CISSP Flashcards

Question

Rob is conducting a penetration test against a wireless network and would like to gather network traffic containing successful authentication attempts but the network is not heavily trafficked and he wants to speed up the information gathering process. What technique can he use? A. Brute force B. Rainbow table C. Disassociation D. Replay

Answer 1

Correct Answer: C Disassociation attacks intentionally disconnect a wireless user from their access point to force a reauthentication that the attacker may collect with a wireless eavesdropping tool. Brute force attacks, rainbow table attacks and replay attacks do not gather network traffic and, therefore, would not be useful in this scenario.

Answer 2

Correct Answer: A In 802.1x authentication, the end user’s system contains a component called the supplicant that initiates the authentication process. The supplicant connects to the authenticator, normally a network switch or wireless access point, that then reaches out to an authentication server to confirm the user’s identity. The communication between the authenticator and authentication server normally takes place using the RADIUS and EAP protocols.

Answer 3

Correct Answer: B Development environments are designed for active use by developers who are creating new code. These environments are the only location where code should be modified. Once code is ready for testing, it is released from the development environment into a test environment for software testing. After the completion of user acceptance testing, the code is moved from the test environment into a staging environment where it is prepared for final deployment into the production environment. Developers should never have permission to move code themselves but should only be able to move code between environments through the use of a managed change control system.

Answer 4

Correct Answer: D Two-person control requires the concurrence of two individuals for sensitive actions. That is the scenario described here. Separation of duties says that an individual should not have both permissions necessary to perform a sensitive action. This is a closely related, but distinct principle. There is no evidence given that supervisors do not have the ability to create payments, so separation of duties is not in play here.

Answer 5

Correct Answer: A Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware, and possible software, to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment’s notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan. They would work well in this scenario because Roger could bring a mobile site to their primary facility and use it to recover operations during the restoration effort at the primary site.

Answer 6

Correct Answer: C Watering hole attacks take advantage of the fact that many people are predictable in their web surfing patterns. They place malicious content at a site likely to attract the target audience (the watering hole) and then wait for a compromise to occur.

Answer 7

Correct Answer: C In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.

Answer 8

Correct Answer: A The Authentication Headers (AH) protocol supports only authentication and integrity for IPsec connections. The Encapsulating Security Payload (ESP) protocol supports confidentiality, integrity, and authentication.

Answer 9

Correct Answer: C While it is possible to perform error handling with a variety of constructs, the most appropriate tool is the use of the try…catch construct. In this approach, developers include the code that might generate an error in the try clause and then provide error handling code in the catch clause.

Answer 10

Correct Answer: D If the password remains known only to authorized individuals, this does not violate the principles of confidentiality or integrity. There is no indication from the scenario that the account has excess privileges, so least privilege is not violated. However, the use of a shared account prevents security staff from determining which individual performed an action, violating the principle of accountability.

Answer 11

Correct Answer: B An intrusion detection system (IDS) has the ability to identify suspicious network traffic but cannot take any preventive action to block the traffic. Therefore, it is best classified as a detective control.

Answer 12

Correct Answer: A In a pass-the-hash attack, the attacker must gain access to hashed Windows account passwords. This is possible by gaining access to a Windows workstation where the target user logs into his or her domain account. Access to a domain controller is not necessary. Access to a network segment or public website is not sufficient because hashed passwords are not generally found in those locations in unencrypted form.

Answer 13

Correct Answer: B Over-the-air (OTA) upgrades occur automatically and without user or administrator intervention, making them the best way to ensure that devices remain current. If Samantha wants to control when these updates occur, she can manage OTA updates through her mobile device management (MDM) platform. Manual installation or sideloading by users or administrators is not likely to keep devices consistently updated.

Answer 14

Correct Answer: D While it may be possible to mitigate this issue by adjusting settings on any of the devices mentioned here, the root cause of a SQL injection vulnerability is faulty input validation in the application’s source code. This root cause may only be addressed by modifying the application code.

Answer 15

Correct Answer: D The proximity card provides the fastest scanning time, as the user simply needs to hold it near the reader. Smart cards and magnetic stripe cards require more time-consuming interaction with the reader. Photo ID cards require scrutiny by a human guard.

Answer 16

Correct Answer: A System administrators are examples of data custodians: individuals who are charged with the safekeeping of information under the guidance of the data owner.

Answer 17

Correct Answer: D In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account used to manage registration information.

Answer 18

Correct Answer: A Tom should deploy an agent-based NAC solution or, more specifically, a permanent agent. This technology leaves software running on the endpoint that may remain in constant contact with the NAC solution. Agentless NAC, captive portal solutions, and dissolvable agents do not maintain a constant presence on the system and would not meet Tom’s requirements.

Answer 19

Correct Answer: C One of the basic server security principles is that each server should support only one primary function. Best practice dictates separating the web server (Apache) from the database server (MySQL). It is normal and standard for a web server to support both unencrypted access on port 80 and encrypted access on port 443. TLS 1.2 is a modern version of the protocol and is secure and acceptable for use.

Answer 20

Correct Answer: D The offboarding process is the area of greatest risk to the organization because failure to execute deprovisioning activities in a prompt manner may mean that employees who have left the organization retain access to sensitive information or systems.

Answer 21

Correct Answer: D After identifying an incident, the team should next move into the containment phase where they seek to limit the damage caused by the incident. Containment occurs prior to the eradication and recovery phases. The preparation phase occurs before incident identification.

Answer 22

Correct Answer: A Security through obscurity is an outdated concept that says that the security of a control may depend upon the secrecy of the details of that control’s inner function. Security professionals should not use controls that rely upon security through obscurity. The principles of least privilege, separation of duties, and defense in depth are all sound security practices.

