Security Program Administrative & Operational Services - Part 1
C is the correct answer. Justification The requirement of confidentiality is not relevant to the certificate authority (CA), whose role is to bind an authenticated user's identity to that user's public key. Challenge/response authentication is not a process used in a public key infrastructure (PKI). The role of the CA is not needed in implementations such as Pretty Good Privacy, where the authenticity of the users' public keys is attested to by other users in a "web of trust." If role-based access control is PKI-based, either a CA is required or other trusted parties will have to attest to the validity of users' keys.
A certificate authority is required for a public key infrastructure: in cases where confidentiality is an issue. when challenge/response authentication is used. except where users attest to each other's identity. in role-based access control deployments.
B is the correct answer. Justification Multilevel policies are based on classifications and clearances. A role-based policy will associate data access with the role performed by an individual, thus restricting access to data required to perform the individual's tasks. Discretionary policies leave access decisions to be made by the information resource managers. Mandatory access control requires a clearance equal to or greater than the classification level of the asset. It generally also includes the need to know.
An organization has adopted a practice of regular staff rotation to minimize the risk of fraud and encourage cross-training. Which type of authorization policy would BEST address this practice? Multilevel Role-based Discretionary Mandatory
C is the correct answer. Justification An IPS placed in front of the firewall would almost certainly detect potential attacks continuously, creating endless false positives and directing the firewall to block many sites needlessly; most actual attacks would be intercepted by the firewall in any case. The connected devices do not need to see the IPS. For an intrusion prevention system (IPS) to detect attacks, the traffic it inspects cannot be encrypted; therefore, encryption should be terminated so that all traffic can be viewed by the IPS. The encryption should be terminated at a hardware Secure Sockets Layer (SSL, now Transport Layer Security) accelerator or a virtual private network server, with the IPS placed behind it, to allow all traffic to be monitored. Mirroring traffic to the IPS only determines where packets are copied, not whether they can be inspected, so it does not by itself solve the problem.
An organization is implementing intrusion protection in their demilitarized zone (DMZ). Which of the following steps is necessary to make sure that the intrusion prevention system (IPS) can view all traffic in the DMZ? Ensure that intrusion prevention is placed in front of the firewall. Ensure that all devices that are connected can easily see the IPS in the network. Ensure that all encrypted traffic is decrypted prior to being processed by the IPS. Ensure that traffic to all devices is mirrored to the IPS.
D is the correct answer. Justification External audit may assess and advise on the program, and testers may be used by the program; however, they are not appropriate steering committee members. The steering committee needs practitioner-level executive representation. It may report to the board, but board members would not generally be part of the steering committee, except for its executive sponsor, and regulators would not participate in this committee. External trade union representatives and key security vendors are entities that may need to be consulted as part of program activities, but they would not be members of the steering committee. Leaders from IT, human resources and sales are some of the key individuals who must support an information security program.
An organization's information security manager is planning the structure of the information security steering committee. Which of the following groups should the manager invite? External audit and network penetration testers Board of directors and the organization's regulators External trade union representatives and key security vendors Leadership from IT, human resources and the sales department
C is the correct answer. Justification Metrics for network backups are not an awareness issue. Training software that simulates security incidents is suitable for incident response teams but not for general awareness training. An organization's security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with the security policy. Access levels are specific issues, not generally the content of awareness training.
An organization's security awareness program should focus on which of the following? Establishing metrics for network backups Installing training software which simulates security incidents Communicating what employees should or should not do in the context of their job responsibilities Access levels within the organization for applications and the Internet
D is the correct answer. Justification While biometrics provides unique authentication, it is not strong by itself unless a personal identification number (PIN) or some other authentication factor is used with it; biometric authentication by itself is also subject to replay attacks. A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a typical authentication mechanism for end users, and the shared secret key could still be compromised. Secure Sockets Layer (SSL, since superseded by Transport Layer Security) is the standard security technology for establishing an encrypted link between a web server and a browser. If SSL is used with a client certificate and a password, that would be two-factor authentication. Two-factor authentication requires more than one type of user authentication factor, typically something you know and something you have, such as a PIN and a smart card.
For virtual private network access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure? Biometrics Symmetric encryption keys Secure Sockets Layer based authentication Two-factor authentication
A is the correct answer. Justification To preserve confidentiality of a message while in transit, encryption should be implemented. Strong authentication ensures the identity of the participants but does not secure the message in transit. Digital signatures authenticate the sender and the integrity of the message but do not prevent interception or reading of its contents. A hashing algorithm ensures integrity only.
In the process of deploying a new email system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new email system implementation? Encryption Strong authentication Digital signature Hashing algorithm
C is the correct answer. Justification Two firewalls in parallel provide two concurrent paths for compromise and, therefore, do not provide defense in depth. If they were connected in series one behind the other, they would provide defense in depth. As both entry points connect to the Internet and to the same demilitarized zone, such an arrangement is not practical for separating test from production. Having two entry points, each guarded by a separate firewall, is desirable to permit traffic load balancing. Firewalls are not effective at preventing denial-of-service attacks.
The BEST reason for an organization to implement two discrete firewalls connected directly to the Internet and to the same demilitarized zone would be to: provide in-depth defense. separate test and production. permit traffic load balancing. prevent a denial-of-service attack.
C is the correct answer. Justification Because a statistical anomaly-based IDS (stat IDS) must constantly attempt to match patterns of activity to its baseline parameters, it requires much more overhead and processing than signature-based versions. However, this is not the most important reason. Because a stat IDS is based on statistics and compares data with baseline parameters, it may not detect minor changes to system variables and may generate many false positives. However, this is not the most important reason either. A stat IDS collects data from normal traffic and establishes a baseline. It then periodically samples network activity using statistical methods and compares the samples to the baseline. When the activity falls outside the baseline parameters (the clipping level), the IDS notifies the administrator. The baseline variables can include a host's memory or central processing unit usage, network packet types and packet quantities. If the actions of the users or systems on the network vary widely, with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another will almost certainly generate false alarms. This weakness has the largest impact on the operation of the IT systems. Because a stat IDS monitors multiple system variables, it can detect new types of attacks by flagging abnormal activity of any kind, so the inability to detect new attacks is not a valid reason.
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs is that stat IDSs: create more overhead than signature-based IDSs. cause false positives from minor changes to system variables. generate false alarms from varying user or system actions. cannot detect new types of attacks.
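The behaviour described above, worked through on constructed data as an added example (this is editor-supplied Python, not code from the original page; the packets-per-minute figures are made up): a baseline of normal traffic is summarised as a mean and standard deviation, and any observation beyond k standard deviations (the clipping level) raises an alarm. Run against a steady host it catches a flood, run against a legitimately bursty host it alarms on almost every sample, and a baseline learned from bursty traffic is so wide that the same flood slips through.

```python
"""Statistical anomaly detection with a clipping level, on constructed data.

Added example (not from the original page). A baseline of packets-per-minute
counts is summarised as mean and standard deviation; an observation further
than k standard deviations from the mean (the clipping level) raises an alarm.
All traffic figures below are made up to illustrate the behaviour described.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Baseline:
    mu: float      # mean of the training window
    sigma: float   # standard deviation of the training window
    k: float       # clipping level, in standard deviations

    @property
    def band(self) -> Tuple[float, float]:
        """Range of values considered 'normal'."""
        return (self.mu - self.k * self.sigma, self.mu + self.k * self.sigma)


def fit_baseline(samples: Sequence[float], k: float = 3.0) -> Baseline:
    """Learn 'normal' from a training window of per-minute packet counts."""
    return Baseline(mu=mean(samples), sigma=pstdev(samples), k=k)


def alarms(baseline: Baseline, observations: Sequence[float]) -> List[Tuple[int, float]]:
    """Return (index, value) for every observation outside the clipping band."""
    low, high = baseline.band
    return [(i, x) for i, x in enumerate(observations) if x < low or x > high]


# Constructed traffic: a steady host, a bursty host, and a steady host that is
# then hit by a flood (the 400-packet minute).
STEADY_TRAINING = [100, 105, 98, 102, 99, 101, 103, 97, 100, 104]
BURSTY_TRAINING = [20, 250, 15, 300, 100, 30, 280, 10, 260, 90]
BURSTY_BUT_LEGIT = [20, 250, 15, 300, 100]
STEADY_WITH_FLOOD = [101, 99, 100, 400, 102]


def run_demo() -> dict:
    steady = fit_baseline(STEADY_TRAINING)
    bursty = fit_baseline(BURSTY_TRAINING)
    return {
        # Steady baseline, real flood: the spike is caught.
        "steady_baseline_flood_alarms": len(alarms(steady, STEADY_WITH_FLOOD)),
        # Steady baseline, legitimate but wildly varying load: every swing alarms.
        "steady_baseline_false_alarms": len(alarms(steady, BURSTY_BUT_LEGIT)),
        # Baseline learned from bursty traffic is so wide the flood slips through.
        "bursty_baseline_flood_alarms": len(alarms(bursty, STEADY_WITH_FLOOD)),
    }


if __name__ == "__main__":
    for name, count in run_demo().items():
        print(f"{name}: {count}")
```

The steady baseline has a mean of about 101 packets per minute and a standard deviation of about 2.5, so with k = 3 the normal band is roughly 93 to 108; the bursty baseline has a standard deviation above 100, which pushes the band out past 480 and hides the 400-packet flood. Tuning k trades one failure mode against the other, which is exactly why these systems need a stable workload to be useful.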
B is the correct answer. Justification Public key encryption is computationally intensive because of the large-number arithmetic and long key lengths required. Symmetric (secret key) encryption requires a separate key for each pair of individuals who wish to have confidential communications, so n participants need n(n-1)/2 keys; the number of keys grows quadratically, resulting in intractable distribution and storage problems. With public key encryption each participant needs only one key pair, n in total. Public key infrastructure is more costly for small groups but less costly to maintain as the number of participants grows beyond a certain size; it is the only manageable option for large groups, which is why it is preferred. Secret key encryption requires much shorter key lengths to achieve equivalent strength.
The use of public key encryption for the purpose of providing encryption keys between a large number of individuals is preferred PRIMARILY because: public key encryption is computationally more efficient. scaling is less of a problem than using a symmetrical key. public key encryption is less costly to maintain than symmetric key approaches for small groups. public key encryption provides greater encryption strength than secret key options.
D is the correct answer. Justification Packet filtering does not focus on virus detection. Intrusion detection does not address virus detection. Software upgrades are related to the periodic updating of the program code, which would not be as critical. The effectiveness of virus detection software depends on virus signatures, which are stored in virus definition files.
What does the effectiveness of virus detection software MOST depend on? Packet filtering Intrusion detection Software upgrades Definition files
A is the correct answer. Justification Biometric access control systems are not infallible. When tuning the solution, the sensitivity level is adjusted to favor either the false reject rate (FRR, type I error rate), so that the system is more likely to deny access to a valid user, or the false acceptance rate (FAR, type II error rate), so that it is more likely to allow access to an invalid user. For a high-security data center, the preferable setting lies in the high-FRR region. A high FAR marginalizes security by allowing too much unauthorized access. In systems where false rejects are a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts. As the sensitivity of the biometric system is adjusted, the FRR and FAR change inversely. At one point the two values intersect and are equal; this point is the crossover error rate (also called the equal error rate), which is used as a measure of the system's accuracy. A setting lower than the crossover error rate will produce too high a FAR for a high-security data center. In a very sensitive system it is desirable to minimize the number of false accepts (unauthorized persons allowed access). To do this, the system is tuned to be more sensitive with a lower FAR, which causes the FRR (the number of authorized persons disallowed access) to increase.
What is a desirable sensitivity setting for a biometric access control system that protects a high-security data center? A high false reject rate A high false acceptance rate Lower than the crossover error rate Exactly to the crossover error rate
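The trade-off above, worked through on constructed match scores as an added example (editor-supplied Python, not part of the original page; the score values are made up and a real system would obtain them from enrolment and verification trials): the code sweeps the decision threshold, computes FAR and FRR at each candidate, locates the crossover (equal) error rate, and then picks the high-security setting that drives FAR to zero at the cost of a higher FRR.

```python
"""Tuning a biometric threshold: FAR, FRR and the crossover (equal) error rate.

Added example, not from the original page. Match scores are constructed for
illustration: higher means the sample looks more like the enrolled template,
and a sample is accepted when its score is at or above the threshold.
"""
from typing import Iterable, List, Sequence, Tuple

# Constructed scores in [0, 1]. Genuine = legitimate users, impostor = everyone else.
GENUINE_SCORES: List[float] = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.52, 0.48]
IMPOSTOR_SCORES: List[float] = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.50, 0.55]


def far(impostor: Iterable[float], threshold: float) -> float:
    """False acceptance rate: share of impostor attempts accepted (score >= threshold)."""
    scores = list(impostor)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def frr(genuine: Iterable[float], threshold: float) -> float:
    """False rejection rate: share of genuine attempts rejected (score < threshold)."""
    scores = list(genuine)
    return sum(1 for s in scores if s < threshold) / len(scores)


def candidate_thresholds(genuine: Sequence[float], impostor: Sequence[float]) -> List[float]:
    """Every observed score is a candidate threshold; between them nothing changes."""
    return sorted(set(genuine) | set(impostor))


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are (closest to) equal, plus both rates."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        a, r = far(impostor, t), frr(genuine, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def tune_for_max_far(genuine: Sequence[float], impostor: Sequence[float], max_far: float) -> Tuple[float, float, float]:
    """High-security tuning: the lowest threshold whose FAR does not exceed max_far.

    Raising the threshold drives FAR down and FRR up, which is what a
    high-security data center wants: an authorised person is occasionally
    re-prompted, but an impostor is almost never let in.
    """
    for t in candidate_thresholds(genuine, impostor):
        if far(impostor, t) <= max_far:
            return (t, far(impostor, t), frr(genuine, t))
    raise ValueError("no threshold achieves the requested FAR")


if __name__ == "__main__":
    t, a, r = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover (equal) error rate at threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    t, a, r = tune_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"high-security setting at threshold {t}: FAR={a:.2f} FRR={r:.2f}")
```

On these scores the crossover sits at a threshold of 0.52 with FAR and FRR both at 10 percent; pushing the threshold to 0.60 eliminates false accepts entirely while doubling the false reject rate to 20 percent, which is the "high false reject rate" the question asks for.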
D is the correct answer. Justification Patches should not be delayed to coincide with other scheduled rollouts. Patches should not be delayed to coincide with other scheduled maintenance. Due to the possibility of creating a system outage, patches should not be deployed during critical periods of application activity such as month-end or quarter-end closing. Patches should be applied whenever important security updates are released after being tested to ensure compatibility.
What is an appropriate frequency for updating operating system patches on production servers? During scheduled rollouts of new applications According to a fixed security patch management schedule Concurrently with quarterly hardware maintenance Whenever important security patches are released
D is the correct answer. Justification Regularly updated signature files are unrelated to an SQL injection attack and would fail to prevent it. A properly configured firewall would fail to prevent such an attack, because the malicious input arrives inside an otherwise legitimate web request. An intrusion detection system detects but does not prevent such an attack. Structured query language (SQL) injection involves typing SQL command fragments into a data entry field on a web page so that they are spliced into the application's query, for example to make a login query succeed without a valid password or to read or modify data the user is not authorized to see. The best defense among the options is strict control over what can be entered into a data input field so that SQL syntax is rejected; in practice this is paired with parameterized queries (prepared statements), which keep user input as data rather than SQL text. Code reviews should also be conducted to ensure that such controls are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses.
What is the BEST defense against a Structured Query Language injection attack? Regularly updated signature files A properly configured firewall An intrusion detection system Strict controls on input fields
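To make the attack and the defense concrete, here is an added example in Python using the built-in sqlite3 module (editor-supplied, not code from the original page; the user table, the account name and the password are constructed for the demo, and passwords are stored as plain SHA-256 digests only to keep the example short, where a real system would use a salted, slow password hash). It shows a login check that splices user input into the SQL text, the injected username that bypasses it, and the hardened version that applies an allow-list to the input and uses a parameterized query.

```python
"""SQL injection: a string-built login query beside its hardened form.

Added example, not from the original page. Uses Python's sqlite3 module with a
constructed in-memory user table; "alice" / "correct horse" are made-up
credentials. SHA-256 stands in for a real password hash (bcrypt, argon2) to
keep the demo short.
"""
import hashlib
import re
import sqlite3

# Allow-list for usernames: letters, digits, underscore, 1-32 characters.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _digest("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input is spliced into the SQL text.

    A username of "' OR 1=1 --" yields
        SELECT 1 FROM users WHERE name = '' OR 1=1 --' AND pw_hash = '...'
    The "--" comments out the password check, so any row satisfies the query.
    """
    query = (
        "SELECT 1 FROM users WHERE name = '" + username + "' "
        "AND pw_hash = '" + _digest(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Strict input control plus a parameterized query.

    The allow-list rejects anything that is not a plain identifier before it
    reaches the database; the placeholders keep whatever does arrive as data,
    never as SQL syntax, so even a missed edge case cannot change the query.
    """
    if not _USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
        (username, _digest(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected username :", login_vulnerable(db, "' OR 1=1 --", "wrong"))
    print("hardened,   injected username :", login_hardened(db, "' OR 1=1 --", "wrong"))
    print("hardened,   real credentials  :", login_hardened(db, "alice", "correct horse"))
```

The two defenses are complementary: the allow-list is the "strict control on input fields" the answer key refers to, while the parameterized query is what makes the code safe even for fields (free-text comments, addresses) where an allow-list cannot be so restrictive.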
B is the correct answer. Justification Authentication protects access to the data but does not protect the data once the authentication is compromised. Encryption provides the most effective protection of data on mobile devices. Prohibiting employees from copying data to universal serial bus (USB) devices does not prevent copying data and offers minimal protection. Limiting the use of USB devices does not secure the data on them.
What is the BEST policy for securing data on mobile universal serial bus (USB) drives? Authentication Encryption Prohibit employees from copying data to USB devices Limit the use of USB devices
B is the correct answer. Justification Distributing printed copies will not motivate individuals as much as the consequences of being found in noncompliance. The best way to ensure that information security policies are followed is to periodically review levels of compliance. Escalating penalties will first require a compliance review. Establishing an abuse hotline will not motivate individuals as much as the consequences of being found in noncompliance.
What is the BEST way to ensure that information security policies are followed? Distribute printed copies to all employees. Perform periodic reviews for compliance. Include escalating penalties for noncompliance. Establish an anonymous hotline to report policy abuses.
B is the correct answer. Justification Penetration testing will not be as effective and can only be performed periodically. Security baselines will provide the best assurance that each platform meets minimum security criteria. Vendor default settings will not necessarily meet the criteria set by the security policies. Linking policies to an independent standard will not provide assurance that the platforms meet these levels of security.
What is the BEST way to ensure that security settings on each platform are in compliance with information security policies and procedures? Perform penetration testing. Establish security baselines. Implement vendor default settings. Link policies to an independent standard.
A is the correct answer. Justification Automated password synchronization reduces the overall administrative workload of resetting passwords. Automated password synchronization does not increase security between multi-tier systems. Automated password synchronization does not allow passwords to be changed less frequently. Automated password synchronization does not reduce the need for two-factor authentication.
What is the MAIN advantage of implementing automated password synchronization? It reduces overall administrative workload. It increases security between multi-tier systems. It allows passwords to be changed less frequently. It reduces the need for two-factor authentication.
A is the correct answer. Justification Logon banners appear every time the user logs on, and the user is required to read and agree to them before using the resources. Also, because the message is conveyed in writing and appears consistently, it is easily enforceable in any organization. Security-related email messages are frequently treated as spam by network users and do not, by themselves, ensure that the user agrees to comply with security requirements. The existence of an intranet web site does not force users to access it and read the information. Circulating the information security policy alone does not confirm that an individual user has read, understood and agreed to comply with its requirements unless it is associated with a formal acknowledgment, such as a user's signature of acceptance.
What is the MOST effective way to ensure network users are aware of their responsibilities to comply with an organization's security requirements? Logon banners displayed at every logon Periodic security-related email messages An Intranet web site for information security Circulating the information security policy
A is the correct answer. Justification People are the weakest link in security implementation, and awareness would reduce this risk. Maintaining evidence of training is useful but far from the most important reason for conducting awareness training. Informing business units about the security strategy is best done through steering committee meetings or other forums. Security awareness training is not generally for security incident response.
What is the MOST important reason for conducting security awareness programs throughout an organization? Reducing the human risk Maintaining evidence of training records to ensure compliance Informing business units about the security strategy Training personnel in security incident response
A is the correct answer. Justification Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will, therefore, be different. Representation of senior management is important; however, the customization of content is the most important factor. Training of staff across all hierarchical levels is important; however, the customization of content is the most important factor. Replacing technical jargon with concrete examples is a good practice; however, the customization of content is the most important factor.
What is the MOST important success factor to design an effective IT security awareness program? Customization of content to target audience Representation of senior management Training of staff across all hierarchical levels Replacing technical jargon with concrete examples
A is the correct answer. Justification External resources that can contribute cost-effective expertise not available internally represent the primary driver for the information security manager to make use of them. The information security manager remains responsible for meeting the security program requirements despite using the services of external resources. External resources should never completely replace the role of internal resources from a strategic perspective. External resources will not know the information security manager's organization and its business better than the internal staff do.
What is the PRIMARY driver for obtaining external resources to execute the information security program? External resources can contribute cost-effective expertise not available internally. External resources can be made responsible for meeting the security program requirements. External resources can replace the dependence on internal resources. External resources can deliver more effectively on account of their knowledge.
A is the correct answer. Justification Virtual private network (VPN) tunneling for remote users provides an encrypted link that helps ensure secure communications. VPN tunneling does not affect security within the internal network. VPN tunneling does not affect password change frequency. VPN tunneling does not eliminate the need for secondary authentication.
What is the advantage of virtual private network tunneling for remote users? It helps ensure that communications are secure. It increases security between multi-tier systems. It allows passwords to be changed less frequently. It eliminates the need for secondary authentication.
D is the correct answer. Justification Budget considerations are more of an accounting function. Recruiting IT-savvy staff may bring in new employees with better awareness of information security, but that is not a replacement for the training requirements of the other employees. Periodic risk assessments may or may not involve the human resources department function. An information security manager has to impress upon the human resources department the need for security awareness training for all employees. The human resources department would become involved once they are convinced of the need of security awareness training.
What should an information security manager focus on when speaking to an organization's human resources department about information security? An adequate budget for the security program Recruitment of technical IT employees Periodic risk assessments Security awareness training for employees
D is the correct answer. Justification Internet Protocol spoofing will not work because the IP address is not used as an authentication mechanism. Man-in-the-middle attacks are defeated when Secure Sockets Layer is used with client-side certificates, because both ends of the session are authenticated. Repudiation is unlikely because client-side certificates authenticate the user. A Trojan is a program that can give the attacker full control over the infected computer, so it can hijack, copy or alter information after the user has authenticated; the encrypted session offers no protection because the data are exposed on the endpoint before encryption and after decryption.
When a user employs a client-side digital certificate to authenticate to a web server through Secure Sockets Layer, confidentiality is MOST vulnerable to which of the following? Internet Protocol spoofing Man-in-the-middle attack Repudiation Trojan
C is the correct answer. Justification Placing the IDS on the Internet side of the firewall is not advised because the system will generate alerts on all malicious traffic, even though 99 percent of it will be stopped by the firewall and never reach the internal network. Because firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to install the IDS on the same physical device. An intrusion detection system (IDS) should be placed on a screened subnet, which is a demilitarized zone. Placing the IDS on the external router, if such a thing were feasible, is not advised for the same reason as placing it outside the firewall: it would alert on traffic the firewall will drop anyway.
When designing an intrusion detection system, the information security manager should recommend that it be placed: outside the firewall. on the firewall server. on a screened subnet. on the external router.
C is the correct answer. Justification Placing the extranet server on the Internet side of the firewall would leave it defenseless. Because firewalls should be installed on hardened servers with minimal services enabled, it would be inappropriate to host the extranet on the same physical device. An extranet server should be placed on a screened subnet, which is a demilitarized zone. Placing the extranet server on the external router, even if it were possible, would leave it defenseless.
When designing information security standards for an enterprise, the information security manager should require that an extranet server be placed: outside the firewall. on the firewall server. on a screened subnet. on the external router.
D is the correct answer. Justification Placing the firewall on a web server, which itself sits in the demilitarized zone (DMZ), does not provide any protection for the boundary. Because firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to have the firewall and the intrusion detection system on the same physical device. Placing it on a screened subnet, which is a DMZ, does not provide protection either, because the DMZ is a segment the firewall is supposed to guard. A firewall should be placed on a (security) domain boundary, where it can mediate all traffic crossing between domains of different trust.
Where should a firewall be placed? On the web server On the intrusion detection system server On the screened subnet On the domain boundary
A is the correct answer. Justification An intranet server should stay on the internal network because external people do not need to access it; keeping it there reduces the risk of unauthorized access. Because firewalls should be installed on hardened servers with minimal services enabled, it is inappropriate to host the intranet server on the same physical device as the firewall. Placing the intranet server on an external router leaves it exposed. Primary domain controllers should not share the same physical device as the intranet server.
Where should an intranet server generally be placed? On the internal network On the firewall server On the external router On the primary domain controller
D is the correct answer. Justification Strong passwords only ensure authentication to the system and cannot be used for nonrepudiation involving two or more parties. A digital hash in itself helps in ensuring integrity of the contents, but not nonrepudiation. Symmetric encryption would not help in nonrepudiation because the key is shared between the parties, so either of them could have produced the message. Digital signatures use a private and public key pair and authenticate the signer of each message; because only the signer holds the private key, the signer cannot later deny having produced the signature. The integrity of the contents exchanged is controlled through the hash of the message, which is what the exchanging party signs with its private key.
Which of the following BEST ensures nonrepudiation? Strong passwords A digital hash Symmetric encryption Digital signatures
A is the correct answer. Justification Encryption of data in a virtual private network ensures that transmitted information is not readable, even if intercepted. Firewalls and routers protect access to data resources inside the network and do not protect traffic in the public network. Biometric authentication alone would not prevent a message from being intercepted and read. Two-factor authentication alone would not prevent a message from being intercepted and read.
Which of the following BEST ensures that information transmitted over the Internet will remain confidential? A virtual private network Firewalls and routers Biometric authentication Two-factor authentication
B is the correct answer. Justification Redundant power supplies would not prevent an individual from powering down a device. Protective switch covers would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device. Shutdown alarms would be after the fact. Biometric readers would be used to control access to the systems.
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area? Redundant power supplies Protective switch covers Shutdown alarms Biometric readers
A is the correct answer. Justification Structured query language (SQL) injection attacks occur at the application layer. Most intrusion prevention systems inspect application-layer content, will detect at least basic sets of SQL injection patterns and will be able to stop them, although evasion is possible, so an IPS complements rather than replaces input validation and parameterized queries in the application itself. Intrusion detection systems detect but do not prevent. Host-based intrusion detection systems will be unaware of SQL injection problems. A host-based firewall, whether on the web server or the database server, will allow the connection because such firewalls do not inspect packets at the application layer.
Which of the following devices could potentially stop a structured query language injection attack? An intrusion prevention system An intrusion detection system A host-based intrusion detection system A host-based firewall
B is the correct answer. Justification Switches may bridge a demilitarized zone (DMZ) to another network but do not technically reside within the DMZ network segment. A web server should normally be placed within a DMZ to shield the internal network. Database servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise. File/print servers may contain confidential or valuable data and should always be placed on the internal network, never on a DMZ that is subject to compromise.
Which of the following devices should be placed within a demilitarized zone? Network switch Web server Database server File/print server
D is the correct answer. Justification The modified date can be set to any value with ordinary file utilities, so it proves nothing. Encrypting the file makes it harder to modify meaningfully but does not ensure it has not been corrupted or altered. Access control cannot ensure that file data have not been changed. A hashing algorithm can be used to mathematically ensure that data have not been changed by hashing the file and comparing the result with a hash taken earlier; this only works if the reference hash is stored where someone able to alter the file cannot also alter the hash (for example, on a separate system or protected by a digital signature).
Which of the following guarantees that data in a file have not changed? Inspecting the modified date of the file Encrypting the file with symmetric encryption Using stringent access control to prevent unauthorized access Creating a hash of the file, then comparing the file hashes
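An added example in Python (editor-supplied, not from the original page) that makes the contrast concrete: it writes a constructed file, records its SHA-256 digest and modification time, tampers with the contents while restoring the original timestamp with os.utime, and shows that the timestamp check still passes while the hash comparison fails. The file name and contents are made up for the demo.

```python
"""Why the modified date proves nothing and a hash does.

Added example, not from the original page. Writes a constructed file, records
its SHA-256 digest and mtime, tampers with the contents, puts the original
timestamps back (as an attacker would), and checks which control notices.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mtime_unchanged(path: Path, recorded_mtime_ns: int) -> bool:
    """The naive check: has the modification timestamp moved?"""
    return path.stat().st_mtime_ns == recorded_mtime_ns


def hash_unchanged(path: Path, recorded_digest: str) -> bool:
    """The real check: does the content still hash to the recorded digest?"""
    return sha256_file(path) == recorded_digest


def tamper_preserving_mtime(path: Path, new_content: bytes) -> None:
    """Change the file, then restore the original access and modification times."""
    st = path.stat()
    path.write_bytes(new_content)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> dict:
    """Run the scenario in a temporary directory and report both checks."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "ledger.txt"                       # constructed file
        p.write_bytes(b"account=42;balance=100\n")
        digest, mtime_ns = sha256_file(p), p.stat().st_mtime_ns
        tamper_preserving_mtime(p, b"account=42;balance=999999\n")
        return {
            "mtime_check_passes": mtime_unchanged(p, mtime_ns),
            "hash_check_passes": hash_unchanged(p, digest),
        }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The recorded digest has to live somewhere the tampering party cannot reach (another host, a signed manifest); a hash stored next to the file it protects can simply be recomputed by whoever changed the file.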
B is the correct answer. Justification Boundary routers would do little to secure wireless networks. Strong encryption is the most effective means of protecting wireless networks. Internet facing firewall would offer no protection from a local attack on a wireless network. Compromise of weak encryption would not be detected by an intrusion detection system.
Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network? Boundary router Strong encryption Internet-facing firewall Intrusion detection system
B is the correct answer. Justification Patch management corrects discovered weaknesses by applying a correction to the original program code. Change management controls the process of introducing changes to systems. Failure to have good change management may introduce new weaknesses into otherwise secure systems. Security metrics provide a means for measuring effectiveness. Version control is a subset of change management.
Which of the following is MOST effective in preventing the introduction of a code modification that may reduce the security of a critical business application? Patch management Change management Security metrics Version control
C is the correct answer. Justification Firewall rules are unsuccessful at blocking this kind of attack. Signature files are unrelated to this kind of attack. Phishing relies on social engineering techniques. Providing good security awareness training will best reduce the likelihood of such an attack being successful. Intrusion detection system monitoring is unsuccessful at blocking this kind of attack.
Which of the following is MOST effective in protecting against the attack technique known as phishing? Firewall blocking rules Up-to-date signature files Security awareness training Intrusion detection monitoring
B is the correct answer. Justification Standards may provide metrics for deployment but would not provide significant management tools. Deploying complex security initiatives and integrating a range of diverse projects and activities would be more easily managed with the overview and relationships provided by a security architecture. Policies would guide direction but would not provide significant management tools. Management support is always helpful and may assist in providing resources, but it would be of little direct benefit in managing complex security deployments.
Which of the following is MOST useful in managing increasingly complex security deployments? A standards-based approach A security architecture Policy development Senior management support
D is the correct answer. Justification Authentication does not ensure the authenticity of the data, just the identity of the sender. Steganography is a form of encryption that may ensure integrity but not identity. Authentication does not ensure the authenticity of the data, just the identity of the sender. Digital signature ensures both the identity and the integrity of the data.
Which of the following is generally used to ensure that information transmitted over the Internet is authentic and actually transmitted by the named sender? Biometric authentication Embedded steganographic Two-factor authentication Embedded digital signature
B is the correct answer. Justification Password resets may or may not have anything to do with awareness levels. Reported incidents will provide an indicator of the awareness level of staff. An increase in reported incidents could indicate that the staff is paying more attention to security. The number of incidents resolved may not correlate to staff awareness. Access rule violations may or may not have anything to do with awareness levels.
Which of the following is the BEST metric for evaluating the effectiveness of security awareness training? The number of password resets The number of reported incidents The number of incidents resolved The number of access rule violations
A is the correct answer. Justification New viruses are being introduced almost daily. The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur. Weekly updates may potentially allow new viruses to infect the system. Operating system updates are too infrequent for virus updates. Change control updates are sporadic and not the basis for virus updates.
Which of the following is the MOST appropriate frequency for updating antivirus signature files for antivirus software on production servers? Daily Weekly Concurrently with operating system patch updates During scheduled change control updates
B is the correct answer. Justification Centralized access control is not a type of access control but a form of administration. Role-based access control allows users to be grouped into job-related categories, which significantly eases the required administrative overhead because in most organizations there are fewer roles than employees, and roles change far less frequently. Decentralized access control is not a type of access control but an administration approach. Discretionary access control would require a greater degree of administrative overhead because it is based on each individual rather than groups of individuals.
Which of the following is the MOST cost-effective type of access control? Centralized Role-based Decentralized Discretionary
B is the correct answer. Justification Biometric access control limits access but does not protect stored data once access has been breached. Encryption of stored data will help ensure that the actual data cannot be recovered without the encryption key. Power-on passwords do not protect data effectively. Protecting data stored on mobile computing devices does not relate to protecting data in transmission.
Which of the following is the MOST effective security measure to protect data held on mobile computing devices? Biometric access control Encryption of stored data Power-on passwords Protection of data being transmitted
A is the correct answer. Justification Screened subnets are demilitarized zones and are oriented toward preventing attacks on an internal network by external users. The policies and procedures to classify information will ultimately result in better protection, but they will not prevent actual modification. Role-based access controls would help ensure that users only had access to files and systems appropriate for their job role. Intrusion detection systems are useful to detect invalid attempts, but they will not prevent attempts.
Which of the following is the MOST effective solution for preventing individuals external to the organization from modifying sensitive information on a corporate database? Screened subnets Information classification policies and procedures Role-based access controls Intrusion detection system
A is the correct answer. Justification If an intrusion detection system is not properly tuned, it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more related to operating system hardening. Encryption would not be as relevant as tuning. Packet filtering would not be as relevant as tuning.
Which of the following is the MOST important consideration when implementing an intrusion detection system? Tuning Patching Encryption Packet filtering
C is the correct answer. Justification Authentication of the point-of-sale terminal will not prevent unauthorized reading of the data. Hardening will protect the point-of-sale terminal but will not prevent unauthorized reading of the data. Cardholder data should be encrypted using strong encryption techniques. Nonrepudiation is not relevant to credit card data protection.
Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale cash register? Authentication Hardening Encryption Nonrepudiation
D is the correct answer. Justification Open source tools are an excellent resource for performing scans. Scans should focus on both the test and production environments because, if compromised, the test environment could be used as a platform from which to attack production servers. The process of scanning for exposures is more of a spiral process than a linear process. The first rule of scanning for security exposures is to not break anything. This includes the interruption of any running production processes.
Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network? Never use open source tools Focus only on production servers Follow a linear process for attacks Do not interrupt production processes
C is the correct answer. Justification Server patching is not affected by the presence of middleware. System backups are not affected. The major risk associated with middleware in a client-server environment is that data integrity may be adversely affected if middleware were to fail or become corrupted. Hijacked end-user sessions can occur but can be detected by implementing security checks in the middleware.
Which of the following is the MOST important risk associated with middleware in a client-server environment? Server patching may be prevented System backups may be incomplete Data integrity may be affected End-user sessions may be hijacked
D is the correct answer. Justification Adequate policies and procedures will have little effect on changing security culture. Compliance reviews can have a minor impact on an organization's security culture. Steering committees that have high-level management representation can affect the security culture. Of these options, security awareness campaigns are likely to be the most effective at improving security consciousness.
Which of the following is the MOST likely to change an organization's culture to one that is more security conscious? Adequate security policies and procedures Periodic compliance reviews Security steering committees Security awareness campaigns
B is the correct answer. Justification Media access control (MAC) address filtering by itself is not a good security mechanism because allowed MAC addresses can be easily sniffed and then spoofed to get into the network. The Wi-Fi Protected Access (WPA2) protocol is currently one of the most secure authentication and encryption protocols for mainstream wireless products. Wired Equivalent Privacy (WEP) is no longer a secure encryption mechanism for wireless communications. The WEP key can be easily broken within minutes using widely available software. Once the WEP key is obtained, all communications of every other wireless client are exposed. A web-based authentication mechanism can be used to prevent unauthorized user access to a network, but it will not solve the wireless network's main security issues, such as preventing network sniffing.
Which of the following mechanisms is the MOST secure way to implement a secure wireless network? Filter media access control addresses Use a Wi-Fi Protected Access protocol Use a Wired Equivalent Privacy key Web-based authentication
B is the correct answer. Justification Using token-based authentication does not prevent a man-in-the-middle attack; however, it may help eliminate reusability of stolen cleartext credentials. IP Security v6 effectively prevents man-in-the-middle attacks by including the source and destination Internet Protocol (IP) addresses within the encrypted portion of the packet. The protocol is resilient to man-in-the-middle attacks. A Hypertext Transfer Protocol Secure session can be intercepted through domain name system (DNS) or Address Resolution Protocol (ARP) poisoning. ARP poisoning, a specific kind of man-in-the-middle attack, may be prevented by setting static media access control addresses. Nevertheless, DNS and NetBIOS resolution can still be attacked to deviate traffic.
Which of the following practices completely prevents a man-in-the-middle attack between two hosts? Use security tokens for authentication Connect through an IP Security v6 virtual private network Use Hypertext Transfer Protocol Secure with a server-side certificate Enforce static media access control addresses
D is the correct answer. Justification Firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted. Even weak encryption algorithms require adequate resources to break, whereas encryption keys, once obtained, can be used easily. The application "front door" controls may be bypassed by accessing data directly. Key management is the weakest link in encryption. If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network.
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization's network? Configuration of firewalls Strength of encryption algorithms Authentication within application Safeguards over keys
C is the correct answer. Justification Blocking traffic would be overly restrictive to the conduct of business. Blocking new logins would be overly restrictive to the conduct of business. The best mechanism is for the system to fall back to the original process of logging on individually to each system. Recording all user activity would add little value.
Which of the following should automatically occur FIRST when a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning? The firewall should block all inbound traffic during the outage. All systems should block new logins until the problem is corrected. Access control should fall back to nonsynchronized mode. System logs should record all user activity for later analysis.
A is the correct answer. Justification Strong authentication will provide adequate assurance on the identity of the users. Internet Protocol antispoofing is aimed at the device rather than the user. An encryption protocol ensures data confidentiality and authenticity. Access lists of trusted devices are easily exploited by spoofing the identity of the clients.
Which of the following should the information security manager implement to protect a network against unauthorized external connections to corporate systems? Strong authentication Internet Protocol antispoofing filtering Network encryption protocol Access lists of trusted devices
C is the correct answer. Justification An intrusion detection system can be used to detect an external attack but would not help in authenticating a user attempting to connect. IP address packet filtering would protect against spoofing an internal address but would not provide strong authentication. Two-factor authentication provides an additional security mechanism over and above that provided by passwords alone. This is frequently used by mobile users needing to establish connectivity to a corporate network. Digital signatures ensure that transmitted information can be attributed to the named sender.
Which of the following technologies is utilized to ensure that an individual connecting to a corporate internal network over the Internet is not an intruder masquerading as an authorized user? Intrusion detection system IP address packet filtering Two-factor authentication Embedded digital signature
C is the correct answer. Justification IT security staff will require technical inputs, and having a separate training program would not be considered a challenge. Evaluating training program effectiveness is not a problem when developing a standard training program. In fact, the evaluation of training program effectiveness will be easier for a standard training program delivered across the organization. A diverse culture and differences in the levels of IT knowledge and IT exposure pose the most difficulties when developing a standard training program because the learning needs of employees vary. Availability of users on weekends or beyond office hours has no impact on the development of a standard training program.
Which of the following would be the GREATEST challenge when developing a standard awareness training program for a global organization? Technical input requirements for IT security staff Evaluating training program effectiveness A diverse culture and varied technical abilities of end users Availability of users either on weekends or after office hours
C is the correct answer. Justification An internal auditor is a good advocate but is secondary to the influence of senior management. The chief operating officer will be a member of the steering committee. Senior management represented in the security steering committee is in the best position to advocate the establishment of, and continued support for, an information security program. IT management has a lesser degree of influence and would also be part of the steering committee.
Who can BEST advocate the development of and ensure the success of an information security program? Internal auditor Chief operating officer Steering committee IT management
D is the correct answer. Justification The system developer will have specific knowledge on limited areas but will not have full knowledge of the business issues that affect the level of security required. The security manager's responsibility is to ensure that the level of protection required by the data owner is provided. The custodian provides the level of protection required by the owner. Data owners are the most knowledgeable of the security needs of the business application for which they are responsible.
Who is in the BEST position to determine the level of information security needed for a specific business application? The system developer The information security manager The system custodian The data owner
C is the correct answer. Justification Before determining the security baseline, an information security manager must identify criticality levels of the organization's information resources. The security policy helps define the security baseline. Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality/classification levels. The security baseline defines the control objectives but not the specific controls required.
Why is it important to develop an information security baseline? The security baseline helps define: critical information resources needing protection. a security policy for the entire organization. the minimum acceptable security to be implemented. required physical and logical access controls.