All R/Q Flashcards Preview

Flashcards in All R/Q Deck (473)

1

1. Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter
B. The CIA Triad
C. A Stand-alone system
D. The internet

Answer: B The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

2

2. Vulnerabilities and risks are evaluated based on their threats against which of the following?

A. One or more of the CIA Triad principles
B. Data Usefulness
C. Due care
D. Extent of liability

Answer: A Vulnerabilities and risks are evaluated based on their threats against one or more of the CIA Triad principles.

3

3. Which of the following is a principle of the CIA Triad that means authorized subjects are granted timely and uninterrupted access to objects?

A. Identification
B. Availability
C. Encryption
D. Layering

Answer: B Availability means that authorized subjects are granted timely and uninterrupted access to objects.

4

4. Which of the following is not considered a violation of confidentiality?

A. Stealing passwords
B. Eavesdropping
C. Hardware destruction
D. Social engineering

Answer: C Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, eavesdropping, and sniffing.

5

5. Which of the following is not true?

A. Violations of confidentiality include human error.
B. Violations of confidentiality include management oversight.
C. Violations of confidentiality are limited to direct intentional attacks.
D. Violations of confidentiality can occur when a transmission is not properly encrypted.

Answer: C Violations of confidentiality are not limited to direct intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are due to human error, oversight, or ineptitude.

6

6. STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE?

A. Spoofing
B. Elevation of privilege
C. Repudiation
D. Disclosure

Answer: D Disclosure is not an element of STRIDE. The elements of STRIDE are spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

7

7. If a security mechanism offers availability, then it offers a high level of assurance that authorized subjects can ___________ the data, objects, and resources.

A. Control
B. Audit
C. Access
D. Repudiate

Answer: C Accessibility of data, objects, and resources is the goal of availability. If a security mechanism offers availability, then it is highly likely that the data, objects, and resources are accessible to authorized subjects.

8

8. _________ refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed.

A. Seclusion
B. Concealment
C. Privacy
D. Criticality

Answer: C Privacy refers to keeping information confidential that is personally identifiable or which might cause harm, embarrassment, or disgrace to someone if revealed. Seclusion is to store something in an out-of-the-way location. Concealment is the act of hiding or preventing disclosure. The level to which information is mission critical is its measure of criticality.

9

9. All but which of the following items require awareness for all individuals affected?

A. Restricting personal email
B. Recording phone conversations
C. Gathering information about surfing habits
D. The backup mechanism used to retain email messages

Answer: D Users should be aware that email messages are retained, but the backup mechanism used to perform this operation does not need to be disclosed to them.

10

10. What element of data categorization management can override all other forms of access control?

A. Classification
B. Physical access
C. Custodian responsibilities
D. Taking ownership

Answer: D Ownership grants an entity full capabilities and privileges over the object they own. The ability to take ownership is often granted to the most powerful accounts in an operating system because it can be used to overstep any access control limitations otherwise implemented.

11

11. What ensures that the subject of an activity or event cannot deny that the event occurred?

A. CIA Triad
B. Abstraction
C. Nonrepudiation
D. Hash totals

Answer: C Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.

12

12. Which of the following is the most important and distinctive concept in relation to layered security?

A. Multiple
B. Series
C. Parallel
D. Filter

Answer: B Layering is the deployment of multiple security mechanisms in a series. When security restrictions are performed in a series, they are performed one after the other in a linear fashion. Therefore, a single failure of a security control does not render the entire solution ineffective.

13

13. Which of the following is not considered an example of data hiding?

A. Preventing an authorized reader of an object from deleting that object
B. Keeping a database from being accessed by unauthorized visitors
C. Restricting a subject at a lower classification level from accessing data at a higher classification level
D. Preventing an application from accessing hardware directly

Answer: A Preventing an authorized reader of an object from deleting that object is just an example of access control, not data hiding. If you can read an object, it is not hidden from you.

14

14. What is the primary goal of change management?

A. Maintaining documentation
B. Keeping users informed of changes
C. Allowing rollback of failed changes
D. Preventing security compromises

Answer: D The prevention of security compromises is the primary goal of change management.

15

15. What is the primary objective of data classification schemes?

A. To control access to objects for authorized subjects
B. To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
C. To establish a transaction trail for auditing accountability
D. To manipulate access controls to provide for the most efficient means to grant or restrict functionality

Answer: B The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.

16

16. Which of the following is typically not a characteristic considered when classifying data?

A. Value
B. Size of object
C. Useful lifetime
D. National security implications

Answer: B Size is not a criterion for establishing data classification. When classifying an object, you should take value, lifetime, and security implications into consideration.

17

17. What are the two common data classification schemes?

A. Military and private sector
B. Personal and government
C. Private sector and unrestricted sector
D. Classified and unclassified

Answer: A Military (or government) and private sector (or commercial business) are the two common data classification schemes.

18

18. Which of the following is the lowest military data classification for classified data?

A. Sensitive
B. Secret
C. Proprietary
D. Private

Answer: B Of the options listed, secret is the lowest classified military data classification. Keep in mind that items labeled as confidential, secret, and top secret are collectively known as classified, and confidential is below secret in the list.

19

19. Which commercial business/private sector data classification is used to control information about individuals within an organization?

A. Confidential
B. Private
C. Sensitive
D. Proprietary

Answer: B The commercial business/private sector data classification of private is used to protect information about individuals.

20

20. Data classifications are used to focus security controls over all but which of the following?

A. Storage
B. Processing
C. Layering
D. Transfer

Answer: C Layering is a core aspect of security mechanisms, but it is not a focus of data classifications.

21

1. Which of the following is the weakest element in any security solution?

A. Software products
B. Internet connections
C. Security policies
D. Humans

Answer: D Regardless of the specifics of a security solution, humans are the weakest element.

22

2. When seeking to hire new employees, what is the first step?

A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request resumes.

Answer: A The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

23

3. Which of the following is a primary purpose of an exit interview?

A. To return the exiting employee's personal belongings
B. To review the nondisclosure agreement
C. To evaluate the exiting employee's performance
D. To cancel the exiting employee's network access accounts

Answer: B The primary purpose of an exit interview is to review the nondisclosure agreement (NDA) and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.

24

4. When an employee is to be terminated, which of the following should be done?

A. Inform the employee a few hours before they are officially terminated.
B. Disable the employee's network access just as they are informed of the termination.
C. Send out a broadcast email informing everyone that a specific employee is to be terminated.
D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

Answer: B You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.

25

5. If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security?

A. Asset identification
B. Third-party governance
C. Exit interview
D. Qualitative analysis

Answer: B Third-party governance is the application of security oversight on third parties that your organization relies on.

26

6. A portion of the _________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk.

A. Hybrid assessment
B. Risk aversion process
C. Countermeasure selection
D. Documentation review

Answer: D A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.

27

7. Which of the following statements is not true?

A. IT security can provide protection only against logical or technical attacks.
B. The process by which the goals of risk management are achieved is known as risk analysis.
C. Risks to an IT infrastructure are all computer based.
D. An asset is anything used in a business process or task.

Answer: C Risks to an IT infrastructure are not all computer based. In fact, many risks come from noncomputer sources. It is important to consider all possible risks when performing risk evaluation for an organization. If a company fails to properly evaluate and respond to all forms of risk, it remains vulnerable.

28

8. Which of the following is not an element of the risk analysis process?

A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

Answer: C Risk analysis includes analyzing an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

29

9. Which of the following would generally not be considered an asset in a risk analysis?

A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users' personal files

Answer: D The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

30

10. Which of the following represents accidental or intentional exploitations of vulnerabilities?

A. Threat events
B. Risks
C. Threat agents
D. Breaches

Answer: A Threat events are accidental or intentional exploitations of vulnerabilities.

31

11. When a safeguard or a countermeasure is not present or is not sufficient, what remains?

A. Vulnerability
B. Exposure
C. Risk
D. Penetration

Answer: A A vulnerability is the absence or weakness of a safeguard or countermeasure.

32

12. Which of the following is not a valid definition for risk?

A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure

Answer: B Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

33

13. When evaluating safeguards, what is the rule that should be followed in most cases?

A. The expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. The annual costs of safeguards should equal the value of the asset.
C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.
D. The annual costs of safeguards should not exceed 10 percent of the security budget.

Answer: C The annual costs of safeguards should not exceed the expected annual cost of asset loss.

34

14. How is single loss expectancy (SLE) calculated?

A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor

Answer: B SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).

35

15. How is the value of a safeguard to a company calculated?

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard - controls gap
D. Total risk - controls gap

Answer: A The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard [(ALE1 – ALE2) – ACS].

36

16. What security control is directly focused on preventing collusion?

A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis

Answer: C The likelihood that a co-worker will be willing to collaborate on an illegal or abusive scheme is reduced because of the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.

37

17. What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?

A. Education
B. Awareness
C. Training
D. Termination

Answer: C Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.

38

18. Which of the following is not specifically or directly related to managing the security function of an organization?

A. Worker job satisfaction
B. Metrics
C. Information security strategies
D. Budget

Answer: A Managing the security function often includes assessment of budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

39

19. While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?

A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information

Answer: B The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment.

40

20. You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change?

A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence

Answer: D A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

41

1. What is the first step that individuals responsible for the development of a business continuity plan should perform?

A. BCP team selection
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

Answer: B The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.

42

2. Once the BCP team is selected, what should be the first item placed on the team's agenda?

A. Business impact assessment
B. Business organization analysis
C. Resource requirements analysis
D. Legal and regulatory assessment

Answer: B The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.

43

3. What is the term used to describe the responsibility of a firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability?

A. Corporate responsibility
B. Disaster requirement
C. Due diligence
D. Going concern responsibility

Answer: C A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.

44

4. What will be the major resource consumed by the BCP process during the BCP phase?

A. Hardware
B. Software
C. Processing time
D. Personnel

Answer: D During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process itself. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

45

5. What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment?

A. Monetary
B. Utility
C. Importance
D. Time

Answer: A The quantitative portion of the priority identification should assign asset values in monetary units.

46

6. Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year?

A. ARO
B. SLE
C. ALE
D. EF

Answer: C The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

47

7. What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization?

A. SLE
B. EF
C. MTD
D. ARO

Answer: C The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

48

8. You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

Answer: B The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, because the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

49

9. (Scenario from question 8) You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building and 10 percent is attributed to the land itself. Referring to the scenario in question 8, what is the annualized loss expectancy?

A. $3,000,000
B. $2,700,000
C. $270,000
D. $135,000

Answer: D This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an ALE of $135,000.

50

10. You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)?

A. $750,000
B. $1.5 million
C. $7.5 million
D. $15 million

Answer: A This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an ALE of $750,000.

51

11. Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases?

A. Resource prioritization
B. Likelihood assessment
C. Strategy development
D. Provisions and processes

Answer: C The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.

52

12. Which resource should you protect first when designing continuity plan provisions and processes?

A. Physical plant
B. Infrastructure
C. Financial
D. People

Answer: D The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!

53

13. Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment?

A. Loss of a plant
B. Damage to a vehicle
C. Negative publicity
D. Power outage

Answer: C It is very difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.

54

14. Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

Answer: B The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

55

15. (Scenario from question 14) Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. Referring to the scenario in question 14, what is the annualized loss expectancy?

A. 0.01
B. $10,000,000
C. $100,000
D. 0.10

Answer: C The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

56

16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?

A. Strategy development
B. Business impact assessment
C. Provisions and processes
D. Resource prioritization

Answer: C In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

57

17. What type of mitigation provision is utilized when redundant communications links are installed?

A. Hardening systems
B. Defining systems
C. Reducing systems
D. Alternative systems

Answer: D This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

58

18. What type of plan outlines the procedures to follow when a disaster interrupts the normal operations of a business?

A. Business continuity plan
B. Business impact assessment
C. Disaster recovery plan
D. Vulnerability assessment

Answer: C Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

59

19. What is the formula used to compute the single loss expectancy for a risk scenario?

A. SLE = AV × EF
B. SLE = RO × EF
C. SLE = AV × ARO
D. SLE = EF × ARO

Answer: A The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.

60

20. Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance?

A. Vice president of business operations
B. Chief information officer
C. Chief executive officer
D. Business continuity manager

Answer: C You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.

61

1. Which criminal law was the first to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer system(s)?

A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act

Answer: C The Computer Fraud and Abuse Act, as amended, provides criminal and civil penalties for those individuals convicted of using viruses, worms, Trojan horses, and other types of malicious code to cause damage to computer system(s).

62

2. Which law first required operators of federal interest computer systems to undergo periodic training in computer security issues?

A. Computer Security Act
B. National Infrastructure Protection Act
C. Computer Fraud and Abuse Act
D. Electronic Communications Privacy Act

Answer: A The Computer Security Act requires mandatory periodic training for all people involved in managing, using, or operating federal computer systems that contain sensitive information.

63

3. What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures?

A. Criminal law
B. Common law
C. Civil law
D. Administrative law

Answer: D Administrative laws do not require an act of the legislative branch to implement at the federal level. Administrative laws consist of the policies, procedures, and regulations promulgated by agencies of the executive branch of government. Although they do not require an act of Congress, these laws are subject to judicial review and must comply with criminal and civil laws enacted by the legislative branch.

64

4. Which federal government agency has responsibility for ensuring the security of government computer systems that are not used to process sensitive and/or classified information?

A. National Security Agency
B. Federal Bureau of Investigation
C. National Institute of Standards and Technology
D. Secret Service

Answer: C The National Institute of Standards and Technology (NIST) is charged with the security management of all federal government computer systems that are not used to process sensitive national security information. The National Security Agency (part of the Department of Defense) is responsible for managing those systems that do process classified and/or sensitive information.

65

5. What is the broadest category of computer systems protected by the Computer Fraud and Abuse Act, as amended?

A. Government-owned systems
B. Federal interest systems
C. Systems used in interstate commerce
D. Systems located in the United States

Answer: C The original Computer Fraud and Abuse Act of 1984 covered only systems used by the government and financial institutions. The act was broadened in 1986 to include all federal interest systems. The Computer Abuse Amendments Act of 1994 further amended the CFAA to cover all systems that are used in interstate commerce, including a large portion (but not all) of the computer systems in the United States.

66

6. What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities?

A. Privacy Act
B. Fourth Amendment
C. Second Amendment
D. Gramm-Leach-Bliley Act

Answer: B The Fourth Amendment to the U.S. Constitution sets the "probable cause" standard that law enforcement officers must follow when conducting searches and/or seizures of private property. It also states that those officers must obtain a warrant before gaining involuntary access to such property.

67

7. Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property protection. Which type of protection is best suited to his needs?

A. Copyright
B. Trademark
C. Patent
D. Trade secret

Answer: A Copyright law is the only type of intellectual property protection available to Matthew. It covers only the specific software code that Matthew used. It does not cover the process or ideas behind the software. Trademark protection is not appropriate for this type of situation. Patent protection does not apply to mathematical algorithms. Matthew can't seek trade secret protection because he plans to publish the algorithm in a public technical journal.

68

8. Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection best suits their needs?

A. Copyright
B. Trademark
C. Patent
D. Trade secret

Answer: D Mary and Joe should treat their oil formula as a trade secret. As long as they do not publicly disclose the formula, they can keep it a company secret indefinitely.

69

9. Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status?

A. ©
B. ®
C. ™
D. †

Answer: C Richard's product name should be protected under trademark law. Until his registration is granted, he can use the ™ symbol next to it to inform others that it is protected under trademark law. Once his application is approved, the name becomes a registered trademark and Richard can begin using the ® symbol.

70

10. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?

A. Privacy Act
B. Electronic Communications Privacy Act
C. Health Insurance Portability and Accountability Act
D. Gramm-Leach-Bliley Act

Answer: A The Privacy Act of 1974 limits the ways government agencies may use information that private citizens disclose to them under certain circumstances.

71

11. What law formalizes many licensing arrangements used by the software industry and attempts to standardize their use from state to state?

A. Computer Security Act
B. Uniform Computer Information Transactions Act
C. Digital Millennium Copyright Act
D. Gramm-Leach-Bliley Act

Answer: B The Uniform Computer Information Transactions Act (UCITA) attempts to implement a standard framework of laws regarding computer transactions to be adopted by all states. One of the issues addressed by UCITA is the legality of various types of software license agreements.

72

12. The Children's Online Privacy Protection Act was designed to protect the privacy of children using the Internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent?

A. 13
B. 14
C. 15
D. 16

Answer: A The Children's Online Privacy Protection Act (COPPA) provides severe penalties for companies that collect information from young children without parental consent. COPPA states that this consent must be obtained from the parents of children younger than the age of 13 before any information is collected (other than basic information required to obtain that consent).

73

13. Which one of the following is not a requirement that Internet service providers must satisfy in order to gain protection under the "transitory activities" clause of the Digital Millennium Copyright Act?

A. The service provider and the originator of the message must be located in different states.
B. The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider.
C. Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients and must not be retained for longer than reasonably necessary.
D. The transmission must be originated by a person other than the provider.

Answer: A The Digital Millennium Copyright Act does not include any geographical location requirements for protection under the "transitory activities" exemption. The other options are three of the five mandatory requirements. The other two requirements are that the service provider must not determine the recipients of the material and the material must be transmitted with no modification to its content.

74

14. Which one of the following laws is not designed to protect the privacy rights of consumers and Internet users?

A. Health Insurance Portability and Accountability Act
B. Identity Theft Assumption and Deterrence Act
C. USA PATRIOT Act
D. Gramm-Leach-Bliley Act

Answer: C The USA PATRIOT Act was adopted in the wake of the September 11, 2001, terrorist attacks. It broadens the powers of the government to monitor communications between private citizens and therefore actually weakens the privacy rights of consumers and Internet users. The other laws mentioned all contain provisions designed to enhance individual privacy rights.

75

15. Which one of the following types of licensing agreements does not require that the user acknowledge that they have read the agreement prior to executing it?

A. Standard license agreement
B. Shrink-wrap agreement
C. Click-wrap agreement
D. Verbal agreement

Answer: B Shrink-wrap license agreements become effective when the user opens a software package. Click-wrap agreements require the user to click a button during the installation process to accept the terms of the license agreement. Standard license agreements require that the user sign a written agreement prior to using the software. Verbal agreements are not normally used for software licensing but also require some active degree of participation by the software user.

76

16. What industry is most directly impacted by the provisions of the Gramm-Leach-Bliley Act?

A. Health care
B. Banking
C. Law enforcement
D. Defense contractors

Answer: B The Gramm-Leach-Bliley Act provides, among other things, regulations regarding the way financial institutions can handle private information belonging to their customers.

77

17. What is the standard duration of patent protection in the United States?

A. 14 years from the application date
B. 14 years from the date the patent is granted
C. 20 years from the application date
D. 20 years from the date the patent is granted

Answer: C U.S. patent law provides for an exclusivity period of 20 years beginning at the time the patent application is submitted to the Patent and Trademark Office.

78

18. Which one of the following is not a valid legal reason for processing information about an individual under the European Union's data privacy directive?

A. Contract
B. Legal obligation
C. Marketing needs
D. Consent

Answer: C Marketing needs are not a valid reason for processing personal information, as defined by the European Union privacy directive.

79

19. What compliance obligation relates to the processing of credit card information?

A. SOX
B. HIPAA
C. PCI DSS
D. FERPA

Answer: C The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations involved in the storage, transmission, and processing of credit card information.

80

20. What act updated the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA)?

A. HITECH
B. CALEA
C. CFAA
D. CCCA

Answer: A The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 amended the privacy and security requirements of HIPAA.

81

1. Which one of the following identifies a primary purpose of information classification processes?

A. Define the requirements for protecting sensitive data.
B. Define the requirements for backing up data.
C. Define the requirements for storing data.
D. Define the requirements for transmitting data.

Answer: A A primary purpose of information classification processes is to identify security classifications for sensitive data and define the requirements to protect sensitive data. Information classification processes will typically include requirements to protect sensitive data at rest (in backups and stored on media), but not requirements for backing up and storing any data. Similarly, information classification processes will typically include requirements to protect sensitive data in transit, but not any data.

82

2. When determining the classification of data, which one of the following is the most important consideration?

A. Processing system
B. Value
C. Storage media
D. Accessibility

Answer: B Data is classified based on its value to the organization. In some cases, it is classified based on the potential negative impact if unauthorized personnel can access it, which represents a negative value. It is not classified based on the processing system, but the processing system is classified based on the data it processes. Similarly, the storage media is classified based on the data classification, but the data is not classified based on where it is stored. Accessibility is affected by the classification, but the accessibility does not determine the classification. Personnel implement controls to limit accessibility of sensitive data.

83

3. Which of the following answers would not be included as sensitive data?

A. Personally identifiable information (PII)
B. Protected health information (PHI)
C. Proprietary data
D. Data posted on a website

Answer: D Data posted on a website is not sensitive, but PII, PHI, and proprietary data are all sensitive data.

84

4. What is the most important aspect of marking media?

A. Data labeling
B. Content description
C. Electronic labeling
D. Classification

Answer: D Classification is the most important aspect of marking media because it clearly identifies the value of the media and users know how to protect it based on the classification. Including information such as the date and a description of the content isn't as important as marking the classification. Electronic labels or marks can be used, but when they are used, the most important information is still the classification of the data.

85

5. Which would an administrator do to classified media before reusing it in a less secure environment?

A. Erasing
B. Clearing
C. Purging
D. Overwriting

Answer: C Purging media removes all data by writing over existing data multiple times to ensure that the data is not recoverable using any known methods. Purged media can then be reused in less secure environments. Erasing the media performs a delete, but the data remains and can easily be restored. Clearing, or overwriting, writes unclassified data over existing data, but some sophisticated forensics techniques may be able to recover the original data, so this method should not be used to reduce the classification of media.

86

6. Which of the following statements correctly identifies a problem with sanitization methods?

A. Methods are not available to remove data ensuring that unauthorized personnel cannot retrieve data.
B. Even fully incinerated media can offer extractable data.
C. Personnel can perform sanitization steps improperly.
D. Stored data is physically etched into the media.

Answer: C Sanitization can be unreliable because personnel can perform the purging, degaussing, or other processes improperly. When done properly, purged data is not recoverable using any known methods. Data cannot be retrieved from incinerated, or burned, media. Data is not physically etched into the media.

87

7. Which of the following choices is the most reliable method of destroying data on a solid state drive?

A. Erasing
B. Degaussing
C. Deleting
D. Purging

Answer: D Purging is the most reliable method of the given choices. Purging overwrites the media with random bits multiple times and includes additional steps to ensure data is removed. While not an available answer choice, destruction of the drive is a more reliable method. Erasing or deleting processes rarely remove the data from media, but instead mark it for deletion. Solid state drives (SSDs) do not have magnetic flux so degaussing an SSD doesn't destroy data.

88

8. Which of the following is the most secure method of deleting data on a DVD?

A. Formatting
B. Deleting
C. Destruction
D. Degaussing

Answer: C Physical destruction is the most secure method of deleting data on optical media such as a DVD. Formatting and deleting processes rarely remove the data from any media. DVDs do not have magnetic flux so degaussing a DVD doesn't destroy data.

89

9. Which of the following does not erase data?

A. Clearing
B. Purging
C. Overwriting
D. Remanence

Answer: D Data remanence refers to data remnants that remain on a hard drive as residual magnetic flux. Clearing, purging, and overwriting are valid methods of erasing data.

90

10. Which one of the following is based on Blowfish and helps protect against rainbow table attacks?

A. 3DES
B. AES
C. Bcrypt
D. SCP

Answer: C Linux systems use bcrypt to encrypt passwords, and bcrypt is based on Blowfish. Bcrypt adds 128 additional bits as a salt to protect against rainbow table attacks. Advanced Encryption Standard (AES) and Triple DES (or 3DES) are separate symmetric encryption protocols, and neither one is based on Blowfish, or directly related to protecting against rainbow table attacks. Secure Copy (SCP) uses Secure Shell (SSH) to encrypt data transmitted over a network.

91

11. Which one of the following would administrators use to connect to a remote server securely for administration?

A. Telnet
B. Secure File Transfer Protocol (SFTP)
C. Secure Copy (SCP)
D. Secure Shell (SSH)

Answer: D SSH is a secure alternative to Telnet because it encrypts data transmitted over a network. In contrast, Telnet transmits data in cleartext. SFTP and SCP are good methods for transmitting sensitive data over a network, but not for administration purposes.

92

12. Which one of the following tasks would a custodian most likely perform?

A. Access the data
B. Classify the data
C. Assign permissions to the data
D. Back up data

Answer: D A data custodian performs day-to-day tasks to protect the integrity and security of data, and this includes backing it up. Users access the data. Owners classify the data. Administrators assign permissions to the data.

93

13. Which one of the following data roles is most likely to assign permissions to grant users access to data?

A. Administrator
B. Custodian
C. Owner
D. User

Answer: A The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Owners have ultimate responsibility for the data and ensure that it is classified properly, and owners provide guidance to administrators on who can have access, but owners do not assign permissions. Users simply access the data.

94

14. Which of the following best defines "rules of behavior" established by a data owner?

A. Ensuring users are granted access to only what they need
B. Determining who has access to a system
C. Identifying appropriate use and protection of data
D. Applying security controls to a system

Answer: C The rules of behavior identify the rules for appropriate use and protection of data. Least privilege ensures users are granted access to only what they need. A data owner determines who has access to a system, but that is not rules of behavior. Rules of behavior apply to users, not systems or security controls.

95

15. Within the context of the European Union (EU) Data Protection law, what is a data processor?

A. The entity that processes personal data on behalf of the data controller
B. The entity that controls processing of data
C. The computing system that processes data
D. The network that processes data

Answer: A The EU Data Protection law defines a data processor as "a natural or legal person which processes personal data solely on behalf of the data controller." The data controller is the entity that controls processing of the data and directs the data processor. Within the context of the EU Data Protection law, the data processor is not a computing system or network.

96

16. What do the principles of notice, choice, onward transfer, and access closely apply to?

A. Privacy
B. Identification
C. Retention
D. Classification

Answer: A These are the first four principles in the Safe Harbor principles and they apply to maintaining the privacy of data. They do not address identification or retention of data. They primarily refer to privacy data such as personally identifiable information (PII), and while that may be considered a classification, classification isn't the primary purpose of the seven Safe Harbor principles.

97

17. An organization is implementing a preselected baseline of security controls, but finds not all of the controls apply. What should they do?

A. Implement all of the controls anyway.
B. Identify another baseline.
C. Re-create a baseline.
D. Tailor the baseline to their needs.

Answer: D Scoping and tailoring processes allow an organization to tailor security baselines to its needs. There is no need to implement security controls that do not apply, and it is not necessary to identify or re-create a different baseline.

98

18. Scenario: An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Of the following choices, what would have prevented this loss without sacrificing security?

A. Mark the media kept offsite.
B. Don't store data offsite.
C. Destroy the backups offsite.
D. Use a secure offsite storage facility.

Answer: D Backup media should be protected with the same level of protection afforded the data it contains, and using a secure offsite storage facility would ensure this. The media should be marked, but that won't protect it if it is stored in an unmanned warehouse. A copy of backups should be stored offsite to ensure availability if a catastrophe affects the primary location. If copies of data are not stored offsite, or offsite backups are destroyed, security is sacrificed by risking availability.

99

19. Scenario: An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Which of the following administrator actions might have prevented this incident?

A. Mark the tapes before sending them to the warehouse.
B. Purge the tapes before backing up data to them.
C. Degauss the tapes before backing up data to them.
D. Add the tapes to an asset management database.

Answer: A If the tapes were marked before they left the datacenter, employees would recognize their value and it is more likely someone would challenge their storage in an unmanned warehouse. Purging or degaussing the tapes before using them will erase previously held data but won't help if sensitive information is backed up to the tapes after they are purged or degaussed. Adding the tapes to an asset management database will help track them but wouldn't prevent this incident.

100

20. Scenario: An organization has a datacenter manned 24 hours a day that processes highly sensitive information. The datacenter includes email servers, and administrators purge email older than six months to comply with the organization's security policy. Access to the datacenter is controlled, and all systems that process sensitive information are marked. Administrators routinely back up data processed in the datacenter. They keep a copy of the backups on site and send an unmarked copy to one of the company warehouses. Warehouse workers organize the media by date, and they have backups from the last 20 years. Employees work at the warehouse during the day and lock it when they leave at night and over the weekends. Recently a theft at the warehouse resulted in the loss of all of the offsite backup tapes. Later, copies of their data, including sensitive emails from years ago, began appearing on Internet sites, exposing the organization's internal sensitive data. Of the following choices, what policy was not followed regarding the backup media?

A. Media destruction
B. Record retention
C. Configuration management
D. Versioning

Answer: B Personnel did not follow the record retention policy. The scenario states that administrators purge onsite email older than six months to comply with the organization's security policy, but offsite backups included backups for the last 20 years. Personnel should follow media destruction policies when the organization no longer needs the media, but some backups are needed. Configuration management ensures that systems are configured correctly using a baseline, but this does not apply to backup media. Versioning is applied to applications, not backup tapes.

101

1. How many possible keys exist in a 4-bit key space?

A. 4
B. 8
C. 16
D. 128

Answer: C To determine the number of keys in a key space, raise 2 to the power of the number of bits in the key space. In this example, 2^4 = 16.

102

2. John recently received an email message from Bill. What cryptographic goal would need to be met to convince John that Bill was actually the sender of the message?

A. Nonrepudiation
B. Confidentiality
C. Availability
D. Integrity

Answer: A Nonrepudiation prevents the sender of a message from later denying that they sent it.

103

3. What is the length of the cryptographic key used in the Data Encryption Standard (DES) cryptosystem?

A. 56 bits
B. 128 bits
C. 192 bits
D. 256 bits

Answer: A DES uses a 56-bit key. This is considered one of the major weaknesses of this cryptosystem.

104

4. What type of cipher relies on changing the location of characters within a message to achieve confidentiality?

A. Stream cipher
B. Transposition cipher
C. Block cipher
D. Substitution cipher

Answer: B Transposition ciphers use a variety of techniques to reorder the characters within a message.

105

5. Which one of the following is not a possible key length for the Advanced Encryption Standard Rijndael cipher?

A. 56 bits
B. 128 bits
C. 192 bits
D. 256 bits

Answer: A The Rijndael cipher allows users to select a key length of 128, 192, or 256 bits, depending on the specific security requirements of the application.

106

6. Which one of the following cannot be achieved by a secret key cryptosystem?

A. Nonrepudiation
B. Confidentiality
C. Availability
D. Key distribution

Answer: A Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message.

107

7. When correctly implemented, what is the only cryptosystem known to be unbreakable?

A. Transposition cipher
B. Substitution cipher
C. Advanced Encryption Standard
D. One-time pad

Answer: D Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks.

108

8. What is the output value of the mathematical function 16 mod 3?

A. 0
B. 1
C. 3
D. 5

Answer: B Option B is correct because 16 divided by 3 equals 5, with a remainder value of 1.

109

9. In the 1940s, a team of cryptanalysts from the United States successfully broke a Soviet code based on a one-time pad in a project known as VENONA. What rule did the Soviets break that caused this failure?

A. Key values must be random.
B. Key values must be the same length as the message.
C. Key values must be used only once.
D. Key values must be protected from physical disclosure.

Answer: A The cryptanalysts from the United States discovered a pattern in the method the Soviets used to generate their one-time pads. After this pattern was discovered, much of the code was eventually broken.

110

10. Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?

A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher

Answer: C Block ciphers operate on message "chunks" rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.

111

11. What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography?

A. One
B. Two
C. Three
D. Four

Answer: A Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction.

112

12. Dave is developing a key escrow system that requires multiple people to retrieve a key but does not depend on every participant being present. What type of technique is he using?

A. Split knowledge
B. M of N Control
C. Work function
D. Zero-knowledge proof

Answer: B M of N Control requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks.

113

13. Which one of the following Data Encryption Standard (DES) operating modes can be used for large messages with the assurance that an error early in the encryption/decryption process won't spoil results throughout the communication?

A. Cipher Block Chaining (CBC)
B. Electronic Codebook (ECB)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)

Answer: D Output Feedback (OFB) mode prevents early errors from interfering with future encryption/decryption. Cipher Block Chaining and Cipher Feedback modes will carry errors throughout the entire encryption/decryption process. Electronic Codebook (ECB) operation is not suitable for large amounts of data.

114

14. Many cryptographic algorithms rely on the difficulty of factoring the product of large prime numbers. What characteristic of this problem are they relying on?

A. It contains diffusion.
B. It contains confusion.
C. It is a one-way function.
D. It complies with Kerckhoffs's principle.

Answer: C A one-way function is a mathematical operation that easily produces output values for each possible combination of inputs but makes it impossible to retrieve the input values.

115

15. How many keys are required to fully implement a symmetric algorithm with 10 participants?

A. 10
B. 20
C. 45
D. 100

Answer: C The number of keys required for a symmetric algorithm is dictated by the formula (n * (n - 1)) / 2, which in this case, where n = 10, is 45.

116

16. What block size is used by the Advanced Encryption Standard?

A. 32 bits
B. 64 bits
C. 128 bits
D. Variable

Answer: C The Advanced Encryption Standard uses a 128-bit block size, despite the fact that the Rijndael algorithm it is based on allows a variable block size.

117

17. What kind of attack makes the Caesar cipher virtually unusable?

A. Meet-in-the-middle attack
B. Escrow attack
C. Frequency analysis attack
D. Transposition attack

Answer: C The Caesar cipher (and other simple substitution ciphers) is vulnerable to frequency analysis attacks, which analyze the rate at which specific letters appear in the ciphertext.

118

18. What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key?

A. Vernam cipher
B. Running key cipher
C. Skipjack cipher
D. Twofish cipher

Answer: B Running key (or "book") ciphers often use a passage from a commonly available book as the encryption key.

119

19. Which AES finalist makes use of prewhitening and postwhitening techniques?

A. Rijndael
B. Twofish
C. Blowfish
D. Skipjack

Answer: B The Twofish algorithm, developed by Bruce Schneier, uses prewhitening and postwhitening.

120

20. How many encryption keys are required to fully implement an asymmetric algorithm with 10 participants?

A. 10
B. 20
C. 45
D. 100

Answer: B In an asymmetric algorithm, each participant requires two keys: a public key and a private key.

121

1. In the RSA public key cryptosystem, which one of the following numbers will always be largest?

A. e
B. n
C. p
D. q

Answer: B The number n is generated as the product of the two large prime numbers, p and q. Therefore, n must always be greater than both p and q. Furthermore, it is an algorithm constraint that e must be chosen such that e is smaller than n. Therefore, in RSA cryptography, n is always the largest of the four variables shown in the options to this question.

122

2. Which cryptographic algorithm forms the basis of the El Gamal cryptosystem?

A. RSA
B. Diffie-Hellman
C. 3DES
D. IDEA

Answer: B The El Gamal cryptosystem extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.

123

3. If Richard wants to send an encrypted message to Sue using a public key cryptosystem, which key does he use to encrypt the message?

A. Richard's public key
B. Richard's private key
C. Sue's public key
D. Sue's private key

Answer: C Richard must encrypt the message using Sue's public key so that Sue can decrypt it using her private key. If he encrypted the message with his own public key, the recipient would need to know Richard's private key to decrypt the message. If he encrypted it with his own private key, any user could decrypt the message using Richard's freely available public key. Richard could not encrypt the message using Sue's private key because he does not have access to it. If he did, any user could decrypt it using Sue's freely available public key.

124

4. If a 2,048-bit plaintext message were encrypted with the El Gamal public key cryptosystem, how long would the resulting ciphertext message be?

A. 1,024 bits
B. 2,048 bits
C. 4,096 bits
D. 8,192 bits

Answer: C The major disadvantage of the El Gamal cryptosystem is that it doubles the length of any message it encrypts. Therefore, a 2,048-bit plaintext message would yield a 4,096-bit ciphertext message when El Gamal is used for the encryption process.

125

5. Acme Widgets currently uses a 1,024-bit RSA encryption standard companywide. The company plans to convert from RSA to an elliptic curve cryptosystem. If it wants to maintain the same cryptographic strength, what ECC key length should it use?

A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits

Answer: A The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same strength as encryption achieved with the RSA encryption algorithm. A 1,024-bit RSA key is cryptographically equivalent to a 160-bit elliptic curve cryptosystem key.

126

6. John wants to produce a message digest of a 2,048-byte message he plans to send to Mary. If he uses the SHA-1 hashing algorithm, what size will the message digest for this particular message be?

A. 160 bits
B. 512 bits
C. 1,024 bits
D. 2,048 bits

Answer: A The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of the input message. In fact, this fixed-length output is a requirement of any secure hashing algorithm.

127

7. Which one of the following technologies is considered flawed and should no longer be used?

A. SHA-2
B. PGP
C. WEP
D. TLS

Answer: C The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.

128

8. What encryption technique does WPA use to protect wireless communications?

A. TKIP
B. DES
C. 3DES
D. AES

Answer: A WiFi Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.

129

9. Richard received an encrypted message sent to him from Sue. Which key should he use to decrypt the message?

A. Richard's public key
B. Richard's private key
C. Sue's public key
D. Sue's private key

Answer: B Sue would have encrypted the message using Richard's public key. Therefore, Richard needs to use the complementary key in the key pair, his private key, to decrypt the message.

130

10. Richard wants to digitally sign a message he's sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest?

A. Richard's public key
B. Richard's private key
C. Sue's public key
D. Sue's private key

Answer: B Richard should encrypt the message digest with his own private key. When Sue receives the message, she will decrypt the digest with Richard's public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.

131

11. Which one of the following algorithms is not supported by the Digital Signature Standard?

A. Digital Signature Algorithm
B. RSA
C. El Gamal DSA
D. Elliptic Curve DSA

Answer: C The Digital Signature Standard allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.

132

12. Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication?

A. X.500
B. X.509
C. X.900
D. X.905

Answer: B X.509 governs digital certificates and the public key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke certificates.

133

13. What cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmermann's Pretty Good Privacy secure email system?

A. ROT13
B. IDEA
C. ECC
D. El Gamal

Answer: B Pretty Good Privacy uses a "web of trust" system of digital signature verification. The encryption technology is based on the IDEA private key cryptosystem.

134

14. What TCP/IP communications port is used by Transport Layer Security traffic?

A. 80
B. 220
C. 443
D. 559

Answer: C Transport Layer Security uses TCP port 443 for encrypted client-server communications.

135

15. What type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption?

A. Birthday attack
B. Chosen ciphertext attack
C. Meet-in-the-middle attack
D. Man-in-the-middle attack

Answer: C The meet-in-the-middle attack demonstrated that it takes roughly the same amount of computation to defeat 2DES as it does to defeat standard DES. This led to the adoption of Triple DES (3DES) as a standard for government communication.

136

16. Which of the following tools can be used to improve the effectiveness of a brute-force password cracking attack?

A. Rainbow tables
B. Hierarchical screening
C. TKIP
D. Random enhancement

Answer: A Rainbow tables contain precomputed hash values for commonly used passwords and may be used to increase the efficiency of password cracking attacks.

137

17. Which of the following links would be protected by WPA encryption?

A. Firewall to firewall
B. Router to firewall
C. Client to wireless access point
D. Wireless access point to router

Answer: C The WiFi Protected Access protocol encrypts traffic passing between a mobile client and the wireless access point. It does not provide end-to-end encryption.

138

18. What is the major disadvantage of using certificate revocation lists?

A. Key management
B. Latency
C. Record keeping
D. Vulnerability to brute-force attacks

Answer: B Certificate revocation lists (CRLs) introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.

139

19. Which one of the following encryption algorithms is now considered insecure?

A. El Gamal
B. RSA
C. Skipjack
D. Merkle-Hellman Knapsack

Answer: D The Merkle-Hellman Knapsack algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.

140

20. What does IPsec define?

A. All possible security classifications for a specific configuration
B. A framework for setting up a secure communication channel
C. The valid transition states in the Biba model
D. TCSEC security categories

Answer: B IPsec is a security protocol that defines a framework for setting up a secure channel to exchange information between two entities.

141

1. What is system certification?

A. Formal acceptance of a stated system configuration
B. A technical evaluation of each part of a computer system to assess its compliance with security standards
C. A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards
D. A manufacturer's certificate stating that all components were installed and configured correctly

Answer: B A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.

142

2. What is system accreditation?

A. Formal acceptance of a stated system configuration
B. A functional evaluation of the manufacturer's goals for each hardware and software component to meet integration standards
C. Acceptance of test results that prove the computer system enforces the security policy
D. The process to specify secure communication between machines

Answer: A Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy and accreditation does not entail secure communication specification.

143

3. What is a closed system?

A. A system designed around final, or closed, standards
B. A system that includes industry standards
C. A proprietary system that uses unpublished protocols
D. Any machine that does not run Windows

Answer: C A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.

144

4. Which best describes a confined or constrained process?

A. A process that can run only for a limited time
B. A process that can run only during certain times of the day
C. A process that can access only certain memory locations
D. A process that controls access to an object

Answer: C A constrained process is one that can access only certain memory locations. Options A, B, and D do not describe a constrained process.

145

5. What is an access object?

A. A resource a user or process wants to access
B. A user or process that wants to access a resource
C. A list of valid access rules
D. The sequence of valid access types

Answer: A An object is a resource a user or process wants to access. Option A describes an access object.

146

6. What is a security control?

A. A security component that stores attributes that describe an object
B. A document that lists all data classification types
C. A list of valid access rules
D. A mechanism that limits access to an object

Answer: D A control limits access to an object to protect it from misuse by unauthorized users.

147

7. For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated?

A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation

Answer: B The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.

148

8. How many major categories do the TCSEC criteria define?

A. Two
B. Three
C. Four
D. Five

Answer: C TCSEC defines four major categories: Category A is verified protection, Category B is mandatory protection, Category C is discretionary protection, and Category D is minimal protection.

149

9. What is a trusted computing base (TCB)?

A. Hosts on your network that support secure transmissions
B. The operating system kernel and device drivers
C. The combination of hardware, software, and controls that work together to enforce a security policy
D. The software and controls that certify a security policy

Answer: C The TCB is the combination of hardware, software, and controls that work together to enforce a security policy.

150

10. What is a security perimeter? (Choose all that apply.)

A. The boundary of the physically secure area surrounding your system
B. The imaginary boundary that separates the TCB from the rest of the system
C. The network where your firewall resides
D. Any connections to your computer system

Answer: A;B Although the most correct answer in the context of this chapter is Option B, Option A is also a correct answer in the context of physical security.

151

11. What part of the TCB concept validates access to every resource prior to granting the requested access?

A. TCB partition
B. Trusted library
C. Reference monitor
D. Security kernel

Answer: C The reference monitor validates access to every resource prior to granting the requested access. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Options A and B are not valid TCB concept components.

152

12. What is the best definition of a security model?

A. A security model states policies an organization must follow.
B. A security model provides a framework to implement a security policy.
C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards.
D. A security model is the process of formal acceptance of a certified configuration.

Answer: B Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.

153

13. Which security models are built on a state machine model?

A. Bell-LaPadula and Take-Grant
B. Biba and Clark-Wilson
C. Clark-Wilson and Bell-LaPadula
D. Bell-LaPadula and Biba

Answer: D The Bell-LaPadula and Biba models are built on the state machine model.

154

14. Which security model addresses data confidentiality?

A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. Brewer and Nash

Answer: A Only the Bell-LaPadula model addresses data confidentiality. The Biba and Clark-Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.

155

15. Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level?

A. * (star) Security Property
B. No write up property
C. No read up property
D. No read down property

Answer: C The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher security level object.

156

16. What is the implied meaning of the simple property of Biba?

A. Write down
B. Read up
C. No write up
D. No read down

Answer: B The simple property of Biba is no read down, but it implies that it is acceptable to read up.

157

17. When a trusted subject violates the star property of Bell-LaPadula in order to write an object into a lower level, what valid operation could be taking place?

A. Perturbation
B. Polyinstantiation
C. Aggregation
D. Declassification

Answer: D Declassification is the process of moving an object into a lower level of classification once it is determined that it no longer justifies being placed at a higher level. Only a trusted subject can perform declassification because this action is a violation of the verbiage of the star property of Bell-LaPadula, but not the spirit or intent, which is to prevent unauthorized disclosure.

158

18. What security method, mechanism, or model reveals a capabilities list of a subject across multiple objects?

A. Separation of duties
B. Access control matrix
C. Biba
D. Clark-Wilson

Answer: B An access control matrix assembles ACLs from multiple objects into a single table. Each row of that table lists the ACEs of one subject across those objects, and thus forms a capabilities list.

159

19. What security model has a feature that in theory has one name or label, but when implemented into a solution, takes on the name or label of the security kernel?

A. Graham-Denning model
B. Deployment modes
C. Trusted computing base
D. Chinese Wall

Answer: C The trusted computing base (TCB) has a component known as the reference monitor in theory, which becomes the security kernel in implementation.

160

20. Which of the following is not part of the access control relationship of the Clark-Wilson model?

A. Object
B. Interface
C. Programming language
D. Subject

Answer: C The three parts of the Clark-Wilson model's access control relationship (a.k.a. access triple) are subject, object, and program (or interface).

161

1. Many PC operating systems provide functionality that enables them to support the simultaneous execution of multiple applications on single-processor systems. What term is used to describe this capability?

A. Multiprogramming
B. Multithreading
C. Multitasking
D. Multiprocessing

Answer: C Multitasking is processing more than one task at the same time. In most cases, multitasking is simulated by the operating system even when not supported by the processor.

162

2. What technology provides an organization with the best control over BYOD equipment?

A. Application whitelisting
B. Mobile device management
C. Encrypted removable storage
D. Geotagging

Answer: B Mobile device management (MDM) is a software solution to the challenging task of managing the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting. Not all mobile devices support removable storage, and even fewer support encrypted removable storage. Geotagging is used to mark photos and social network posts, not for BYOD management. Application whitelisting may be an element of BYOD management, but is only part of a full MDM solution.

163

3. You have three applications running on a single-core single-processor system that supports multitasking. One of those applications is a word processing program that is managing two threads simultaneously. The other two applications are using only one thread of execution. How many application threads are running on the processor at any given time?

A. One
B. Two
C. Three
D. Four

Answer: A A single-processor system can operate on only one thread at a time. There would be a total of four application threads (ignoring any threads created by the operating system), but the operating system would be responsible for deciding which single thread is running on the processor at any given time.

164

4. What type of federal government computing system requires that all individuals accessing the system have a need to know all of the information processed by that system?

A. Dedicated
B. System high
C. Compartmented
D. Multilevel

Answer: A In a dedicated system, all users must have a valid security clearance for the highest level of information processed by the system, they must have access approval for all information processed by the system, and they must have a valid need to know of all information processed by the system.

165

5. What is a security risk of an embedded system that is not commonly found in a standard PC?

A. Software flaws
B. Access to the Internet
C. Control of a mechanism in the physical world
D. Power loss

Answer: C Because an embedded system is in control of a mechanism in the physical world, a security breach could cause harm to people and property. This typically is not true of a standard PC. Power loss, Internet access, and software flaws are security risks of both embedded systems and standard PCs.

166

6. What type of memory chip allows the end user to write information to the memory only one time and then preserves that information indefinitely without the possibility of erasure?

A. ROM
B. PROM
C. EPROM
D. EEPROM

Answer: B Programmable read-only memory (PROM) chips may be written to once by the end user but may never be erased. The contents of ROM chips are burned in at the factory, and the end user is not allowed to write data. EPROM and EEPROM chips both make provisions for the end user to somehow erase the contents of the memory device and rewrite new data to the chip.

167

7. Which type of memory chip can be erased only when it is removed from the computer and exposed to a special type of ultraviolet light?

A. ROM
B. PROM
C. EPROM
D. EEPROM

Answer: C EPROMs may be erased through exposure to high-intensity ultraviolet light. ROM and PROM chips do not provide erasure functionality. EEPROM chips may be erased through the application of electrical currents to the chip pins and do not require removal from the computer prior to erasure.

168

8. Which one of the following types of memory might retain information after being removed from a computer and, therefore, represent a security risk?

A. Static RAM
B. Dynamic RAM
C. Secondary memory
D. Real memory

Answer: C Secondary memory is a term used to describe magnetic, optical, or flash media. These devices will retain their contents after being removed from the computer and may later be read by another user.

169

9. What is the most effective means of reducing the risk of losing the data on a mobile device, such as a notebook computer?

A. Defining a strong logon password
B. Minimizing sensitive data stored on the mobile device
C. Using a cable lock
D. Encrypting the hard drive

Answer: B The risk of a lost or stolen notebook is the data loss, not the loss of the system itself. Thus, keeping minimal sensitive data on the system is the only way to reduce the risk. Hard drive encryption, cable locks, and strong passwords, although good ideas, are preventive tools, not means of reducing risk. They don't keep intentional and malicious data compromise from occurring; instead, they encourage honest people to stay honest.

170

10. What type of electrical component serves as the primary building block for dynamic RAM chips?

A. Capacitor
B. Resistor
C. Flip-flop
D. Transistor

Answer: A Dynamic RAM chips are built from a large number of capacitors, each of which holds a single electrical charge. These capacitors must be continually refreshed by the CPU in order to retain their contents. The data stored in the chip is lost when power is removed.

171

11. Which one of the following storage devices is most likely to require encryption technology in order to maintain data security in a networked environment?

A. Hard disk
B. Backup tape
C. Removable drives
D. RAM

Answer: C Removable drives are easily taken out of their authorized physical location, and it is often not possible to apply operating system access controls to them. Therefore, encryption is often the only security measure short of physical security that can be afforded to them. Backup tapes are most often well controlled through physical security measures. Hard disks and RAM chips are often secured through operating system access controls.

172

12. In which of the following security modes can you be assured that all users have access permissions for all information processed by the system but will not necessarily need to know of all that information?

A. Dedicated
B. System high
C. Compartmented
D. Multilevel

Answer: B In system high mode, all users have appropriate clearances and access permissions for all information processed by the system but need to know only some of the information processed by that system.

173

13. The most commonly overlooked aspect of mobile phone eavesdropping is related to which of the following?

A. Storage device encryption
B. Screen locks
C. Overhearing conversations
D. Wireless networking

Answer: C The most commonly overlooked aspect of mobile phone eavesdropping is related to people in the vicinity overhearing conversations (at least one side of them). Organizations frequently consider and address issues of wireless networking, storage device encryption, and screen locks.

174

14. What type of memory device is usually used to contain a computer's motherboard BIOS?

A. PROM
B. EEPROM
C. ROM
D. EPROM

Answer: B BIOS and device firmware are often stored on EEPROM chips to facilitate future firmware updates.

175

15. What type of memory is directly available to the CPU and is often part of the CPU?

A. RAM
B. ROM
C. Register Memory
D. Virtual memory

Answer: C Registers are small memory locations that are located directly on the CPU chip itself. The data stored within them is directly available to the CPU and can be accessed extremely quickly.

176

16. In what type of addressing scheme is the data actually supplied to the CPU as an argument to the instruction?

A. Direct addressing
B. Immediate addressing
C. Base+offset addressing
D. Indirect addressing

Answer: B In immediate addressing, the CPU does not need to actually retrieve any data from memory. The data is contained in the instruction itself and can be immediately processed.

177

17. What type of addressing scheme supplies the CPU with a location that contains the memory address of the actual operand?

A. Direct addressing
B. Immediate addressing
C. Base+offset addressing
D. Indirect addressing

Answer: D In indirect addressing, the location provided to the CPU contains a memory address. The CPU retrieves the operand by reading it from the memory address provided (which is why it's called indirect).

178

18. What security principle helps prevent users from accessing memory spaces assigned to applications being run by other users?

A. Separation of privilege
B. Layering
C. Process isolation
D. Least privilege

Answer: C Process isolation provides separate memory spaces to each process running on a system. This prevents processes from overwriting each other's data and ensures that a process can't read data from another process.

179

19. Which security principle mandates that only a minimum number of operating system processes should run in supervisory mode?

A. Abstraction
B. Layering
C. Data hiding
D. Least Privilege

Answer: D The principle of least privilege states that only processes that absolutely need kernel-level access should run in supervisory mode. The remaining processes should run in user mode to reduce the number of potential security vulnerabilities.

180

20. Which security principle takes the concept of process isolation and implements it using physical controls?

A. Hardware segmentation
B. Data hiding
C. Layering
D. Abstraction

Answer: A Hardware segmentation achieves the same objectives as process isolation but takes them to a higher level by implementing them with physical controls in hardware.

181

1. Which of the following is the most important aspect of security?

A. Physical security
B. Intrusion detection
C. Logical security
D. Awareness training

Answer: A Physical security is the most important aspect of overall security. Without physical security, none of the other aspects of security are sufficient.

182

2. What method can be used to map out the needs of an organization for a new facility?

A. Log file audit
B. Critical path analysis
C. Risk analysis
D. Inventory

Answer: B Critical path analysis can be used to map out the needs of an organization for a new facility. A critical path analysis is the process of identifying relationships between mission-critical applications, processes, and operations and all of the supporting elements.

183

3. What infrastructure component is often located in the same position across multiple floors in order to provide a convenient means of linking floor-based networks together?

A. Server room
B. Wiring closet
C. Datacenter
D. Media cabinets

Answer: B A wiring closet is the infrastructure component that is often located in the same position across multiple floors in order to provide a convenient means of linking floor-based networks together.

184

4. Which of the following is not a security-focused design element of a facility or site?

A. Separation of work and visitor areas
B. Restricted access to areas with higher value or importance
C. Confidential assets located in the heart or center of a facility
D. Equal access to all locations within a facility

Answer: D Equal access to all locations within a facility is not a security-focused design element. Each area containing assets or resources of different importance, value, and confidentiality should have a corresponding level of security restriction placed on it.

185

5. Which of the following does not need to be true in order to maintain the most efficient and secure server room?

A. It must be human compatible.
B. It must include the use of nonwater fire suppressants.
C. The humidity must be kept between 40 and 60 percent.
D. The temperature must be kept between 60 and 75 degrees Fahrenheit.

Answer: A A computer room does not need to be human compatible to be efficient and secure. Having a human-incompatible server room provides a greater level of protection against attacks.

186

6. Which of the following is not a typical security measure implemented in relation to a media storage facility containing reusable removable media?

A. Employing a librarian or custodian
B. Using a check-in/check-out process
C. Hashing
D. Using sanitization tools on returned media

Answer: C Hashing is not a typical security measure implemented in relation to a media storage facility containing reusable removable media. Hashing is used when it is necessary to verify the integrity of a dataset, while data on reusable removable media should be removed and not retained. Usually the security features for a media storage facility include using a librarian or custodian, using a check-in/check-out process, and using sanitization tools on returned media.

187

7. Which of the following is a double set of doors that is often protected by a guard and is used to contain a subject until their identity and authentication is verified?

A. Gate
B. Turnstile
C. Mantrap
D. Proximity detector

Answer: C A mantrap is a double set of doors that is often protected by a guard and used to contain a subject until their identity and authentication is verified.

188

8. What is the most common form of perimeter security devices or mechanisms?

A. Security guards
B. Fences
C. CCTV
D. Lighting

Answer: D Lighting is the most common form of perimeter security devices or mechanisms. Your entire site should be clearly lit. This provides for easy identification of personnel and makes it easier to notice intrusions.

189

9. Which of the following is not a disadvantage of using security guards?

A. Security guards are usually unaware of the scope of the operations within a facility.
B. Not all environments and facilities support security guards.
C. Not all security guards are themselves reliable.
D. Prescreening, bonding, and training do not guarantee effective and reliable security guards.

Answer: A Security guards are usually unaware of the scope of the operations within a facility, which supports confidentiality of those operations and thus helps reduce the possibility that a security guard will be involved in the disclosure of confidential information.

190

10. What is the most common cause of failure for a water-based fire suppression system?

A. Water shortage
B. People
C. Ionization detectors
D. Placement of detectors in drop ceilings

Answer: B The most common cause of failure for a water-based system is human error. If you turn off the water source after a fire and forget to turn it back on, you'll be in trouble for the future. Also, pulling an alarm when there is no fire will trigger damaging water release throughout the office.

191

11. What is the most common and inexpensive form of physical access control device?

A. Lighting
B. Security guard
C. Key locks
D. Fences

Answer: C Key locks are the most common and inexpensive form of physical access control device. Lighting, security guards, and fences are all much more costly.

192

12. What type of motion detector senses changes in the electrical or magnetic field surrounding a monitored object?

A. Wave
B. Photoelectric
C. Heat
D. Capacitance

Answer: D A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object.

193

13. Which of the following is not a typical type of alarm that can be triggered for physical security?

A. Preventive
B. Deterrent
C. Repellant
D. Notification

Answer: A There is no such thing as a preventive alarm. Alarms are always triggered in response to a detected intrusion or attack.

194

14. No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent all but which of the following?

A. Piggybacking
B. Espionage
C. Masquerading
D. Abuse

Answer: B No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Espionage cannot be prevented by physical access controls.

195

15. What is the most important goal of all security solutions?

A. Prevention of disclosure
B. Maintaining integrity
C. Human safety
D. Sustaining availability

Answer: C Human safety is the most important goal of all security solutions.

196

16. What is the ideal humidity range for a computer room?

A. 20–40 percent
B. 40–60 percent
C. 60–75 percent
D. 80–95 percent

Answer: B The humidity in a computer room should ideally be from 40 to 60 percent.

197

17. At what voltage level can static electricity cause destruction of data stored on hard drives?

A. 4,000
B. 17,000
C. 40
D. 1,500

Answer: D Destruction of data stored on hard drives can be caused by 1,500 volts of static electricity.

198

18. A Type B fire extinguisher may use all except which of the following suppression mediums?

A. Water
B. CO2
C. Halon or an acceptable halon substitute
D. Soda acid

Answer: A Water is never the suppression medium in Type B fire extinguishers because they are used on liquid fires.

199

19. What is the best type of water-based fire suppression system for a computer facility?

A. Wet pipe system
B. Dry pipe system
C. Preaction system
D. Deluge system

Answer: C A preaction system is the best type of water-based fire suppression system for a computer facility.

200

20. Which of the following is typically not a culprit in causing damage to computer equipment in the event of a fire and a triggered suppression?

A. Heat
B. Suppression medium
C. Smoke
D. Light

Answer: D Light is usually not damaging to most computer equipment, but fire, smoke, and the suppression medium (typically water) are very destructive.

201

1. What is layer 4 of the OSI model?

A. Presentation
B. Network
C. Data Link
D. Transport

Answer: D The Transport layer is layer 4. The Presentation layer is layer 6, the Data Link layer is layer 2, and the Network layer is layer 3.

202

2. What is encapsulation?

A. Changing the source and destination addresses of a packet
B. Adding a header and footer to data as it moves down the OSI stack
C. Verifying a person's identity
D. Protecting evidence until it has been properly collected

Answer: B Encapsulation is adding a header and footer to data as it moves down the OSI stack.

203

3. Which OSI model layer manages communications in simplex, half-duplex, and full-duplex modes?

A. Application
B. Session
C. Transport
D. Physical

Answer: B Layer 5, Session, manages simplex (one-direction), half-duplex (two-way, but only one direction can send data at a time), and full-duplex (two-way, in which data can be sent in both directions simultaneously) communications.

204

4. Which of the following is the least resistant to EMI?

A. Thinnet
B. 10Base-T UTP
C. 10Base5
D. Coaxial cable

Answer: B 10Base-T UTP is the least resistant to EMI because it is unshielded. Thinnet (10Base2) and thicknet (10Base5) are each a type of coaxial cable, which is shielded against EMI.

205

5. Which of the following is not an example of network segmentation?

A. Intranet
B. DMZ
C. Extranet
D. VPN

Answer: D A VPN is a secure tunnel used to establish connections across a potentially insecure intermediary network. Intranet, extranet, and DMZ are examples of network segmentation.

206

6. Which of the following is not considered a non-IP protocol?

A. IPX
B. UDP
C. AppleTalk
D. NetBEUI

Answer: B UDP is a transport layer protocol that operates as the payload of an IP packet. While it is not IP itself, it depends on IP. IPX, AppleTalk, and NetBEUI are all alternatives to IP and thus are labeled as non-IP protocols.

207

7. If you are the victim of a bluejacking attack, what was compromised?

A. Your firewall
B. Your switch
C. Your cell phone
D. Your web cookies

Answer: C A bluejacking attack is a wireless attack on Bluetooth, and the most common device compromised in a bluejacking attack is a cell phone.

208

8. Which networking technology is based on the IEEE 802.3 standard?

A. Ethernet
B. Token Ring
C. FDDI
D. HDLC

Answer: A Ethernet is based on the IEEE 802.3 standard.

209

9. What is a TCP wrapper?

A. An encapsulation protocol used by switches
B. An application that can serve as a basic firewall by restricting access based on user IDs or system IDs
C. A security protocol used to protect TCP/IP traffic over WAN links
D. A mechanism to tunnel TCP/IP through non-IP networks

Answer: B A TCP wrapper is an application that can serve as a basic firewall by restricting access based on user IDs or system IDs.

210

10. What is both a benefit and a potentially harmful implication of multilayer protocols?

A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing

Answer: B Encapsulation is both a benefit and a potentially harmful implication of multilayer protocols.

211

11. By examining the source and destination addresses, the application usage, the source of origin, and the relationship between current packets with the previous packets of the same session, __________ firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.

A. Static packet-filtering
B. Application-level gateway
C. Stateful inspection
D. Circuit-level gateway

Answer: C Stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities.

212

12. __________ firewalls are known as third-generation firewalls.

A. Application-level gateway
B. Stateful inspection
C. Circuit-level gateway
D. Static packet-filtering

Answer: B Stateful inspection firewalls are known as third-generation firewalls.

213

13. Which of the following is not true regarding firewalls?

A. They are able to log traffic information.
B. They are able to block viruses.
C. They are able to issue alarms based on suspected attacks.
D. They are unable to prevent internal attacks.

Answer: B Most firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms and even basic IDS functions. Firewalls are unable to block viruses or malicious code transmitted through otherwise authorized communication channels, prevent unauthorized but accidental or intended disclosure of information by users, prevent attacks by malicious users already behind the firewall, or protect data after it has passed out of or into the private network.

214

14. Which of the following is not a routing protocol?

A. OSPF
B. BGP
C. RPC
D. RIP

Answer: C There are numerous dynamic routing protocols, including RIP, OSPF, and BGP, but RPC is not a routing protocol.

215

15. A __________ is an intelligent hub because it knows the addresses of the systems connected on each outbound port. Instead of repeating traffic on every outbound port, it repeats traffic only out of the port on which the destination is known to exist.

A. Repeater
B. Switch
C. Bridge
D. Router

Answer: B A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port.

216

16. Which of the following is not a technology specifically associated with 802.11 wireless networking?

A. WAP
B. WPA
C. WEP
D. 802.11i

Answer: A Wireless Application Protocol (WAP) is a technology associated with cell phones accessing the Internet rather than 802.11 wireless networking.

217

17. Which wireless frequency access method offers the greatest throughput with the least interference?

A. FHSS
B. DSSS
C. OFDM
D. OSPF

Answer: C Orthogonal Frequency-Division Multiplexing (OFDM) offers high throughput with the least interference. OSPF is a routing protocol, not a wireless frequency access method.

218

18. What security concept encourages administrators to install firewalls, malware scanners, and an IDS on every host?

A. Endpoint security
B. Network access control (NAC)
C. VLAN
D. RADIUS

Answer: A Endpoint security is the security concept that encourages administrators to install firewalls, malware scanners, and an IDS on every host.

219

19. What function does RARP perform?

A. It is a routing protocol.
B. It converts IP addresses into MAC addresses.
C. It resolves physical addresses into logical addresses.
D. It manages multiplex streaming.

Answer: C Reverse Address Resolution Protocol (RARP) resolves physical addresses (MAC addresses) into logical addresses (IP addresses).

220

20. What form of infrastructure mode wireless networking deployment supports large physical environments through the use of a single SSID but numerous access points?

A. Stand-alone
B. Wired extension
C. Enterprise extension
D. Bridge

Answer: C Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.

221

1. __________________ is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints.

A. ISDN
B. Frame Relay
C. SMDS
D. ATM

Answer: B Frame Relay is a layer 2 connection mechanism that uses packet-switching technology to establish virtual circuits between the communication endpoints. The Frame Relay network is a shared medium across which virtual circuits are created to provide point-to-point communications. All virtual circuits are independent of and invisible to each other.

222

2. Tunnel connections can be established over all except for which of the following?

A. WAN links
B. LAN pathways
C. Dial-up connections
D. Stand-alone systems

Answer: D A stand-alone system has no need for tunneling because no communications between systems are occurring and no intermediary network is present.

223

3. __________________ is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.

A. UDP
B. IDEA
C. IPSec
D. SDLC

Answer: C IPSec, or IP Security, is a standards-based mechanism for providing encryption for point-to-point TCP/IP traffic.

224

4. Which of the following IP addresses is not a private IP address as defined by RFC 1918?

A. 10.0.0.18
B. 169.254.1.119
C. 172.31.8.204
D. 192.168.6.43

Answer: B The 169.254.x.x subnet is in the APIPA range, which is not part of RFC 1918. The addresses in RFC 1918 are 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255.

225

5. Which of the following cannot be linked over a VPN?

A. Two distant Internet-connected LANs
B. Two systems on the same LAN
C. A system connected to the Internet and a LAN connected to the Internet
D. Two systems without an intermediary network connection

Answer: D An intermediary network connection is required for a VPN link to be established.

226

6. What is needed to allow an external client to initiate a communication session with an internal system if the network uses a NAT proxy?

A. IPSec tunnel
B. Static mode NAT
C. Static private IP address
D. Reverse DNS

Answer: B Static mode NAT is needed to allow an outside entity to initiate communications with an internal system behind a NAT proxy.

227

7. Which of the following VPN protocols do not offer native data encryption? (Choose all that apply.)

A. L2F
B. L2TP
C. IPSec
D. PPTP

Answer: A;B;D L2F, L2TP, and PPTP all lack native data encryption. Only IPSec includes native data encryption.

228

8. At which OSI model layer does the IPSec protocol function?

A. Data Link
B. Transport
C. Session
D. Network

Answer: D IPSec operates at the Network layer (layer 3).

229

9. Which of the following is not defined in RFC 1918 as one of the private IP address ranges that are not routed on the Internet?

A. 169.172.0.0–169.191.255.255
B. 192.168.0.0–192.168.255.255
C. 10.0.0.0–10.255.255.255
D. 172.16.0.0–172.31.255.255

Answer: A The address range 169.172.0.0–169.191.255.255 is not listed in RFC 1918 as a private IP address range. It is, in fact, a public IP address range.

230

10. Which of the following is not a benefit of NAT?

A. Hiding the internal IP addressing scheme
B. Sharing a few public Internet addresses with a large number of internal clients
C. Using the private IP addresses from RFC 1918 on an internal network
D. Filtering network traffic to prevent brute-force attacks

Answer: D NAT does not protect against or prevent brute-force attacks.

231

11. A significant benefit of a security control is when it goes unnoticed by users. What is this called?

A. Invisibility
B. Transparency
C. Diversion
D. Hiding in plain sight

Answer: B When transparency is a characteristic of a service, security control, or access mechanism, it is unseen by users.

232

12. When you're designing a security system for Internet-delivered email, which of the following is least important?

A. Nonrepudiation
B. Availability
C. Message integrity
D. Access restriction

Answer: B Although availability is a key aspect of security in general, it is the least important aspect of security systems for Internet-delivered email.

233

13. Which of the following is typically not an element that must be discussed with end users in regard to email retention policies?

A. Privacy
B. Auditor review
C. Length of retainer
D. Backup method

Answer: D The backup method is not an important factor to discuss with end users regarding email retention.

234

14. What is it called when email itself is used as an attack mechanism?

A. Masquerading
B. Mail-bombing
C. Spoofing
D. Smurf attack

Answer: B Mail-bombing is the use of email as an attack mechanism. Flooding a system with messages causes a denial of service.

235

15. Why is spam so difficult to stop?

A. Filters are ineffective at blocking inbound messages.
B. The source address is usually spoofed.
C. It is an attack requiring little expertise.
D. Spam can cause denial-of-service attacks.

Answer: B It is often difficult to stop spam because the source of the messages is usually spoofed.

236

16. Which of the following is a type of connection that can be described as a logical circuit that always exists and is waiting for the customer to send data?

A. ISDN
B. PVC
C. VPN
D. SVC

Answer: B A permanent virtual circuit (PVC) can be described as a logical circuit that always exists and is waiting for the customer to send data.

237

17. In addition to maintaining an updated system and controlling physical access, which of the following is the most effective countermeasure against PBX fraud and abuse?

A. Encrypting communications
B. Changing default passwords
C. Using transmission logs
D. Taping and archiving all conversations

Answer: B Changing default passwords on PBX systems provides the most effective increase in security.

238

18. Which of the following can be used to bypass even the best physical and logical security mechanisms to gain access to a system?

A. Brute-force attacks
B. Denial of service
C. Social engineering
D. Port scanning

Answer: C Social engineering can often be used to bypass even the most effective physical and logical controls. Whatever activity the attacker convinces the victim to perform, it is usually directed toward opening a back door that the attacker can use to gain access to the network.

239

19. Which of the following is not a denial-of-service attack?

A. Exploiting a flaw in a program to consume 100 percent of the CPU
B. Sending malformed packets to a system, causing it to freeze
C. Performing a brute-force attack against a known user account
D. Sending thousands of emails to a single address

Answer: C A brute-force attack is not considered a DoS.

240

20. What authentication protocol offers no encryption or protection for logon credentials?

A. PAP
B. CHAP
C. SSL
D. RADIUS

Answer: A Password Authentication Protocol (PAP) is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in the clear. It offers no form of encryption. It simply provides a means to transport the logon credentials from the client to the authentication server.

241

1. Which of the following would not be an asset that an organization would want to protect with access controls?

A. Information
B. Systems
C. Devices
D. Facilities
E. None of the above

Answer: E All of the answers are included in the types of assets that an organization would try to protect with access controls.

242

2. Which of the following is true related to a subject?

A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from an object.
D. A single entity can never change roles between subject and object.

Answer: C The subject is active and is always the entity that receives information about, or data from, the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.

243

3. Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?

A. Preventive
B. Detective
C. Corrective
D. Authoritative

Answer: A A preventive access control helps stop an unwanted or unauthorized activity from occurring. Detective controls discover the activity after it has occurred, and corrective controls attempt to reverse any problems caused by the activity. Authoritative isn't a valid type of access control.

244

4. What type of access controls are hardware or software mechanisms used to manage access to resources and systems, and provide protection for those resources and systems?

A. Administrative
B. Logical/technical
C. Physical
D. Preventive

Answer: B Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls, and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.

245

5. Which of the following best expresses the primary goal when controlling access to assets?

A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.

Answer: A A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication are important as a first step in access control, but much more is needed to protect assets.

246

6. A user logs in with a login ID and a password. What is the purpose of the login ID?

A. Authentication
B. Authorization
C. Accountability
D. Identification

Answer: D A user professes an identity with a login ID. The combination of the login ID and the password provides authentication. Subjects are authorized access to objects after authentication. Logging and auditing provide accountability.

247

7. Accountability requires all of the following items except one. Which item is not required for accountability?

A. Identification
B. Authentication
C. Auditing
D. Authorization

Answer: D Accountability does not include authorization. Accountability requires proper identification and authentication. After authentication, accountability requires logging to support auditing.

248

8. What can you use to prevent users from rotating between two passwords?

A. Password complexity
B. Password history
C. Password age
D. Password length

Answer: B Password history can prevent users from rotating between two passwords. It remembers previously used passwords. Password complexity and password length help ensure users create strong passwords. Password age ensures users change their password regularly.

249

9. Which of the following best identifies the benefit of a passphrase?

A. It is short.
B. It is easy to remember.
C. It includes a single set of characters.
D. It is easy to crack.

Answer: B A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes all four sets of character types. It is strong and complex, making it difficult to crack.

250

10. Which of the following is an example of a Type 2 authentication factor?

A. Something you have
B. Something you are
C. Something you do
D. Something you know

Answer: A A Type 2 authentication factor is based on something you have, such as a smartcard or token device. Type 3 authentication is based on something you are and sometimes something you do, which uses physical and behavioral biometric methods. Type 1 authentication is based on something you know, such as passwords or PINs.

251

11. Your organization issues devices to employees. These devices generate one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?

A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common access card

Answer: A A synchronous token generates and displays one-time passwords, which are synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the one-time password. Smartcards do not generate one-time passwords, and common access cards are a version of a smartcard that includes a picture of the user.

252

12. Which of the following provides authentication based on a physical characteristic of a subject?

A. Account ID
B. Biometrics
C. Token
D. PIN

Answer: B Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have and it creates one-time passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.

253

13. What does the crossover error rate (CER) for a biometric device indicate?

A. It indicates that the sensitivity is too high.
B. It indicates that the sensitivity is too low.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
D. When high enough, it indicates the biometric device is highly accurate.

Answer: C The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER). A lower CER indicates a higher quality biometric device. It does not indicate that sensitivity is too high or too low.

254

14. A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?

A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate

Answer: A A Type 1 error (false rejection or false negative) occurs when a valid subject is not authenticated. A Type 2 error (false acceptance or false positive) occurs when an invalid subject is authenticated. The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.

255

15. What is the primary purpose of Kerberos?

A. Confidentiality
B. Integrity
C. Authentication
D. Accountability

Answer: C The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

256

16. Which of the following is the best choice to support a federated identity management system?

A. Kerberos
B. Hypertext Markup Language (HTML)
C. Extensible Markup Language (XML)
D. Security Assertion Markup Language (SAML)

Answer: D SAML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SAML.

257

17. What is the function of the network access server within a RADIUS architecture?

A. Authentication server
B. Client
C. AAA server
D. Firewall

Answer: B The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn't the primary function.

258

18. Which of the following authentication, authorization, and accounting (AAA) protocols is based on RADIUS and supports Mobile IP and Voice over IP?

A. Distributed access control
B. Diameter
C. TACACS+
D. TACACS

Answer: B Diameter is based on RADIUS and it supports Mobile IP and Voice over IP. Distributed access control systems such as a federated identity management system are not a specific protocol, and they don't necessarily provide authentication, authorization, and accounting. TACACS and TACACS+ are AAA protocols, but they are alternatives to RADIUS, not based on RADIUS.

259

19. Scenario: An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he's had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter. Which of the following basic principles was violated during the administrator's employment?

A. Implicit deny
B. Loss of availability
C. Defensive privileges
D. Least privilege

Answer: D The principle of least privilege was violated because he retained privileges from all his previous administrator positions in different divisions. Implicit deny ensures that only access that is explicitly granted is allowed, but the administrator was explicitly granted privileges. While the administrator's actions could have caused loss of availability, loss of availability isn't a basic principle. Defensive privileges aren't a valid security principle.

260

20. Scenario: An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he's had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter. What could have discovered problems with this user's account while he was employed?

A. Policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account review

Answer: D Account review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication) would not have prevented the problems in this scenario. Logging could have recorded activity, but a review is necessary to discover the problems.

261

1. Which of the following best describes an explicit deny principle?

A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above

Answer: B The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.

262

2. What is the intent of least privilege?

A. Enforce the most restrictive rights required by users to run system processes.
B. Enforce the least restrictive rights required by users to run system processes.
C. Enforce the most restrictive rights required by users to complete assigned tasks.
D. Enforce the least restrictive rights required by users to complete assigned tasks.

Answer: C The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don't execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.

263

3. A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table?

A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

Answer: B An access control matrix includes multiple objects, and it lists subjects' access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.

264

4. Who, or what, grants permissions to users in a discretionary access control model?

A. Administrators
B. Access control list
C. Assigned labels
D. The data custodian

Answer: D The data custodian (or owner) grants permissions to users in a discretionary access control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The mandatory access control model uses labels. Administrators

265

5. Which of the following models is also known as an identity-based access control model?

A. Discretionary access control
B. Role-based access control
C. Rule-based access control
D. Mandatory access control

Answer: A A discretionary access control model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The role-based access control model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The mandatory access control model uses assigned labels to identify access.

266

6. A central authority determines which files a user can access. Which of the following best describes this?

A. An access control list (ACL)
B. An access control matrix
C. Discretionary access control model
D. Nondiscretionary access control model

Answer: D A nondiscretionary access control model uses a central authority to determine which objects (such as files) users (and other subjects) can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model. An access control matrix includes multiple objects, and it lists the subject's access to each of the objects.

267

7. A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this?

A. Discretionary access control model
B. An access control list (ACL)
C. Rule-based access control model
D. Role-based access control model

Answer: D A role-based access control model can group users into roles based on the organization's hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

268

8. Which of the following statements is true related to the role-based access control (role-BAC) model?

A. A role-BAC model allows users membership in multiple groups.
B. A role-BAC model allows users membership in a single group.
C. A role-BAC model is non-hierarchical.
D. A role-BAC model uses labels.

Answer: A The role-BAC model is based on role or group membership and users can be members of multiple groups. Users are not limited to only a single role. Role-BAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control model uses assigned labels to identify access.

269

9. Which of the following is the best choice for a role within an organization using a role-based access control model?

A. Web server
B. Application
C. Database
D. Programmer

Answer: D A programmer is a valid role in a role-based access control model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.

270

10. Which of the following best describes a rule-based access control model?

A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.

Answer: D A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.

271

11. What type of access control model is used on a firewall?

A. Mandatory access control model
B. Discretionary access control model
C. Rule-based access control model
D. Role-based access control model

Answer: C Firewalls use a rule-based access control model with rules expressed in an access control list. A mandatory access control model uses labels. A discretionary access control model allows users to assign permissions. A role-based access control model organizes users in groups.

272

12. What type of access controls rely on the use of labels?

A. Discretionary
B. Nondiscretionary
C. Mandatory
D. Role based

Answer: C Mandatory access controls rely on the use of labels for subjects and objects. Discretionary access control systems allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall. Role-based access controls define a subject's access based on job-related roles.

273

13. Which of the following best describes a characteristic of the mandatory access control model?

A. Employs explicit-deny philosophy
B. Permissive
C. Rule-based
D. Prohibitive

Answer: D The mandatory access control model is prohibitive and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.

274

14. Which of the following is not a valid access control model?

A. Discretionary access control model
B. Nondiscretionary access control model
C. Mandatory access control model
D. Lettuce-based access control model

Answer: D Lettuce-based access control model is not a valid type of access control model. The other answers list valid access control models. A lattice-based (not lettuce-based) access control model is a type of mandatory access control model.
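
Worked example, added here and not part of the original flashcards: a small Python implementation of a lattice-based MAC check, the model that questions 12 to 14 describe. Labels carry a sensitivity level and a set of compartments; a subject may read an object only if its label dominates the object's label, and (following the Bell-LaPadula *-property, an assumption beyond what the cards state) may write only where the object's label dominates the subject's. The level names and compartments are made up for the example. Everything not explicitly permitted is denied, matching the implicit-deny philosophy of question 13.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels of the lattice. Names and ordering are assumed
# for this example; an organization defines its own hierarchy.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a sensitivity level plus a set of compartments (categories)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: this label is >= `other` only if its level is at
        least as high AND it holds every compartment `other` holds. Two labels
        can be incomparable (neither dominates), e.g. SECRET {NUCLEAR} versus
        SECRET {CRYPTO}."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): object must dominate subject, so data never
    flows to a lower or disjoint label."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Reference-monitor entry point. Anything not explicitly permitted by the
    lattice rules is denied (implicit deny); unknown operations are denied too."""
    if op == "read":
        return can_read(subject, obj)
    if op == "write":
        return can_write(subject, obj)
    return False


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    memo = Label("CONFIDENTIAL", frozenset({"NUCLEAR"}))
    joint = Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))
    print(decide(analyst, memo, "read"))   # True: analyst dominates the memo
    print(decide(analyst, joint, "read"))  # False: missing the CRYPTO compartment
    print(decide(analyst, memo, "write"))  # False: that would be a write down
```

The compartment check is what makes this a lattice rather than a simple ladder of levels: two SECRET labels with different compartments are incomparable, and a subject cleared for one cannot read the other even though the levels match.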

275

15. What would an organization do to identify weaknesses?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review

Answer: C A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.

276

16. Which of the following can help mitigate the success of an online brute-force attack?

A. Rainbow table
B. Account lockout
C. Salting passwords
D. Encryption of password

Answer: B An account lockout policy locks an account after a user has entered an incorrect password too many times, which stops an online brute-force attack against the login interface. Attackers use rainbow tables in offline password attacks against stolen password hashes. Password salts reduce the effectiveness of rainbow tables by forcing the attacker to precompute a table per salt. Encrypting or hashing stored passwords protects the stored password, but not against an online brute-force attack, which guesses through the normal login path.
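
Added example (not from the original deck) showing both controls from question 16 in Python: an account lockout counter on the login path, which stops the online brute-force attack, and a per-account random salt with PBKDF2, which is what makes a precomputed rainbow table useless against the stored hashes. The iteration count, lockout threshold, account names and wordlist are assumed values for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # assumed work factor; raise it for production hardware
MAX_FAILURES = 5            # assumed lockout policy: lock after 5 consecutive failures


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per account means identical
    passwords hash differently, so a precomputed rainbow table built for an
    unsalted hash cannot be reused against these digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    """Toy login endpoint with an account lockout policy."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username, password):
        """Returns "ok", "denied" or "locked"."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"  # refuse even a correct password until unlocked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"


def online_brute_force(service, username, wordlist):
    """Attacker's view: try each guess against the live login. Returns
    (outcome, attempts) and stops as soon as the account opens or locks."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        outcome = service.login(username, guess)
        if outcome in ("ok", "locked"):
            return outcome, attempts
    return "denied", attempts


def salts_defeat_precomputation(password):
    """Two registrations of the same password produce two different digests."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2
```

The trade-off a practitioner should keep in mind: a hard lockout also lets anyone who knows a username lock that user out on purpose, so many deployments use a timed lockout or progressive throttling instead. Lockout does nothing against an offline attack on a stolen hash database; that is what the salt and the slow hash are for.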

277

17. What is an attack that attempts to detect flaws in smartcards?

A. Whaling
B. Side-channel attack
C. Brute-force
D. Rainbow table attack

Answer: B A side-channel attack observes how a device behaves while it operates, rather than attacking the cryptography or access control directly, and is used against some smartcards. Methods include power monitoring, timing analysis, and fault analysis; power and timing analysis are passive and noninvasive, whereas fault analysis induces errors (for example with voltage or clock glitches) and observes the faulty output. Whaling is a type of phishing attack that targets high-level executives. A brute-force attack attempts to discover passwords by trying all possible character combinations. A rainbow table attack uses precomputed hash chains to crack password hashes.
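
Added example, not part of the original cards: timing is one of the side channels question 17 lists, and the same leak exists in software that compares a secret byte by byte and exits at the first mismatch. Rather than measure wall-clock time (noisy in Python), the block instruments the comparison to count how many bytes it examined, which is exactly what a timing measurement exposes, and recovers the secret one byte at a time from that count. The secret and alphabet are made up for the demonstration; real code should use hmac.compare_digest.

```python
import hmac


def naive_compare(secret, guess):
    """Early-exit comparison. Returns (equal, bytes_examined); the second value
    is the side channel: it grows with the number of leading bytes that matched."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_compare(secret, guess):
    """Same amount of work wherever the first mismatch is. Use hmac.compare_digest
    in real code; this copy is instrumented so the count can be inspected."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g
    return diff == 0, examined


def recover_secret(secret, compare, alphabet=b"0123456789abcdef"):
    """Byte-at-a-time attack: for each position keep the candidate that makes the
    comparison do the most work (or succeed). The attacker only sees the
    (equal, work) pair, never the secret itself."""
    guess = bytearray(len(secret))
    for pos in range(len(secret)):
        best_score, best_byte = (False, -1), alphabet[0]
        for candidate in alphabet:
            guess[pos] = candidate
            score = compare(secret, bytes(guess))  # (equal, work), ordered as a tuple
            if score > best_score:
                best_score, best_byte = score, candidate
        guess[pos] = best_byte
    return bytes(guess)


if __name__ == "__main__":
    secret = b"c0ffee42"  # constructed secret
    print(recover_secret(secret, naive_compare))          # b'c0ffee42'
    print(recover_secret(secret, constant_time_compare))  # b'00000000'
    print(hmac.compare_digest(secret, b"c0ffee42"))       # True
```

Against the early-exit compare the attack needs only len(secret) times len(alphabet) queries instead of alphabet**len; against the constant-time version every candidate scores the same and the attacker learns nothing. On hardware the "count" is power draw or elapsed time, which is why smartcard implementations avoid data-dependent branches in the same way.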

278

18. What type of attack uses email and attempts to trick high-level executives?

A. Phishing
B. Spear phishing
C. Whaling
D. Vishing

Answer: C Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

279

19. Scenario: An organization has recently suffered a series of security breaches that have significantly damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks.What would the consultant use to identify potential attackers?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review and audit

Answer: B Threat modeling helps identify, understand, and categorize potential threats. Asset valuation identifies the value of assets, and vulnerability analysis identifies weaknesses that can be exploited by threats. An access review and audit ensures that account management practices support the security policy.

280

20. Scenario: An organization has recently suffered a series of security breaches that have significantly damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks.What would need to be completed to ensure that the consultant has the correct focus?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Creation of audit trails

Answer: A Asset valuation identifies the actual value of assets so that they can be prioritized. This will ensure that the consultant focuses on high-value assets. Threat modeling identifies threats, but asset valuation should be done first so that the focus is on threats to high-value assets. Vulnerability analysis identifies weaknesses but should be focused on high-value assets. Audit trails are useful to re-create events leading up to an incident, but if they aren't already created, creating them now won't help unless the organization is attacked again.

281

1. Which one of the following tools is used primarily to perform network discovery scans?

A. Nmap
B. Nessus
C. Metasploit
D. lsof

Answer: A Nmap is a network discovery scanning tool that reports the open ports on a remote system.

282

2. Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the greatest cause for alarm?

A. 80/open
B. 22/filtered
C. 443/open
D. 1433/open

Answer: D Only open ports represent potentially significant security risks; a filtered port is being blocked by a firewall or similar device and did not respond. Ports 80 and 443 are expected to be open on a web server. Port 1433 is the default Microsoft SQL Server port, and a database listener should never be exposed to an external network.
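
Added example (not from the deck): the triage in question 2, done over nmap grepable (-oG) output so it can be scripted for every scan rather than read by eye. The scan lines below are constructed to follow nmap's grepable line layout as I know it (tab-separated "Key: value" fields, with each port entry as port/state/proto/owner/service/rpc/version/; verify against your nmap version), and the allowlist of ports a public web server may expose is an assumed policy. The function flags only open ports outside that list, because filtered and closed ports accepted nothing.

```python
# Ports a public-facing web server is expected to expose (assumed policy).
WEB_ALLOWLIST = {80, 443}

# Constructed sample in nmap's grepable (-oG) line layout; not real scan output.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 (web1.example.test)\tPorts: 22/filtered/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//ssl|https///, 1433/open/tcp//ms-sql-s///\t"
    "Ignored State: closed (996)\n"
    "Host: 203.0.113.11 (web2.example.test)\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//ssl|https///\tIgnored State: closed (998)\n"
)


def parse_grepable(text):
    """Yield (host, port, state, proto, service) for every port entry.
    Each 'Host:' line carries tab-separated 'Key: value' fields; the Ports
    field is a comma-separated list of port/state/proto/owner/service/... entries."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            yield host, int(parts[0]), parts[1], parts[2], parts[4]


def triage(text, allowlist=WEB_ALLOWLIST):
    """Return open ports outside the allowlist as (host, port, service) tuples.
    Filtered and closed ports are not findings: nothing accepted a connection."""
    findings = []
    for host, port, state, proto, service in parse_grepable(text):
        if state == "open" and port not in allowlist:
            findings.append((host, port, service))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, service in triage(SAMPLE_SCAN):
        print("ALERT %s has %d/%s open outside the web allowlist" % (host, port, service))
```

Running this from an external vantage point on every change, and diffing the findings against the previous run, turns Adam's one-off check into a standing control: a new open port that is not 80 or 443 shows up the day it appears.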

283

3. Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system?

A. Sensitivity of the information stored on the system
B. Difficulty of performing the test
C. Desire to experiment with new testing tools
D. Desirability of the system to attackers

Answer: C The sensitivity of information stored on the system, difficulty of performing the test, and likelihood of an attacker targeting the system are all valid considerations when planning a security testing schedule. The desire to experiment with new testing tools should not influence the production testing schedule.

284

4. Which one of the following is not normally included in a security assessment?

A. Vulnerability scan
B. Risk assessment
C. Mitigation of vulnerabilities
D. Threat assessment

Answer: C Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.

285

5. Who is the intended audience for a security assessment report?

A. Management
B. Security auditor
C. Security professional
D. Customers

Answer: A Security assessment reports should be addressed to the organization's management. For this reason, they should be written in plain English and avoid technical jargon.

286

6. Beth would like to run an nmap scan against all of the systems on her organization's private network. These include systems in the 10.0.0.0 private address space. She would like to scan this entire private address space because she is not certain what subnets are used. What network address should Beth specify as the target of her scan?

A. 10.0.0.0/0
B. 10.0.0.0/8
C. 10.0.0.0/16
D. 10.0.0.0/24

Answer: B A /8 prefix length means the first octet of the IP address is the network portion and the remaining 24 bits are host bits, so 10.0.0.0/8 covers 10.0.0.0 through 10.255.255.255, every address beginning with 10. 10.0.0.0/16 and 10.0.0.0/24 would scan only 10.0.x.x and 10.0.0.x respectively, and 10.0.0.0/0 has no network bits at all, so it would target the entire IPv4 address space rather than the private range.

287

7. Alan ran an nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server's purpose and the identity of the server's operator?

A. SSH
B. Web browser
C. telnet
D. ping

Answer: B The server is likely running a website on port 80. Using a web browser to access the site may provide important information about the site's purpose.

288

8. What port is typically used to accept administrative connections using the SSH utility?

A. 20
B. 22
C. 25
D. 80

Answer: B The SSH protocol uses port 22 to accept administrative connections to a server.

289

9. Which one of the following tests provides the most accurate and detailed information about the security state of a server?

A. Unauthenticated scan
B. Port scan
C. Half-open scan
D. Authenticated scan

Answer: D Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

290

10. What type of network discovery scan only follows the first two steps of the TCP handshake?

A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan

Answer: C The TCP SYN scan (also called a half-open scan) sends a SYN packet and receives a SYN/ACK in response from an open port, but it does not send the final ACK required to complete the three-way handshake; the scanner typically sends a RST instead, so the target never sees an established connection. A TCP connect scan completes the full handshake.

291

11. Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task?

A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner

Answer: D SQL injection attacks are web vulnerabilities, and Matthew would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.
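
Added example, not part of the original cards, for question 11: a deliberately vulnerable login query beside its parameterized fix, plus a miniature of what a web vulnerability scanner does to find the flaw. It uses Python's built-in sqlite3 so it runs offline; the table, account and payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one account (plaintext password for
    demonstration only; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in the input changes the grammar of the query."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Hardened: parameter binding keeps the input as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def probe_for_sqli(login, conn, username="alice"):
    """What a web vulnerability scanner does in miniature: establish a baseline
    with a wrong password, then send injection payloads and watch for a change
    in behaviour (a tautology that logs in, or a database error leaking out)."""
    findings = []
    baseline = login(conn, username, "definitely-wrong")
    try:
        if not baseline and login(conn, username, "' OR '1'='1"):
            findings.append("boolean-based: tautology payload bypassed authentication")
    except sqlite3.Error:
        pass
    try:
        login(conn, username, "'")
    except sqlite3.Error as exc:
        findings.append("error-based: database error reached the caller: %s" % exc)
    return findings


if __name__ == "__main__":
    db = make_db()
    print(probe_for_sqli(login_vulnerable, db))  # two findings
    print(probe_for_sqli(login_safe, db))        # []
```

The tautology works because `password = '' OR '1'='1'` is parsed with AND binding tighter than OR, so the OR clause is always true. The parameterized version sends the same bytes as a bound value and the database compares them to the column; no rewriting of the query text can occur. A real scanner adds many more payload families (time-based, UNION-based, stacked queries) but follows the same baseline-and-compare logic.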

292

12. Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application?

A. Only if the application changes
B. At least monthly
C. At least annually
D. There is no rescanning requirement.

Answer: C PCI DSS requires that Badin rescan the application at least annually and after any change in the application.

293

13. Grace is performing a penetration test against a client's network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs?

A. nmap
B. Metasploit
C. Nessus
D. Snort

Answer: B Metasploit is an automated exploit tool that allows attackers to easily execute common attack techniques.

294

14. Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform?

A. Code review
B. Application vulnerability review
C. Mutation fuzzing
D. Generational fuzzing

Answer: C Mutation fuzzing uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.
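
Added example for question 14, not from the original deck: a mutation fuzzer in Python that takes one valid input and repeatedly bit-flips, overwrites, truncates or extends it, run against a toy length-prefixed record parser with a deliberate missing bounds check, and then against a fixed parser. The record format, the seed and the bug are made up for the demonstration; the fuzzer reports any exception the parser was not designed to raise.

```python
import random

# Constructed seed: length byte, payload "ping", then a one-byte checksum
# (sum of the payload mod 256 = 430 % 256 = 174).
SEED = bytes([4]) + b"ping" + bytes([174])


def parse_record(data):
    """Toy parser for [len][payload...][checksum]. Malformed input is supposed
    to be rejected with ValueError. Deliberate bug: the length byte is trusted,
    so a short buffer makes the checksum read index past the end (IndexError)."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]  # bug: no bounds check
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data):
    """Same format with the length validated before any indexing."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) != length + 2:
        raise ValueError("length field does not match buffer size")
    payload = data[1:1 + length]
    if sum(payload) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return payload


def mutate(seed, rng):
    """One random mutation of a previous input: bit flip, byte overwrite,
    truncation, or a byte insertion."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed, iterations=2000, expected=(ValueError,), rng_seed=1):
    """Run mutated inputs through `target`; collect (input, exception) for every
    exception that is not one of the documented rejections."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.append((case, exc))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, SEED)
    print(len(found), "crashing inputs, first:", found[0] if found else None)
    print(len(fuzz(parse_record_fixed, SEED)), "crashes against the fixed parser")
```

The distinction between "expected" and "unexpected" exceptions is the whole test oracle: a parser is allowed to reject garbage, but an IndexError (or in C, a read past the buffer) means it trusted a field it had not validated. Generational fuzzing would instead build inputs from a grammar of the format; mutation fuzzing needs only the one valid seed.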

295

15. Users of a banking application may try to withdraw funds that don't exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it?

A. Misuse case testing
B. SQL injection testing
C. Fuzzing
D. Code review

Answer: A Misuse case testing identifies known ways that an attacker might exploit a system and tests explicitly to see if those attacks are possible in the proposed code.

296

16. What type of interface testing would identify flaws in a program's command-line interface?

A. Application programming interface testing
B. User interface testing
C. Physical interface testing
D. Security interface testing

Answer: B User interface testing includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.

297

17. During what type of penetration test does the tester always have access to system configuration information?

A. Black box penetration test
B. White box penetration test
C. Gray box penetration test
D. Red box penetration test

Answer: B During a white box penetration test, the testers have access to detailed configuration information about the system being tested.

298

18. What port is typically open on a system that runs an unencrypted HTTP server?

A. 22
B. 80
C. 143
D. 443

Answer: B Unencrypted HTTP communications take place over TCP port 80 by default.

299

19. Which one of the following is the final step of the Fagan inspection process?

A. Inspection
B. Rework
C. Follow-up
D. None of the above

Answer: C The Fagan inspection process (planning, overview, preparation, inspection, rework, follow-up) concludes with the follow-up phase.

300

20. What information security management task ensures that the organization's data protection requirements are met effectively?

A. Account management
B. Backup verification
C. Log review
D. Key performance indicators

Answer: B The backup verification process ensures that backups are running properly and thus meeting the organization's data protection objectives.

301

1. An organization ensures that users are granted access to only the data they need to perform specific work tasks. What principle are they following?

A. Principle of least permission
B. Separation of duties
C. Need to know
D. Role-based access control

Answer: C Need to know is the requirement to have access to, knowledge about, or possession of data to perform specific work tasks, but no more. The principle of least privilege includes both rights and permissions, but the term principle of least permission is not valid within IT security. Separation of duties ensures that a single person doesn't control all the elements of a process. Role-based access control grants access to resources based on a role.

302

2. An administrator is granting permissions to a database. What is the default level of access the administrator should grant to new users?

A. Read
B. Modify
C. Full access
D. No access

Answer: D The default level of access should be no access. The principle of least privilege dictates that users should only be granted the level of access they need for their job and the question doesn't indicate new users need any access. Read access, modify access, and full access grants users some level of access, which violates the principle of least privilege.

303

3. Why is separation of duties important for security purposes?

A. It ensures that multiple people can do the same job.
B. It prevents an organization from losing important information when they lose important people.
C. It prevents any single security person from being able to make major security changes without involving other individuals.
D. It helps employees concentrate their talents where they will be most useful.

Answer: C A separation of duties policy prevents a single person from controlling all elements of a process, and when applied to security settings, it can prevent a person from making major security changes without assistance. Job rotation helps ensure that multiple people can do the same job and can help prevent the organization from losing information when a single person leaves. Having employees concentrate their talents is unrelated to separation of duties.

304

4. What is a primary benefit of job rotation and separation of duties policies?

A. Preventing collusion
B. Preventing fraud
C. Encouraging collusion
D. Correcting incidents

Answer: B Job rotation and separation of duties policies help prevent fraud. Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions, and implementing these policies helps prevent fraud. They don't prevent collusion and certainly aren't intended to encourage employees to collude against an organization. They help deter and prevent incidents, but they do not correct them.

305

5. A financial organization commonly has employees switch duty responsibilities every six months. What security principle are they employing?

A. Job rotation
B. Separation of duties
C. Mandatory vacations
D. Least privilege

Answer: A A job rotation policy has employees rotate jobs or job responsibilities and can help detect incidences of collusion and fraud. A separation of duties policy ensures that a single person doesn't control all elements of a specific function. Mandatory vacation policies ensure that employees take an extended time away from their job, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their job and no more.

306

6. Which of the following is one of the primary reasons an organization enforces a mandatory vacation policy?

A. To rotate job responsibilities
B. To detect fraud
C. To increase employee productivity
D. To reduce employee stress levels

Answer: B Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their job, requiring someone else to perform their job responsibilities and this increases the likelihood of discovering fraud. It does not rotate job responsibilities. While mandatory vacations might help employees reduce their overall stress levels, and in turn increase productivity, these are not the primary reasons for mandatory vacation policies.

307

7. An organization wants to reduce vulnerabilities against fraud from malicious employees. Of the following choices, what would help with this goal? (Choose all that apply.)

A. Job rotation
B. Separation of duties
C. Mandatory vacations
D. Baselining

Answer: A;B;C Job rotation, separation of duties, and mandatory vacation policies will all help reduce fraud. Baselining is used for configuration management and would not help reduce collusion or fraud.

308

8. Of the following choices, what is not a valid security practice related to special privileges?

A. Monitor special privilege assignments.
B. Grant access equally to administrators and operators.
C. Monitor special privilege usage.
D. Grant access to only trusted employees.

Answer: B Special privileges should not be granted equally to administrators and operators. Instead, personnel should be granted only the privileges they need to perform their job. Special privileges are activities that require special access or elevated rights and permissions to perform administrative and sensitive job tasks. Assignment and usage of these privileges should be monitored, and access should be granted only to trusted employees.

309

9. Which of the following identifies vendor responsibilities and can include monetary penalties if the vendor doesn't meet the stated responsibilities?

A. Service level agreement (SLA)
B. Memorandum of understanding (MOU)
C. Interconnection security agreement (ISA)
D. Software as a Service (SaaS)

Answer: A A service level agreement identifies responsibilities of a third party such as a vendor and can include monetary penalties if the vendor doesn't meet the stated responsibilities. An MOU is an informal agreement and does not include monetary penalties. An ISA defines requirements for establishing, maintaining, and disconnecting a connection. SaaS is one of the cloud-based service models and does not specify vendor responsibilities.

310

10. What should be done with equipment that is at the end of its life cycle and that is being donated to a charity?

A. Remove all CDs and DVDs.
B. Remove all software licenses.
C. Sanitize it.
D. Install the original software.

Answer: C Systems should be sanitized when they reach the end of their life cycle to ensure that they do not include any sensitive data. Removing CDs and DVDs is part of the sanitization process, but other elements of the system, such as disk drives, should also be checked to ensure they don't include sensitive information. Removing software licenses or installing the original software is not necessarily required unless the organization's sanitization process requires it.

311

11. An organization is planning the layout of a new building that will house a datacenter. Where is the most appropriate place to locate the datacenter?

A. In the center of the building
B. Closest to the outside wall where power enters the building
C. Closest to the outside wall where heating, ventilation, and air conditioning systems are located
D. At the back of the building

Answer: A Valuable assets require multiple layers of physical security and placing a datacenter in the center of the building helps provide these additional layers. Placing valuable assets next to an outside wall (including at the back of the building) eliminates some layers of security.

312

12. Which of the following is a true statement regarding virtual machines (VMs) running as guest operating systems on physical servers?

A. Updating the physical server automatically updates the VMs.
B. Updating any VM automatically updates all the VMs.
C. VMs do not need to be updated as long as the physical server is updated.
D. VMs must be updated individually.

Answer: D VMs need to be updated individually just as they would be if they were running on a physical server. Updates to the physical server do not update hosted VMs. Similarly, updating one VM doesn't update all VMs.

313

13. Some cloud-based service models require an organization to perform some maintenance and take responsibility for some security. Which of the following models places the majority of these responsibilities on the organization leasing the cloud-based resources?

A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Cloud as a Service (CaaS)

Answer: A Organizations have the most responsibility for maintenance and security when leasing IaaS cloud resources. The cloud service provider takes more responsibility with the PaaS model and the most responsibility with the SaaS model. CaaS isn't a valid name for a cloud-based service model.

314

14. An organization is using a Software as a Service (SaaS) cloud-based service shared with another organization. What type of deployment model does this describe?

A. Public
B. Private
C. Community
D. Hybrid

Answer: C A community cloud deployment model provides cloud-based assets to two or more organizations. A public cloud model includes assets available for any consumers to rent or lease. A private cloud deployment model includes cloud-based assets for a single organization. A hybrid model includes a combination of two or more deployment models.

315

15. Backup tapes have reached the end of their life cycle and need to be disposed of. Which of the following is the most appropriate disposal method?

A. Throw them away. Because they are at the end of their life cycle, it is not possible to read data from them.
B. Purge the tapes of all data before disposing of them.
C. Erase data off the tapes before disposing of them.
D. Store the tapes in a storage facility.

Answer: B The tapes should be purged, ensuring that data cannot be recovered using any known means. Even though tapes may be at the end of their life cycle, they can still hold data and should be purged before throwing them away. Erasing doesn't remove all usable data from media, but purging does. There is no need to store the tapes if they are at the end of their life cycle.

316

16. Which of the following can be an effective method of configuration management using a baseline?

A. Implementing change management
B. Using images
C. Implementing vulnerability management
D. Implementing patch management

Answer: B Images can be an effective configuration management method using a baseline. Imaging ensures that systems are deployed with the same, known configuration. Change management processes help prevent outages from unauthorized changes. Vulnerability management processes helps to identify vulnerabilities, and patch management processes help to ensure systems are kept up-to-date.

317

17. Which of the following steps would not be included in a change management process?

A. Immediately implement the change if it will improve performance.
B. Request the change.
C. Create a rollback plan for the change.
D. Document the change.

Answer: A Change management processes may need to be temporarily bypassed to respond to an emergency, but they should not be bypassed simply because someone thinks it can improve performance. Even when a change is implemented in response to an emergency, it should still be documented and reviewed after the incident. Requesting changes, creating rollback plans, and documenting changes are all valid steps within a change management process.

318

18. While troubleshooting a network problem, a technician realized it could be resolved by opening a port on a firewall. The technician opened the port and verified the system was now working. However, an attacker accessed this port and launched a successful attack. What could have prevented this problem?

A. Patch management processes
B. Vulnerability management processes
C. Configuration management processes
D. Change management processes

Answer: D Change management processes would ensure that changes are evaluated before being implemented to prevent unintended outages or needlessly weakening security. Patch management ensures systems are up-to-date, vulnerability management checks systems for known vulnerabilities, and configuration management ensures that systems are deployed similarly, but these other processes wouldn't prevent an unauthorized change.

319

19. Which of the following is not a part of a patch management process?

A. Evaluate patches
B. Test patches
C. Deploy all patches
D. Audit patches

Answer: C Only required patches should be deployed so an organization will not deploy all patches. Instead, an organization evaluates the patches to determine which patches are needed, tests them to ensure that they don't cause unintended problems, deploys the approved and tested patches, and audits systems to ensure that patches have been applied.

320

20. What would an administrator use to check systems for known issues that attackers may use to exploit the systems?

A. Versioning tracker
B. Vulnerability scanner
C. Security audit
D. Security review

Answer: B Vulnerability scanners are used to check systems for known issues and are part of an overall vulnerability management program. Versioning is used to track software versions and is unrelated to detecting vulnerabilities. Security audits and reviews help ensure that an organization is following its policies but wouldn't directly check systems for vulnerabilities.

321

1. Which of the following is the best response after detecting and verifying an incident?

A. Contain it
B. Report it
C. Remediate it
D. Gather evidence

Answer: A Containment is the first step after detecting and verifying an incident. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a reoccurrence, but this is not the first step. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.

322

2. Which of the following would security personnel do during the remediation stage of an incident response?

A. Contain the incident
B. Collect evidence
C. Rebuild system
D. Root cause analysis

Answer: D Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem. After discovering the cause, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence is done early in the incident response process. Rebuilding a system may be needed during the recovery stage.

323

3. Which of the following are denial-of-service attacks? (Choose three.)

A. Teardrop
B. Smurf
C. Ping of death
D. Spoofing

Answer: A;B;C Teardrop, smurf, and ping of death are all types of DoS attacks. Attackers use spoofing to hide their identity in a variety of attacks, but spoofing is not an attack by itself.

324

4. How does a SYN flood attack work?

A. Exploits a packet processing glitch in Windows systems
B. Uses an amplification network to flood a victim with packets
C. Disrupts the three-way handshake used by TCP
D. Sends oversized ping packets to a victim

Answer: C A SYN flood attack disrupts the TCP three-way handshake by sending many SYN packets, often from spoofed source addresses, and never sending the third packet (the final ACK); the victim's table of half-open connections fills up and legitimate connection attempts are dropped. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.
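
Added example (not from the original cards) that serves two questions: question 10 of the assessment set, the SYN scan that stops after the first two steps of the handshake, and question 4 here, the SYN flood that never sends the third packet. The Python model below is a toy TCP stack with a per-port table of half-open connections bounded by a backlog; port numbers, backlog size and source addresses are assumed. It shows the SYN scan leaving no state behind, the connect scan producing an established connection, and the flood filling the backlog so a legitimate client's SYN is dropped.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """Minimal model of a host's TCP stack: which ports listen, and per port a
    table of half-open connections (SYN received, final ACK not yet seen)
    bounded by a backlog. Sources are plain strings or tuples, no real sockets."""
    open_ports: set
    backlog: int = 8
    half_open: dict = field(default_factory=dict)   # port -> set of sources
    established: set = field(default_factory=set)   # (port, source)

    def on_syn(self, port, src):
        if port not in self.open_ports:
            return "RST"             # closed port: immediate reset
        table = self.half_open.setdefault(port, set())
        if len(table) >= self.backlog:
            return None              # backlog exhausted: SYN dropped, no reply
        table.add(src)
        return "SYN-ACK"

    def on_ack(self, port, src):
        if src in self.half_open.get(port, ()):
            self.half_open[port].remove(src)
            self.established.add((port, src))
            return True
        return False

    def on_rst(self, port, src):
        self.half_open.get(port, set()).discard(src)

    def half_open_count(self, port):
        return len(self.half_open.get(port, ()))


def syn_scan(server, port, src):
    """Half-open (SYN) scan: SYN, read the reply, then RST instead of the final
    ACK, so the target never sees a completed connection."""
    reply = server.on_syn(port, src)
    if reply == "SYN-ACK":
        server.on_rst(port, src)
        return "open"
    if reply == "RST":
        return "closed"
    return "filtered"   # no reply at all


def connect_scan(server, port, src):
    """Full connect scan: completes the three-way handshake, which the target
    records as a real connection."""
    reply = server.on_syn(port, src)
    if reply == "SYN-ACK":
        server.on_ack(port, src)
        return "open"
    if reply == "RST":
        return "closed"
    return "filtered"


def syn_flood(server, port, count):
    """Send `count` SYNs from spoofed sources and never answer the SYN-ACKs.
    Returns how many half-open entries the victim is now holding."""
    for i in range(count):
        server.on_syn(port, ("spoofed", i))
    return server.half_open_count(port)


if __name__ == "__main__":
    srv = Server(open_ports={22, 80})
    print(syn_scan(srv, 80, "scanner"), srv.half_open_count(80))   # open 0
    print(connect_scan(srv, 80, "client-1"), srv.established)      # open {(80, 'client-1')}
    print(syn_flood(srv, 80, 50))                                   # 8
    print(connect_scan(srv, 80, "client-2"))                        # filtered
```

Two things the model makes visible: the SYN scan's RST is why it is "stealthier" than a connect scan (no established connection to log, though modern IDS still sees the SYN/RST pattern), and the flood works by exhausting the same half-open table the scan briefly touches. Real stacks mitigate the flood with SYN cookies, which avoid storing state until the third packet arrives.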

325

5. A web server hosted on the Internet was recently attacked, exploiting a vulnerability in the operating system. The operating system vendor assisted in the incident investigation and verified the vulnerability was not previously known. What type of attack was this?

A. Botnet
B. Zero-day exploit
C. Denial-of-service
D. Distributed denial-of-service

Answer: B A zero-day exploit takes advantage of a previously unknown vulnerability. A botnet is a group of computers controlled by a bot herder that can launch attacks, but they can exploit both known vulnerabilities and previously unknown vulnerabilities. Similarly, denial-of-service (DoS) and distributed DoS (DDoS) attacks could use zero-day exploits or use known methods.

326

6. Of the following choices, which is the most common method of distributing malware?

A. Drive-by downloads
B. USB flash drives
C. Ransomware
D. Unapproved software

Answer: A Of the choices offered, drive-by downloads are the most common distribution method for malware. USB flash drives can be used to distribute malware, but this method isn't as common as drive-by downloads. Ransomware is a type of malware infection, not a method of distributing malware. If users are able to install unapproved software, they may inadvertently install malware, but this isn't the most common method either.

327

7. Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)?

A. Detect abnormal activity
B. Diagnose system failures
C. Rate system performance
D. Test a system for vulnerabilities

Answer: A An IDS automates the inspection of audit logs and real-time system events to detect abnormal activity indicating unauthorized system access. Although IDSs can detect system failures and monitor system performance, they don't include the ability to diagnose system failures or rate system performance. Vulnerability scanners are used to test systems for vulnerabilities.

328

8. Which of the following is true for a host-based intrusion detection system (HIDS)?

A. It monitors an entire network.
B. It monitors a single system.
C. It's invisible to attackers and authorized users.
D. It cannot detect malicious code.

Answer: B An HIDS monitors a single system looking for abnormal activity. A network-based IDS (NIDS) watches for abnormal activity on a network. An HIDS is normally visible as a running process on a system and provides alerts to authorized users. An HIDS can detect malicious code similar to how anti-malware software can detect malicious code.

329

9. Which of the following is a fake network designed to tempt intruders with unpatched and unprotected security vulnerabilities and false data?

A. IDS
B. Honeynet
C. Padded cell
D. Pseudo flaw

Answer: B Honeypots are individual computers, and honeynets are entire networks created to serve as a trap for intruders. They look like legitimate networks and tempt intruders with unpatched and unprotected security vulnerabilities as well as attractive and tantalizing but false data. An intrusion detection system (IDS) will detect attacks. In some cases an IDS can divert an attacker to a padded cell, which is a simulated environment with fake data intended to keep the attacker's interest. A pseudo flaw (used by many honeypots and honeynets) is a false vulnerability intentionally implanted in a system to tempt attackers.

330

10. Of the following choices, what is the best form of anti-malware protection?

A. Multiple solutions on each system
B. A single solution throughout the organization
C. Anti-malware protection at several locations
D. One-hundred-percent content filtering at all border gateways

Answer: C A multipronged approach provides the best solution. This involves having anti-malware software at several locations, such as at the boundary between the Internet and the internal network, at email servers, and on each system. More than one anti-malware application on a single system isn't recommended. A single solution for the whole organization is often ineffective because malware can get into the network in more than one way. Content filtering at border gateways (boundary between the Internet and the internal network) is a good partial solution, but it won't catch malware brought in through other methods.

331

11. When using penetration testing to verify the strength of your security policy, which of the following is not recommended?

A. Mimicking attacks previously perpetrated against your system
B. Performing attacks without management knowledge
C. Using manual and automated attack tools
D. Reconfiguring the system to resolve any discovered vulnerabilities

Answer: B Penetration testing should be performed only with the knowledge and consent of the management staff. Unapproved security testing could result in productivity loss, trigger emergency response teams, or lead to legal action against the tester, including loss of employment. A penetration test can mimic previous attacks and use both manual and automated attack methods. After a penetration test, a system may be reconfigured to resolve discovered vulnerabilities.

332

12. What is used to keep subjects accountable for their actions while they are authenticated to a system?

A. Authentication
B. Monitoring
C. Account lockout
D. User entitlement reviews

Answer: B Accountability is maintained by monitoring the activities of subjects and objects as well as core system functions that maintain the operating environment and the security mechanisms. Authentication is required for effective monitoring, but it doesn't provide accountability by itself. Account lockout prevents login to an account if the wrong password is entered too many times. User entitlement reviews can identify excessive privileges.

333

13. What type of a security control is an audit trail?

A. Administrative
B. Detective
C. Corrective
D. Physical

Answer: B Audit trails are a passive form of detective security control. Administrative controls are management practices. Corrective controls can correct problems related to an incident, and physical controls are controls that you can physically touch.

334

14. Which of the following options is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?

A. Penetration testing
B. Auditing
C. Risk analysis
D. Entrapment

Answer: B Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Penetration testing attempts to exploit vulnerabilities. Risk analysis attempts to analyze risks based on identified threats and vulnerabilities. Entrapment is tricking someone into performing an illegal or unauthorized action.

335

15. What can be used to reduce the amount of logged or audited data using nonstatistical methods?

A. Clipping levels
B. Sampling
C. Log analysis
D. Alarm triggers

Answer: A Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs. Log analysis reviews log information looking for trends, patterns, and abnormal or unauthorized events. An alarm trigger is a notification sent to administrators when specific events or thresholds occur.

336

16. Which of the following focuses more on the patterns and trends of data than on the actual content?

A. Keystroke monitoring
B. Traffic analysis
C. Event logging
D. Security auditing

Answer: B Traffic analysis focuses more on the patterns and trends of data rather than the actual content. Keystroke monitoring records specific keystrokes to capture data. Event logging logs specific events to record data. Security auditing records security events and/or reviews logs to detect security incidents.

337

17. What would detect when a user has more privileges than necessary?

A. Account management
B. User entitlement audit
C. Logging
D. Reporting

Answer: B A user entitlement audit can detect when users have more privileges than necessary. Account management practices attempt to ensure that privileges are assigned correctly. The audit detects whether the management practices are followed. Logging records activity, but the logs need to be reviewed to determine if practices are followed. Reporting is the result of an audit.

338

18. Scenario: An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the Internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident. What should have been done before rebooting the web server?

A. Review the incident
B. Perform remediation steps
C. Take recovery steps
D. Gather evidence

Answer: D Security personnel should have gathered evidence for possible prosecution of the attacker. The first response after detecting and verifying an incident is to contain the incident, but it could have been contained without rebooting the server. The lessons learned stage includes review, and it is the last stage. Remediation includes a root cause analysis to determine what allowed the incident, but this is done late in the process. In this scenario, rebooting the server performed the recovery.

339

19. Scenario: An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the Internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident. Which of the following indicates the most serious mistake the server administrator made in this incident?

A. Rebooting the server
B. Not reporting the incident
C. Attacking the IP address
D. Resetting the connection

Answer: C Attacking the IP address was the most serious mistake because it is illegal in most locations. Additionally, because attackers often use spoofing techniques, it probably isn't the actual IP address of the attacker. Rebooting the server without gathering evidence and not reporting the incident were mistakes but won't have a potential lasting negative effect on the organization. Resetting the connection to isolate the incident would have been a good step if it was done without rebooting the server.

340

20. Scenario: An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the Internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident. What was missed completely in this incident?

A. Lessons learned
B. Detection
C. Response
D. Recovery

Answer: A The administrator did not report the incident so there was no opportunity to perform a lessons learned step. It could be the incident occurred because of a vulnerability on the server, but without an examination, the exact cause won't be known unless the attack is repeated. The administrator detected the event and responded (though inappropriately). Rebooting the server is a recovery step. It's worth mentioning that the incident response plan was kept secret and the server administrator didn't have access to it and so likely does not know what the proper response should be.

341

1. What is the end goal of disaster recovery planning?

A. Preventing business interruption
B. Setting up temporary business operations
C. Restoring normal business activity
D. Minimizing the impact of a disaster

Answer: C Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off.

342

2. Which one of the following is an example of a man-made disaster?

A. Tsunami
B. Earthquake
C. Power outage
D. Lightning strike

Answer: C A power outage is an example of a man-made disaster. The other events listed—tsunamis, earthquakes, and lightning strikes—are all naturally occurring events.

343

3. According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity?

A. 20 percent
B. 40 percent
C. 60 percent
D. 80 percent

Answer: D Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.

344

4. Which one of the following disaster types is not usually covered by standard business or homeowner's insurance?

A. Earthquake
B. Flood
C. Fire
D. Theft

Answer: B Most general business insurance and homeowner's insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA's National Flood Insurance Program.

345

5. In the wake of the September 11, 2001, terrorist attacks, what industry made drastic changes that directly impact DRP/BCP activities?

A. Tourism
B. Banking
C. Insurance
D. Airline

Answer: C All the industries listed in the options made changes to their practices after September 11, 2001, but the insurance industry's change toward noncoverage of acts of terrorism most directly impacts the BCP/DRP process.

346

6. Which of the following statements about business continuity planning and disaster recovery planning is incorrect?

A. Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes.
B. Organizations can choose whether to develop business continuity planning or disaster recovery planning plans.
C. Business continuity planning picks up where disaster recovery planning leaves off.
D. Disaster recovery planning guides an organization through recovery of normal operations at the primary facility.

Answer: C The opposite of this statement is true—disaster recovery planning picks up where business continuity planning leaves off. The other three statements are all accurate reflections of the role of business continuity planning and disaster recovery planning.

347

7. What does the term "100-year flood plain" mean to emergency preparedness officials?

A. The last flood of any kind to hit the area was more than 100 years ago.
B. The odds of a flood at this level are 1 in 100 in any given year.
C. The area is expected to be safe from flooding for at least 100 years.
D. The last significant flood to hit the area was more than 100 years ago.

Answer: B The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

348

8. In which one of the following database recovery techniques is an exact, up-to-date copy of the database maintained at an alternative location?

A. Transaction logging
B. Remote journaling
C. Electronic vaulting
D. Remote mirroring

Answer: D When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up-to-date by executing all transactions on both the primary and remote site at the same time.

349

9. What disaster recovery principle best protects your organization against hardware failure?

A. Consistency
B. Efficiency
C. Redundancy
D. Primacy

Answer: C Redundant systems/components provide protection against the failure of one particular piece of hardware.

350

10. What business continuity planning technique can help you prepare the business unit prioritization task of disaster recovery planning?

A. Vulnerability analysis
B. Business impact assessment
C. Risk management
D. Continuity planning

Answer: B During the business impact assessment phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the DRP business unit prioritization.

351

11. Which one of the following alternative processing sites takes the longest time to activate?

A. Hot site
B. Mobile site
C. Cold site
D. Warm site

Answer: C The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This often takes weeks.

352

12. What is the typical time estimate to activate a warm site from the time a disaster is declared?

A. 1 hour
B. 6 hours
C. 12 hours
D. 24 hours

Answer: C Warm sites typically take about 12 hours to activate from the time a disaster is declared. This is compared to the relatively instantaneous activation of a hot site and the lengthy time (at least a week) required to bring a cold site to operational status.

353

13. Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites?

A. Communications circuits
B. Workstations
C. Servers
D. Current data

Answer: D Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.

354

14. What type of database backup strategy involves maintenance of a live backup server at the remote site?

A. Transaction logging
B. Remote journaling
C. Electronic vaulting
D. Remote mirroring

Answer: D Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronized as closely as the latency in the link between primary and remote systems will allow.

355

15. What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are underway?

A. Executive summary
B. Technical guides
C. Department-specific plans
D. Checklists

Answer: A The executive summary provides a high-level view of the entire organization's disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.

356

16. What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products?

A. Differential backups
B. Business impact assessment
C. Incremental backups
D. Software escrow agreement

Answer: D Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a "safety net" in the event a developer goes out of business or fails to honor the terms of a service agreement.

357

17. What type of backup involves always storing copies of all files modified since the most recent full backup?

A. Differential backups
B. Partial backup
C. Incremental backups
D. Database backup

Answer: A Differential backups involve always storing copies of all files modified since the most recent full backup regardless of any incremental or differential backups created during the intervening time period.

358

18. What combination of backup strategies provides the fastest backup creation time?

A. Full backups and differential backups
B. Partial backups and incremental backups
C. Full backups and incremental backups
D. Incremental backups and differential backups

Answer: C Any backup strategy must include full backups at some point in the process. Incremental backups are created faster than differential backups because fewer files need to be backed up each time.

359

19. What combination of backup strategies provides the fastest backup restoration time?

A. Full backups and differential backups
B. Partial backups and incremental backups
C. Full backups and incremental backups
D. Incremental backups and differential backups

Answer: A Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required restorations may be unlimited.

360

20. What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site?

A. Structured walk-through
B. Parallel test
C. Full-interruption test
D. Simulation test

Answer: B Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.

361

1. What is a computer crime?

A. Any attack specifically listed in your security policy
B. Any illegal attack that compromises a protected computer
C. Any violation of a law or regulation that involves a computer
D. Failure to practice due diligence in computer security

Answer: C A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer either as the target or as a tool.

362

2. What is the main purpose of a military and intelligence attack?

A. To attack the availability of military systems
B. To obtain secret and restricted information from military or law enforcement sources
C. To utilize military or intelligence agency systems to attack other nonmilitary sites
D. To compromise military systems for use in attacks against other systems

Answer: B A military and intelligence attack is targeted at the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.

363

3. What type of attack targets proprietary information stored on a civilian organization's system?

A. Business attack
B. Denial-of-service attack
C. Financial attack
D. Military and intelligence attack

Answer: A Confidential information that is not related to the military or intelligence agencies is the target of business attacks. The ultimate goal could be destruction, alteration, or disclosure of confidential information.

364

4. What goal is not a purpose of a financial attack?

A. Access services you have not purchased
B. Disclose confidential personal employee information
C. Transfer funds from an unapproved source into your account
D. Steal money from another organization

Answer: B A financial attack focuses primarily on obtaining services and funds illegally.

365

5. Which one of the following attacks is most indicative of a terrorist attack?

A. Altering sensitive trade secret documents
B. Damaging the ability to communicate and respond to a physical attack
C. Stealing unclassified information
D. Transferring funds to other countries

Answer: B A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack.

366

6. Which of the following would not be a primary goal of a grudge attack?

A. Disclosing embarrassing personal information
B. Launching a virus on an organization's system
C. Sending inappropriate email with a spoofed origination address of the victim organization
D. Using automated tools to scan the organization's systems for vulnerable ports

Answer: D Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to "get back" at someone.

367

7. What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)

A. Bragging rights
B. Money from the sale of stolen documents
C. Pride of conquering a secure system
D. Retaliation against a person or organization

Answer: A;C Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

368

8. What is the most important rule to follow when collecting evidence?

A. Do not turn off a computer until you photograph the screen.
B. List all people present while collecting evidence.
C. Never modify evidence during the collection process.
D. Transfer all equipment to a secure storage location.

Answer: C Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.

369

9. What would be a valid argument for not immediately removing power from a machine when an incident is discovered?

A. All of the damage has been done. Turning the machine off would not stop additional damage.
B. There is no other system that can replace this one if it is turned off.
C. Too many users are logged in and using the system.
D. Valuable evidence in memory will be lost.

Answer: D The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

370

10. Hacktivists are motivated by which of the following factors? (Choose all that apply.)

A. Financial gain
B. Thrill
C. Skill
D. Political beliefs

Answer: B;D Hacktivists (the word is a combination of hacker and activist) often combine political motivations with the thrill of hacking. They organize themselves loosely into groups with names like Anonymous and LulzSec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required.

371

11. What is an incident?

A. Any active attack that causes damage to your system
B. Any violation of a code of ethics
C. Any crime (or violation of a law or regulation) that involves a computer
D. Any event that adversely affects the confidentiality, integrity, or availability of your data

Answer: D An incident is normally defined as any event that adversely affects the confidentiality, integrity, or availability of your data.

372

12. If port scanning does no damage to a system, why is it generally considered an incident?

A. All port scans indicate adversarial behavior.
B. Port scans can precede attacks that cause damage and can indicate a future attack.
C. Scanning a port damages the port.
D. Port scanning uses system resources that could be put to better uses.

Answer: B Some port scans are normal. An unusually high volume of port scan activity can be a reconnaissance activity preceding a more dangerous attack. When you see unusual port scanning, you should always investigate.

373

13. What type of incident is characterized by obtaining an increased level of privilege?

A. Compromise
B. Denial of service
C. Malicious code
D. Scanning

Answer: A Any time an attacker exceeds their authority, the incident is classified as a system compromise. This includes valid users who exceed their authority as well as invalid users who gain access through the use of a valid user ID.

374

14. What is the best way to recognize abnormal and suspicious behavior on your system?

A. Be aware of the newest attacks.
B. Configure your IDS to detect and report all abnormal traffic.
C. Know what your normal system activity looks like.
D. Study the activity signatures of the main types of attacks.

Answer: C Although options A, B, and D are actions that can make you aware of what attacks look like and how to detect them, you will never successfully detect most attacks until you know your system. When you know what the activity on your system looks like on a normal day, you can immediately detect any abnormal activity.

375

15. If you need to confiscate a PC from a suspected attacker who does not work for your organization, what legal avenue is most appropriate?

A. Consent agreement signed by employees.
B. Search warrant.
C. No legal avenue is necessary.
D. Voluntary consent.

Answer: B In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.

376

16. Why should you avoid deleting log files on a daily basis?

A. An incident may not be discovered for several days and valuable evidence could be lost.
B. Disk space is cheap, and log files are used frequently.
C. Log files are protected and cannot be altered.
D. Any information in a log file is useless after it is several hours old.

Answer: A Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, they can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived.

377

17. Which of the following conditions might require that you report an incident? (Choose all that apply.)

A. Confidential information protected by government regulation was possibly disclosed.
B. Damages exceeded $1,500.
C. The incident has occurred before.
D. The incident resulted in a violation of a law.

Answer: A;D You must report an incident when the incident resulted in the violation of a law or regulation. This includes any damage (or potential damage) to or disclosure of protected information.

378

18. What are ethics?

A. Mandatory actions required to fulfill job requirements
B. Laws of professional conduct
C. Regulations set forth by a professional organization
D. Rules of personal behavior

Answer: D Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

379

19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act?

A. Honestly, diligently, responsibly, and legally
B. Honorably, honestly, justly, responsibly, and legally
C. Upholding the security policy and protecting the organization
D. Trustworthy, loyally, friendly, courteously

Answer: B The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.

380

20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, "Ethics and the Internet"?

A. Actions that compromise the privacy of classified information
B. Actions that compromise the privacy of users
C. Actions that disrupt organizational activities
D. Actions in which a computer is used in a manner inconsistent with a stated security policy

Answer: B RFC 1087 does not specifically address the statements in A, C, or D. Although each type of activity listed is unacceptable, only "actions that compromise the privacy of users" are explicitly identified in RFC 1087.

381

1. Which one of the following is not a component of the DevOps model?

A. Information security
B. Software development
C. Quality assurance
D. IT operations

Answer: A The three elements of the DevOps model are software development, quality assurance, and IT operations.

382

2. Bob is developing a software application and has a field where users may enter a date. He wants to ensure that the values provided by the users are accurate dates to prevent security issues. What technique should Bob use?

A. Polyinstantiation
B. Input validation
C. Contamination
D. Screening

Answer: B Input validation ensures that the input provided by users matches the design parameters.

383

3. What portion of the change management process allows developers to prioritize tasks?

A. Release control
B. Configuration control
C. Request control
D. Change audit

Answer: C The request control provides users with a framework to request changes and developers with the opportunity to prioritize those requests.

384

4. What approach to failure management places the system in a high level of security?

A. Fail open
B. Fail mitigation
C. Fail secure
D. Fail clear

Answer: C In a fail-secure state, the system remains in a high level of security until an administrator intervenes.

385

5. What software development model uses a seven-stage approach with a feedback loop that allows progress one step backward?

A. Boyce-Codd
B. Waterfall
C. Spiral
D. Agile

Answer: B The waterfall model uses a seven-stage approach to software development and includes a feedback loop that allows development to return to the previous phase to correct defects discovered during the subsequent phase.

386

6. What form of access control is concerned primarily with the data stored by a field?

A. Content-dependent
B. Context-dependent
C. Semantic integrity mechanisms
D. Perturbation

Answer: A Content-dependent access control is focused on the internal data of each field.

387

7. Which one of the following key types is used to enforce referential integrity between database tables?

A. Candidate key
B. Primary key
C. Foreign key
D. Super key

Answer: C Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship.

388

8. Richard believes that a database user is misusing his privileges to gain information about the company's overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of?

A. Inference
B. Contamination
C. Polyinstantiation
D. Aggregation

Answer: D In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks involve the use of specialized database functions to combine information from a large number of database records to reveal information that may be more sensitive than the information in individual records would reveal.

389

9. What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them?

A. Inference
B. Manipulation
C. Polyinstantiation
D. Aggregation

Answer: C Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels.

390

10. Which one of the following is not a principle of Agile development?

A. Satisfy the customer through early and continuous delivery.
B. Businesspeople and developers work together.
C. Pay continuous attention to technical excellence.
D. Prioritize security over other requirements.

Answer: D In Agile, the highest priority is to satisfy the customer through early and continuous delivery of valuable software.

391

11. What type of information is used to form the basis of an expert system's decision-making process?

A. A series of weighted layered computations
B. Combined input from a number of human experts, weighted according to past performance
C. A series of "if/then" rules codified in a knowledge base
D. A biological decision-making process that simulates the reasoning process used by the human mind

Answer: C Expert systems use a knowledge base consisting of a series of "if/then" statements to form decisions based on the previous experience of human experts.

392

12. In which phase of the SW-CMM does an organization use quantitative measures to gain a detailed understanding of the development process?

A. Initial
B. Repeatable
C. Defined
D. Managed

Answer: D In the Managed phase, level 4 of the SW-CMM, the organization uses quantitative measures to gain a detailed understanding of the development process.

393

13. Which of the following acts as a proxy between an application and a database to support interaction and simplify the work of programmers?

A. SDLC
B. ODBC
C. DSS
D. Abstraction

Answer: B ODBC acts as a proxy between applications and the backend DBMS.

394

14. In what type of software testing does the tester have access to the underlying source code?

A. Static testing
B. Dynamic testing
C. Cross-site scripting testing
D. Black box testing

Answer: A In order to conduct a static test, the tester must have access to the underlying source code.

395

15. What type of chart provides a graphical illustration of a schedule that helps to plan, coordinate, and track project tasks?

A. Gantt
B. Venn
C. Bar
D. PERT

Answer: A A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project.

396

16. Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level?

A. Aggregation
B. Inference
C. Contamination
D. Polyinstantiation

Answer: C Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement.

397

17. What database security technology involves creating two or more rows with seemingly identical primary keys that contain different data for users with different security clearances?

A. Polyinstantiation
B. Cell suppression
C. Aggregation
D. Views

Answer: A Database developers use polyinstantiation, the creation of multiple records that seem to have the same primary key, to protect against inference attacks.

398

18. Which one of the following is not part of the change management process?

A. Request control
B. Release control
C. Configuration audit
D. Change control

Answer: C Configuration audit is part of the configuration management process rather than the change control process.

399

19. What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data?

A. Atomicity
B. Consistency
C. Isolation
D. Durability

Answer: C The isolation principle states that two transactions operating on the same data must be temporarily separated from each other such that one does not interfere with the other.

400

20. Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the degree of this table?

A. Two
B. Three
C. Thirty
D. Undefined

Answer: B The cardinality of a table refers to the number of rows in the table while the degree of a table is the number of columns.

401

1. What is the most commonly used technique to protect against virus attacks?

A. Signature detection
B. Heuristic detection
C. Data integrity assurance
D. Automated reconstruction

Answer: A Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system.

402

2. You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use?

A. Internet
B. DMZ
C. Intranet
D. Sandbox

Answer: B The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.

403

3. Which one of the following types of attacks relies on the difference between the timing of two events?

A. Smurf
B. TOCTTOU
C. Land
D. Fraggle

Answer: B The time-of-check-to-time-of-use (TOCTTOU) attack relies on the timing of the execution of two events.

404

4. Which of the following techniques requires that administrators identify appropriate applications for an environment?

A. Sandboxing
B. Control signing
C. Integrity monitoring
D. Whitelisting

Answer: D Application whitelisting requires that administrators specify approved applications, and then the operating system uses this list to allow only known good applications to run.

405

5. What advanced virus technique modifies the malicious code of a virus on each system it infects?

A. Polymorphism
B. Stealth
C. Encryption
D. Multipartitism

Answer: A In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.

406

6. Which one of the following tools provides a solution to the problem of users forgetting complex passwords?

A. LastPass
B. Crack
C. Shadow password files
D. Tripwire

Answer: A LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.

407

7. What type of application vulnerability most directly allows an attacker to modify the contents of a system's memory?

A. Rootkit
B. Back door
C. TOC/TOU
D. Buffer overflow

Answer: D Buffer overflow attacks allow an attacker to modify the contents of a system's memory by writing beyond the space allocated for a variable.

408

8. Which one of the following passwords is least likely to be compromised during a dictionary attack?

A. mike
B. elppa
C. dayorange
D. fsas3a1G

Answer: D Except option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backward, and dayorange combines two dictionary words. Crack and other utilities can easily see through these "sneaky" techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.

409

9. What file is instrumental in preventing dictionary attacks against Unix systems?

A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/pwlog

Answer: B Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.

410

10. What character should always be treated carefully when encountered as user input on a web form?

A. !
B. &
C. *
D. '

Answer: D The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.

411

11. What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?

A. Triggers
B. Stored procedures
C. Column encryption
D. Concurrency control

Answer: B Developers of web applications should leverage database stored procedures to limit the application's ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators.

412

12. What type of reconnaissance attack provides attackers with useful information about the services running on a system?

A. Session hijacking
B. Port scan
C. Dumpster diving
D. IP sweep

Answer: B Port scans reveal the ports associated with services running on a machine and available to the public.

413

13. What condition is necessary on a web page for it to be used in a cross-site scripting attack?

A. Reflected input
B. Database-driven content
C. NET technology
D. CGI scripts

Answer: A Cross-site scripting attacks are successful only against web applications that include reflected input.

414

14. What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?

A. Stealth virus
B. Companion virus
C. Polymorphic virus
D. Multipartite virus

Answer: D Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.

415

15. What is the most effective defense against cross-site scripting attacks?

A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption

Answer: B Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML

416

16. What worm was the first to cause major physical damage to a facility?

A. Stuxnet
B. Code Red
C. Melissa
D. rtm

Answer: A Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers.

417

17. Ben's system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?

A. Escalation of privilege
B. Back door
C. Rootkit
D. Buffer overflow

Answer: B Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions.

418

18. What technology does the Java language use to minimize the threat posed by applets?

A. Confidentiality
B. Encryption
C. Stealth
D. Sandbox

Answer: D The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.

419

19. What HTML tag is often used as part of a cross-site scripting (XSS) attack?

A.
B.
C.
D.

Answer: D

The tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.

420

20. When designing firewall rules to prevent IP spoofing, which of the following principles should you follow?

A. Packets with internal source IP addresses don't enter the network from the outside.
B. Packets with internal source IP addresses don't exit the network from the inside.
C. Packets with public IP addresses don't pass through the router in either direction.
D. Packets with external source IP addresses don't enter the network from the outside.

Answer: A Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed.

421

1. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility?

A. Hot site
B. Warm site
C. Cold site
D. All of the above

Answer: A Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company.

422

2. What type of detected incident allows the most time for an investigation?

A. Compromise
B. Denial of service
C. Malicious code
D. Scanning

Answer: D Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early.

423

3. Which of the following represent natural events that can pose a threat or risk to an organization?

A. Earthquake
B. Flood
C. Tornado
D. All of the above

Answer: D Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornados, wildfires, and other acts of nature as well. Thus options A, B, and C are correct because they are natural and not man-made.

424

4. Which one of the following vulnerabilities would best be countered by adequate parameter checking?

A. Time of check to time of use
B. Buffer overflow
C. SYN flood
D. Distributed denial of service

Answer: B Parameter checking is used to prevent the possibility of buffer overflow attacks.

425

5. Which of the following is considered a denial of service attack?

A. Pretending to be a technical manager over the phone and asking a receptionist to change their password
B. While surfing the Web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU
C. Intercepting network traffic by copying the packets as they pass through a specific subnet
D. Sending message packets to a recipient who did not request them simply to be annoying

Answer: B Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering and sniffing are typically not considered DoS attacks.

426

6. The collection of components in the TCB that work together to implement reference monitor functions is called the _____________.

A. Security perimeter
B. Security Kernel
C. Access matrix
D. Constrained interface

Answer: B The collection of components in the TCB that work together to implement reference monitor functions is called the security kernel.

427

7. Why are military and intelligence attacks among the most serious computer crimes?

A. The use of information obtained can have far-reaching detrimental strategic effects on national interests in an enemy's hands.
B. Military information is stored on secure machines, so a successful attack can be embarrassing.
C. The long-term political use of classified information can impact a country's leadership.
D. The military and intelligence agencies have ensured that the laws protecting their information are the most severe.

Answer: A The purpose of a military and intelligence attack is to acquire classified information. The detrimental effect of using such information could be nearly unlimited in the hands of an enemy. Attacks of this type are launched by very sophisticated attackers. It is often very difficult to ascertain what documents were successfully obtained. So when a breach of this type occurs, you sometimes cannot know the full extent of the damage.

428

8. What is the length of a message digest produced by the MD5 algorithm?

A. 64 bits
B. 128 bits
C. 256 bits
D. 384 bits

Answer: B The MD5 algorithm produces a 128-bit message digest for any input.

429

9. Auditing is a required factor to sustain and enforce what?

A. Accountability
B. Confidentiality
C. Accessibility
D. Redundancy

Answer: A Auditing is a required factor to sustain and enforce accountability.

430

10. Which of the following is not a defense against collusion?

A. Separation of duties
B. Restricted job responsibilities
C. Group user accounts
D. Job rotation

Answer: C Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability.

431

11. What type of malware uses social engineering to trick a victim into installing it?

A. Viruses
B. Worms
C. Trojan horse
D. Logic bomb

Answer: C A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when in fact it has a malicious hidden payload.

432

12. Which of the following is a procedure designed to test and perhaps bypass a system's security controls?

A. Logging usage data
B. War dialing
C. Penetration testing
D. Deploying secured desktop workstations

Answer: C Penetration testing is the attempt to bypass security controls to test overall system security.

433

13. Which of the following is not a composition theory related to security models?

A. Cascading
B. Feedback
C. Iterative
D. Hookup

Answer: C Iterative is not one of the composition theories related to security models. Cascading, feedback, and hookup are the three composition theories.

434

14. A VPN can be established over which of the following?

A. Wireless LAN connection
B. Remote access dial-up connection
C. WAN link
D. All of the above

Answer: D A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an Internet connection used by a client for access to the office LAN.

435

15. Which of the following statements is true?

A. The less complex a system, the more vulnerabilities it has.
B. The more complex a system, the less assurance it provides.
C. The less complex a system, the less trust it provides.
D. The more complex a system, the less attack surface it generates.

Answer: B The more complex a system, the less assurance it provides. More complexity means more areas for vulnerabilities to exist and more areas that must be secured against threats. More vulnerabilities and more threats mean that the subsequent security provided by the system is less trustworthy.

436

16. System architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery are elements of what security criteria?

A. Quality assurance
B. Operational assurance
C. Life cycle assurance
D. Quantity assurance

Answer: B Assurance is the degree of confidence you can place in the satisfaction of security needs of a computer, network, solution, and so on. Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security.

437

17. Which one of the following is a layer of the ring protection scheme that is not normally implemented in practice?

A. Layer 0
B. Layer 1
C. Layer 3
D. Layer 4

Answer: B Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist.

438

18. What is the last phase of the TCP/IP three-way handshake sequence?

A. SYN packet
B. ACK packet
C. NAK packet
D. SYN/ACK packet

Answer: B The SYN packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK packet. The initiating host sends an ACK packet, and the connection is then established.

439

19. Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions?

A. Static packet filtering
B. Application-level gateway
C. Stateful inspection
D. Dynamic packet filtering

Answer: D Dynamic packet-filtering firewalls enable the real-time modification of the filtering rules based on traffic content.

440

20. Ring 0, from the design architecture security mechanism known as protection rings, can also be referred to as all but which of the following?

A. Privileged mode
B. Supervisory mode
C. System mode
D. User mode

Answer: D Ring 0 has direct access to the most resources; thus user mode is not an appropriate label because user mode requires restrictions to limit access to resources.

441

21. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?

A. Renee's public key
B. Renee's private key
C. Mike's public key
D. Mike's private key

Answer: C Any recipient can use Mike's public key to verify the authenticity of the digital signature.

442

22. Spamming attacks occur when numerous unsolicited messages are sent to a victim. Because enough data is sent to the victim to prevent legitimate activity, it is also known as what?

A. Sniffing
B. Denial of service
C. Brute-force attack
D. Buffer overflow attack

Answer: B A spamming attack (sending massive amounts of unsolicited email) can be used as a type of denial-of-service attack. It doesn't use eavesdropping methods so isn't sniffing. Brute force methods attempt to crack passwords. Buffer overflow attacks send strings of data to a system in an attempt to cause it to fail.

443

23. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilized to gain a detailed understanding of the software development process?

A. Repeatable
B. Defined
C. Managed
D. Optimizing

Answer: C The Managed phase of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management.

444

24. Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?

A. Directive controls
B. Preventive controls
C. Detective controls
D. Corrective controls

Answer: C Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs.

445

25. In what type of cipher are the letters of the plain-text message rearranged to form the cipher text?

A. Substitution cipher
B. Block cipher
C. Transposition cipher
D. One-time pad

Answer: C Transposition ciphers use an encryption algorithm to rearrange the letters of the plain-text message to form a cipher text message.

446

26. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices.

A. Difficult to guess or unpredictable
B. Meet minimum length requirements
C. Meet specific complexity requirements
D. All of the above

Answer: D Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and utilize all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn't be transmitted in the clear.

447

27. What is the first step of the business impact assessment process?

A. Identification of priorities
B. Likelihood assessment
C. Risk identification
D. Resource prioritization

Answer: A Identification of priorities is the first step of the business impact assessment process.

448

28. At which layer of the OSI model does a router operate?

A. Network layer
B. Layer 1
C. Transport layer
D. Layer 5

Answer: A Network hardware devices, including routers, function at layer 3, the Network layer.

449

29. Which type of intrusion detection system (IDS) can be considered an expert system?

A. Host-based
B. Network-based
C. Knowledge-based
D. Behavior-based

Answer: D A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. A knowledge-based IDS uses a database of known attack methods to detect attacks. Both host-based and network-based systems can be either knowledge-based, behavior-based, or a combination of both.

450

30. What is the value of the logical operation shown here?

X: 0 1 1 0 1 0
Y: 0 0 1 1 0 1
___________________________
X ∨ Y: ?

A. 0 1 1 1 1 1
B. 0 1 1 0 1 0
C. 0 0 1 0 0 0
D. 0 0 1 1 0 1

Answer: A

The ∨ symbol represents the OR function, which is true when one or both of the input bits are true.

451

31. What type of evidence refers to written documents that are brought into court to prove a fact?

A. Best evidence
B. Payroll evidence
C. Documentary evidence
D. Testimonial evidence

Answer: C Written documents brought into court to prove the facts of a case are referred to as documentary evidence.

452

32. A data custodian is responsible for securing resources after _________________ has assigned the resource a security label.

A. Senior management
B. Data owner
C. Auditor
D. Security staff

Answer: B The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately.

453

33. If you want to restrict access into or out of a facility, which would you choose?

A. Gate
B. Turnstile
C. Fence
D. Mantrap

Answer: B A turnstile is a form of gate that prevents more than one person from gaining entry at a time and often restricts movement to one direction. It is used to gain entry but not exit, or vice versa.

454

34. Which of the following is most likely to detect DoS attacks?

A. Host-based IDS
B. Network-based IDS
C. Vulnerability scanner
D. Penetration testing

Answer: B Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don't detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool.

455

35. What is the formula used to compute the ALE?

A. ALE = AV * EF * ARO
B. ALE = ARO * EF
C. ALE = AV * ARO
D. ALE = EF * ARO

Answer: A The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE*ARO. The other formulas displayed here do not accurately reflect this calculation.

456

36. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?

A. Preventive
B. Deterrent
C. Detective
D. Corrective

Answer: C Detective access controls are used to discover (and document) unwanted or unauthorized activity.

457

37. The CIA Triad comprises what elements?

A. Contiguousness, interoperable, arranged
B. Authentication, authorization, accountability
C. Capable, available, integral
D. Availability, confidentiality, integrity

Answer: D The components of the CIA Triad are confidentiality, availability, and integrity.

458

38. What form of intellectual property is used to protect words, slogans, and logos?

A. Patent
B. Copyright
C. Trademark
D. Trade secret

Answer: C Trademarks are used to protect the words, slogans, and logos that represent a company and its products or services.

459

39. Which of the following is not a required component in the support of accountability?

A. Auditing
B. Privacy
C. Authentication
D. Authorization

Answer: B Privacy is not necessary to provide accountability.

460

40. What is the point of a secondary verification system?

A. To verify the identity of a user
B. To verify the activities of a user
C. To verify the completeness of a system
D. To verify the correctness of a system

Answer: D Secondary verification mechanisms are set in place to establish a means of verifying the correctness of detection systems and sensors. This often means combining several types of sensors or systems (CCTV, heat and motion sensors, and so on) to provide a more complete picture of detected events.

461

1. _________________ employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. The modulated signals are perpendicular and thus do not cause interference with each other.

A. DSSS
B. OCSP
C. OFDM
D. CCMP

Answer: C OFDM employs a digital multicarrier modulation scheme that allows for a more tightly compacted transmission. The modulated signals are perpendicular (orthogonal) and thus do not cause interference with each other.

462

2. What is the IEEE standard for Bluetooth?

A. 802.3
B. 802.11
C. 802.20
D. 802.15

Answer: D IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines Ethernet, 802.11 defines wireless networking, and 802.20 defines LTE.

463

3. What means of transmission involves the use of a discontinuous electrical signal and a state change or on-off pulses?

A. Asynchronous communications
B. Digital signals
C. Broadband connections
D. Half‐duplex links

Answer: B Digital signals are a means of transmission that involves the use of a discontinuous electrical signal and a state change or on-off pulses. Asynchronous communications, broadband connections, and half-duplex links can be digital or analog.

464

4. What technique is the most effective means of protecting against SQL injection attacks?

A. Acceptance testing
B. Code review
C. Firewall rules
D. Input validation

D. Input validation protects against a wide variety of web‐based attacks, including SQL injection.

465

5. In a relational database, what type of key is used to uniquely identify a record in a table and can have multiple instances per table?

A. Candidate key
B. Primary key
C. Unique key
D. Foreign key

A. A candidate key is a subset of attributes that can be used to uniquely identify any record in a table. No two records in the same table will ever contain the same values for all attributes composing a candidate key. Each table may have one or more candidate keys, which are chosen from column headings.

466

6. What characteristic of database transactions ensures that transactions are executed in an “all‐or‐nothing” fashion?

A. Atomicity
B. Consistency
C. Isolation
D. Durability

A. Database transactions must be atomic—that is, they must be an “all‐or‐nothing” affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.

467

7. What type of alternate processing facility contains a full complement of computing equipment in working order with copies of data ready to go?

A. Hot site
B. Warm site
C. Cold site
D. Cloud site

A. Hot sites are ready to assume full operational capacity at a moment’s notice.

468

8. The absence of which of the following can result in the perception that due care is not being maintained?

A. Periodic security audits
B. Deployment of all available controls
C. Performance reviews
D. Audit reports for shareholders

A. Failing to perform periodic security audits can result in the perception that due care is not being maintained. Such audits alert personnel that senior management is practicing due diligence in maintaining system security. An organization should not indiscriminately deploy all available controls but should choose the most effective ones based on risks. Performance reviews are useful managerial practices but not directly related to due care. Audit reports should not be shared with the public.

469

9. An employee retained access to sensitive data from previous job assignments. Investigators later caught him selling some of this sensitive data to competitors. What could have prevented the employee from stealing and selling the secret data?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. User entitlement audit

D. A user entitlement audit can detect when employees have excessive privileges. Asset valuation identifies the value of assets. Threat modeling identifies threats to valuable assets. Vulnerability analysis detects vulnerabilities or weaknesses that can be exploited by threats.

470

10. Which of the following can detect outgoing sensitive data based on specific data patterns?

A. Anti‐malware software
B. Data loss prevention systems
C. Security Information and Event Management systems
D. Intrusion prevention systems

B. Network‐based data loss prevention (DLP) systems can scan outgoing data and look for specific keywords and/or data patterns. DLP systems can block these outgoing transmissions. Anti‐malware software detects malware. Security Information and Event Management (SIEM) systems provide real‐time analysis of events occurring on systems throughout an organization but don’t necessarily scan outgoing traffic. Intrusion prevention systems (IPS) scan incoming traffic to prevent unauthorized intrusions.

471

11. An employee is suspected of embedding classified data within picture files and sending it to a competitor. If true, what is this employee using to do so?

A. Hashing
B. Sandboxing
C. Steganography
D. Watermarking

C. Steganography is the practice of embedding data within other files, so it is possible for an employee to embed classified data within picture files. Security professionals use hashing techniques to discover files that have other data embedded within them. Sandboxing runs applications in isolated memory to observe them and detect potential malicious activity. Watermarking is the process of embedding an image or pattern in paper or a file but is not done maliciously.

472

12. Which of the following represents a primary benefit of a patch management system?

A. Prevents outages from new attacks
B. Prevents outages from known attacks
C. Provides updates to operating systems and applications
D. Eliminates vulnerabilities

B. A patch management system prevents outages from known attacks by ensuring systems are patched. Patches aren’t available for new attacks. Patches provide updates to operating systems and applications. However, the patch management system doesn’t provide the updates. Ensuring systems are patched reduces vulnerabilities, but it does not eliminate vulnerabilities.

473

13. What is the purpose of the Common Vulnerabilities and Exposures (CVE) dictionary?

A. To identify methods of mitigating vulnerabilities
B. To provide a standard convention used to identify vulnerabilities
C. To identify methods of discovering vulnerabilities
D. To provide a standard method of announcing vulnerabilities

B. The Common Vulnerabilities and Exposures dictionary provides a standard convention used to identify vulnerabilities. The CVE does include information on mitigating and discovering vulnerabilities, but that isn’t the primary purpose. The CVE doesn’t announce vulnerabilities.