Domain 9 - Exam Feedback Flashcards

1
Q

What are the elements of the Process for Attack Simulation and Threat Analysis (PASTA), a seven-step threat modeling methodology?

A

The seven steps of PASTA are:

  1. Definition of the Objectives (DO) for the Analysis of Risks,
  2. Definition of the Technical Scope (DTS),
  3. Application Decomposition and Analysis (ADA),
  4. Threat Analysis (TA),
  5. Weakness and Vulnerability Analysis (WVA),
  6. Attack Modeling and Simulation (AMS), and
  7. Risk Analysis and Management (RAM).

Note – Containment and Eradication (CE) is not a step of PASTA. Instead, these are two elements of a typical incident response policy.

2
Q

UDP is a connectionless protocol that operates at the Transport layer of the OSI model and uses ports to manage simultaneous connections. Which of the following terms is also related to UDP?

A

Simplex

UDP is a simplex protocol at the Transport layer.

3
Q

What is the client source port of a secured web communication?

A

Note – It is NOT port 443!

A dynamic port

Client source ports are dynamic ports (i.e., a randomly selected port number between 1024 and 65,535) for most Application layer protocols, including secure web communications (i.e., HTTPS).

4
Q

What’s the difference between a Type I and Type II Hypervisor?

A

A Type I hypervisor is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside. Type I hypervisors are often used to support server virtualization.

A Type II hypervisor is a hosted hypervisor. In this configuration, a standard OS is present on the hardware, and the hypervisor is installed on top of it as another software application. Type II hypervisors are often used in desktop deployments, where the guest OSs offer safe sandbox areas to test new code, allow the execution of legacy applications, support apps from alternate OSs, and provide the user with access to the capabilities of a host OS.

5
Q

In object-oriented programming, what term describes a collection of the common methods from a set of objects that defines the behavior of those objects?

A

A class is a collection of the common methods from a set of objects that defines the behavior of those objects.

6
Q

Is it a good idea to power down a compromised system in the detection phase of an incident response?

A

NO

You should never power down a compromised system during the early stages of incident response because this may destroy valuable evidence stored in volatile memory. The other answers include steps that will isolate a system without destroying evidence in typical scenarios.

7
Q

What is a primary goal within the detection phase of incident response?

A

Identification of incidents

A primary goal within the detection phase of incident response is identification of an incident. Restoration of normal activity occurs during the recovery phase. Lessons learned is the final phase of incident response.

8
Q

What is an access control list (ACL) based on? Subject or Object?

A

Object

An ACL is based on an object and includes a list of subjects that are granted access. A capability table is focused on a subject and includes a list of objects the subject can access. Roles and accounts are examples of subjects and may be included in an ACL, but they aren’t the focus.

9
Q

What is the weakest method of authentication?

A

Strong static passwords

Strong passwords are the weakest form of authentication from the given answers. One-time passwords are stronger than static passwords. Biometric methods such as retina scans are stronger than passwords.

10
Q

Which security protocol automatically performs reauthentication of the client system throughout the connected session in order to detect session hijacking?

A

CHAP

CHAP is a security protocol that automatically performs reauthentication of the client system throughout the connected session in order to detect session hijacking.

11
Q

What term describes the processor mode used to run the system tools used by administrators seeking to make configuration changes to a machine?

User Mode or Supervisory Mode?

A

User Mode

All user applications, regardless of the security permissions assigned to the user, execute in user mode. Supervisory mode, kernel mode, and privileged mode are all terms that describe the mode used by the processor to execute instructions that originate from the operating system.

12
Q

What law amended the Health Insurance Portability and Accountability Act to include data breach notification requirements?

A

HITECH

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA to include new regulations related to data breach notification and the compliance requirements of covered entity business associates.

13
Q

What regulation formalizes the prudent man rule that requires senior executives to take personal responsibility for their actions?

A

Federal Sentencing Guidelines

14
Q

Which of the following provides the best protection against mishandling media that contains sensitive information?

Marking

Purging

Sanitizing

Retaining?

A

Marking

Marking (or labeling) media is the best choice of the available answers to protect against mishandling media. When properly marked, personnel are more likely to handle media properly. Purging and sanitizing methods remove sensitive information but do not protect against mishandling. Data retention refers to how long an organization keeps the data, not how it handles the data.

15
Q

Which one of the following individuals is most likely to cause serious intentional damage to a business’s computing resources?

Malicious insider or Terrorist?

A

Malicious insider

The malicious insider poses the greatest risk to your organization because they might already have access to your systems and a working knowledge of your infrastructure.

16
Q

Which federal government agency is responsible for ensuring the security of government computer systems that are used to process sensitive and/or classified information?

A

National Security Agency

The National Security Agency is responsible for managing the security of computer systems that process sensitive and/or classified information. The security of all other federal government systems is entrusted to the National Institute of Standards and Technology.

17
Q

Once a system is compromised, _______________ is deployed to restore it to its previous known-good state.

A

Corrective access control

Corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred.

18
Q

What is the biggest problem with computer-based information when used as evidence?

A

The biggest problem with computer evidence is that some of it may be volatile, meaning it can be lost with the loss of power. Finding and preserving volatile evidence from memory is the most challenging aspect of gathering computer evidence. Although computer evidence is usually considered hearsay, there is an exception to the hearsay rule that makes it admissible (specifically if it was created by a normal business operation and supported by a witness).

19
Q

_______________ is the process by which a subject provides a username, logon ID, personal identification number, and so on.

A

Identification, not Authentication

Identification is the process by which a subject professes an identity and accountability is initiated.

20
Q

Flo and Ricky are sending messages to each other using an asymmetric encryption algorithm. Flo wants to send Ricky a private message. What key should she use to encrypt it?

A

Ricky’s public key

21
Q

What is split-DNS?

A

Dividing internal DNS from external DNS

22
Q

Which type of control provides extended options to existing controls and aids or supports administrative security policy?

A

Compensation access control

Compensation access control is deployed to provide various options to existing controls to help enforce and support a security policy.

23
Q

Subjects can be held accountable for their actions toward other subjects and objects while they are authenticated to a system. What process facilitates this accountability?

A

Monitoring

Monitoring the activities of subjects and objects, as well as of core system functions that maintain the operating environment and the security mechanisms, helps establish accountability on the system.

24
Q

What is a directive control?

A

A directive control is a security tool used to guide the security implementation of an organization.

25
Q

Among the following choices, what kind of IDS is considered an expert system?

Behavior based or Knowledge based?

A

Behavior based

A behavior-based intrusion detection system (IDS) can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events.

26
Q

What attack involves an interruptive malicious user positioned between a client and server attempting to take over?

Man in the middle or Hijacking?

A

Hijacking

In a hijack attack, which is an offshoot of a man-in-the-middle attack, a malicious user is positioned between a client and server and then interrupts the session and takes it over.

27
Q

Which is the most common form of perimeter security device or mechanism for any given business?

Fences or lighting?

A

Lighting

Lighting is by far the most pervasive and basic element of security because it illuminates areas and makes signs of hidden danger visible to all.

28
Q

John is configuring a router that will stand between the network 10.8.6.0/24 and the Internet. He would like to configure egress filtering rules to minimize the potential of crackers originating a DDoS attack from his network. What type of traffic should be filtered out to help achieve this goal?

A

Outbound traffic with an address outside the range 10.8.6.0/24

Although it is true that John would probably want to filter out all of these types of traffic for various reasons, he would be specifically interested in filtering out outbound traffic with an address not belonging to his network to achieve his stated goal.

29
Q

Which of the following is not a benefit of tunneling?

A

Each encapsulated protocol includes its own error detection, error handling, acknowledgment, and session management features.

Tunneling is generally an inefficient means of communicating because all protocols include their own error detection, error handling, acknowledgment, and session management features, and using more than one protocol at a time just compounds the overhead required to communicate a single message.

30
Q

Which IPsec mode provides for encryption of complete packets, including header information?

Authentication Header (AH) or Tunnel?

A

Tunnel

When IPsec is used in tunnel mode, entire packets, rather than just the payload, are encrypted. This mode is designed for use in gateway-to-gateway communications.

31
Q

Is Daily Workstation change a thing?

A

Yes

Daily workstation change (i.e., when workers do not have a designated, assigned, or consistent workstation but operate any one that is available) is an effective means of preventing and detecting the presence of unapproved software.

32
Q

Which of the following can be used to verify the integrity of a received message?

A

A hash total is a checksum used to verify the integrity of a transmission.

33
Q

Does data classification provide for non-repudiation?

A

No

Providing for nonrepudiation is not a reason for data classification.

34
Q

What is the Delphi technique?

A

The Delphi technique is a form of qualitative risk analysis that uses an anonymous feedback-and-response process to arrive at a group consensus.

35
Q

What is confidentiality dependent on?

Availability or integrity?

A

Integrity

Without object integrity, confidentiality cannot be maintained. In fact, integrity and confidentiality depend on one another.

36
Q

You are implementing AES encryption for files that your organization plans to store in a cloud storage service and wish to have the strongest encryption possible. What key length should you choose?

A

256 bits

The strongest keys supported by the Advanced Encryption Standard are 256 bits. The valid AES key lengths are 128, 192, and 256 bits.

37
Q

Identification is the first step toward what ultimate goal?

A. Accountability

B. Authorization

C. Auditing

D. Nonrepudiation

A

Accountability, not authorization

Accountability is the ultimate goal of a process started by identification.

38
Q

A _______________ contains levels with various compartments that are isolated from the rest of the security domain.

A

Hybrid environment

Hybrid environments combine both hierarchical and compartmentalized environments so that security levels have subcompartments.

39
Q

What element of security control includes access controls, alarms, CCTV, and monitoring?

A

Technical physical security control (not just physical security controls)

Technical physical security controls include access controls; intrusion detection; alarms; closed-circuit television (CCTV); monitoring; heating, ventilating, and air conditioning (HVAC); power supplies; and fire detection and suppression.

40
Q

Abnormal or unauthorized activities detectable to an IDS include which of the following? (Choose all that apply.)

A

A. External connection attempts

B. Execution of malicious code

C. Access to controlled objects

41
Q

What are the well-known ports?

A

0 to 1,023

42
Q

NIST SP800-53 discusses a set of security controls as what type of security tool?

A

A baseline

NIST SP 800-53 discusses security control baselines as a list of security controls. CIS releases security baselines, and a baseline is a useful part of a threat management strategy and may contain a list of acceptable configuration items.

43
Q

What are the four functions of a forensic disk controller?

A

A forensic disk controller performs four functions:

  1. Write blocking, which intercepts write commands sent to the device and prevents them from modifying data on the device,
  2. returning data requested by a read operation,
  3. returning access-significant information from the device, and
  4. reporting errors from the device back to the forensic host.

The controller should not prevent read commands from being sent to the device because those commands may return crucial information.

44
Q

Which Kerberos service generates a new ticket and session keys and sends them to the client?

A

TGS

The TGS, or Ticket-Granting Service (which is usually on the same server as the KDC), receives a TGT from the client. It validates the TGT and the user’s rights to access the service they are requesting to use. The TGS then issues a ticket and session keys to the client. The AS serves as the authentication server, which forwards the username to the KDC. It’s worth noting that the client doesn’t communicate with the KDC directly. Instead, it communicates with the TGS and the AS, which means KDC isn’t an appropriate answer here.

45
Q

What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders?

A

Wave pattern

Wave pattern motion detectors transmit ultrasonic or microwave signals into the monitored area, watching for changes in the returned signals bouncing off objects.

46
Q

Susan sets up a firewall that keeps track of the status of the communication between two systems and allows a remote system to respond to a local system after the local system starts communication. What type of firewall is Susan using?

A

A stateful packet inspection firewall

Stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, track the state of a conversation and can allow a response from a remote system based on an internal system being allowed to start the communication. Static packet filtering and circuit level gateways only filter based on source, destination, and ports, whereas application-level gateway firewalls proxy traffic for specific applications.

47
Q

What are the five modes of DES?

A

The DES modes of operation are:

  1. Electronic Codebook (ECB),
  2. Cipher Block Chaining (CBC),
  3. Cipher Feedback (CFB),
  4. Output Feedback (OFB), and
  5. Counter (CTR).
48
Q

Among the following protocols, which are proprietary AAA packages and which are not?

RADIUS

XTACACS

TACACS+

A

RADIUS is not proprietary

XTACACS and TACACS+ are both Cisco proprietary protocols.

49
Q

Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with?

A

A worm, because:

  • Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access.
  • Viruses and Trojan horses typically require user interaction to spread.
  • Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
50
Q

What problem drives the recommendation to physically destroy SSD drives to prevent data leaks when they are retired?

A

The built-in erase commands are not completely effective on some SSDs.

51
Q

What are the 7 principles of the EU-U.S. Privacy Shield Framework?

A
  1. Notice,
  2. Choice,
  3. Accountability for onward transfer,
  4. Security,
  5. Data integrity and purpose limitation,
  6. Access,
  7. Recourse, Enforcement and Liability
52
Q

Alex works for the U.S. federal government and is required to ensure that the devices and components he acquires are not compromised. What program will he participate in to help ensure this?

A

Trusted foundry

The U.S. Trusted Foundry program helps to protect the supply chain for components and devices by ensuring that the companies that produce and supply them are secure. TEMPEST is the name for a program aimed at capturing data from electronic emissions, GovBuy is not a government program or supplier, and MITRE conducts research and development for the U.S. government.

53
Q

When evaluating biometric devices, what is another term used to describe the equal error rate?

A

CER

The crossover error rate (CER) is the point where the false acceptance rate and the false rejection rate cross. CER and EER, or equal error rate, mean the same thing and are used interchangeably.

54
Q

What principle states that an individual should make every effort to complete his or her responsibilities in an accurate and timely manner?

A

Due Diligence

The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

55
Q

When Ben records data and then replays it against his test website to verify how it performs based on a real production workload, what type of performance monitoring is he undertaking?

A

Proactive

Proactive monitoring, aka synthetic monitoring, uses recorded or generated traffic to test systems and software. Passive monitoring uses a network span, tap, or other device to capture traffic to be analyzed. Reactive and replay are not industry terms for types of monitoring.

56
Q

What’s wrong with hand geometry scanners?

A

Hand geometry scanners assess the physical dimensions of an individual’s hand but do not verify other unique factors about the individual, or even verify if they are alive.

This means that hand geometry scanners should not be implemented as the sole authentication factor for secure environments. Hand geometry scanners do not have an abnormally high FRR and do not stand out as a particular issue from an accessibility standpoint compared to other biometric systems.

57
Q

Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense?

A

Parol evidence rule

The parol evidence rule states that when an agreement between two parties is put into written form, it is assumed to be the entire agreement unless amended in writing. The best evidence rule says that a copy of a document is not admissible if the original document is available. Real evidence and testimonial evidence are evidence types, not rules of evidence.

58
Q

The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of controls best describes this?

A

Directive

Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls.

59
Q

If Alex hires a new employee and the employee’s account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred?

A

Workflow-based account provisioning

Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning.

60
Q

Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users?

A

Cat 5e and Cat 6

Category 5e and Category 6 UTP cable are both rated to 1000 Mbps. Cat 5 (not Cat 5e) is only rated to 100 Mbps, whereas Cat 7 is rated to 10 Gbps. There is no Cat 4e.

61
Q

What’s the difference between network latency and jitter?

A
  • Latency is a delay in the delivery of packets from their source to their destination.
  • Jitter is a variation in the latency for different packets.
62
Q

Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?

A

Fire suppression systems do not stop a fire from occurring but do reduce the damage that fires cause. This is an example of reducing risk by lowering the impact of an event.

63
Q

Alan’s Wrenches recently developed a new manufacturing process for its product. They plan to use this technology internally and not share it with others. They would like it to remain protected for as long as possible. What type of intellectual property protection is best suited for this situation?

A

Trade secret

Patents and trade secrets can both protect intellectual property in the form of a process. Patents require public disclosure and have expiration dates while trade secrets remain in force for as long as they remain secret. Therefore, trade secret protection most closely aligns with the company’s goals.

64
Q

Ben wants to interface with the National Vulnerability Database using a standardized protocol. What option should he use to ensure that the tools he builds work with the data contained in the NVD?

A

SCAP

The Security Content Automation Protocol (SCAP) is a suite of specifications used to handle vulnerability and security configuration information.

The National Vulnerability Database (NVD) provided by NIST uses SCAP. XACML is the eXtensible Access Control Markup Language, an OASIS standard used for access control decisions, and neither VSML nor SCML is an industry term.

65
Q

Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement?

A

A NAC system

Network Access Control (NAC) systems can be used to authenticate users and then validate their system’s compliance with a security standard before they are allowed to connect to the network. Enforcing security profiles can help reduce zero-day attacks, making NAC a useful solution. A firewall can’t enforce system security policies, whereas an IDS can only monitor for attacks and alarm when they happen. Thus, neither a firewall nor an IDS meets Kolin’s needs. Finally, port security is a MAC address–based security feature that can only restrict which systems or devices can connect to a given port.

66
Q

Which of the following tools is best suited to the information gathering phase of a penetration test?

A

Whois

During the information gathering and discovery phase of a penetration test, testers will gather information about the target. Whois can provide information about an organization, including IP ranges, physical addresses, and staff contacts. Nessus would be useful during a vulnerability detection phase, and Metasploit would be useful during exploitation. zzuf is a fuzzing tool and is less likely to be used during a penetration test.

67
Q

Why does Nikto identify directory indexing as an issue?

A

Directory indexing may not initially seem like an issue during a penetration test, but simply knowing the name and location of files can provide an attacker with quite a bit of information about an organization, as well as a list of potentially accessible files. XDRF is not a type of attack, and indexing is not a denial-of-service attack vector. Directory indexing being turned on is typically either due to misconfiguration or design, or because the server was not properly configured at setup, rather than being a sign of attack.

68
Q

Nikto lists OSVDB-877, noting that the system may be vulnerable to XST. What would this type of attack allow an attacker to do?

A

Steal a user’s cookies.

Cross-site tracing (XST) leverages the HTTP TRACE or TRACK methods and could be used to steal a user’s cookies via cross-site scripting (XSS). The other options are not industry terms for web application or web server attacks or vulnerabilities.

69
Q

What is an APIPA address and what is its address range?

A

APIPA addresses are assigned between 169.254.0.01 and 169.254.255.254.

Automatic Private IP Addressing (APIPA) is Microsoft’s terminology for address autoconfiguration in the Windows 98, ME, 2000 and XP OSs. APIPA allows a local area network (LAN) computer to give itself a unique IP address when Dynamic Host Configuration Protocol (DHCP) is unavailable. APIPA is sometimes known as auto-IP.

70
Q

What is crystal box testing?

A

Crystal box penetration testing is also sometimes called white box penetration testing.

71
Q

Application banner information is typically recorded during what penetration testing phase?

A

Discovery

The discovery phase includes activities like gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.

Banner grabbing is the act of capturing the information provided by banners, configurable text-based welcome screens from network hosts that generally display system information. Banners are intended for network administration.

72
Q

Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?

A

Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.

73
Q

What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?

A

DoS and OS attacks

Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.

74
Q

What type of error occurs when a valid subject using a biometric authenticator is not authenticated?

A

Type 1 error

Type 1 errors occur when a valid subject is not authenticated.

Type 2 errors occur when an invalid subject is incorrectly authenticated.

Type 3 and Type 4 errors are not associated with biometric authentication.

75
Q

George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George’s company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?

A

The hearsay rule

The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.

76
Q

Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?

A

Worm

Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.

77
Q

Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?

A

In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of infrastructure as a service (IaaS).

78
Q

Harry is concerned that accountants within his organization will use data diddling attacks to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack?

A

Integrity verification

Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.

79
Q

What is data diddling?

A

Data diddling is a type of cybercrime in which data is altered as it is entered into a computer system, most often by a data entry clerk or a computer virus. Computerized processing of the altered data results in a fraudulent benefit.

80
Q

Bell-LaPadula is an example of what type of access control model?

A

MAC

Bell-LaPadula uses security labels on objects and clearances for subjects, and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.

81
Q

What is FERPA?

A

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.

82
Q

Which one of the following techniques can an attacker use to exploit a TOC/TOU vulnerability?

Algorithmic complexity or concurrency control

A

Attackers may use algorithmic complexity as a tool to exploit a TOC/TOU race condition. By varying the workload on the CPU, attackers may exploit the amount of time required to process requests and use that variance to effectively schedule the exploit’s execution. File locking, exception handling, and concurrency controls are all methods used to defend against TOC/TOU attacks.

83
Q

What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?

Application-level gateway firewall or stateful inspection firewall?

A

Application-level gateway firewall

An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.

84
Q

Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications?

Multi-tasking or multi-processing?

A

Multitasking

Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.

85
Q

What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to?

Scoping or Tailoring?

A

Scoping

Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.

86
Q

During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?

Collection or processing?

A

Processing

During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.

87
Q

Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the U.S. government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it?

Mixed or Secret?

A

Secret

Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the U.S. government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.

88
Q

Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?

Likelihood or impact?

A

Likelihood

Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.

89
Q

The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action?

Purging or Sanitizing?

A

Sanitization

Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.

90
Q

Michelle is in charge of her organization’s mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?

Remote wiping and GPS tracking or

Full device encryption and mandatory passcodes

A

While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices, but won’t keep the data secure if the device is lost. Remote wipe and GPS location are useful only if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.

91
Q

Susan’s SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as?

A

Open Relay

SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.

92
Q

What is PAT and what is it used for?

A

Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPsec is a security protocol suite, software-defined networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.

Q - Ed’s organization has 5 IP addresses allocated to them by their ISP but needs to connect over 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?

A - PAT

93
Q

Fred’s organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols?

A

L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPsec are all IP-only protocols.

94
Q

Residual data is another term for what type of data left after attempts have been made to erase it?

A

Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.

95
Q

Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?

A

Maintain competent records of all investigations and assessments.

The four canons of the (ISC)2 Code of Ethics are:

  1. To protect society, the common good, necessary public trust and confidence, and the infrastructure;
  2. Act honorably, honestly, justly, responsibly, and legally;
  3. Provide diligent and competent service to principals; and
  4. Advance and protect the profession.
96
Q

What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?

A

Annually

Individuals with specific business continuity roles should receive training on at least an annual basis.

97
Q

What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?

A

2

Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.

98
Q

What is an APIPA IP Address used for and what is its range?

A

APIPA addresses are assigned between 169.254.0.1 and 169.254.255.254.

APIPA (Automatic Private IP Addressing) is the Windows function that provides DHCP autoconfiguration addressing. APIPA assigns a class B IP address from 169.254.0.0 to 169.254.255.255 to the client when a DHCP server is either permanently or temporarily unavailable.

99
Q

Lauren wants to monitor her LDAP servers to identify what types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing?

Active or Passive?

A

Passive

Since Lauren wants to monitor her production server, she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This will avoid introducing potentially problematic traffic on purpose while capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real time are not common industry terms used to describe types of monitoring.

100
Q

Susan wants to monitor traffic between systems in a VMware environment. What solution would be her best option to monitor that traffic?

A

Set up a virtual span port and capture data using a VM IDS

Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.

101
Q

What is a SPAN port and what is it used for?

A

SPAN (Switched Port Analyzer)

Port Mirroring also known as SPAN (Switched Port Analyzer), sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.

102
Q

Which of the following types of controls does not describe a mantrap?

Preventive or Compensating?

A

Compensating

A mantrap, which is composed of a pair of doors with an access mechanism that allows only one door to open at a time, is an example of a preventive access control because it can stop unwanted access by keeping intruders from accessing a facility due to an opened door or following legitimate staff in. It can serve as a deterrent by discouraging intruders who would be trapped in it without proper access, and of course, doors with locks are an example of a physical control. A compensating control attempts to make up for problems with an existing control or to add additional controls to improve a primary control.

103
Q

What is a land attack?

A

In a land attack, the attacker sends a packet that has identical source and destination IP addresses in an attempt to crash systems that are not able to handle this out-of-specification traffic.

104
Q

What’s the difference between Nikto and QualysGuard?

A

QualysGuard: Network vulnerability scanning.

Nikto: Web vulnerability scanning.

105
Q

Alice would like to add another object to a security model and grant herself rights to that object. Which one of the rules in the Take-Grant protection model would allow her to complete this operation?

Take rule?
Grant rule?

Create rule?

A

create rule

The create rule allows a subject to create new objects and also creates an edge from the subject to that object, granting rights on the new object.

106
Q

Which of the following concerns should not be on Lauren’s list of potential issues when penetration testers suggest using Metasploit during their testing?

A

Metasploit can only test vulnerabilities it has plug-ins for

Metasploit provides an extensible framework, allowing penetration testers to create their own exploits in addition to those that are built into the tool. Unfortunately, penetration testing can only cover the point in time when it is conducted. When conducting a penetration test, the potential to cause a denial of service due to a fragile service always exists, but it can test process and policy through social engineering and operational testing that validates how those processes and policies work.

107
Q

What type of websites are regulated under the terms of COPPA?

A

The Children’s Online Privacy Protection Act (COPPA) regulates websites that cater to children or knowingly collect information from children under the age of 13.

108
Q

What key assumption made by EAP can be remedied by using PEAP?

A

Extensible Authentication Protocol (EAP) was originally intended to be used on physically isolated network channels and did not include encryption.

Fortunately, it was designed to be extensible, and PEAP (Protected Extensible Authentication Protocol) can provide TLS encryption. EAP isn’t limited to PEAP as an option as EAP-TLS also exists, providing an EAP TLS implementation, and the same extensibility allows a multitude of other authentication methods.

109
Q

What are the four key elements of Kerberos?

A

Key Distribution Center - The key distribution center (KDC) is the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.

Kerberos Authentication Server - The authentication server hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.

Ticket-Granting Ticket - A ticket-granting ticket (TGT) provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. A TGT is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present the TGT when requesting tickets to access objects.

Ticket - A ticket is an encrypted message that provides proof that a subject is authorized to access an object. It is sometimes called a service ticket (ST). Subjects request tickets to access objects, and if they have authenticated and are authorized to access the object, Kerberos issues them a ticket. Kerberos tickets have specific lifetimes and usage parameters. Once a ticket expires, a client must request a renewal or a new ticket to continue communications with any server.

110
Q

What are the strengths and weaknesses of Kerberos?

A

Strengths - Kerberos is a versatile authentication mechanism that works over local LANs, remote access, and client-server resource requests.

Weaknesses - Kerberos presents a single point of failure—the KDC. If the KDC is compromised, the secret key for every system on the network is also compromised. Also, if a KDC goes offline, no subject authentication can occur.

It also has strict time requirements, and the default configuration requires that all systems be time-synchronized within five minutes of each other. If a system is not synchronized or the time is changed, a previously issued TGT will no longer be valid and the system will not be able to receive any new tickets. In effect, the client will be denied access to any protected network resources.

111
Q

What is a simple diagram of the Kerberos process?

A
112
Q

What is Nikto?

A

Nikto Web Scanner is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other problems. It performs generic and server type specific checks. It also captures and prints any cookies received.

113
Q

What does CGI stand for and what are the risks associated with CGI scripts?

A

CGI stands for Common Gateway Interface, which is a standard for a gateway, or interface, between clients and web servers.

CGI scripts are potential security holes even though you run your server as “nobody”. A subverted CGI script running as “nobody” still has enough privileges to mail out the system password file, examine the network information maps, or launch a log-in session on a high numbered port (it just needs to execute a few commands in Perl to accomplish this).

114
Q

What is e-Discovery and what are the eight steps associated with it?

A

e-Discovery of electronically stored information (ESI) is the process of producing for a court or external attorney all ESI pertinent to a legal proceeding. The Electronic Discovery Reference Model identifies 8 steps:

  1. Identification
  2. Preservation
  3. Collection
  4. Processing
  5. Review
  6. Analysis
  7. Production
  8. Presentation
115
Q

What’s the formula for determining the number of keys needed for everyone to communicate via symmetric keys?

A

The formula for determining the number of encryption keys required by a symmetric algorithm is (n*(n-1))/2. With six users, you will need (6*5)/2, or 15 keys.

116
Q

What is TKIP and where was it used?

A

TKIP

Temporal Key Integrity Protocol (TKIP) was designed as the replacement for WEP without requiring replacement of legacy wireless hardware. TKIP was implemented into 802.11 wireless networking under the name WPA (Wi-Fi Protected Access). TKIP improvements include a key-mixing function that combines the initialization vector (IV) (i.e., a random number) with the secret root key before using that key with RC4 to perform encryption; a sequence counter is used to prevent packet replay attacks; and a strong integrity check named Michael is used.

TKIP and WPA were officially replaced by WPA2 in 2004. Additionally, attacks specific to WPA and TKIP (i.e., coWPAtty and a GPU-based cracking tool) have rendered WPA’s security unreliable.

117
Q

What are the five steps of penetration testing?

A
  1. Discovery - Footprinting and gathering information about the target
  2. Enumeration - Performing port scans and resource identification methods
  3. Vulnerability mapping - Identifying vulnerabilities in identified systems and resources
  4. Exploitation - Attempting to gain unauthorized access by exploiting vulnerabilities
  5. Report to management - Delivering to management documentation of test findings along with suggested countermeasures
118
Q

What are the 4 types of fires and their suppression mechanisms?

A
119
Q

What’s the difference between a SOC1 security Audit and a SOC2 Security Audit?

A

The SOC1 audit focuses on a description of security mechanisms to assess their suitability.

The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality.

120
Q

What is a SOC2 Type 1 Report?

A

With a SOC2 / Type 1 report, your organization’s controls are assessed at a specific point in time. This report acts as a snapshot of your environment to determine and demonstrate if the controls are suitably designed and in place. For example, the auditor will select one terminated employee and confirm that their access was properly revoked and documented via a ticketing system.

A Type 1 report has the following characteristics:

Description of your organization’s system as a whole

Assesses the design of your organization’s internal controls

Tests a specific point in time

121
Q

What is a SOC2 Type 2 report?

A

Type 2 Report

For a Type 2 report, your organization’s controls are assessed over a period of time, typically a twelve-month review period. Unlike a Type 1 report, Type 2 acts as a historical review of your environment to determine and demonstrate if the controls are suitably designed and in place, as well as operating effectively over time. The audit process will include sample testing within the review period to determine if your organization’s controls are operating effectively. For instance, the auditor will take a sample of employees from the population of terminated personnel and confirm that their access was properly revoked and documented via a ticketing system during the agreed-upon review period.

A Type 2 report has the following characteristics:

Description of your organization’s system as a whole

Assesses the design of your organization’s controls, as well as their operating effectiveness

Focuses on a period of time in which the controls are operating

Features detailed descriptions of the auditor’s tests and test results of the controls

Since a Type 2 report is more granular and comprehensive than a Type 1 report, it often provides your clients with a higher level of assurance.

122
Q

What’s the difference between IPSec transport mode vs. tunnel mode?

A

ESP’s Transport mode encrypts IP packet data but leaves the packet header unencrypted.

ESP Tunnel mode encrypts the entire packet and adds a new header to support transmission through the tunnel.

123
Q

How does Software Subcontract Management fit into the SW-CMM?

A

It’s part of level 2 - Repeatable

124
Q

What’s the difference between KPIs and KRIs?

A

Key risk indicators (KRIs) are often used to monitor risk for organizations that establish an ongoing risk management program. Using automated data gathering and tools that allow data to be digested and summarized can provide predictive information about how organizational risks are changing.

KPIs are key performance indicators, which are used to assess how an organization is performing. Quantitative risk assessments are good for point-in-time views with detailed valuation and measurement-based risk assessments, whereas a penetration test would provide details of how well an organization’s security controls are working.

125
Q

What are the four commercial data classifications?

A

The commercial classification scheme discussed by (ISC)2 includes four primary classification levels:

  • confidential,
  • private,
  • sensitive,
  • public.

Secret is a part of the military classification scheme.

126
Q

Danielle is testing tax software, and part of her testing process requires her to input a variety of actual tax forms to verify that the software produces the right answers. What type of testing is Danielle performing?

A

Use Case Testing

Testing for desired functionality is use case testing. Dynamic testing is used to determine how code handles variables that change over time. Misuse testing focuses on how code handles examples of misuse, and fuzzing feeds unexpected data as an input to see how the code responds.

127
Q

What are the 3 sets of private address ranges per RFC 1918?

Also, what is the Microsoft private address range?

A
  • Class A: 10.0.0.0 to 10.255.255.255,
  • Class B: 172.16.0.0 to 172.31.255.255,
  • Class C: 192.168.0.0 to 192.168.255.255

These should never be routable on the public Internet.

Microsoft APIPA address between 169.254.0.1 and 169.254.255.254

128
Q

What is the minimum number of people who should be trained on any specific business continuity plan implementation task?

A

2

Organizations should train at least two individuals on every business continuity plan task. This provides a backup in the event the primary responder is not available.

129
Q

What’s the relationship between rights, permissions, privileges and roles?

A

Typically:

  • Permissions include both the access and actions that you can take on an object.
  • Rights usually refer to the ability to take action on an object, and don’t include the access to it.
  • Privileges combine rights and permissions.
  • Roles describe sets of privileges based on job tasks or other organizational artifacts.
130
Q

Name Two TCP header flags that are rarely used.

A
  • CWR and ECE

Congestion Window Reduced (CWR) and ECN-Echo (ECE) are used to manage transmission over congested links, and are rarely seen in modern TCP networks.

131
Q

What’s the difference between a power Fault, Blackout, Sag and Brownout?

A
  • Fault is a momentary loss of power.
  • Blackouts are sustained complete losses of power.
  • Sags and Brownouts are not complete power disruptions but rather periods of low voltage conditions.
132
Q

Lauren’s team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features like logging and password rotation occur?

A

Lauren’s team would benefit from a credential management system. Credential management systems offer features like password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher sensitivity systems.

133
Q

There is a significant conflict between the drive for profit and the security requirements that Olivia’s organization has standardized. Olivia’s role means that decreased usability and loss of profit due to her staff’s inability to use the system is her major concern. What is the most likely role that Olivia plays in her organization?

Business Manager or Mission owner?

A

The business or mission owner’s role is responsible for making sure systems provide value. When controls decrease the value that an organization gets, the business owner bears responsibility for championing the issue to those involved. There is not a business manager or information security analyst role in the list of NIST-defined data security roles. A data processor is defined but acts as a third-party data handler and would not have to represent this issue in Olivia’s organization.

134
Q

In the ring protection model, what’s in each ring?

What runs in user mode, what runs in privileged mode?

A
  • Ring 0 - The kernel lies within the central ring, Ring 0.
  • Ring 1 - Ring 1 contains other operating system components.
  • Ring 2 - Ring 2 is used for drivers and protocols.
  • Ring 3 - User-level programs and applications run at Ring 3.

Rings 0–2 run in privileged mode whereas Ring 3 runs in user mode.

135
Q

Metrics like the attack vector, complexity, exploit maturity, and how much user interaction is required are all found in what scoring system?

A

CVSS

  • CVSS - The Common Vulnerability Scoring System (CVSS) uses measures such as attack vector, complexity, exploit maturity, and how much user interaction is required as well as measures suited to local concerns.
  • CVE is the Common Vulnerabilities and Exposures dictionary,
  • CNA is the CVE Numbering Authority, and
  • NVD is the National Vulnerability Database.
136
Q

In which of the following circumstances does an individual not have a reasonable expectation of privacy?

Placing a telephone call on cell phone?

Sending email at work?

A

An individual does not have a reasonable expectation of privacy when any communication takes place using employer-owned communications equipment or accounts.

137
Q

What are the characteristics of the 4 DR tests/reviews?

A
  • Checklist review - The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes.
  • Tabletop exercise - During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
  • Parallel test - During a parallel test, the team actually activates the disaster recovery site for testing, but the primary site remains operational.
  • Full interruption test - During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive.
138
Q

What are the maximum cabling distances for:

Cat 5e Ethernet

Coax (RG-58)

Fiber optic

A

Category 5e: 300 feet.

Coaxial (RG-58): 500 feet.

Fiber optic: 1+ kilometers.

139
Q

What are the Four US government data classifications and what are the characteristics of each?

A
  • Unclassified
    • Sensitive, but unclassified
  • Confidential - Confidential data could be expected to cause damage.
  • Secret - The U.S. government classifies data that could reasonably be expected to cause damage to national security if disclosed, and for which the damage can be identified or described, as Secret. The U.S. government does not use Classified in its formal four levels of classification.
  • Top Secret - Top Secret data could cause exceptionally grave damage.
140
Q

What are the four common levels of sensitivity for commercial business?

A
  • Public
  • Sensitive
  • Private
  • Confidential
141
Q

What’s the purpose of a digital certificate?

A

The purpose of a digital certificate is to provide the general public with an authenticated copy of the certificate subject’s public key.

142
Q

When the certificate authority created Renee’s digital certificate, what key did it use to digitally sign the completed certificate?

A

CA’s private key

The last step of the certificate creation process is the digital signature. During this step, the certificate authority signs the certificate using its own private key.

143
Q

When Mike receives Renee’s digital certificate, what key does he use to verify the authenticity of the certificate?

A

CA’s public key

When an individual receives a copy of a digital certificate, he or she verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the certificate.

144
Q

Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL?

A

Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.

145
Q

What’s the difference between:

  • Electronic vaulting
  • Transaction logging
  • Remote mirroring
  • Remote journaling
A
  • Remote journaling transfers transaction logs to a remote site on a more frequent basis than electronic vaulting, typically hourly.
  • Transaction logging is not a recovery technique alone; it is a process for generating the logs used in remote journaling.
  • Electronic vaulting - In an electronic vaulting approach, automated technology moves database backups from the primary database server to a remote site on a scheduled basis, typically daily.
  • Remote mirroring maintains a live database server at the backup site and mirrors all transactions at the primary site on the server at the backup site.
146
Q

Give a brief description of:

  • SOC 1, Type 1
  • SOC 1, Type 2
  • SOC 2
  • SOC 3
A
  • SOC 1, Type 1 - A report that provides the auditor’s opinions of financial statements about controls at the service organization and that includes a report on the opinion on the presentation of the service organization’s system as well as suitability of the controls.
  • SOC 1, Type 2 - A report that provides an assessment of the risk of material misstatement of financial statement assertions affected by the service organization’s processing and that includes a description of the service auditor’s tests of the controls and the results of the tests and their effectiveness.
  • SOC 2 - A report that provides predefined, standard benchmarks for controls involving confidentiality, availability, integrity, and privacy of a system and the information it contains, generally for restricted use.
  • SOC 3 - A general use report that reports on controls related to compliance and/or operations.
147
Q

Jim starts a new job as a system engineer, and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?

A

Jim must comply with the information in this document.

Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional.

148
Q

Which one of the following categories of secure data removal techniques would include degaussing?

A

Purge

The three categories of data destruction are clear (overwriting with nonsensitive data), purge (removing all data), and destroy (physical destruction of the media). Degaussing is an example of a purging technique.

149
Q

What UDP port is typically used by the syslog service?

A

514

150
Q

Fred finds a packet that his protocol analyzer shows with both PSH and URG set. What type of packet is he looking at, and what do the flags mean?

A

PSH is a TCP flag used to clear the buffer, resulting in immediately sending data, and URG is the TCP urgent flag. These flags are not present in UDP headers.

151
Q

After you do automated functional testing with 100 percent coverage of an application, what type of error is most likely to remain?

A

Business Logic Errors

How the CISSP exam thinks:

Business logic errors are most likely to be missed by automated functional testing. If a complete coverage code test was conducted, runtime, input validation, and error handling issues are likely to have been discovered by automated testing. Any automated system is more likely to miss business logic errors, because humans are typically necessary to understand business logic issues.

152
Q

Linda is selecting a disaster recovery facility for her organization, and she wishes to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?

A

Warm Site - assume about a week after the disaster

Linda should choose a warm site. This approach balances cost and recovery time. Cold sites take a very long time to activate, measured in weeks or months. Hot sites activate immediately but are quite expensive. Mutual assistance agreements depend on the support of another organization.

153
Q

What’s the difference between test coverage and code coverage?

A

Test coverage is computed using the formula test coverage = number of use cases tested/total number of use cases.

Code coverage is assessed by the other formulas, including function, conditional, and total code coverage.

154
Q

In what type of trusted recovery process is the system able to recover without administrator intervention but the system may suffer some loss of data?

A

Automated recovery

Automated recovery - In an automated recovery, the system can recover itself against one or more failure types.

Manual Recovery - In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.

In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss.

In function recovery, the system can restore functional processes automatically.

155
Q

What is the main requirement of the California Online Privacy Protection Act (CalOPPA)?

A

California Online Privacy Protection Act (CalOPPA) requires a conspicuously posted privacy policy for any commercial websites or online services that collect personal information on California residents.

156
Q

What advantage do iris scans have over most other types of biometric factors?

A

Irises don’t change as much as other factors.

Iris scans have a longer useful life than many other types of biometric factors because they don’t change throughout a person’s lifespan (unless the eye itself is damaged). Iris scanners can be fooled in some cases by high-resolution images of an eye, and iris scanners are not significantly cheaper than other scanners.

157
Q

Is the Gramm-Leach-Bliley Act civil or criminal law?

A

Civil law

158
Q

Bethany received an email from one of her colleagues with an unusual attachment named smime.p7s. She does not recognize the attachment and is unsure what to do. What is the most likely scenario?

A

This is an encrypted email message.

The S/MIME secure email format uses the P7S format for encrypted email messages. If the recipient does not have a mail reader that supports S/MIME, the message will appear with an attachment named smime.p7s.

159
Q

How do you differentiate between an aggregation issue and an inference issue?

A

Aggregation - is a security issue that arises when a collection of facts has a higher classification than the classification of any of those facts standing alone.

An inference problem occurs when an attacker can pull together pieces of less sensitive information from multiple sources and use them to derive information of greater sensitivity.

In cases where only a single source was used, it will be an aggregation issue.

160
Q

What’s the difference between a candidate key and a primary key?

A

Candidate Key - A super key is a set of one or more attributes that can uniquely identify a record in a table. A candidate key is a key selected from the set of super keys. Furthermore, a candidate key should not have any redundant attributes.

Primary Key - A primary key is a candidate key that is chosen as the main key for a table. It is used to uniquely identify each row or record of the table.

Note - Any primary key is, by definition, also a candidate key.

161
Q

NIST Special Publication 800-53A describes four types of objects that can be assessed. If Ben is reviewing a password standard, which of the four types of objects is he assessing?

A

A Specification

  • Specifications are document-based artifacts like policies or designs.
  • Activities are actions that support an information system and that involve people.
  • Mechanisms are the hardware-, software-, or firmware-based controls or systems in an information system, and an
  • Individual is one or more people applying specifications, mechanisms, or activities.
162
Q

Colleen is conducting a software test that is evaluating code for both security flaws and usability issues. She is working with the application from an end-user perspective and referencing the source code as she works her way through the product. What type of testing is Colleen conducting?

A

Gray box

In a gray box test, the tester evaluates the software from a user perspective but has access to the source code as the test is conducted. White box tests also have access to the source code but perform testing from a developer’s perspective. Black box tests work from a user’s perspective but do not have access to source code. Blue boxes are a telephone hacking tool and not a software testing technique.

163
Q

NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:

  • Many log sources
  • Inconsistent log content
  • Inconsistent timestamps
  • Inconsistent log formats

Which of the following solutions is best suited to solving these issues?

A

Implement a SIEM

A Security Information and Event Management (SIEM) tool is designed to centralize logs from many locations in many formats and to ensure that logs are read and analyzed despite differences between different systems and devices.

164
Q

Bryan has a set of sensitive documents that he would like to protect from public disclosure. He would like to use a control that, if the documents appear in a public forum, may be used to trace the leak back to the person who was originally given the document copy. What security control would best fulfill this purpose?

A

Watermarking

Watermarking alters a digital object to embed information about the source, either in a visible or hidden form. Digital signatures may identify the source of a document but they are easily removed. Hashing would not provide any indication of the document source, since anyone could compute a hash value. Document staining is not a security control.

165
Q

Carlos is planning a design for a data center that will be constructed within a new four-story corporate headquarters. The building consists of a basement and three above-ground floors. What is the best location for the data center?

A. Basement

B. First floor

C. Second floor

D. Third floor

A

Second floor

Data centers should be located in the core of a building. Locating it on lower floors makes it susceptible to flooding and physical break-ins. Locating it on the top floor makes it vulnerable to wind and roof damage.

166
Q

Which one of the following backup types does not alter the status of the archive bit on a file?

A. Full backup

B. Incremental backup

C. Partial backup

D. Differential backup

A

Differential backups do not alter the archive bit on a file, whereas incremental and full backups reset the archive bit to 0 after the backup completes. Partial backups are not a backup type.

167
Q

The Open Shortest Path First (OSPF) protocol is a routing protocol that keeps a map of all connected remote networks and uses that map to select the shortest path to a remote destination. What type of routing protocol is OSPF?

Link state or Distance vector?

A

Link State

OSPF is a link state protocol. Link state protocols maintain a topographical map of all connected networks and preferentially select the shortest path to remote networks for traffic. A distance vector protocol would map the direction and distance in hops to a remote network, whereas shortest path first and link mapping are not types of routing protocols.

168
Q

Fred’s company wants to ensure the integrity of email messages sent via their central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?

A

Digital Signature

Fred’s company needs to protect integrity, which can be accomplished by digitally signing messages. Any change will cause the signature to be invalid. Encrypting isn’t necessary because the company does not want to protect confidentiality. TLS can provide in-transit protection but won’t protect integrity of the messages, and of course a hash used without a way to verify that the hash wasn’t changed won’t ensure integrity either.

169
Q

The web application that Saria’s development team is working on needs to provide secure session management that can prevent hijacking of sessions using the cookies that the application relies on. Which of the following techniques would be the best for her to recommend to prevent this?

A

Set the Secure attribute for the cookies, thus forcing TLS.

Setting the Secure attribute only allows cookies to be sent over HTTPS (TLS or SSL) sessions, preventing man-in-the-middle attacks that target cookies. The rest of the settings are problematic: cookies are vulnerable to DNS spoofing. Domain cookies should usually have the narrowest possible scope, which is actually accomplished by not setting the Domain attribute; this allows only the originating server to access the cookie. Cookies without the Expires or Max-Age attributes are ephemeral and will only be kept for the session, making them less vulnerable than stored cookies. Normally, the HttpOnly attribute is a good idea, but it prevents script access rather than requiring unencrypted HTTP sessions.

170
Q

Chris uses a packet sniffer to capture traffic from a TACACS+ server. What protocol should he monitor, and what data should he expect to be readable?

A

TCP; none—TACACS+ encrypts the full session

TACACS+ uses TCP, and encrypts the entire session, unlike RADIUS, which only encrypts the password and operates via UDP.

171
Q

In a Kerberos context, what system or systems does the service that is being accessed use to validate the ticket?

A

The client workstation supplies it in the form of a client-to-server ticket and an authenticator.

When a client connects to a service server (SS), it sends the following two messages:

  • The client-to-server ticket, encrypted using the service’s secret key
  • A new authenticator, including the client ID and timestamp, encrypted using the client/server session key

The server or service being accessed receives all of the data it needs in the service ticket; the client obtained that client-to-server ticket from the Ticket Granting Service.

172
Q

CDMA, GSM, and IDEN are all examples of what generation of cellular technology?

A

2G

  • 2G technologies - CDMA, GSM, and IDEN are all 2G technologies.
  • 3G technologies - EDGE, DECT, and UMTS.
  • 4G technologies - WiMAX, LTE, and IEEE 802.20 mobile broadband.
173
Q

Which one of the following fire suppression systems poses the greatest risk of accidental discharge that damages equipment in a data center?

A

Closed Head

Dry pipe, deluge, and preaction systems all use pipes that remain empty until the system detects signs of a fire. Closed-head systems use pipes filled with water that may damage equipment if there is damage to a pipe.

174
Q

Saria is the system owner for a healthcare organization. What responsibilities does she have related to the data that resides on or is processed by the systems she owns?

A

She has to make sure that appropriate security controls are in place to protect the data.

  • System owners have to ensure that the systems they are responsible for are properly labeled based on the highest level of data that their system processes, and they have to ensure that appropriate security controls are in place on those systems.
  • Data owners own the classification process.
175
Q

When a vendor develops a product that they wish to submit for Common Criteria evaluation, what do they complete to describe the claims of security for their product?

PP or ST?

A

ST

Vendors complete security targets (STs) to describe the controls that exist within their product. During the review process, reviewers compare those STs to the entity’s Protection Profile (PP) to determine whether the product meets the required security controls.

176
Q

In what type of trusted recovery process does the system recover against one or more failure types without administrator intervention while protecting itself against data loss?

Automated recovery or Automated recovery without undue data loss?

A

Automated recovery without undue data loss

In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically. In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations.

177
Q

What three important items should be considered if you are attempting to control the strength of signal for a wireless network as well as where it is accessible?

A

Antenna placement, antenna type, and antenna power levels

Antenna placement, antenna design, and power level control are the three important factors in determining where a signal can be accessed and how usable it is. A captive portal can be used to control user logins, and antenna design is part of antenna types. The FCC does provide maximum broadcast power guidelines but does not require a minimum power level.

178
Q

Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster?

MTD or RTO?

A

RTO

The recovery time objective (RTO) is the amount of time that it may take to restore a service after a disaster without unacceptable impact on the business. The RTO for each service is identified during a business impact assessment.

179
Q

What protocol takes the place of certificate revocation lists and adds real-time status verification?

A

OCSP

The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

180
Q

What process makes TCP a connection-oriented protocol?

  • It works via network connections.
  • It uses a handshake.
  • It monitors for dropped connections.
  • It uses a complex header.
A

It uses a handshake.
TCP’s use of a handshake process to establish communications makes it a connection-oriented protocol. TCP does not monitor for dropped connections nor does the fact that it works via network connections make it connection-oriented.

181
Q

What LDAP operation includes authentication to the LDAP server?

A

Bind

182
Q

Which one of the following statements about the SDLC is correct?

A

The waterfall methodology is compatible with the SDLC.

SDLC approaches include steps to provide operational training for support staff as well as end-user training. The SDLC may use one of many development models, including the waterfall and spiral models. The SDLC does not mandate the use of an iterative or sequential approach; it allows for either approach.

183
Q

The TCP header is made up of elements such as the source port, destination port, sequence number, and others. How many bytes long is the TCP header?

A

TCP headers can be 20 to 60 bytes long depending on options that are set.

184
Q

What security considerations should Fred’s company require for sending sensitive data over the cellular network?

A

They should use the same requirements as data over any public network.

Cellular networks have the same issues that any public network does. Encryption requirements should match those that the organization selects for other public networks like hotels, conference Wi-Fi, and similar scenarios. Encrypting all data is difficult, and adds overhead, so it should not be the default answer unless the company specifically requires it. WAP is a dated wireless application protocol and is not in broad use; requiring it would be difficult. WAP does provide TLS, which would help when in use.

185
Q

Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider’s 4G network while at the conference?

A

Connect to his company’s encrypted VPN service.

186
Q

NIST Special Publication 800-53, revision 4, describes two measures of assurance. Which measure of developmental assurance is best described as measuring “the rigor, level of detail, and formality of the artifacts produced during the design and development of the hardware, software, and firmware components of information systems (e.g., functional specifications, high-level design, low-level design, source code)”?

A

Depth

NIST Special Publication 800-53 describes depth and coverage. Depth is the level of detail, rigor, and formality of artifacts produced during design and development. Coverage is the breadth and scope of the assessment conducted. If you encounter a question like this and are not familiar with the details of a standard like NIST 800-53, or may not remember them, focus on the meanings of each word and the details of the question. We can easily rule out affirmation, which isn’t a measure. Suitability is a possibility, but depth fits better than suitability or coverage.

187
Q

Uptown Records Management recently entered into a contract with a hospital for the secure storage of medical records. The hospital is a HIPAA-covered entity. What type of agreement must the two organizations sign to remain compliant with HIPAA?

NDA or BAA?

A

BAA

HIPAA requires that anyone working with personal health information on behalf of a HIPAA-covered entity be subject to the terms of a business associates agreement (BAA).

188
Q

What layer of the OSI model is associated with datagrams?

A

At the Transport layer, the name of the data unit depends on whether TCP or UDP is in use:

  • TCP sends segments
  • UDP sends datagrams

Above the Transport layer, data is handled as a data stream; below it, the data is converted to packets at the Network layer, frames at the Data Link layer, and bits at the Physical layer.

189
Q

What does PGP stand for, what domain is it used in and what protocols does it use?

A

PGP stands for Pretty Good Privacy.

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

The PGP email system, invented by Phil Zimmermann, uses the “web of trust” approach to secure email. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) algorithm for encryption/decryption, and SHA hashing.

190
Q

On what port do DHCP clients request a configuration?

A

Dynamic Host Configuration Protocol (DHCP) uses port 68 for client request broadcast and port 67 for server point-to-point response.

191
Q

What is the popular name for 802.15?

A

Bluetooth

192
Q

What Internet standard does all public email comply with?

A

Internet email must comply with the X.400 standard.

193
Q

A tunnel mode VPN is used to connect which types of systems?

A

Hosts and networks

Tunnel mode VPNs are used to connect networks to networks or networks to hosts. Transport mode is used to connect hosts to hosts. Host, server, client, terminal, and domain controller are all synonyms.

194
Q

Which VPN protocol can be implemented as the payload encryption mechanism when L2TP is used to craft the VPN connection for an IP communication?

A

IPsec

IPsec is a VPN protocol that can be implemented as the payload encryption mechanism when L2TP is used to craft the VPN connection for an IP communication.

195
Q

Which type of connection created by a packet-switching networking system reuses the same basic parameters or virtual pathway each time it connects?

A

Permanent virtual circuit

A PVC reestablishes a link using the same basic parameters or virtual pathway each time it connects. SVCs use unique settings each time. Bandwidth on demand links can be either PVCs or SVCs.

196
Q

What is the primary purpose of change management?

A

To allow management to review all changes

The primary purpose of change management is to allow management to review all changes. However, it is true that the overall goal of change management is to prevent unwanted reductions to security.

197
Q

Which component of the CIA Triad has the most avenues or vectors of attack and compromise?

A

Availability

Availability has the most avenues or vectors of attack and compromise. Availability can be affected by damaging the resource, compromising the resource host, interfering with communications, or attacking the client.

198
Q

When establishing who someone is before you grant them access to resources, what is the first step?

Verify credentials or Claim an identity

A

The first step toward granting a user access is for them to claim an identity (identification). That is followed by verifying credentials (authentication), then by granting authority (authorization), and finally by monitoring activity (auditing).

199
Q

When attempting to impose accountability on users, what key issue must be addressed?

A

Legal defense/support of authentication

To effectively hold users accountable, your security must be legally defensible. Primarily, you must be able to prove in a court that your authentication process cannot be easily compromised. Thus, your audit trails of actions can then be tied to a human.

200
Q

What is data integrity all about?

A

Integrity protection is not about stopping all change but preventing unwanted, unintended, and malicious change as well as ensuring the retention of correct information.

201
Q

Which of the following is not true?

Policies, standards, baselines, guidelines, and procedures can be combined in a single document.

Or

When changes occur, it is easier to update and redistribute only the affected material rather than update a monolithic policy and redistribute it.

A

Policies, standards, baselines, guidelines, and procedures can be combined in a single document.

Avoid combining policies, standards, baselines, guidelines, and procedures in a single document. Each of these structures must exist as a separate entity because each performs a different specialized function.

202
Q

Which of the following is often a side benefit of a thorough risk analysis process?

Complete and detailed valuation of all assets

Or

Deployment of safeguards

A

Complete and detailed valuation of all assets

203
Q

Security planning documentation should ________________.

Define work for individuals

Or

Prescribe tasks to roles

A

Prescribe tasks to roles

As a general rule of thumb, security policies (as well as standards, guidelines, and procedures) should not address specific individuals. Instead of assigning tasks and responsibilities to a person, they should be defined for a role. Then these defined roles are assigned to individuals as a job description or an assigned work task. The assignment of a role to a person is not part of the security policy documentation. Rather, that activity is a function of administrative control or personnel management. Thus, a security policy does not define who is to do what but rather what must be done by the various roles within the security infrastructure.

204
Q

What is the countermeasure cost/benefit equation?

A

(ALE1 – ALE2) – CM cost

205
Q

What is the foundation of user and personnel security?

Job descriptions or

Auditing and monitoring

A

Job descriptions

Job descriptions are essential to user and personnel security. Only when it’s based on a job description does a background check have true meaning. Without a job description, auditing and monitoring cannot determine when a user performs tasks outside of their assigned work. Without a job description, administrators do not know what level of access to assign via DAC.

206
Q

The quantitative risk analysis equations produce ALEs and cost/benefit results that are used for what purpose?

A

Determining priority

The risk analysis equations—specifically, the ALE and the cost/benefit equation—produce results that are primarily used to prioritize security efforts. The largest values should be addressed and resolved first. The values are not directly used to obtain insurance or assign responsibility, and they’re not realistic enough to be used as actual cost/loss expectations.

207
Q

Which of the following is not an aggregate function in SQL?

A

SELECT()

SELECT() is not an aggregate function but an SQL command. MAX() is an aggregate function that selects the maximum value from a set. SUM() is an aggregate function that adds values together. AVG() is an aggregate function that determines the mathematical average of a series of values.

208
Q

What type of data model does the Domain Name System (DNS) use?

A

DNS uses a hierarchical model to organize data, with root name servers representing the top-level domains and authority distributed hierarchically to child servers.

209
Q

What form of interference is generated by a difference in power between hot and neutral wires of a power source?

A

Traverse mode noise

Traverse mode noise is generated by the difference in power between the hot and neutral wires of a power source or operating electrical equipment.

210
Q

What are the two types of electromagnetic interference (EMI)?

A

There are two types of electromagnetic interference (EMI): common mode and traverse mode.

Common mode noise is generated by a difference in power between the hot and ground wires of a power source or operating electrical equipment.

Traverse mode noise is generated by a difference in power between the hot and neutral wires of a power source or operating electrical equipment.

211
Q

What programming environment offered by Microsoft includes the Common Language Interface?

A

.NET Framework

The .NET Framework includes the Common Language Interface to support multiple programming languages.

212
Q

What is residual risk?

A

The risk remaining after a countermeasure is installed

213
Q

What is the length of protection offered by trademark law without requiring a renewal?

A

10 years

Trademarks are protected for an initial 10-year period and may be renewed for unlimited successive 10-year periods.

214
Q

Which of the following is the type of antivirus response function that removes the malicious code but leaves damage unrepaired?

A

Removal

Removal removes the malicious code but does not repair the damage caused by it.

Cleaning not only removes the code, but it also repairs any damage the code has caused.

215
Q

What is the primary purpose of most malware today?

A

Creating botnets

Most malware is designed to add systems to botnets, where they are later used for other nefarious purposes, such as sending spam or participating in distributed denial-of-service attacks.

216
Q

Which one of the following is not a required component of a digital certificate?

A. Serial number

B. Validity period

C. Receiver’s name

D. X.509 version

A

Receiver’s name

The receiver’s name is not a necessary component of a digital certificate.

217
Q

What package provides secure replacements for common Internet utilities like FTP and some internal network utilities like rexec?

A

Secure Shell (SSH) provides secure replacements for a number of common Internet utilities, such as converting FTP to SFTP, and internal network utilities, such as converting rexec to sexec.

218
Q

What protocol manages the security associations used by IPsec?

A

ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) provides background security support services for IPsec, including managing security associations.

219
Q

Which IPsec protocol provides assurances of nonrepudiation?

A

AH

The Authentication Header (AH) provides assurances of message integrity and nonrepudiation.

220
Q

The _______________ model is based on predetermining the set or domain of objects that a subject can access. The set or domain is a list of those objects that a subject can access. This model is based on automation theory and domain separation. This means subjects are only able to perform predetermined actions against predetermined objects.

A

Goguen-Meseguer

The Goguen-Meseguer model is based on predetermining the set or domain of objects that a subject can access. The set or domain is a list of those objects that a subject can access. This model is based on automation theory and domain separation. This means subjects are able to perform only predetermined actions against predetermined objects.

221
Q

From within the Bell–LaPadula model, what is allowed to violate the star property, but when doing so does not actually violate security?

A

Trusted subject

A trusted subject can violate the star property of “no write down” in the act of declassification, which is not an actual violation of security.

222
Q

The __________ of a process consist of limits set on the memory addresses and resources it can access. This also states or defines the area within which a process is confined.

A

Bounds

The bounds of a process consist of limits set on the memory addresses and resources it can access. The bounds state or define the area within which a process is confined.

223
Q

___________ is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization.

A

XML exploitation

XML exploitation is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization.

224
Q

The lack of data flow control could result in all but which of the following?

A

Quality of service management

Failing to provide data flow control means failing to provide quality of service management as well.

225
Q

What part of the Common Criteria specifies the claims of security from the vendor that are built into a target of evaluation?

A

Security target

Security targets (STs) specify the claims of security from the vendor that are built into a TOE.

226
Q

The following eight primary protection rules or actions define the boundaries of what security model?

  • Securely create an object.
  • Securely create a subject.
  • Securely delete an object.
  • Securely delete a subject.
  • Securely provide the read access right.
  • Securely provide the grant access right.
  • Securely provide the delete access right.
  • Securely provide the transfer access right.
A

Graham-Denning

The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Ultimately, Graham-Denning is a collection of eight primary protection rules or actions (listed in the question) that define the boundaries of certain secure actions.

227
Q

When assigning a classification label, which of the following is not an essential criterion?

Source or origin

Or

Maturity or age

A

Source or origin

The source or origin of a resource is rarely a serious criterion in the assignment of a classification label. The other options are just a few of the important criteria of classification assignment.

228
Q

The security role of ________________ is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Data custodian or

Data owner

A

Data custodian

The security role of data custodian is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

229
Q

Which one of the following business impact assessment variables represents the dollar value of each organizational resource?

A

AV

The asset value (AV) is a monetary measure of an asset’s worth to the organization.

230
Q

What type of decision-making involves the emotional impact of events on a firm’s workforce and client base?

Qualitative decision-making or

Impact decision-making

A

Qualitative decision-making

Qualitative decision-making takes non-numerical factors, such as emotional impact, into consideration.

231
Q

What should be included in the risk assessment portion of the BCP documentation for each risk that was deemed acceptable?

A

Future events that might warrant reconsideration

232
Q

What document should state where critical business information will be stored?

A

Vital records program

233
Q

Under what method are database backups bulk transferred to off-site recovery locations?

A

Electronic vaulting automatically backs up data to a secure site where storage professionals at the vaulting company’s site handle the details.

234
Q

If you require hourly updates to backup facilities, what option do you choose?

A

Remote journaling

Remote journaling data transfers are performed expeditiously on a frequent (usually hourly) basis through copies of the transaction logs.

235
Q

What is transitive trust?

A

Transitive trust is the concept that if A trusts B and B trusts C, then A inherits trust of C through the transitive property—which works like it would in a mathematical equation: if a = b, and b = c, then a = c. In the previous example, when A requests data from B and then B requests data from C, the data that A receives is essentially from C. Transitive trust is a serious security concern because it may enable bypassing of restrictions or limitations between A and C, especially if A and C both support interaction with B.

236
Q

What does a credential management system do?

A

A credential management system provides a storage space for users to keep their credentials when SSO isn’t available. Users can store credentials for websites and network resources that require a different set of credentials. The management system secures the credentials with encryption to prevent unauthorized access.

As an example, Windows systems include the Credential Manager tool. Users enter their credentials into the Credential Manager and when necessary, the operating system retrieves the user’s credentials and automatically submits them. When using this for a website, users enter the URL, username, and password. Later, when the user accesses the website, the Credential Manager automatically recognizes the URL and provides the credentials.

237
Q

What does SLE stand for and give an equation that uses it

A

SLE stands for Single Loss Expectancy

SLE = Asset Value x Exposure Factor (EF)

238
Q

What is the Exposure Factor (EF)?

A

The Exposure Factor represents the percentage of loss a realized threat could have on a certain asset.

If a data warehouse was valued at $150K and the EF was 25%, then the SLE would be ($150K x 25%) = $37.5K

239
Q

What does ALE stand for and how is it used?

A

ALE stands for Annual Loss Expectancy.

ALE = SLE x Annualized Rate of Occurrence (ARO)

ARO stands for Annualized Rate of Occurrence; it is the estimated frequency of a specific threat taking place within a 12-month timeframe.

Key point – Never spend more per year than the ALE to protect something.

240
Q

What’s the quantitative equation for cost/benefit analysis in Risk Management

A

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (Annual cost of safeguard) = Value of safeguard to the company

241
Q

What are 4 single sign-on technologies?

A
  • Kerberos
  • Security Domains
  • Directory Services
  • Thin Clients
242
Q

What is a Certificate Authority (CA)?

A
  • A CA is a trusted organization (or server) that maintains and issues digital certificates.
  • Could be at a company
  • Could be something like Verisign
  • A CA is a component of PKI
243
Q

What kind of attack can a Certificate Authority thwart?

A

A man-in-the-middle attack

244
Q

What does cross certification refer to?

A

When two private CAs each trust the other so that two separate organizations can communicate securely.

245
Q

What is a Certificate Revocation List (CRL) and which entity maintains it?

A

A CRL is a list of certs that have been revoked. The CRL is maintained by the CA.

246
Q

What is the Online Certificate Status Protocol (OCSP)?

A
  • It’s an improvement over the CRL approach
  • When OCSP is implemented, it checks the CRL in the background as part of the protocol
  • Thus, the CRL is checked every time and we are not risking trusting entities with certs that have been revoked for one reason or another
247
Q

What is a certificate and what does it do?

A
  • A certificate is the mechanism used to associate a public key with a collection of components in a manner that is sufficient to uniquely identify the claimed owner.
  • The cert includes a serial number, version number, identity information, algorithm information, lifetime dates and the signature of the issuing authority.
248
Q

What does the Registration Authority (RA) do

A

The RA performs the certificate registration duties

249
Q

Name the possible entities and functions of a PKI

A
  • Certification Authority
  • Registration Authority
  • Certificate Repository
  • Certificate Revocation System
  • Key backup and recovery system
  • Automatic key update
  • Management of Key Histories
  • Timestamping
  • Client-side software
250
Q

What security services does PKI supply?

A
  • Confidentiality
  • Access Control
  • Integrity
  • Authentication
  • Non-repudiation
251
Q

What is the maximum run length for common copper-based twisted-pair cabling?

A

100 meters.

252
Q

Compare / Contrast the various mobile technologies 1G - 4G

A
253
Q

What condition is necessary on a web page for it to be used in a cross-site scripting attack?

A

Reflected Input

Cross-site scripting attacks are successful only against web applications that include reflected input.

Reflected Input Example - a simple web application that contains a single text box asking a user to enter their name. When the user clicks Submit, the web application loads a new page that says, “Hello, name.”

254
Q

What is the most effective defense against cross-site scripting attacks?

A

Input validation

Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the <script> HTML tag in the input.

255
Q

What HTML tag is often used as part of a cross-site scripting (XSS) attack?

A

The <script> tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.

256
Q

What’s the difference between Cross Site Scripting and Cross Site Forgery?

A
  • Cross-site scripting uses reflected input to trick a user’s browser into executing untrusted code from a trusted site.
  • Cross-site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third-party sites.
257
Q

Systems Evaluation / Common Criteria - What international standard refers to it?

A

ISO/IEC 15408

This is the Common Criteria standard for evaluating the security level of a system.

258
Q

What are the seven Evaluation Assurance Levels (EALs) of the Common Criteria?

A
  • EAL1 - Functionally tested
  • EAL2 - Structurally tested
  • EAL3 - Methodically tested and checked
  • EAL4 - Methodically designed, tested and reviewed
  • EAL5 - Semiformally designed and tested
  • EAL6 - Semiformally verified design and tested
  • EAL7 - Formally verified design and tested
259
Q

What does it mean that a system is “formally verified?”

A

It means that it’s based on a model that can be mathematically proven

260
Q

The Common Criteria uses ______ _________ in its evaluation process

A

Protection profiles (PPs)

261
Q

What are the three sections typically contained in a Protection Profile?

A
  1. Security Problem Description
  2. Security Objectives
  3. Security Requirements
262
Q

What CAUTIONS should be kept in mind regarding Assurance Ratings?

A
  • A rating only means the product has the potential of providing the specified level of protection. It must be properly configured to actually provide the desired level of protection.
  • It is up to the customer to keep the software properly configured at all times.
  • The level of protection is a point-in-time snapshot. The next version of the software could have a lower level of protection.
263
Q

What are the three main parts of the ISO/IEC 15408 International Standard that deals with security properties under the Common Criteria framework?

A
  • ISO/IEC 15408-1 Introduction and General model
  • ISO/IEC 15408-2 Security Functional Components
  • ISO/IEC 15408-3 Security Assurance Components
264
Q

Within the context of the Common Criteria, what’s the difference between Certification and Accreditation?

A
  • Certification is the comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation.
  • The goal of the certification process is to ensure that a system, product, or network is right for the customer’s purposes.
  • Accreditation is the formal acceptance of the adequacy of a system’s overall security and functionality by management.
  • Following examination of the certification information, management makes a formal accreditation statement.
265
Q

What aspect of security is the Clark-Wilson model concerned with?

A

Integrity

266
Q

What are the five elements used in the Clark-Wilson model?

A
  • Users - active agents
  • Transformation procedures (TPs)
  • Constrained data items (CDIs)
  • Unconstrained data items (UDIs)
  • Integrity verification procedures (IVPs)
267
Q

What is a distinctive feature of the Clark-Wilson model, and what does it refer to?

A

Well-formed transactions: a series of operations that transform a data item from one consistent state to another.

268
Q

Briefly describe how the Clark-Wilson model works.

A
  • Data is separated into CDI (secure and worthy of protection) and UDI (less critical)
  • Users can’t modify CDI directly. They must use Transformation Procedures to modify the data on behalf of the user
  • The IVP ensures that all critical data manipulation follows the application defined integrity rules
  • The Clark-Wilson model enforces the “access triple”
    1. Subject (user)
    2. Program (TP)
    3. Object (CDI)
269
Q

What is a non-interference model and what is the point of it?

A
  • A non-interference model ensures that any actions that take place at a higher level of security do not affect or interfere with actions that take place at a lower level
  • It is concerned with what a subject knows about the state of the system
  • It is designed to prevent data leakage. If an entity at a higher security level performs an action, it cannot change the state for an entity at a lower security level.
270
Q

What does the Brewer and Nash Model state? What is a synonym for it?

A
  • The model allows for dynamically changing access controls that protect against conflicts of interest
  • The Brewer and Nash model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different dataset
  • Its main goal is to protect against conflicts of interest by users’ access attempts (example – stock broker having access to earnings report)
  • It is also known as the Chinese Wall model
271
Q

What are the eight rules covered by the Graham-Denning Model

A
  • How to securely create an object
  • How to securely create a subject
  • How to securely delete an object
  • How to securely delete a subject
  • How to securely provide the read access right
  • How to securely provide the grant access right
  • How to securely provide the delete access right
  • How to securely provide the transfer access right
272
Q

What is the gist of the Harrison-Ruzzo-Ullman Model?

What does it deal with?

A

The Harrison-Ruzzo-Ullman model deals with access rights of subjects and the integrity of those rights

A subject can carry out only a finite set of operations on an object.

Gist – If a complex operation is required (steps A–F, for example) and one of those commands is not authorized, then the whole operation fails. Think transaction integrity.

273
Q

When a user is attempting to connect to a SNMP service on an internal system that while booted and functioning is not actually running an SNMP server, what information response will their system receive?

A

ICMP Type 3

SNMP is a UDP-based service. UDP does not have any means of sending back errors, because it is a simplex protocol. Thus, when UDP errors occur, the system switches protocols and uses ICMP to send back information. In the case of a nonexistent service, the port is not available, so an ICMP Type 3 (Destination Unreachable) error is returned.

274
Q

Compare and Contrast Trike, VAST, STRIDE and DREAD as threat modeling methodologies

A
  • Trike is a threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD. It provides a method of performing a security audit in a reliable and repeatable procedure.
  • STRIDE stands for
    • Spoofing
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
  • DREAD
    • Disaster
    • Reproducibility
    • Exploitability
    • Affected Users
    • Discoverability
  • VAST - is a threat modeling concept based on Agile project management and programming principles.
    • Visual
    • Agile
    • Simple
    • Threat
275
Q

What do polymorphic viruses do?

A

Polymorphic viruses actually modify their own code as they travel from system to system. The virus’s propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system.

276
Q

Which of the following includes a record of system activity and can be used to detect security violations, software flaws, and performance problems?

Systems logs or Audit Trail?

A

Audit trail

Audit trails provide a comprehensive record of system activity and can help detect a wide variety of security violations, software flaws, and performance problems. An audit trail includes a variety of logs, including change logs, security logs, and system logs, but any one of these individual logs can’t detect all the issues mentioned in the question.

277
Q

An organization wants to implement a cloud-based service using a combination of two separate clouds. Which deployment model should they choose?

Public or Hybrid?

A

Hybrid

The hybrid model includes a combination of two or more clouds or an on-site/cloud hybrid approach. The other answers refer to a single cloud-based structure. A community model is shared with two or more organizations but it can be a single cloud. A private cloud is private to an organization, and a public cloud is available to any organization.

278
Q

What type of network discovery scan attempts to simulate an already open network connection?

A

TCP ACK scan

The TCP ACK scan sends an ACK packet, simulating a packet from the middle of an already established connection.

279
Q

When NAC is used to manage an enterprise network, what is most likely to happen to a notebook system once reconnected to the intranet after it has been out of the office for six weeks while in use by an executive on an international business trip?

A

Quarantine

NAC often operates in a pre-admission philosophy in which a system must meet all current security requirements (such as patch application and antivirus updates) before it is allowed to communicate with the network. This often means systems that are not in compliance are quarantined or otherwise involved in a captive portal strategy in order to force compliance before network access is restored.

280
Q

Which of the following passwords uses a challenge-response mechanism to create a one-time password?

A. Synchronous one-time passwords

B. Asynchronous one-time passwords

C. Strong static passwords

D. Passphrases

A

Asynchronous one-time passwords

An asynchronous token generates and displays one-time passwords using a challenge-response process to generate the password. A synchronous token is synchronized with an authentication server and generates synchronous one-time passwords. Static passwords are not one-time passwords but instead stay the same for a period of time. A passphrase is a static password created from an easy-to-remember phrase.

281
Q

Using a network packet sniffer, you intercept a communication. After examining the IP packet’s header, you notice that the flag byte has the binary value of 00000100. What does this indicate?

A

A reset has been transmitted.

The flag value of 00000100 indicates a RST, or reset flag, has been transmitted. This is not necessarily an indication of malicious activity.

282
Q

A biometric system is matching subjects to a database using a one-to-many search. What is this providing?

A

Biometric systems using a one-to-many search provide identification by searching a database for a match.

Biometric systems using a one-to-one search provide authentication.

Biometric systems do not provide authorization or accountability.

283
Q

________________ operates on a set of defined rules or restrictions that filter actions and activities performed on the system.

A.Discretionary access control

B.Mandatory access control

C.Nondiscretionary access control

D.Voluntary access control

A

Nondiscretionary access control

Nondiscretionary access control enables the enforcement of systemwide restrictions that override object-specific access control.

284
Q

What spam prevention and reduction technology operates by checking that inbound messages originate from a host authorized to send messages by the owners of the SMTP origin domain?

A

Sender Policy Framework (SPF)

To protect against spam and email spoofing, an organization can also configure their SMTP servers for Sender Policy Framework. SPF operates by checking that inbound messages originate from a host authorized to send messages by the owners of the SMTP origin domain.

285
Q

What is Opportunistic TLS for SMTP and what is it used for?

A

Opportunistic TLS for SMTP will attempt to set up to an encrypted connection with every other email server in the event that it is supported; otherwise, it will downgrade to plaintext.

286
Q

Which one of the following security modes does not require that all users have a security clearance for the highest level of information processed by the system?

A. Dedicated

B. System high

C. Compartmented

D. Multilevel

A

Multilevel

In a multilevel security mode system, there is no requirement that all users have appropriate clearances to access all the information processed by the system.

287
Q

What are the three common means of ranking or rating the severity and priority of threats?

A
  1. DREAD
  2. Probability * Damage Potential
  3. High/medium/low
288
Q

What aspect of security governance is based on the idea that senior management is responsible for the success or failure of a security endeavor?

A

Top-down approach

289
Q

What law requires that federal agencies develop and implement an effective information security program?

A

FISMA

The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency’s operations.

290
Q

Is deterrent access control a thing?

A

Yes.

Deterrent access control is deployed to discourage violation of security policies.

291
Q

A(n) ______________ system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

A. Assured

B. Updated

C. Protected

D. Trusted

A

Trusted

A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

292
Q

What phase of the Electronic Discovery Reference Model puts evidence in a format that may be shared with others?

Production or Presentation?

A

Production

293
Q

What is the primary reason parallel deployment of security mechanisms is an insecure solution?

A. It complies with layering design.

B. A series configuration is secure.

C. A threat could pass through a single checkpoint that did not address its particular malicious activity.

D. A single failure of a security control does not render the entire solution ineffective.

A

A threat could pass through a single checkpoint that did not address its particular malicious activity.

Parallel security designs are insecure because a threat could pass through a single checkpoint that did not address its particular malicious activity.

Think physical security. Bank (serial) vs. shopping mall (parallel)

294
Q

Which of the following describes putting similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective?

Abstraction or data classification?

A

Abstraction

Abstraction describes putting similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.

295
Q

Which of the following is not a useful item to consider when establishing the value of an asset?

Liability of asset loss

Classification level

A

Classification level

Classification level is assigned based on an asset’s value as well as its sensitivity and confidentiality. It is not used as a valuation element.

296
Q

________________ operates on a set of defined rules or restrictions that filter actions and activities performed on the system.

Mandatory access control or Nondiscretionary access control

A

Nondiscretionary access control

Nondiscretionary access control enables the enforcement of systemwide restrictions that override object-specific access control.

297
Q

Which environment requires exact, specific clearance for an object’s security domain?

A

Compartmentalized environment

Compartmentalized environments require specific security clearances over compartments or domains instead of objects.

298
Q

A security management plan that discusses the needs of an organization to maintain security, the desire to improve control of authorized access, and the goal of implementing token-based security is what type of plan?

Operational or Strategic

A

Strategic

A strategic plan is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives. It is useful for about five years if it is maintained and updated annually. The strategic plan also serves as the planning horizon. Long-term goals and visions of the future are discussed in a strategic plan.

299
Q

What is the maximum key length of Blowfish?

A

448 bits

300
Q

Change management should ensure that which of the following is possible?

Unauthorized changes to the system are prevented.

or

Changes can be rolled back to a previous state.

A

Changes can be rolled back to a previous state.

301
Q

What layer of the ring protection scheme includes programs running in supervisory mode?

Level 0 or Level 1?

A

Level 0

Supervisory mode programs are run by the security kernel, at Level 0 of the ring protection scheme.

302
Q

Coordinated attack efforts that leverage key mechanisms in legitimate network traffic or protocol responses that disrupt or inhibit service to some network infrastructure are what form of attack?

Distributed denial of service or

Distributed reflective denial of service

A

Distributed reflective denial of service

Coordinated attack efforts between cooperative machines using traffic in an entirely legitimate manner are distributed reflective denial-of-service attacks.

A distributed reflective denial-of-service (DRDoS) attack is a variant of a DoS. It uses a reflected approach to an attack. In other words, it doesn’t attack the victim directly, but instead manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources. Domain Name System (DNS) poisoning attacks (covered in Chapter 12) and smurf attacks (covered later in this chapter) are examples.

303
Q

What technique is commonly used by polymorphic viruses to escape detection?

A

Encryption

304
Q

What is a stealth virus?

A

Stealth viruses trick antivirus software into thinking everything is functioning normally.

Stealth viruses alter operating system file access routines so that when an antivirus package scans the system, it is provided with the information it would see on a clean system rather than with infected versions of data.

305
Q

Is using MAC filtering on a wireless network a good idea?

A

No, it’s not a reliable security practice. Too easily spoofed.

306
Q

What is the vulnerability or feature of a PBX system that allows for an external entity to piggyback onto the PBX system and make long-distance calls without being charged for the tolls?

A

Remote dialing

Remote dialing (aka hoteling) is the vulnerability or feature of a PBX system that allows for an external entity to piggyback onto the PBX system and make long-distance calls without being charged for the tolls.

307
Q

What form of proximity device is able to generate its own electricity from a magnetic field?

Passive device or

Field-powered device

A

Field-powered device

A field-powered device has electronics that activate when the device enters the electromagnetic field that the reader generates. Such devices actually generate electricity from an EM field to power themselves.

308
Q

The symbol ⊕ represents the _________ function

A

The symbol ⊕ represents the exclusive OR (XOR) function, which is true when one and only one of the input bits is true.

309
Q

Which one of the following technologies is most commonly used to provide truly anonymized web browsing?

A. TLS

B. Tor

C. Incognito/Private mode

D. SSL

A

Tor

While all of these technologies may be used in attempts to achieve anonymity, Tor is the only technology listed that may provide anonymized browsing when properly implemented.

310
Q

What is The Onion Router (Tor) and why would you use it?

A

Tor stands for The Onion Router and is a privacy-oriented browser. It provides its privacy and security by relaying your traffic across different networks known as nodes. These nodes are placed all over the world, ensuring that no one can see both your origin and destination IP locations.

311
Q

What is the major weakness inherent in public key cryptography systems?

A

Slow speed

Public key cryptosystems are notoriously slower than their secret key counterparts. They eliminate the difficulty of key exchange and provide for both scalability and nonrepudiation.

312
Q

What form of attack is always possible when using a non-802.1x implementation of a wireless network?

A. Password guessing

B. Encryption cracking

C. IV interception

D. Packet replay attacks

A

Password guessing

313
Q

What is the purpose of a DMZ?

A

To host resources accessed by outside visitors but that are still isolated from the private network

314
Q

What are the three major asset categories the BCP normally covers?

A
  1. People
  2. Infrastructure
  3. Buildings/facilities
315
Q

Where is a good location for a turnstile?

Main entrance to a secure area or

On secondary or side exits

A
316
Q

A disaster recovery “simulation test” is similar to what?

A

Simulation tests are similar to the structured walk-throughs.

317
Q

Which of the following comes first?

A. Accreditation

B. Assurance

C. Trust

D. Certification

A

Trust comes first.

Trust is built into a system by crafting the components of security. Then assurance (in other words, reliability) is evaluated using certification and/or accreditation processes.

318
Q

What happens with the archive bit for full, incremental and differential backups?

A

Full Backups As the name implies, full backups store a complete copy of the data contained on the protected device. Full backups duplicate every file on the system regardless of the setting of the archive bit. Once a full backup is complete, the archive bit on every file is reset, turned off, or set to 0.

Incremental Backups Incremental backups store only those files that have been modified since the time of the most recent full or incremental backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. Once an incremental backup is complete, the archive bit on all duplicated files is reset, turned off, or set to 0.

Differential Backups Differential backups store all files that have been modified since the time of the most recent full backup. Only files that have the archive bit turned on, enabled, or set to 1 are duplicated. However, unlike full and incremental backups, the differential backup process does not change the archive bit.

319
Q

What is the preventive practice of establishing and planning for business-related threats and risk?

A

Business continuity planning

320
Q

Which of the following definitions best explains the purpose of an intrusion detection system?

A product that inspects incoming and outgoing traffic across a network boundary to deny transit to unwanted, unauthorized, or suspect packets

or

A product that automates the inspection of audit logs and real-time event information to detect intrusion attempts and possibly also system failures

A

A product that automates the inspection of audit logs and real-time event information to detect intrusion attempts and possibly also system failures

An intrusion detection system (IDS) is a product that automates the inspection of audit logs and real-time event information to detect intrusion attempts.

The first option defines a firewall.

321
Q

Of the following choices, what best describes the purpose of a honeypot or a honeynet?

To keep attackers away from real systems or networks they might otherwise attack

or

To lure attackers into a bogus system or network environment and present sufficient material of apparent worth or interest to keep the attacker around long enough to track them down

A

To lure attackers into a bogus system or network environment and present sufficient material of apparent worth or interest to keep the attacker around long enough to track them down

A honeypot (single system) or honeynet (entire network) is intended to provide a lure for attackers, and by design it provides sufficient material of apparent worth or interest to keep attackers around for a while.

322
Q

Which of the following combinations of terms defines the operations security triple?

Authentication, authorization, and accounting (AAA)

or

The relationship between assets, vulnerabilities, and threats

A

The relationship between assets, vulnerabilities, and threats

The primary purpose for operations security is to safeguard information assets that reside in a system day to day, to identify and safeguard any vulnerabilities that might be present in that system, and to prevent any exploitation of threats. Administrators often call the relationship between assets, vulnerabilities, and threats an operations security triple.

323
Q

Christopher recently received word that his application for a trademark was approved by the US Patent and Trademark Office. What symbol should he use next to the name to indicate its protected status?

®

OR

™

A

The ® symbol is reserved for trademarks that have received official registration status by the US Patent and Trademark Office.

If you use a trademark in the course of your public activities, you are automatically protected under any relevant trademark law and can use the ™ symbol to show that you intend to protect words or slogans as trademarks.

324
Q

Which one of the following is not a basic requirement for the admissibility of evidence?

Timely

or

Competent

A

Timely

To be admissible, evidence must be:

  • relevant
  • material
  • competent (means it must have been obtained legally)
325
Q

When conducting an internal investigation, what is the most common source of evidence?

Historical data

or

Voluntary surrender

A

Voluntary surrender

Internal investigations usually operate under the authority of senior managers, who grant access (i.e., voluntary surrender) to all information and resources necessary to conduct the investigation.

326
Q

What does the word “compromised” mean in the context of CISSP?

A

compromise

If system security has been broken, the system is considered compromised.

327
Q

Which one of the following is not a tenet of the (ISC)2 Code of Ethics?

Protect society, the commonwealth, and the infrastructure.

or

Take no action that jeopardizes the business interests of principals.

A

Take no action that jeopardizes the business interests of principals.

The Code of Ethics does not require that you protect the business interests of the principals. In fact, you may find yourself ethically bound to take action that jeopardizes those business interests.

328
Q

What’s the difference between the cardinality of a table and the degree of a table?

A

The cardinality of a table refers to the number of rows in the table.

The degree of a table is the number of columns.

329
Q

Compare and contrast:

  • Local alarm system
  • Centralized alarm system
  • Auxiliary alarm system
A

Local Alarm System Local alarm systems must broadcast an audible (up to 120 decibel [dB]) alarm signal that can be easily heard up to 400 feet away. Additionally, they must be protected from tampering and disablement, usually by security guards. For a local alarm system to be effective, there must be a security team or guards positioned nearby who can respond when the alarm is triggered.

Central Station System The alarm is usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach. Most residential security systems are of this type. Most central station systems are well-known or national security companies, such as Brinks and ADT. A proprietary system is similar to a central station system, but the host organization has its own onsite security staff waiting to respond to security breaches.

Auxiliary Station Auxiliary alarm systems can be added to either local or centralized alarm systems. When the security perimeter is breached, emergency services are notified to respond to the incident and arrive at the location. This could include fire, police, and medical services.

330
Q

What is a companion virus?

A

Companion viruses are self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file. They rely on the default filename extensions that Windows-based operating systems append to commands when executing program files (.com, .exe, and .bat, in that order).

For example, if you had a program on your hard disk named game.exe, a companion virus might use the name game.com. If you then open a Command tool and simply type GAME, the operating system would execute the virus file, game.com, instead of the file you actually intended to execute, game.exe.

331
Q

What are the 3 elements of an electronic access control lock?

A

An electronic access control (EAC) lock comprises three elements:

  • an electromagnet to keep the door closed,
  • a credential reader to authenticate subjects and to disable the electromagnet, and
  • a door-closed sensor to reenable the electromagnet.
332
Q

What form of infrastructure mode wireless networking deployment supports large physical environments through the use of a single SSID but numerous access points?

A

Enterprise extended

Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.

333
Q

What does LOIC stand for and what does it do?

A

Low Orbit Ion Cannon (LOIC) is a commonly used distributed denial of service (DDoS) attack toolkit.

334
Q

What are Satan and Saint used for?

A

Satan and Saint are reconnaissance utilities used to map networks and scan for known vulnerabilities.

335
Q

Which of the following elements is not necessary in the BCP documentation?

Risk acceptance details

OR

Mobile site plan?

A

Mobile site plan

Details of mobile sites are part of a disaster recovery plan, rather than a business continuity plan, since they are not deployed until after a disaster strikes.

(some questions may be about differentiating between BCP and DR plans).

336
Q

What federal agency provides detailed data that can assist with assessing earthquake risk?

FEMA or USGS?

A

USGS

The US Geological Survey provides detailed earthquake risk data for locations in the United States.

FEMA develops flood maps.

337
Q

What technique is used by antivirus software to detect behavior deviating from normal patterns of activity?

A

Heuristic detection

Heuristic detection techniques develop models of normal activity and then identify deviations from that baseline.

338
Q

What common vulnerability has no direct countermeasure and little safeguards or validators?

A

Both omissions and errors are difficult aspects to protect against, particularly as they deal with human and circumstantial origins.

339
Q

During what phase of incident response do you collect evidence such as firewall logs?

Detection or Response?

A

Response

Evidence collection takes place during the response phase of the incident. Incidents are identified and verified during the detection phase. Compliance with laws might occur during the reporting phase, depending on the incident. Personnel typically perform a root-cause analysis during the remediation phase.

340
Q

Which one of the following techniques takes the concept of process isolation and applies it to hardware controls?

Layering

or

Hardware segmentation

A

Hardware segmentation is similar to process isolation in purpose. It prevents the access of information that belongs to a different process/security level.

341
Q

What is hardware segmentation?

A

Hardware segmentation is similar to process isolation in purpose. It prevents the access of information that belongs to a different process/security level.

The main difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system. Such implementations are rare, and they are generally restricted to national security implementations where the extra cost and complexity is offset by the sensitivity of the information involved and the risks inherent in unauthorized access or disclosure.

342
Q

Alice wants to produce a message digest of a 2,048-byte message she plans to send to Bob. If she uses the MD5 hashing algorithm, what size will the message digest for this particular message be?

A

128 bits

The MD5 algorithm produces 128-bit hashes regardless of the size of the input message.

343
Q

Which of the following security models is most often used for general commercial applications?

A. Brewer and Nash model

B. Biba model

C. Bell-LaPadula model

D. Clark-Wilson model

A

Clark-Wilson model

Of the four models mentioned, Biba and Clark-Wilson are most commonly used for commercial applications because both focus on data integrity. Of these two, Clark-Wilson offers more control and does a better job of maintaining integrity, so it’s used most often for commercial applications. Bell-LaPadula is used most often for military applications. Brewer and Nash applies only to datasets (usually within database management systems) where conflict-of-interest classes prevent subjects from accessing more than one dataset that might lead to a conflict-of-interest situation.

344
Q

The absence of which of the following can result in the perception that due care is not being maintained?

A. Periodic security audits

B. Deployment of all available controls

A

Periodic security audits

Failing to perform periodic security audits can result in the perception that due care is not being maintained. Such audits alert personnel that senior management is practicing due diligence in maintaining system security. An organization should not indiscriminately deploy all available controls but should choose the most effective ones based on risks.

345
Q

Which of the following is not an example of a deterrent access control?

C. Awareness training

OR

D. Antivirus software

A

Antivirus software

Antivirus software is not a deterrent access control, though it can be identified as a preventive, corrective, or recovery access control. Examples of deterrent access controls include security policies, cameras, awareness training, fences, locks, security badges, and guards.

346
Q

Give examples of deterrent access controls.

A
  • security policies
  • cameras
  • awareness training
  • fences
  • locks
  • security badges
  • guards
347
Q

What type of disaster recovery test is the simplest to perform?

Structured walk-through

or

Read-through

A

In the read-through test, you distribute copies of the disaster recovery plan to key personnel for review but do not actually meet or perform live testing.

348
Q

What are the five main types of disaster recovery tests?

A
  1. Read-through tests involve the distribution of recovery checklists to disaster recovery personnel for review.
  2. Structured walk-throughs are “tabletop” exercises that involve assembling the disaster recovery team to discuss a disaster scenario.
  3. Simulation tests are more comprehensive and may impact one or more noncritical business units of the organization.
  4. Parallel tests involve relocating personnel to the alternate site and commencing operations there.
  5. Full-interruption tests involve relocating personnel to the alternate site and shutting down operations at the primary site.
349
Q

Classifications within a MAC model use one of the following three types of environments:

A

Hierarchical Environment A hierarchical environment relates various classification labels in an ordered structure from low security to medium security to high security, such as Confidential, Secret, and Top Secret, respectively. Each level or classification label in the structure is related. Clearance in one level grants the subject access to objects in that level as well as to all objects in lower levels but prohibits access to all objects in higher levels. For example, someone with a Top Secret clearance can access Top Secret data and Secret data.

Compartmentalized Environment In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for its security domain.

Hybrid Environment A hybrid environment combines both hierarchical and compartmentalized concepts so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain. A subject must have the correct clearance and the need to know data within a specific compartment to gain access to the compartmentalized object. A hybrid MAC environment provides granular control over access, but becomes increasingly difficult to manage as it grows. Figure 14.3 is an example of a hybrid environment.

350
Q

What type of access control mechanism does Software Defined Networking typically use?

A

A software-defined network (SDN) typically uses an attribute-based access control (ABAC) model. SDNs don’t normally use the discretionary access control (DAC), mandatory access control, or role-based access control (RBAC) models.

351
Q

What are the RFC 1918 address ranges?

A

The private IP addresses defined in RFC 1918 are:

  • 10.0.0.0 to 10.255.255.255 (a full Class A range),
  • 172.16.0.0 to 172.31.255.255 (16 Class B ranges), and
  • 192.168.0.0 to 192.168.255.255 (255 Class C ranges).
352
Q

_____________ are those who are given special access to off-limits areas of the company’s crucial IT infrastructure.

A

Privileged entities

353
Q

What is the most likely problem to using VPNs when a separate firewall is present?

You can’t filter on encrypted traffic.

or

Firewalls greatly reduce the throughput of VPNs.

A

Firewalls are unable to filter on encrypted traffic within a VPN, which is a drawback. VPNs can cross firewalls. Firewalls do not have to always block outbound VPN connections. Firewalls usually only minimally affect the throughput of a VPN and then only when filtering is possible.

354
Q

What is the primary purpose of change management?

A

The primary purpose of change management is to allow management to review all changes.

However, it is true that the overall goal of change management is to prevent unwanted reductions to security.

355
Q

What is hybrid risk assessment?

A

Use of quantitative and qualitative approaches

356
Q

What’s an Evil Twin access point attack?

A

Evil twin is an attack in which a hacker operates a false access point that will automatically clone, or twin, the identity of an access point based on a client device’s request to connect. Each time a device successfully connects to a wireless network, it retains a wireless profile in its history. These wireless profiles are used to automatically reconnect to a network whenever the device is in range of the related base station. Each time the wireless adapter is enabled on a device, it wants to connect to a network, so it sends out reconnection requests to each of the networks in its wireless profile history. These reconnect requests include the original base station’s MAC address and the network’s SSID. The evil twin attack system eavesdrops on the wireless signal for these reconnect requests. Once the evil twin sees a reconnect request, it spoofs its identity with those parameters and offers a plaintext connection to the client. The client accepts the request and establishes a connection with the false evil twin base station. This enables the hacker to eavesdrop on communications through a man-in-the-middle attack, which could lead to session hijacking, data manipulation, credential theft, and identity theft.

357
Q

What’s a rogue Access Point attack?

A

A rogue WAP can also be deployed by an attacker externally to target your existing wireless clients or future visiting wireless clients.

An attack against existing wireless clients requires that the rogue WAP be configured to duplicate the SSID, MAC address, and wireless channel of the valid WAP, although operating at a higher power rating. This may cause clients with saved wireless profiles to inadvertently select or prefer to connect to the rogue WAP instead of the valid original WAP.

The second method focuses on attracting new visiting wireless clients. This type of rogue WAP is configured with a social engineering trick by setting the SSID to an alternate name that appears legitimate or even preferred over the original valid wireless network’s SSID. For example, if the original SSID is “ABCcafe,” then the rogue WAP SSID could be “ABCcafe-2,” “ABCcafe-LTE,” or “ABCcafe-VIP.” The rogue WAP’s MAC address and channel do not need to be clones of the original WAP. These alternate names may seem like better network options to new visitors and thus trick them into electing to connect to the false network instead of the legitimate one.

358
Q

Which of the following is not a valid means to improve the security offered by password authentication?

Using password-verification tools and password-cracking tools against your password database file

or

Allowing users to reuse the same password

A

Allowing users to reuse the same password

Preventing password reuse by tracking password history increases security but allowing users to reuse the same password does not increase security. You can also improve password security by enabling account lockout controls, enforcing a password policy, and using password verification tools to check the strength of existing passwords.

359
Q

What security services are provided by Kerberos for authentication traffic?

Confidentiality and nonrepudiation

or

Confidentiality and integrity

A

Confidentiality and integrity

Kerberos provides confidentiality and integrity protection security services for authentication traffic using symmetric cryptography to encrypt tickets sent over the network to prove identification and provide authentication. The security services provided by Kerberos are not directly related to availability or nonrepudiation.

360
Q

Is Kerberos an effective SSO system between organizations?

A

No

Kerberos is an effective SSO system within a single organization but not between organizations.

361
Q

What is a data object passed from the Transport layer to the Network layer called when it reaches the Network layer?

A

I had packet in mind

Here is what CISSP said:
A data object is called a datagram or a packet in the Network layer. It is called a PDU in layers 5 through 7. It is called a segment in the Transport layer and a frame in the Data Link layer.

362
Q

Spoofing is primarily used to perform what activity?

A

Hide the identity of an attacker through misdirection

363
Q

What are the key elements of an audit?

A

Key elements of an audit report include:

  • Purpose
  • Scope
  • Results of the audit.
364
Q

What’s the difference between piggybacking and tailgating?

A

The difference between piggybacking and tailgating is that a piggybacker has the consent of an authorized person who allows him access, while a tailgater simply enters the premises behind an authorized person without consent.

365
Q

Which of the following best describes change management?

Ensuring only approved changes are implemented

or

Ensuring that changes do not reduce security

A

Ensuring that changes do not reduce security

The goal of change management is to ensure that any change does not lead to unintended outages or reduce security.

The Q didn’t ask for goal or purpose, but they wanted the goal

366
Q

Which of the following models includes a lattice-based format to define object access?

A

Mandatory access control model

A mandatory access control model includes a lattice-based format, with labels used to identify separate compartments.

367
Q

What process ensures that all necessary and required elements of a security solution are implemented as expected?

Auditing

or

Compliance checking?

A

Compliance checking

Compliance checking ensures that all necessary elements of a security solution are properly deployed and functioning as expected.

368
Q

What is a hardware-imposed network segmentation that requires a routing function to support intersegment communications otherwise known as?

Subnet or VLAN?

A

VLAN

A VLAN (virtual LAN) is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.

369
Q

A screen scraper tool can be used to?

Capture keystrokes

or

Extract data from XML/HTML-formatted data automatically

A

Extract data from XML/HTML-formatted data automatically

A screen scraper tool is used to automatically extract standardized formatted data, such as XML and HTML, from human-friendly output. This tool is often used to extract results from web search engines.

370
Q

What type of planning or security management should include acquisitions, divestitures, and oversight committees?

Security governance

or

Standards and baselines

A

Security governance

Security governance should include acquisitions, divestitures, and oversight committees.

371
Q

What form of security planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans?

Strategic, Operational or Tactical?

A

Tactical

Tactical planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans.

372
Q

What’s the difference between:

  • Strategic planning
  • Tactical Planning
  • Operational Planning
A
  • Strategic Plan A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose.
  • Tactical Plan The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events. A tactical plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals.
  • Operational Plan An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. Operational plans must be updated often (such as monthly or quarterly).
373
Q

Generally, a privacy policy is designed to protect what?

A user’s privacy

or

A company’s right to audit

A

A company’s right to audit

The purpose of a privacy policy is to inform users where they do and do not have privacy for the primary benefit of the protection of the company’s right to audit and monitor user activity.

374
Q

An organization has a patch management program but wants to implement another method to ensure that systems are kept up-to-date. What could they use?

Configuration management program

or

Vulnerability scanners

A

Vulnerability scanners

Vulnerability scanners can check systems to ensure they are up-to-date with current patches (along with other checks) and are an effective tool to verify the patch management program.

375
Q

What testing exercise would you perform that involves personnel relocation and remote site activation?

Parallel test

or

Full-interruption test

A

Parallel test

Parallel tests represent the next level in testing and involve actually relocating personnel to the alternate recovery site and implementing site activation procedures.

376
Q

Which of the following best describes a security control baseline?

A listing of security controls that provide a minimum level of security

or

A listing of applied security controls

A

A baseline is a listing of security controls that provide a minimum level of security.

Organizations can tailor a baseline to meet their needs. The baseline is a starting point, and it does not ensure maximum security. A baseline provides a listing of controls an organization can apply, but it isn’t necessarily a listing of applied controls.

377
Q

Which security model is based on the idea of defining a set of system states, initial states, and state transitions? Through the use of, and restriction to, only these predetermined secure states, integrity is maintained and interference is prohibited.

A

Sutherland

378
Q

What technology can be put in place that eliminates the PCI DSS requirement for recurring web vulnerability scans?

A

Web application firewall

PCI DSS allows organizations to choose between performing annual web vulnerability assessment tests or installing a web application firewall.

379
Q

What type of evidence must be authenticated by a witness who can uniquely identify it or through a documented chain of custody?

Real evidence

Or

Hearsay evidence

A

Real evidence

Real evidence must be either uniquely identified by a witness or authenticated through a documented chain of custody.

Since you couldn’t authenticate hearsay via a documented chain of custody, the answer must be real evidence.

380
Q

What government agency provides daily updates on wildfires in the United States?

A

NIFC

The National Interagency Fire Center provides daily updates on wildfires occurring in the United States.

381
Q

What standard of evidence is required for investigators to obtain a search warrant?

A

Probable cause

To obtain a search warrant, investigators must have probable cause.

382
Q

The Goguen-Meseguer model is an ________ model based on predetermining the set or domain—a list of objects that a subject can access.

Integrity

or

Non-interference?

A

Integrity

The Goguen-Meseguer model is an integrity model based on predetermining the set or domain—a list of objects that a subject can access.

383
Q

Of the following choices, what is the most appropriate action to take during the mitigation phase of incident response?

Isolate and contain

or

Restore service

A

Restore service

During the mitigation phase of an incident, you would take steps to isolate and contain the incident. You would gather evidence during the response phase. Personnel notify appropriate people during the reporting phase. Servers are restored during the recovery phase.

384
Q

What is certificate path validation?

A

Certificate path validation is verification that each certificate in a certificate path is valid and legitimate.

385
Q

What is the most common reaction to the loss of physical and infrastructure support?

A

Waiting for the event to expire

In most cases, you must simply wait until the emergency or condition expires and things return to normal. If physical and infrastructure support is lost, such as after a catastrophe, regular activity (including deploying updates, performing scans, or tightening controls) is not possible.

386
Q

What is the maximum hash length created by the SHA-2 algorithms?

A

512 bits

The SHA-2 algorithms support the creation of message digests up to 512 bits long.

387
Q

What standard governs the creation of digital certificates used in the public key infrastructure?

A

X.509

X.509 defines a common format for digital certificates containing certification of a public encryption key.

388
Q

In what security mode must each user have access approval and valid need to know for all information processed by the system?

A

Dedicated mode

The scenario presented in the question describes the three characteristics of dedicated mode.

389
Q

Which security mode provides the most granular control over resources and users?

A. Dedicated

B. System high

C. Compartmented

D. Multilevel

A

System high

System high mode provides the most granular control over resources and users because it enforces clearances, requires need to know, and allows the processing of only single sensitivity levels. All the other levels either do not have unique need to know between users (dedicated), allow multiple levels of data processing (compartmented), or allow a wide number of users with varying clearance (multilevel).

390
Q

Which one of the following techniques introduces confusion into a cryptographic algorithm?

Transposition or Substitution?

A

Substitution

Confusion occurs when the relationship between the plaintext and the key is so complicated that an attacker can’t merely continue altering the plaintext and analyzing the resulting ciphertext to determine the key.

391
Q

In the context of cryptographic algorithms (confusion/diffusion)

What does substitution achieve?

What does transposition achieve?

A

Substitution achieves confusion

Transposition achieves diffusion

392
Q

What term describes a secure channel for the TCB to communicate with the rest of the system?

A

Trusted path

A trusted path is a channel established with strict standards to allow necessary communication without exposing the TCB to security vulnerabilities.

393
Q

What stage of the SW-CMM model is characterized by formal, documented software development processes?

A

Defined

The Defined stage of SW-CMM is characterized by the use of formal, documented software development processes.

394
Q

Which of the following is a means for IPv6 and IPv4 to be able to coexist on the same network? (Choose all that apply.)

A. Dual stack

B. Tunneling

C. IPsec v6

D. NAT-PT

A

A. Dual stack

B. Tunneling

D. NAT-PT

The means by which IPv6 and IPv4 can coexist on the same network is to use one or more of three primary options. Dual stack is to have most systems operate both IPv4 and IPv6 and use the appropriate protocol for each conversation. Tunneling allows most systems to operate a single stack of either IPv4 or IPv6 and use an encapsulation tunnel to access systems of the other protocol. Network Address Translation-Protocol Translation (NAT-PT) (RFC-2766) can be used to convert between IPv4 and IPv6 network segments similar to how NAT converts between internal and external addresses. There is no distinct IPsec version 6 because IPsec is native to IPv6, and IPsec does not assist or support a network operating both IPv4 and IPv6 on its own.

395
Q

When an attacker selects a target, they must perform reconnaissance to learn as much as possible about the systems and their configuration before launching attacks. What is the gathering of information from any publicly available resource, such as websites, social networks, discussion forums, file services, and public databases?

A

Open source intelligence

Open source intelligence is the gathering of information from any publicly available resource. This includes websites, social networks, discussion forums, file services, public databases, and other online sources. This also includes non-Internet sources, such as libraries and periodicals.

396
Q

Which of the following is the most common attack on DNS servers?

Poisoning or flooding?

A

Flooding

397
Q

How do Windows DAC controls work?

Read

Change

Full control

A
  • The Read attribute allows you to read the file, but not make changes.
  • The Change attribute allows you to read, write, execute, and delete the file, but does not allow you to change the ACLs and/or owner of the file.
  • Full Control allows any changes to be made to the file, including its permissions and ownership.
398
Q

What is Session Initiation Protocol (SIP)?

A

SIP is an IETF-defined signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP).

399
Q

What is the benefit of the Diameter protocol?

A

Up until the conception of Diameter, IETF had individual working groups that defined how Voice over IP (VoIP), Fax over IP (FoIP), Mobile IP, and remote authentication protocols work. Defining and implementing them individually in any network can easily result in confusion and interoperability problems. It requires customers to roll out and configure several different policy servers and increases the cost with each newly added service. With Diameter, all of these services can be authenticated over the same authentication architecture.

400
Q

What’s the difference between scoping and tailoring?

A
  • Scoping is the process of reducing the breadth of provisions within a standard that must be considered in practice by an organization in light of the actual technologies it deploys.
  • Tailoring is
401
Q

What 2 elements must a VPN possess?

A

A VPN must include both a tunneling protocol and encryption.

402
Q

Which of the following solutions would be the best choice when setting up e-commerce within an organization?

Implementing a DMZ with dual-homed firewalls and two proxy servers

or

Implementing a three-tiered application architecture

A

Implementing a three-tiered application architecture

A three-tiered architecture consisting of presentation layer, business logic layer, and data layer should be used in this type of situation. This framework splits up the functionality processes that are necessary in e-commerce, but also allows for increasing degrees of security to be implemented. Each layer (presentation, business logic, data layer) runs on separate systems and the traffic between each system should go through separate firewalls.

403
Q

Which of the following is a true statement about the Caesar algorithm?

The algorithm is an alphabet and the key is the number of shifts

or

The algorithm is the number of shifts in an algorithm and the key is the algorithm

A

The algorithm is an alphabet and the key is the number of shifts

404
Q

Which of the following statements is true with respect to full volume encryption?

The decryption key must reside in memory, but is only accessible and recoverable while it is being used.

or

the decryption key may reside in memory long past its last use, and be accessible and recoverable.

A

The decryption key may reside in memory long past its last use, and be accessible and recoverable.

Until power has been removed from primary memory for a sufficient amount of time, encryption/decryption keys for any process may remain recoverable directly from memory, where they must necessarily reside during processing. Additionally, the memory pages that contain the keys may continue to be present after their use if they are not subsequently reused.

405
Q

What law is built upon the ideas of personal conduct and tradition?

Customary

or

Tort?

A

Customary

Customary law is built upon the ideas of history and tradition of a country. People are expected to act a certain way according to custom. Examples of nations that use a form of customary law are India, China, and African nations.

A tort is a wrongful act resulting in injury or damages, for which the civil law provides that the injured person (or the person suffering damages) may seek …

406
Q

Which of the following best describes a reference monitor?

A software component that determines if a user is authorized to perform a requested operation

or

A software component that works in the center protection ring and provides interfaces between trusted and untrusted objects

A

A software component that determines if a user is authorized to perform a requested operation

A reference monitor is the abstract machine that holds all of the rules of access for the system. The security kernel is the active entity that enforces the reference monitor’s rules. They control the access attempts of any and all subjects; a user is just one example of a subject.

407
Q

_______________ includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.

Activation, Recovery, Reconstitution, or Validation?

A

Reconstitution

  • The Activation/Notification Phase describes the process of activating the plan based on outage impacts and notifying recovery personnel.
  • The Recovery Phase details a suggested course of action for recovery teams to restore system operations at an alternate site or using contingency capabilities.
  • The final phase, Reconstitution, includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.
408
Q

Kim is a data custodian for her company. She has many duties to perform each day. Which duty would be considered “out of scope” in her position?

Establishing baselines for data purges

or

Troubleshooting system problems that affect user productivity

A

Establishing baselines for data purges

Determining when data should be purged is the responsibility of a data owner, not the data custodian. The data owner should be aware of the legal, regulatory, and policy issues surrounding how long data is to be kept. Once the data owner decides that particular data should be purged, the data custodian would most likely be tasked with configuring a system to carry out the purging process. The other tasks all belong to a data custodian.

409
Q

MPLS offers the following benefits, except:

VPNs can be created in combination with end-user applications.

or

Multiple layers can be eliminated.

A

VPNs can be created in combination with end-user applications.

Multiprotocol Label Switching (MPLS) gives service providers the ability to create VPNs without the need of end-user applications.

410
Q

Which of the following has objectives that include the creation of a framework for establishing jurisdiction and extradition of the accused?

Global Council Convention on Cybercrime

or

Council of Europe Convention on Cybercrime

A

Council of Europe Convention on Cybercrime

The Council of Europe (CoE) Convention on Cybercrime is one example of an attempt to create a standard international response to cybercrime. It is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation. The Convention’s objectives include the creation of a framework for establishing jurisdiction and extradition of the accused. For example, extradition can only take place when the event is a crime in both jurisdictions.

411
Q

The algorithm that was accepted as the Data Encryption Standard (DES) was?

A

Lucifer

IBM’s 128-bit algorithm, Lucifer, was accepted as the national standard in 1974. It was altered by NIST and referred to as Digital Encryption Algorithm, which used a 56-bit key.

412
Q

Which of the following does IAB consider unethical behavior?

A. Internet users who conceal unauthorized accesses

or

B. Internet users who waste computer resources

A

B. Internet users who waste computer resources

The IAB has declared wasting computer resources through purposeful activities unethical because it sees these resources as assets that are to be available for the computing society.

413
Q

There are different types of biometric systems in the industry today. Some make authentication decisions based on behavior and some make authentication decisions based on physical attributes. Which is better?

A

Physical attributes

A biometric system can make authentication decisions based on an individual’s behavior, as in signature dynamics and voice prints, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because they do not change as often and are harder to impersonate.

414
Q

What is the difference between a pharming attack and a phishing attack?

A

Pharming involves DNS poisoning and phishing involves social engineering.

415
Q

Database software performs three main types of integrity services: semantic, referential, and entity. Which of the following correctly describe these services?

A

i. A semantic integrity mechanism makes sure structural and semantic rules are enforced.
ii. A database has referential integrity if all foreign keys reference existing primary keys.
iii. Entity integrity guarantees that the tuples are uniquely identified by primary key values.

416
Q

Which category best describes threat modeling?

A. Qualitative approach to risk analysis

B. Value-based approach to risk analysis

C. Quantitative approach to risk analysis

D. None of these

A

A. Qualitative approach to risk analysis

A is correct. Since threat modeling is based on perceptions, opinions, judgments, and experiences, rather than hard costs and facts, threat modeling is an example of a qualitative approach to risk analysis. Calculating hard costs and facts would be a quantitative or value-based approach.

417
Q

The operations manager has established the use of uniform checklists for all server maintenance. What has the operations manager done?

A. Established a baseline

B. Established a regulation

C. Established a standard

D. Established a policy

A

C. Established a standard

The operations manager has established a standard, which specifies how hardware will be maintained. A regulation is a directive usually imposed from an entity outside the company, such as a mandate from government, a legal requirement, or an industry requirement. Policies are usually established by senior management, rather than line management. The operations manager may be reacting to a policy directive that requires uniformity and consistency in server management. The introduction of the checklists provided the tools necessary to implement this policy. Use of the checklists will eventually yield a baseline for server quality.

418
Q

In disaster recovery planning, what is the recovery point objective?

The point to which application data must be recovered to resume business operations

or

The point to which application data must be recovered to resume system operations

A

The point to which application data must be recovered to resume system operations

The Recovery Point Objective (RPO) is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an “acceptable loss” in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

419
Q

The network perimeter concept restricts access from segment to segment via ________.

Choke points

or

Trust models

A

Choke points

The network perimeter concept recognizes the need to separate sensitive networks from non-sensitive networks and accomplishes this by using choke points to block segment-to-segment access.

420
Q

When would an investigator’s notebook be admissible in court?

A

When he uses it to refresh memory

Notes that are taken by an investigator will, in most cases, not be admissible in court as evidence. It is not seen as reliable information and can only be used by the investigator to help him remember activities during the investigation.

421
Q

What is a valuable paper insurance contract?

A

Valuable papers insurance is a special type of property-casualty insurance. Valuable papers insurance reimburses the policyholder for the monetary value of any valuable papers such as wills, trusts, or corporate charters that are lost for any reason, though it cannot actually replace these papers.

422
Q

Which matches the following definition, “The use of needles to remove the outer protective material on the card’s circuits, by using ultrasonic vibration. Once this is completed then data can be accessed and manipulated by directly tapping into the card’s ROM chips”?

A

Microprobing

423
Q

Which of the following water sprinkler systems sounds an alarm and delays water release?

Dry pipe system

or

Preaction system

A

Preaction system

424
Q

A security measure has recently been put into place within the accounting department. All users within a specified clearance level have been permanently tied to a database with an equal classification level. This method of joining a subject to an object is referred to as:

A

Binding

Binding is a method of limiting a subject’s independence within a network. In this example, certain accounting users are bound to one database. Binding illustrates the principle of obligation.

425
Q

There are three basic types of Digital Forensic Science (DFS). Which is referred to as “computer forensics”?

A

Media analysis

The three types of DFS are: media, software, and network analysis. Media analysis is commonly referred to as computer forensics and consists of analyzing physical media for evidence acquisition.

426
Q

What is SESAME?

A

SESAME is an authentication protocol similar to Kerberos.

427
Q

Internal partitions should not be used in which of the following instances?

A

To provide protection of a sensitive area

Internal partitions only go up to the dropped ceiling and not to the real ceiling. This means that someone can easily go through the dropped ceiling, climb over the partition, and enter the sensitive area. Thus, this barrier is easily overcome.

428
Q

Which of the following is usually NOT considered when classifying data?

A

The user base of the data

Who might use the data is dependent upon its usefulness, but doesn’t factor into how it is classified.

429
Q

How does an electromechanical intrusion detection system work?

A

It detects a break in a circuit.

In an electromechanical IDS, a physical circuit is constructed around a potential ingress point, such as a window, commonly with strips of metal foil. If the window is opened, the foil is severed and the circuit is broken, tripping the alarm.

430
Q

The Trusted Computer Security Evaluation Criteria (TCSEC) is based on which three principles?

A
  1. Functionality
  2. Effectiveness
  3. Assurance
431
Q

Which of the following is the LAN transmission method used by a station seeking to transmit data to a group of stations?

Multicast

or

Broadcast?

A

Multicast

Multicast - When a single station needs to send data to a specific group of other stations, the method it uses is referred to as a multicast.

Unicast - is the method used to transmit data from one station to one other station.

Broadcast is the method used to transmit data from one station to all other stations on the LAN indiscriminately.

432
Q

What is the most significant aspect of buffer overflow vulnerabilities?

They can commonly be successfully attacked remotely, resulting in malicious code executing within the same security context as the local process being compromised.

or

Good coding practices can make them far less common.

A

They can commonly be successfully attacked remotely, resulting in malicious code executing within the same security context as the local process being compromised.

433
Q
A
434
Q

What is an NCA?

A

It’s a Non-Compete Agreement

435
Q

IT security is commonly referred to as ________ or ________ security.

A

logical

technical

436
Q

Give examples of assets

A
  • computer file,
  • a network service,
  • a system resource,
  • a process,
  • a program,
  • a product,
  • an IT infrastructure,
  • a database,
  • a hardware device,
  • furniture,
  • product recipes/formulas,
  • intellectual property,
  • personnel,
  • software,
  • facilities,
  • and so on.
437
Q

Define vulnerability

A

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability.

In other words, a vulnerability is a flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization. If a vulnerability is exploited, loss or damage to assets can occur.

438
Q

Define exposure

A

Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event.

439
Q

What’s the mathematical equation for risk?

A

risk = threat * vulnerability

440
Q

What’s the purpose of security?

A

The whole purpose of security is to prevent risks from becoming realized by removing vulnerabilities and blocking threat agents and threat events from jeopardizing assets. As a risk management tool, security is the implementation of safeguards.

441
Q

What’s the definition of a Breach?

A

A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

442
Q

What is the whole point of a safeguard?

A

To reduce the ARO.

Although there are some perfect safeguards, most are not. Thus, many safeguards have an applied ARO that is smaller (you hope much smaller) than the non-safeguarded ARO, but it is not often zero. With the new ARO (and possible new EF), a new ALE with the application of a safeguard is computed.

443
Q

What are the key equations for the exam?

A

Concept and formula:

  • Exposure factor (EF): %
  • Single loss expectancy (SLE): SLE = AV * EF
  • Annualized rate of occurrence (ARO): # / year
  • Annualized loss expectancy (ALE): ALE = SLE * ARO or ALE = AV * EF * ARO
  • Annual cost of the safeguard (ACS): $ / year
  • Value or benefit of a safeguard: (ALE1 – ALE2) – ACS

444
Q

Which safeguards should you implement first?

A

In most cases, the cost/benefit with the highest value is the best safeguard to implement for that specific risk against a specific asset.

445
Q

What is the Delphi technique?

A

The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.

It is used in qualitative risk analysis.

446
Q

What are the 6 ways to address risk?

A
  1. Reduce or mitigate
  2. Assign or transfer
  3. Accept
  4. Deter - Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.
  5. Avoid - Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.
  6. Reject or ignore - The final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
447
Q

What is total risk?

A

Total risk is the amount of risk an organization would face if no safeguards were implemented. A formula for total risk is as follows:

threats * vulnerabilities * asset value = total risk

(Note that the * here does not imply multiplication, but a combination function; this is not a true mathematical formula.)

448
Q

What is residual risk?

A

total risk – controls gap = residual risk

The controls gap is the amount of risk that is reduced by implementing safeguards; residual risk is what remains after the safeguards are in place, and it is the risk that senior management ultimately accepts.

449
Q

What does SCA stand for and how is it used?

What is the NIST Pub associated with it?

A

SCA stands for Security Control Assessment

It’s a formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.

Can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.

NIST Special Publication 800-53A titled “Guide for Assessing the Security Controls in Federal Information Systems”

450
Q

What are some of the factors related to the valuation of an asset?

A
  • Purchase cost
  • Development cost
  • Administrative or management cost
  • Maintenance or upkeep cost
  • Cost in acquiring asset
  • Cost to protect or sustain asset
  • Value to owners and users
  • Value to competitors
  • Intellectual property or equity value
  • Market valuation (sustainable price)
  • Replacement cost
  • Productivity enhancement or degradation
  • Operational costs of asset presence and loss
  • Liability of asset loss
  • Usefulness
451
Q

What is the main Risk Management Framework that the CISSP exam cares about?

What are its 6 steps?

A

NIST Special Publication 800-37. There are 6 steps to the Risk Management Framework (RMF) as described in Revision 1 (Revision 2, published in 2018, adds a preceding Prepare step, making seven).

  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
  • Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
452
Q

Besides NIST RMF, what other RM frameworks are out there?

A

  • OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • FAIR - Factor Analysis of Information Risk
  • TARA - Threat Agent Risk Assessment

454
Q

Who should be involved in BCP planning?

A
  • Operational departments that are responsible for the core services the business provides to its clients
  • Critical support services, such as the information technology (IT) department, facilities and maintenance personnel, and other groups responsible for the upkeep of systems that support the operational departments
  • Corporate security teams responsible for physical security, as they are many times the first responders to an incident and are also responsible for the physical safeguarding of the primary facility and alternate processing facility
  • Senior executives and other key individuals essential for the ongoing viability of the organization
455
Q

What are the four elements of the BCP planning process?

A
  1. Project scope and planning
  2. Business impact assessment
  3. Continuity planning
  4. Approval and implementation
457
Q

What are the 5 steps of the BIA portion of BCP?

A
  1. Identification of priorities
  2. Risk identification
  3. Likelihood assessment
  4. Impact assessment
  5. Resource prioritization (the BCP team's priorities)
458
Q

The United States Code (USC) contains what type of laws?

A

Both criminal and civil

459
Q

Where are Administrative laws published?

A

Administrative law is published in the Code of Federal Regulations, often referred to as the CFR.

461
Q

In the context of laws, what are ITAR and EAR?

A
  • The International Traffic in Arms Regulations (ITAR) controls the export of items that are specifically designated as military and defense items, including technical information related to those items. The items covered under ITAR appear on a list called the United States Munitions List (USML), maintained in 22 CFR 121.
  • The Export Administration Regulations (EAR) cover a broader set of items that are designed for commercial use but may have military applications. Items covered by EAR appear on the Commerce Control List (CCL) maintained by the U.S. Department of Commerce. Notably, EAR includes an entire category covering information security products.
462
Q

What are the key points of the Privacy Act of 1974?

A

The Privacy Act mandates that agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government.

The Privacy Act of 1974 applies only to government agencies. Many people misunderstand this law and believe that it applies to how companies and other organizations handle sensitive personal information, but that is not the case.

464
Q

What are the key points of the Electronic Communications Privacy Act of 1986?

What is its most notable provision?

A

The Electronic Communications Privacy Act (ECPA) makes it a crime to invade the electronic privacy of an individual.

One of the most notable provisions of the ECPA is that it makes it illegal to monitor mobile telephone conversations. In fact, such monitoring is punishable by a fine of up to $500 and a prison term of up to five years.

465
Q

What are the key provisions of the Communications Assistance for Law Enforcement Act (CALEA) of 1994?

A

The Communications Assistance for Law Enforcement Act (CALEA) of 1994 amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.

466
Q

What are the key points of the Economic Espionage Act of 1996?

A

The Economic Espionage Act of 1996 extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage. This changed the legal definition of theft so that it was no longer restricted by physical constraints.

467
Q

What are the key provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act

A
  • Business associate agreements (BAAs): HITECH extends HIPAA's requirements directly to business associates that handle protected health information on behalf of a covered entity.
  • Breach notification requirements

Under the HITECH Breach Notification Rule, HIPAA-covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.

468
Q

What are the provisions of the California SB 1386 law?

A

It’s about personally identifiable information.

This includes unencrypted copies of a person’s name in conjunction with any of the following information:

  • Social Security number
  • Driver’s license number
  • State identification card number
  • Credit or debit card number
  • Bank account number in conjunction with the security code, access code, or password that would permit access to the account
  • Medical records
  • Health insurance information

In the years following SB 1386, many (but not all) other states passed similar laws modeled on the California data breach notification law. As of 2017, only Alabama and South Dakota did not have state breach notification laws; both enacted one in 2018, so every U.S. state now has a breach notification statute.
469
Q

What are the key provisions of Children’s Online Privacy Protection Act (COPPA)?

A
  • Websites must have a privacy notice that clearly states the types of information they collect and what it’s used for, including whether any information is disclosed to third parties. The privacy notice must also include contact information for the operators of the site.
  • Parents must be provided with the opportunity to review any information collected from their children and permanently delete it from the site’s records.
  • Parents must give verifiable consent to the collection of information about children younger than the age of 13 prior to any such collection. Exceptions in the law allow websites to collect minimal information solely for the purpose of obtaining such parental consent.
470
Q

What are the key provisions of the Gramm-Leach-Bliley Act of 1999?

A

Until the Gramm-Leach-Bliley Act (GLBA) became law in 1999, there were strict governmental barriers between financial institutions.

  • GLBA somewhat relaxed the regulations concerning the services each organization could provide. When Congress passed this law, it realized that this increased latitude could have far-reaching privacy implications.
  • Because of this concern, it included a number of limitations on the types of information that could be exchanged even among subsidiaries of the same corporation and required financial institutions to provide written privacy policies to all their customers by July 1, 2001.
471
Q

What are the key provisions of the USA PATRIOT Act of 2001?

A
  • One of the major changes revolves around the way government agencies obtain wiretapping authorizations. Previously, police could obtain warrants for only one circuit at a time, after proving that the circuit was used by someone subject to monitoring. Provisions of the PATRIOT Act allow authorities to obtain a blanket authorization for a person and then monitor all communications to or from that person under the single warrant.
  • Another major change is in the way the government deals with Internet service providers (ISPs). Under the terms of the PATRIOT Act, ISPs may voluntarily provide the government with a large range of information. The PATRIOT Act also allows the government to obtain detailed information on user activity through the use of a subpoena (as opposed to a wiretap).
  • Finally, the USA PATRIOT Act amends the Computer Fraud and Abuse Act (yes, another set of amendments!) to provide more severe penalties for criminal acts. The PATRIOT Act provides for jail terms of up to 20 years and once again expands the coverage of the CFAA.
472
Q

What are the key provisions of FERPA?

A

The Family Educational Rights and Privacy Act (FERPA) is another specialized privacy bill that affects any educational institution that accepts any form of funding from the federal government (the vast majority of schools).

  • Parents/students have the right to inspect any educational records maintained by the institution on the student.
  • Parents/students have the right to request correction of records they think are erroneous and the right to include a statement in the records contesting anything that is not corrected.
  • Schools may not release personal information from student records without written consent, except under certain circumstances.
473
Q

What are the key provisions of the Identity Theft and Assumption Deterrence Act of 1998?

A

In the past, the only legal victims of identity theft were the creditors who were defrauded.

  • This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
474
Q

What’s the key thing to remember about “reasonable expectation of privacy.”?

What steps should companies take?

A
  • Businesses have the right to monitor employees' use of company assets
  • There is no "reasonable expectation of privacy" in the workplace, provided the organization has made its monitoring known

Steps companies should take:

  • Clauses in employment contracts that state the employee has no expectation of privacy while using corporate equipment
  • Similar written statements in corporate acceptable use and privacy policies
  • Logon banners warning that all communications are subject to monitoring
  • Warning labels on computers and telephones warning of monitoring
  • As with many of the issues discussed in this chapter, it’s a good idea to consult with your legal counsel before undertaking any communications-monitoring efforts.
475
Q

What are the key provisions of the European Union Privacy Law?

What rights does it give individuals

A

The rights that are guaranteed by this law are:

  • Right to access the data
  • Right to know the data’s source
  • Right to correct inaccurate data
  • Right to withhold consent to process data in some situations
  • Right of legal action should these rights be violated
476
Q

What is the US Privacy Shield about and what are its 7 provisions?

A

It relates to companies outside of Europe conducting business inside Europe, and defined the conditions under which they could transfer EU personal data to the United States. (The EU-US Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 in the Schrems II decision; it was succeeded by the EU-U.S. Data Privacy Framework in 2023.)

  1. Informing Individuals About Data Processing Companies must include a commitment to the Privacy Shield Principles in their privacy policy, making it enforceable by U.S. law. They must also inform individuals of their rights under the Privacy Shield framework.
  2. Providing Free and Accessible Dispute Resolution Companies participating in the Privacy Shield must provide consumers with a response to any complaints within 45 days and agree to an appeal process that includes binding arbitration.
  3. Cooperating with the Department of Commerce Companies covered by the agreement must respond in a timely manner to any requests for information received from the U.S. Department of Commerce related to their participation in the Privacy Shield.
  4. Maintaining Data Integrity and Purpose Limitation Companies participating in Privacy Shield must only collect and retain personal information that is relevant to their stated purpose for collecting information.
  5. Ensuring Accountability for Data Transferred to Third Parties Privacy Shield participants must follow strict requirements before transferring information to a third party. These requirements are designed to ensure that the transfer is for a limited and specific purpose and that the recipient will protect the privacy of the information adequately.
  6. Transparency Related to Enforcement Actions If a Privacy Shield participant receives an enforcement action or court order because they fail to comply with program requirements, they must make public any compliance or assessment reports submitted to the FTC.
  7. Ensuring Commitments Are Kept As Long As Data Is Held Organizations that leave the Privacy Shield agreement must continue to annually certify their compliance as long as they retain information collected under the agreement.
478
Q

What are the key provisions of GDPR?

A

A major difference between the GDPR and the data protection directive is the widened scope of the regulation. The new law applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it.

  • A data breach notification requirement that mandates that companies inform the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33; the 24-hour figure quoted in older study material comes from the 2012 draft of the regulation, not the final text)
  • The creation of centralized data protection authorities in each EU member state
  • Provisions that individuals will have access to their own data
  • Data portability provisions that will facilitate the transfer of personal information between service providers at the individual’s request
  • The “right to be forgotten” that allows people to require companies to delete their information if it is no longer needed
479
Q

Is PCI DSS a law?

What are its 12 provisions?

A

No. The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement that is not dictated by law but by contractual obligation.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.
480
Q

What are the key things to remember about the Digital Millennium Copyright Act?

A
  • The first major provision of the DMCA is the prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder.
  • The DMCA also limits the liability of Internet service providers (ISP) when their circuits are used by criminals violating the copyright law.
481
Q

What does the Fourth Amendment say?

A

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

482
Q

What’s the difference between Data Controller and Data Processor in the context of GDPR?

A

As an example, a company that collects personal information on employees for payroll is a data controller.

If they pass this information to a third-party company to process payroll, the payroll company is the data processor. In this example, the payroll company (the data processor) must not use the data for anything other than processing payroll at the direction of the data controller.

The GDPR restricts data transfers to countries outside the EU.

483
Q

The European Commission and the U.S. government developed the EU-US Privacy Shield program to replace a previous program, which was known as the Safe Harbor program.

What are its key tenets?

A
  • Notice: An organization must inform individuals about the purposes for which it collects and uses information about them.
  • Choice: An organization must offer individuals the opportunity to opt out.
  • Accountability for Onward Transfer: Organizations can only transfer data to other organizations that comply with the Notice and Choice principles.
  • Security: Organizations must take reasonable precautions to protect personal data.
  • Data Integrity and Purpose Limitation: Organizations should only collect data that is needed for processing purposes identified in the Notice principle. Organizations are also responsible for taking reasonable steps to ensure that personal data is accurate, complete, and current.
  • Access: Individuals must have access to personal information an organization holds about them. Individuals must also have the ability to correct, amend, or delete information, when it is inaccurate.
  • Recourse, Enforcement, and Liability: Organizations must implement mechanisms to ensure compliance with the principles and provide mechanisms to handle individual complaints.
484
Q

What is Pseudonymization?

A

Pseudonymization refers to the process of using pseudonyms to represent other data.

Example: Instead of including personal information such as the patient's name, address, and phone number, a medical record could just refer to the patient as Patient 23456. The mapping from pseudonym to patient is kept separately, so the record can still be re-identified by whoever holds that mapping. For that reason the GDPR still treats pseudonymized data as personal data.

485
Q

What’s the difference between pseudonymization and tokenization?

A

Tokenization is similar to pseudonymization.

Pseudonymization uses pseudonyms to represent other data.

Tokenization uses tokens to represent other data. Neither the pseudonym nor the token has any meaning or value outside the process that creates them and links them to the other data. Additionally, both methods can be reversed to make the data meaningful.

486
Q

How do pseudonymization, tokenization and masking differ?

A

Unlike pseudonymization and tokenization, masking cannot be reversed: the masked characters are discarded rather than stored in a lookup table, so nothing remains from which the original can be recovered.
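The three techniques from cards 484 through 486 side by side, as an added example that is not part of the original flashcard deck. The vault classes, the "Patient-" and "tok_" prefixes, the HMAC key and the sample identifiers are all this example's own constructions; the point it demonstrates is that a pseudonym is deterministic (the same input yields the same pseudonym, so records stay linkable), a token is random (no relationship to the data at all), both reverse only through their vault, and a mask reverses through nothing.

```python
import hashlib
import hmac
import secrets


class PseudonymizationVault:
    """Replaces an identifier with a deterministic pseudonym.

    The same input always yields the same pseudonym, so records about one
    person can still be linked, and the vault maps the pseudonym back.
    The HMAC key must be stored apart from the records (e.g. in a KMS):
    whoever holds both can regenerate pseudonyms for guessed identifiers.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._to_real: dict[str, str] = {}

    def pseudonymize(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        pseudonym = "Patient-" + digest[:8].upper()  # hypothetical format
        self._to_real[pseudonym] = value
        return pseudonym

    def reverse(self, pseudonym: str) -> str:
        """Reversible only with the vault; raises KeyError for unknown pseudonyms."""
        return self._to_real[pseudonym]


class TokenizationVault:
    """Replaces a value with a random token that has no mathematical
    relationship to the data; every call hands out a fresh token."""

    def __init__(self) -> None:
        self._to_real: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # hypothetical format
        self._to_real[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reversible only with the vault; raises KeyError for unknown tokens."""
        return self._to_real[token]


def mask(value: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Irreversible: the hidden characters are dropped, nothing is stored."""
    hidden = max(len(value) - max(keep_last, 0), 0)
    return mask_char * hidden + value[hidden:]


def demo(value: str = "123-45-6789") -> dict[str, str]:
    """Run all three techniques over one constructed sample identifier."""
    vault_key = b"constructed-sample-key-keep-in-kms"  # constructed, not a real key
    pv = PseudonymizationVault(vault_key)
    tv = TokenizationVault()
    return {
        "pseudonym": pv.pseudonymize(value),
        "token": tv.tokenize(value),
        "masked": mask(value),
    }


if __name__ == "__main__":
    for technique, result in demo().items():
        print(f"{technique:10s} {result}")
```

Running it twice prints the same pseudonym both times but a different token each time, and the masked value "*******6789" regardless. Neither vault persists anything here; in a real deployment the vault contents and the HMAC key are the crown jewels, since they are the only way back to the original data.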

487
Q

What’s the difference between a data administrator and a data custodian?

A
  • A data administrator is responsible for granting appropriate access to personnel.
  • A custodian helps protect the integrity and security of data by ensuring that it is properly stored and protected.
488
Q

According to NIST SP 800-53 Revision 5, what is a security control baseline?

A

A list of security controls selected as the starting point for systems of a given impact level (low, moderate, or high), which is then tailored to the specific system. Note that Revision 5 moved the control baselines themselves out of SP 800-53 into the companion document NIST SP 800-53B.

Using an OS image as a starting point is a practical example of a baseline.