Answer 23

Correct Answer: D While it is possible that any type of attacker might engage in a zero-day attack, it is most likely to find these vulnerabilities exploited by an advanced persistent threat (APT). APT attackers are more likely to have the technical resources to discover and use zero-day vulnerabilities.

Answer 24

Correct Answer: D Moving the access point or the client may resolve the interference, as might changing the wireless channel/band in use. Increasing bandwidth will only provide more capacity. Additional capacity will not resolve interference.

Answer 25

Correct Answer: B Organizations deploying IPsec for site-to-site VPNs typically use tunnel mode to connect two VPN concentrators to each other and then route traffic through that tunnel in a manner that is transparent to the communicating devices. Transport mode is more commonly used for remote access VPNs. Internet key exchange (IKE) and security associations (SAs) are not modes of IPSec VPN operation.

Answer 26

Correct Answer: B In SAML authentication, the user agent is the web browser, application, or other technology used by the end user. The service provider is the service that the user would like to access. The identity provider is the organization providing the authentication mechanism. The certificate authority issues digital certificates required to secure the connections.

Answer 27

Correct Answer: A During an employee onboarding process, the organization typically conducts a number of start-up activities for the new employee. These commonly include issuing a computer, generating account credentials, and conducting initial security training. Deprovisioning is the removal of user access and accounts and would occur during the offboarding process.

Answer 28

Correct Answer: D Any one of these scenarios is a plausible reason that the digital signature would not verify. Dan cannot draw a specific conclusion other than that the message he received is not the message that was sent by the originator.

Answer 29

Correct Answer: A When registering DNS entries for a load balanced service, administrators should assign the entry to a virtual IP address that maps to the public interface of the load balancer.

Answer 30

Correct Answer: A In a type 1 hypervisor, the hypervisor runs directly on the system hardware, eliminating the need for an underlying operating system and reducing the environment’s attack surface. Type 2 hypervisors require the use of a host operating system. Type 3 and 4 hypervisors do not exist.

Answer 31

Correct Answer: C All of these attacks are authentication attacks. Brute force and rainbow table attacks are generic attacks that may be used against any authentication system that stores hashed passwords. Man-in-the-middle attacks are generally used against web applications. Pass-the-hash attacks are specifically effective against NTLM authentication.

Answer 32

Correct Answer: D Donna’s organization should consider implementing a standard operating procedure (SOP) for data access requests. This procedure could spell out the appropriate approval process for granting access to data stored in another user’s account. A guideline is not mandatory and would not be appropriate in this case. A data classification policy would generally not cover access request procedures, nor would a service level agreement.

Answer 33

Correct Answer: C The ROT13 cipher exchanges each letter of a message for the letter that is 13 places ahead of it in the alphabet. This is an example of a substitution operation. Transposition ciphers rearrange the letters in a message, which is not occurring here. ROT13 is quite weak and would never be considered cryptographically strong. It also does not perform hashing of messages into message digests.

Answer 34

Correct Answer: D Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments. Aircrack-ng may be used to passively gather information about a wireless network and crack a pre-shared key.

Answer 35

Correct Answer: A Steganography is a set of techniques used to hide information within other files, in plain sight. The most common application of steganography is hiding information within images.

Answer 36

Correct Answer: B Router access control lists are only capable of performing stateless filtering, which does not take connection status into account. Other firewall technologies, including stateful inspection firewalls, next generation firewalls, and proxy firewalls, all track connection state and typically require dedicated firewall hardware.

Answer 37

Correct Answer: D In a public cloud environment, providers offer services on the same shared computing platform to all customers. Customers do not necessarily have any relationship to, or knowledge of, each other. In a private cloud environment, an organization builds its own computing environment. In a hybrid cloud environment, an organization combines elements of public and private cloud computing. In a community cloud environment, a group of related organizations builds a shared cloud environment that is not open for general public use.

Answer 38

Correct Answer: C In a RAID 5 array, all of the disks contain data except for the parity disk. Therefore, regardless of the number of disks in the array, only a single disk may fail before data is permanently lost.

Answer 39

Correct Answer: A Generic, shared, and guest accounts should not be used on secure servers due to their lack of accountability to an individual user. Service accounts normally exist on all servers and are required for routine operation of services.

Answer 40

Correct Answer: D Guard dogs may be described as either a deterrent or preventive control, depending upon the context. They do serve in a preventive role because they have the ability to corner a potential intruder. However, this is not their primary role. Their main function is to serve as a deterrent to intrusion attempts through their menacing appearance. When taking the exam, remember that you may face questions like this asking you to choose the BEST answer from among several correct possibilities.

Answer 41

Correct Answer: B The most secure implementation of 3DES uses three independent keys. This approach creates a key with 168 (56×3) independent bits. When all three keys are the same, the key length is only 56 bits. When only two keys are independent, the key length is 112 bits.

Answer 42

Correct Answer: D This is a clear example of a distributed denial of service (DDoS) attack. The half-open connections indicate the use of a denial of service attack. The fact that the requests came from all over the world makes it clear that it is more than a standard denial of service attack. There is no indication that there was a web application flaw, such as cross-site request forgery or cross-site scripting.

Answer 43

Correct Answer: C Stateful inspection firewalls monitor connection status by tracking the TCP handshake. They maintain a table of active connections and automatically allow traffic that is part of an established connection without requiring the reevaluation of the ruleset for each packet. The other firewall types listed are more primitive and do not track connection status. They simply reevaluate every packet that they receive.

Answer 44

Correct Answer: A Integration testing occurs after unit testing and is designed to confirm that units of code will work together properly. Functional testing takes place upon the conclusion of requirements development, while design testing occurs after the design is complete. Both functional and design testing should be completed before, not after, unit testing. Acceptance testing occurs as the next step after successful integration testing.

