which of the following is best known for capturing security requirements of commercial applications? A. Lattice B. Biba C. Bell LaPadula D. Clark and Wilson

D

Which of the following is least likely to be found in the Orange Book? A. Security policy B. Documentation C. Accountability D. Networks and network components

D

Which of the following is not a common integrity goal? A. Prevent unauthorized users from making modifications B. Maintain internal and external consistency C. Prevent authorized users from making improper modifications D. Prevent paths that could lead to inappropriate disclosure

D

Which of the following is not a compensating measure for access violations? A. Backups B. Business continuity planning C. Insurance D. Security awareness

D

Which of the following is not a component of an Operations Security "triple"? A. Asset B. Threat C. Vulnerability D. Risk

D

Which of the following is not a part of risk analysis? A. Identify risks B. Quantify the impact of potential threats C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasures D. Choose the best countermeasure

D

Which of the following is not a responsibility of a database administrator? A. Maintaining databases B. Implementing access rules to databases C. Reorganizing databases D. Providing access authorization to databases

D

Which of the following is not an Orange book-defined life cycle assurance requirement? A. Security testing B. Design specification and testing C. Trusted distribution D. System integrity

D

Which of the following is the most commonly used check on something you know? A. One time password B. Login phrase C. Retinal D. Password

D

Which of the following is true of two-factor authentication? A. It uses the RSA public-key signature based algorithm on integers with large prime factors B. It requires two measurements of hand geometry C. It does not use single sign-on technology D. It relies on two independent proofs of identity

D

Which of the following measures would be the BEST deterrent to the theft of corporate information from a laptop which was left in a hotel room? A. Store all data on disks and lock them in an in-room safe B. Remove the batteries and power supply from the laptop and store them separately from the computer C. Install a cable lock on the laptop when it is unattended D. Encrypt the data on the hard drive

D

Which of the following media is MOST resistant to tapping? A. Microwave B. Twisted pair C. Coaxial cable D. Fiber optic

D

Which of the following methods is more microscopic and will analyze the direction of the ridges of the fingerprints for matching? A. None of the choices. B. Flow direct C. Ridge matching D. Minutia matching

D

Which of the following rules is less likely to support the concept of least privilege? A. The number of administrative accounts should be kept to a minimum B. Administrators should use regular accounts when performing routine operations like reading mail C. Permissions on tools that are likely to be used by hackers should be as restrictive as possible D. Only data to and from critical systems and applications should be allowed through the firewall

D

Which of the following statements pertaining to RADIUS is incorrect? A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains. B. Most RADIUS clients have the capability to query secondary RADIUS servers for redundancy C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes D. Most RADIUS servers can work with DIAMETER servers.

D

Which of the following statements pertaining to air conditioning for an information processing facility is correct? A. The AC units must be controllable from outside the area B. The AC units must keep negative pressure in the room so that smoke and other gases are forced out of the room C. The AC units must be on the same power source as the equipment in the room to allow for easier shutdown D. The AC units must be dedicated to the information processing facilities

D

Which of the following statements pertaining to ethical hacking is incorrect? A. An organization should use ethical hackers who do not sell auditing, consulting, hardware, software, firewall, hosting, and/or networking services B. Testing should be done remotely C. Ethical hacking should not involve writing to or modifying the target systems D. Ethical hackers should never use tools that have the potential of exploiting vulnerabilities in the organization's IT system.

D

Which of the following statements pertaining to the security kernel is incorrect? A. It is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept. B. It must provide isolation for the processes carrying out the reference monitor concept and they must be tamperproof C. It must be small enough to be able to be tested and verified in a complete and comprehensive manner D. Is an access control concept, not an actual physical component

D

Which of the following uses protection profiles and security targets? A. ITSEC B. TCSEC C. CTCPEC D. International Standard 15408

D

Which one of the following describes a covert timing channel? A. Modulated to carry an unintended information signal that can only be detected by special, sensitive receivers. B. Used by a supervisor to monitor the productivity of a user without their knowledge. C. Provides the timing trigger to activate a malicious program disguised as a legitimate function. D. Allows one process to signal information to another by modulating its own use of system resources.

D

Which one of the following is commonly used for retrofitting multilevel security to a Database Management System? A. Trusted kernel B. Kernel controller C. Front end controller D. Trusted front-end

D

Which one of the following should be employed to protect data against undetected corruption? A. Non-repudiation B. Encryption C. Authentication D. Integrity

D

Which option is NOT a benefit derived from the use of neural networks? A. Linearity B. Input-Output Mapping C. Adaptivity D. Fault Tolerance

D

Which statement is NOT true concerning Application Control? A. It limits end users' use of applications in such a way that only particular screens are visible B. Only specific records can be requested C. Particular uses of applications can be recorded for audit purposes D. Is non-transparent to the endpoint applications so changes are needed to the applications involved

D

Who is the individual permitted to add users or install trusted programs? A. Database Administrator B. Computer Manager C. Security Administrator D. Operations Manager

D