Answer 45

Correct Answer: D In the Challenge Handshake Authentication Protocol (CHAP), the client makes an authentication request and the server responds with a challenge message. The client must then combine its password with the challenge message and hash it, providing this hashed response to the server.

Answer 46

Correct Answer: D The only factor that changed is the user’s location, making a location-based restriction the most likely culprit. This type of restriction can apply even when a user connects to a VPN. We know that it is not a content-based restriction or role-based restriction because the user was able to access the same system when in the office. We also can surmise that it is not likely a time-based restriction because Brenda is able to access the system at the same time.

Answer 47

Correct Answer: A Smart cards contain an integrated circuit that interactively authenticates with the reader. They do not necessarily contain a magnetic stripe. There is no requirement that a smart card be combined with a PIN/passcode or biometric authentication, although this is often done to achieve multifactor authentication.

Answer 48

Correct Answer: A Full backups always include all data stored on the backed up media and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so other backup types will be smaller than a full backup.

Answer 49

Correct Answer: D Adding a single bit to a cryptographic key doubles the number of possible keys, making the new key length twice as strong as the previous key length.

Answer 50

Correct Answer: A This is an example of a logic bomb, code that remains dormant until certain logical conditions are met and then releases its payload. In this case, the logic bomb was configured to release if the developer was no longer employed by the organization.

Answer 51

Correct Answer: D The primary risk associated with automated exit motion detectors is that an intruder outside the facility may be able to gain access by triggering the motion detector. For example, if it is possible to slide a piece of paper under the door, it may be possible to forcefully push the paper through so it flies up in the air and triggers the detector.

Answer 52

Correct Answer: C Generally speaking, IoT deployments do not typically require multifactor authentication. They do, however, call for maintenance of the embedded operating systems, network segmentation, and the encryption of sensitive information.

Answer 53

Correct Answer: B Dissolvable NAC uses a temporary agent that is removed immediately after the health check completes. This would be the best solution for Tina to deploy. A captive portal solution does not necessarily have the ability to perform health checking unless it is combined with a dissolvable agent. Permanent NAC would install software that remains on the student computers. Active Directory NAC would not be appropriate because the systems are unmanaged and, therefore, not accessible through AD.

Answer 54

Correct Answer: B All of these tools may be useful in detecting missing patches. However, the most useful tool is a configuration management system. These tools have the ability to directly query the operating system to obtain real-time information on their patch level.

Answer 55

Correct Answer: D Cloud computing environments provide on-demand computing and allow users to pay for resources on an as-needed basis. In that model, Carl can power down servers that are not needed and reduce his costs. Other computing models have high fixed costs that would not be as cost-effective for this type of bursty workload.

Answer 56

Correct Answer: B The digital certificate format is set out in the X.509 standard. RFC 1918 contains the standard for private IP addressing, while RFC 783 defines the TCP standard. IEEE 802.1x is a standard for wireless authentication.

Answer 57

Correct Answer: C The use of different authentication requirements depending upon the circumstances of the user’s request is known as context-based authentication. In this scenario, authentication requirements are changing based upon the user’s IP address, making it an example of context-based authentication.

Answer 58

Correct Answer: A If Brandy’s major concern is a compromised operating system, she can bypass the operating system on the device by booting it from live boot media and running her own operating system on the hardware. Running a malware scan may provide her with some information but may not detect all compromises and Brandy likely does not have the necessary permissions to correct any issues. Using a VPN or accessing secure sites would not protect her against a compromised operating system, as the operating system would be able to view the contents of her communication prior to encryption.

Answer 59

Correct Answer: D In a hot aisle/cold aisle layout, cold air should be distributed at floor level in the front of racks (cold aisle) so that it is pulled into the front of equipment and vented out the back into the hot aisle.

Answer 60

Correct Answer: B Life safety systems should always have a higher impact rating than other systems. Therefore, Matt should prioritize the fire suppression system over other restoration efforts.

Answer 61

Correct Answer: D SQL injection, cross-site scripting, and buffer overflow attacks all occur when applications do not properly screen user-provided input for potentially malicious content. Distributed denial of service attacks use botnets of compromised systems to conduct a brute force resource exhaustion attack against a common target.

Answer 62

Correct Answer: B Satellite communications (SATCOM) have the widest availability, as they may be used from any region of the world with satellite coverage. For large satellite networks, this covers the entire planet. Cellular signals do travel long distances but may not have constant availability in rural areas. WiFi and Bluetooth are only useful over short distances and would not be appropriate for this scenario.

Answer 63

Correct Answer: A Fuzz testing specifically evaluates the performance of applications in response to mutated input combinations. Penetration testing is a manual, not automated, process. Vulnerability scanning may be automated but does not necessarily include the use of mutated input. Decompilation attempts to reverse engineer code.

Answer 64

Correct Answer: B Full backups always include all data stored on the backed up media and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so other backup types will be smaller than a full backup.

Answer 65

Correct Answer: D Several vulnerabilities exist in different implementations of WPS. Some allow an offline brute force attack known as Pixie Dusk. Others may make it impossible for device administrators to disable WPS. Other may use weak encryption. The risk that applies to all WPS devices is the risk of physical access. If an attacker gains physical access to the device, he or she can join the network.

Answer 66

Correct Answer: A The Health Insurance Portability and Accountability Act (HIPAA) contains security and privacy provisions covering protected health information (PHI). It does not apply to more general personally identifiable information (PII) or payment card information (PCI). PDI is not a common category of information.

Answer 67

Correct Answer: C Privilege creep is the term used to describe the situation where a user moves through various job roles and accumulates permissions over time without having unnecessary permissions revoked. Privilege creep is a violation of the principle of least privilege.

Answer 68

Correct Answer: B NIST’s digital identity security guidelines suggest that organizations set a minimum password length of 8 characters for passwords that are memorized by the user. (NIST SP 800-63B)

Answer 69

Correct Answer: D In a public cloud environment, providers offer services on the same shared computing platform to all customers. Customers do not necessarily have any relationship to, or knowledge of, each other. In a private cloud environment, an organization builds its own computing environment. In a hybrid cloud environment, an organization combines elements of public and private cloud computing. In a community cloud environment, a group of related organizations builds a shared cloud environment that is not open for general public use.

Answer 70

Correct Answer: D In a choose-your-own-device (CYOD) model, the employee is permitted to choose from a selection of approved devices. The company owns the device. In a bring-your-own-device (BYOD) model, the employee owns the device. In corporate-owned, personally-enabled (COPE) and corporate-owned models, the company owns the device but the employee does not necessarily have the ability to choose the device.

Answer 71

Correct Answer: B Faraday cages are enclosures designed to prevent electromagnetic radiation from entering or leaving an area. They are used to shield very sensitive equipment and to prevent electromagnetic signals that might be intercepted from leaving a facility.

Answer 72

Correct Answer: C All employees should receive security awareness training that is tailored to their role in the organization. System administrators are the most technical employees mentioned here, so they should receive the most technical training.

Answer 73

Correct Answer: A Bruce Schneier designed the Blowfish algorithm as an open-source alternative to other patented encryption algorithms. The algorithm does support a 64-bit block size and variable length keys between 32-448 bits. Schneier does not recommend that people use Blowfish today, instead recommending the Twofish algorithm.

Answer 74

Correct Answer: D DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified, responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.

Answer 75

Correct Answer: B Operating system updates and application updates frequently trigger file integrity alerts, as do system compromises. A CPU failure would result in a system crash, rather than a file integrity alert.

Answer 76

Correct Answer: C PIVs contain four digital certificates. The card authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, and has not been revoked. The PIV authentication certificate is used to verify that the PIV credential was issued by an authorized entity, has not expired, has not been revoked, and holder of the credential (YOU) is the same individual it was issued to. The digital signature certificate allows the user to digitally sign a document or email, providing both integrity and non-repudiation. The encryption certificate allows the user to digitally encrypt documents or email.

Answer 77

Correct Answer: B Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing MAC addresses of other devices.

Answer 78

Correct Answer: A Honeynets are networks of decoy systems designed to attract intruders so that security analysts may study their activity. Honeypots are single systems designed for the same purpose. Darknets are unused portions of IP address space designed to detect scanning activity when a scanner attempts to access those unused addresses. Darkpots are what occur when I attempt to cook and leave a pot unattended on the stove for too long.

Answer 79

Correct Answer: D This situation calls for role-based access control, where authorizations are assigned based upon a user’s role in the organization. This approach would allow Gavin to simply change a user’s role when they switch jobs and then the permissions would automatically update based upon the user’s new role.

Answer 80

Correct Answer: B

Answer 81

Correct Answer: D Open source intelligence (OSINT) includes the use of any publicly available information. This would include domain registration records found in WHOIS entries, the contents of public websites, and the use of Google searches. Vulnerability scans are an active reconnaissance technique and would not be considered OSINT.

Answer 82

Correct Answer: C 12.168.1.100 and 129.168.1.100 are valid public IP addresses and should be permitted as inbound source addresses. 278.168.1.100 is not a valid IP address because the first octet is greater than 255. It does not need to be blocked because it is not possible. This leaves 192.168.1.100. This address is a private address and should never be seen as a source address on packets crossing an external network connection.

Answer 83

Correct Answer: A The best source for guidance on passwords and other authentication techniques is NIST Special Publication 800-63B: Digital Identity Guidelines. In the most recent revision of this document, NIST states that users should not be subjected to a maximum password length requirement and should be allowed to choose passwords as lengthy as they would like.

Answer 84

Correct Answer: B The data protection officer (DPO) is a formal designation under GDPR and the individual designated as DPO bears significant responsibilities for GDPR compliance.

Answer 85

Correct Answer: A Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.

Answer 86

Correct Answer: C The Protected Extensible Authentication Protocol (PEAP) runs the standard EAP protocol within a TLS session to provide secure communications.

Answer 87

Correct Answer: C. Mobile device management products do typically support remote wiping, application management, and configuration management, among other features. They do not provide carrier unlocking functionality, as this may only be performed by the wireless carrier that activated the device.

Answer 88

Correct Answer: C In an 802.1x wireless network, the wireless access point or wireless controller typically serves as the 802.1x client, sending authentication requests to a back-end authentication server.

Answer 89

Correct Answer: A Burning, shredding, and pulping are all acceptable ways to destroy paper records. Degaussing is a magnetic destruction technique that is only appropriate for digital records.

Answer 90

Correct Answer: B Most security professionals consider eight feet to be the minimum height for a fence protecting critical assets. It is trivial for an intruder to climb a fence of six feet or less. A fence that stands twelve feet high is likely unnecessary and aesthetically unpleasant. For added security, organizations may add barbed wire to the top of the fence.

Answer 91

Correct Answer: D The Secure File Transfer Protocol (SFTP) provides a file transfer capability through a Secure Shell (SSH) connection. The File Transfer Protocol Secure (FTPS) also provides secure file transfers, but does so through a modified version of the FTP protocol and does not use SSH. Dropbox is a proprietary file sharing service that does not use SSH. The HyperText Transfer Protocol Secure (HTTPS) is a secure web protocol that may be used for file transfers but does not leverage SSH.

Answer 92

Correct Answer: A Answering this question is a little tricky because it depends upon you not only recognizing that each of these options are indeed password attacks but also knowing the details of how each one of them works. Let’s start by knocking off two of the more clearly incorrect answers. First, this is not a brute force attack. A brute force attack attempts every possible password against an account and in this case we have a series of common passwords being used against a lot of accounts. Second, it is not a rainbow table attack. That type of attack requires that the attacker have access to a file containing hashed passwords, which is not the case here. That leaves us with password spraying and credential stuffing: two similar attack types. Password spraying attacks take username and password combinations that were compromised on other sites and use them to attempt logging into the target site, based on the presumption that people will reuse passwords from site to site. Credential stuffing attacks use a series of commonly chosen passwords to attempt to log into a series of accounts. That’s what happened in this scenario.

Answer 93

Correct Answer: D This is an example of a private cloud deployment, where the service provider is dedicating hardware to this specific customer. Private clouds may operate in data centers that are dedicated to that single customer or, as in this case, they may operate in shared data centers. The difference is that each customer’s equipment is segregated and customers do not share hardware. That shared hardware approach is the hallmark of public and community cloud models. Hybrid cloud models mix elements of public and private clouds. There is no indication that Tim’s organization intends to do this.

Answer 94

Correct Answer: A Cloud access security brokers (CASB) are designed to enforce security policies across cloud services. Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms are designed to aggregate, analyze, and react to security events. Virtual desktop infrastructure (VDI) offers desktop computing to end users in a virtualized manner.

Answer 95

Correct Answer: C Firewalls serve to block attempted access to the organization’s networks and systems. Therefore, they are best described as preventative controls. The purpose of a detective control is to identify attacks that are currently taken place or have taken place in the past. The purpose of a deterrent control is to discourage an attacker from attempting to undermine security. The purpose of a corrective control is to help the organization recover after a security incident.

Answer 96

Correct Answer: C In this case, the attack depended upon the fact that the victim was already logged into the shopping website. The attacker knew that some portion of the visitors to the message board would be logged into that site and took advantage of that trust relationship to send commands through the user’s browser to the shopping site. That’s an example of a cross-site request forgery attack. Cross-site scripting attacks work in a similar manner but they do not leverage those trust relationships. Server-side request forgery attacks target the web server itself rather than the end user. Phishing attacks attempt to trick the user into sharing sensitive information, but this attack took place without the victim’s knowledge.

Answer 97

Correct Answer: B Input validation should always be performed on the web server. Database servers do not see the full input provided by the user and are not well-situated to perform input validation. Input validation should never be performed at the web browser because a malicious user can disable that validation code.

Answer 98

Correct Answer: D The following address ranges are available for use on private networks and subnets: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255. Three of the subnets presented in this question fall into these ranges while the fourth, 181.10.0.0/16 does not. That subnet is a public address range assigned to a particular user and should not be used on a private subnet.

Answer 99

Correct Answer: B Tcpdump is a command-line packet capture utility. Wireshark is also a packet capture utility but it is designed for interactive use through a GUI. FTK and dd are forensic utilities used to capture disk images, not network packets.

Answer 100

Correct Answer: C Security orchestration, automation, and response (SOAR) platforms are specifically designed to react to security information and perform workflows across a variety of other systems, which would make it the best choice. Security information and event management (SIEM) platforms are capable of doing this to some degree, but they are not as well suited to the task as SOAR platforms, so while SIEM might be a good answer, it’s not the best possible answer. When you take a security certification exam, it’s very important to remember that questions may have one or more possible answers. You always want to choose the best of those choices. That’s why it’s very important to read the entire question carefully!

Answer 101

Correct Answer: B This environment, where customers supply code and vendors supply managed infrastructure, is known as platform as a service (PaaS) computing. In infrastructure as a service (IaaS) computing, the vendor offers access to the basic building blocks of a computing infrastructure, such as servers, storage, and networking and the customer assembles those building blocks to create their own solutions. In the software as a service (SaaS) model, the vendor provides a fully functional application to the customer. Anything as a service (XaaS) is a term describing the fact that virtually any computing service may be delivered in a cloud model and it is not a good description of this specific scenario.

Answer 102

Correct Answer: A It is possible that an intrusion prevention system (IPS) or next generation firewall (NGFW) could provide this functionality. However, a secure web gateway (SWG) is purpose-built for filtering user web traffic and, therefore, would be the best solution in this scenario. Cloud access security brokers (CASB) do not perform web content filtering.

Answer 103

Answer: B Explanation: The following is the correct answer: the item's classification and category set. A Sensitivity label must contain at least one classification and one category set. Category set and Compartment set are synonyms, they mean the same thing. The sensitivity label must contain at least one Classification and at least one Category. It is common in some environments for a single item to belong to multiple categories. The list of all the categories to which an item belongs is called a compartment set or category set.

Answer 104

Answer: C Explanation: Kerberos depends on secret keys (symmetric ciphers). Kerberos is a third party authentication protocol. It was designed and developed in the mid 1980's by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys.

Answer 105

Answer: B Explanation: Is correct because that is exactly what Kerberos is. The

Answer 106

Answer: B Explanation: Kerberos depends on Secret Keys or Symmetric Key cryptography. Kerberos a third party authentication protocol. It was designed and developed in the mid 1980's by MIT. It is considered open source but is copyrighted and owned by MIT. It relies on the user's secret keys. The password is used to encrypt and decrypt the keys.

Answer 107

Answer: C Explanation: In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system.

Answer 108

Answer: D Explanation: The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits impulses through the optic nerve to the brain - the equivalent of film in a camera. Blood vessels used for biometric identification are located along the neural retina, the outermost of retina's four cell layers.

Answer 109

Answer: B Explanation: A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

Answer 110

Answer: C Explanation: non-repudiation. Since Kerberos deals primarily with symmetric cryptography, it does not help with non-repudiation

Answer 111

Answer: C Explanation: A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not the key.

Answer 112

Answer: A Explanation: Details: The Answer: Bell-LaPadula model The Bell-LAPadula model is also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications. Developed by the US Military in the 1970s.

Answer 113

Answer: A Explanation: Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support. Reference:

Answer 114

Answer: A Explanation: In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

Answer 115

Answer: B Explanation: Today implementation of fast, accurate reliable and user-acceptable biometric identification systems is already taking place. Unique physical attributes or behavior of a person are used for that purpose.

Answer 116

A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Administrative Pairing

Answer 117

Answer: B Explanation: The question is explict in asking *easily*. With TCP connection establishment there is a distinct state or sequence that can be expected. Consult the references for further details

Answer 118

Answer: A Explanation: A TCP Segment is the group of TCP data transmitted at the Transport Layer. TCP is segment based network technology. The message is sent to the transport layer, where TCP does its magic on the data. The bundle of data is now a segment. If the message is being transmitted over TCP, it is referred to as a “segment.”

Answer 119

Answer: B Explanation: The network layer contains the Internet Protocol (IP), the Internet Control Message Protocol (ICMP), and the Internet Group Management Protocol (IGMP)

Answer 120

Answer: A Explanation: TCP Wrappers can control when a UDP server starts but has little control afterwards because UDP packets can be sent randomly.

Answer 121

Answer: B Explanation: If the protocol field has a value of 1 then it would indicate it was ICMP.

Answer 122

Answer: D Explanation: If the protocol field has a value of 2 then it would indicate it was IGMP.

Answer 123

Answer: B Explanation: IP is a datagram based technology

Answer 124

Answer: C Explanation: A series of the same control, hexidecimal, characters imbedded in the string is usually an indicator of a buffer overflow attack. A NOP is a instruction which does nothing (No Operation - the hexadecimal equivalent is 0x90)

Answer 125

Answer: C Explanation: Each Class C network address has a 24-bit network prefix, with the three highest order bits set to 1-1-0

Answer 126

Answer: A Transport layer: The Transport layer handles computer-to computer communications, rather than application-to-application communications like RPC. Data link Layer: The Data Link layer protocols can be divided into either Logical Link Control (LLC) or Media Access Control (MAC) sublayers. Protocols like SLIP, PPP, RARP and L2TP are at this layer. An application-to-application protocol like RPC would not be addressed at this layer. Network layer: The Network Layer is mostly concerned with routing and addressing of information, not application-to-application communication calls such as an RPC call.

Answer 127

Answer: C Explanation: Frame relay and X.25 are both examples of packet-switching technologies. In packet-switched networks there are no dedicated connections between endpoints, and data is divided into packets and reassembled on the receiving end

Answer 128

Answer: A Explanation: RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over pointto- point links. PPP is comprised of three main components: 1 A method for encapsulating multi-protocol datagrams. 2 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. 3 A family of Network Control Protocols (NCPs) for establishing and configuring different networklayer protocols.

Answer 129

Answer: A Explanation: The following answers are incorrect: Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model. Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model. Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model.

Answer 130

Answer: A Explanation: CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password). After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

Answer 131

Answer: B Explanation: Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication which are either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. Internet Key Exchange (IKE) Internet key exchange allows communicating partners to prove their identity to each other and establish a secure communication channel, and is applied as an authentication component of IPSec.

Answer 132

Answer: C Explanation: S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and nonrepudiation of electronic messages. S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails. S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633.

Answer 133

Answer: C Explanation: Misuse detectors compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called "signature-based detection."

Answer 134

Answer: D Explanation: A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be at the highest level of the protocol stack.

Answer 135

Answer: B Explanation: Although it may cause a denial of service to the victim's system, this type of attack is a Smurf attack. A SYN Flood attack uses up all of a system's resources by setting up a number of bogus communication sockets on the victim's system. A Ping of Death attack is done by sending IP packets that exceed the maximum legal length (65535 octets).

Answer 136

Correct Answer: C Jan is helping her team research tactics to attack systems, which is an example of an offensive operation. During a cybersecurity exercise, the red team is responsible for conducting offensive operations, while the blue team conducts defensive operations. The white team consists of the officials who moderate the exercise and arbitrate rules disputes. Purple teaming occurs after the exercise when the red and blue teams come together to discuss tactics and lessons learned.

Answer 137

Answer: C Explanation: IPSec provide replay protection that ensures data is not delivered multiple times, however IPsec does not ensure that data is delivered in the exact order in which it is sent. IPSEC uses TCP and packets may be delivered out of order to the receiving side depending which route was taken by the packet.

Answer 138

Answer: C Explanation: L2TP is affected by packet header modification and cannot cope with firewalls and network devices that perform NAT. "PPTP can run only on top of IP networks." is correct as PPTP encapsulates datagrams into an IP packet, allowing PPTP to route many network protocols across an IP network. "PPTP is an encryption protocol and L2TP is not." is correct. When using PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) using MSCHAP or EAP-TLS. "L2TP supports AAA servers" is correct as L2TP supports TACACS+ and RADIUS.

Answer 139

Answer: D Explanation: According to the AIO 3rd edition, these are the necessary steps for a proper classification program: 1. Define classification levels. 2. Specify the criteria that will determine how data is classified. 3. Have the data owner indicate the classification of the data she is responsible for. 4. Identify the data custodian who will be responsible for maintaining data and its security level. 5. Indicate the security controls, or protection mechanisms, that are required for each classification level. 6. Document any exceptions to the previous classification issues. 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian. 9. Indicate termination procedures for declassifying the data. 10. Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels.

Answer 140

Answer: C Explanation: Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP V3 Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic security, it looks much different due to new textual conventions, concepts, and terminology. SNMPv3 primarily added security and remote configuration enhancements to SNMP. Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used.

Answer 141

Answer: A Explanation: Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit the information disclosure exist today, such as access control lists, firewalls, and cryptography. However, although these methods do impose limits on the information that is released by a system, they provide no guarantees about information propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the confidentiality of the data are given once it is decrypted. In low level information flow analysis, each variable is usually assigned a security level. The basic model comprises two distinct levels: low and high, meaning, respectively, publicly observable information, and secret information. To ensure confidentiality, flowing information from high to low variables should not be allowed. On the other hand, to ensure integrity, flows to high variables should be restricted. More generally, the security levels can be viewed as a lattice with information flowing only upwards in the lattice.

Answer 142

Answer: B Explanation: This question refers specifically to the LAND Attack. This question is testing your ability to recognize common attacks such as the Land Attack and also your understanding of what would be an acceptable action taken by your Intrusion Detection System. You must remember what is a LAND ATTACK for the purpose of the exam. You must also remember that an IDS is not only a passive device. In the context of the exam it is considered an active device that is MOSTLY passive. It can take some blocking actions such as changing a rule on a router or firewall for example. In the case of the Land Attack and this specific question. It must be understand that most Operating System TCP/IP stack today would not be vulnerable to such attack. Many of the common firewall could also drop any traffic with same Source IP/Port as the Destination IP/Port as well. So there is multiple layers where such an attack could be stopped. The downfall of IDS compared with IPS is the fact they are usually reacting after the packets have been sent over the network. A single packet attack should as the Land Attack could be detected but would still complete and affect the destination target. This is where IPS could come into play and stop the attack before it completes.

Answer 143

Answer: B Explanation: Pivoting refers to method used by penetration testers that uses compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multilayered attacks. Pivoting is also known as island hopping.

Answer 144

Answer: A Explanation: Authenticity refers to the characteristic of a communication, document or any data that ensures the quality of being genuine or not corrupted from the original.

Answer 145

Answer: D Explanation: This is a tricky question, the keyword in the question is Internal users. There are two possible answers based on how the question is presented, this question could either apply to internal users or ANY anonymous/external users. Internal users should always have a written agreement first, then logon banners serve as a constant reminder. Banners at the log-on time should be used to notify external users of any monitoring that is being conducted. A good banner will give you a better legal stand and also makes it obvious the user was warned about who should access the system, who is authorized and unauthorized, and if it is an unauthorized user then he is fully aware of trespassing. Anonymous/External users, such as those logging into a web site, ftp server or even a mail server; their only notification system is the use of a logon banner.

Answer 146

Answer: A Explanation: Archive bit 1 = On (the archive bit is set). Archive bit 0 = Off (the archive bit is NOT set). When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up. Differential backups backup all files changed since the last full. To do this, they don't change the archive bit value when they backup a file. Instead the differential let's the full backup make that change. An incremental only backs up data since the last incremental backup. Thus is does change the archive bit from 1 (On) to 0 (Off).

Answer 147

Answer: A Explanation: Discussion: Since computer program code is written by humans and there are proper and improper ways of writing software code it is clear that human errors create the conditions for buffer overflows to exist.

Answer 148

Answer: A Explanation: The data link layer, or Layer 2, of the OSI model is responsible for adding a header and a trailer to a packet to prepare the packet for the local area network or wide area network technology binary format for proper line transmission. Layer 2 is divided into two functional sublayers. The upper sublayer is the Logical Link Control (LLC) and is defined in the IEEE 8022 specification. It communicates with the network layer, which is immediately above the data link layer. Below the LLC is the Media Access Control (MAC) sublayer, which specifies the interface with the protocol requirements of the physical layer.

Answer 149

Answer: D Explanation: Single sign-on (SSO)is a Session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.

Answer 150

Answer: B Explanation: The keyword PRIMARY is used in the question. Accountability should be the primary concern if critical servers can be accessed only by using shared user id and password. It would be very difficult to track the changes done by employee on critical server.

Answer 151

Answer: A Explanation: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system–level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements.

Answer 152

Answer: D Explanation: The following answers are incorrect: A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to. Is incorrect because both forward packets this is not distinctive enough.

Answer 153

Answer: B Explanation: This is not a benefit of a firewall. Most firewalls are limited when it comes to preventing the spread of viruses.

Answer 154

Answer: A Explanation: RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components: 1 A method for encapsulating multi-protocol datagrams. 2 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. 3 A family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols.

Answer 155

Answer: B Explanation: Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication which are either pre-shared or distributed using DNS (preferably with DNSSEC) and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. Internet Key Exchange (IKE) Internet key exchange allows communicating partners to prove their identity to each other and establish a secure communication channel, and is applied as an authentication component of IPSec.

Answer 156

Answer: C Explanation: S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and nonrepudiation of electronic messages. S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails. S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633. How S/MIME works The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication.

Answer 157

Answer: D Explanation: A gateway is used to connect two networks using dissimilar protocols at the lower layers or it could also be at the highest level of the protocol stack.

Answer 158

Answer: B Explanation: Although it may cause a denial of service to the victim's system, this type of attack is a Smurf attack. A SYN Flood attack uses up all of a system's resources by setting up a number of bogus communication sockets on the victim's system. A Ping of Death attack is done by sending IP packets that exceed the maximum legal length (65535 octets).

Answer 159

Answer: B Explanation: Coaxial cable is called "coaxial" because it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis.

Answer 160

Answer: B Explanation: The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics Standard model for network communications enables dissimilar networks to communicate, Defines 7 protocol layers (a.k.a. protocol stack) Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats) "Mapping" each protocol to the model is useful for comparing protocols.

Answer 161

Answer: C Explanation: IPSec provide replay protection that ensures data is not delivered multiple times, however IPsec does not ensure that data is delivered in the exact order in which it is sent. IPSEC uses TCP and packets may be delivered out of order to the receiving side depending which route was taken by the packet.

Answer 162

Answer: C Explanation: Configuration management isn't about preventing change but ensuring the integrity of IT resources by preventing unauthorized or improper changes. According to the Official ISC2 guide to the CISSP exam, a good CM process is one that can: (1) accommodate change; (2) accommodate the reuse of proven standards and best practices; (3) ensure that all requirements remain clear, concise, and valid; (4) ensure changes, standards, and requirements are communicated promptly and precisely; and (5) ensure that the results conform to each instance of the product.

Answer 163

Answer: C Explanation: L2TP is affected by packet header modification and cannot cope with firewalls and network devices that perform NAT. "PPTP can run only on top of IP networks." is correct as PPTP encapsulates datagrams into an IP packet, allowing PPTP to route many network protocols across an IP network. "PPTP is an encryption protocol and L2TP is not." is correct. When using PPTP, the PPP payload is encrypted with Microsoft Point-to-Point Encryption (MPPE) using MSCHAP or EAP-TLS. "L2TP supports AAA servers" is correct as L2TP supports TACACS+ and RADIUS.

Answer 164

Answer: D Explanation: In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident. Triage is incorrect as triage is about determining the seriousness of the incident and filtering out false positives

Answer 165

Answer: C Explanation: This is wrong which makes this the correct choice. This statement is not true as stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets. Stateful matching intrusion detection takes pattern matching to the next level. As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers.

Answer 166

Answer: D Explanation: This is not a correct notation for an IPv6 address because the "::" can only appear once in an address.

Answer 167

Answer: C EAL 1: The product is functionally tested; this is sought when some assurance in accurate operation is necessary, but the threats to security are not seen as serious. EAL 2: Structurally tested; this is sought when developers or users need a low to moderate level of independently guaranteed security. EAL 3: Methodically tested and checked; this is sought when there is a need for a moderate level of independently ensured security. EAL 4: Methodically designed, tested, and reviewed; this is sought when developers or users require a moderate to high level of independently ensured security. EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security. EAL 6: Semiformally verified, designed, and tested; this is sought when developing specialized TOEs for high-risk situations. EAL 7: Formally verified, designed, and tested; this is sought when developing a security TOE for application in extremely high-risk situations.

Answer 168

Answer: A Explanation: RAID Level 0 creates one large disk by using several disks. This process is called striping

Answer 169

Answer: A Explanation: Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves use of different networks, circuits or end points should the normal network be unavailable. Diverse routing routes traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and therefore subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. This type of access is time-consuming and costly. Long haul network diversity is a diverse long-distance network utilizing T1 circuits among the major long-distance carriers. It ensures long-distance access should any one carrier experience a network failure. Last mile circuit protection is a redundant combination of local carrier T1s microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local carrier routing is also utilized.

Answer 170

Answer: C Explanation: The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The range for assigned "Well Known" ports managed by the IANA (Internet Assigned Numbers Authority) is 0-1023.

Answer 171

Answer: D Explanation: This is the second protocol in TLS. "Transport Layer Security (TLS) Internet Protocol" is incorrect. There is no such protocol. "Transport Layer Security (TLS) Data Protocol" is incorrect. There is no such protocol. "Transport Layer Security (TLS) Link Protocol" is incorrect. There is no such protocol.

Answer 172

Answer: A Explanation: SSL provides for Peer Authentication. Though peer authentication is possible, authentication of the client is seldom used in practice when connecting to public e-commerce web sites. Once authentication is complete, confidentiality is assured over the session by the use of symmetric encryption in the interests of better performance.

Answer 173

Answer: D Explanation: A keyed hash also called a MAC (message authentication code) is used for integrity protection and authenticity. In cryptography, a message authentication code (MAC) is a generated value used to authenticate a message. A MAC can be generated by HMAC or CBC-MAC methods. The MAC protects both a message’s integrity (by ensuring that a different MAC will be produced if the message has changed) as well as its authenticity, because only someone who knows the secret key could have modified the message.

Answer 174

Answer: A Explanation: This is the usual term to describe the destination for a TCP/UDP packet. "Dedicated service" is incorrect. This is an "almost right sounding" term meant to confuse the unwary. "Delayed service" is incorrect. This is a nonsense term to confuse you. "Distributed service" is incorrect. While network services can certainly be distributed, the usual term is "desired service" or "destination service."

Answer 175

Answer: A Explanation: Since the circuit level proxy does not analyze the application content of the packet in making its decisions, it has lower overhead than an application level proxy

Answer 176

Answer: C Explanation: The dynamic packet filtering firewall is able to create ACL's on the fly to allow replies on dynamic ports (higher than 1023). Packet filtering is incorrect. The packet filtering firewall usually requires that the dynamic ports be left open as a group in order to handle this situation. Circuit level proxy is incorrect. The circuit level proxy builds a conduit between the trusted and untrusted hosts and does not work by dynamically creating ACL's. Application level proxy is incorrect. The application level proxy "proxies" for the trusted host in its communications with the untrusted host. It does not dynamically create ACL's to control traffic.

Answer 177

Answer: A Explanation: While the purpose of systems in the DMZ is to allow public access to certain internal network resources (EMAIL, DNS, Web), it is a good practice to restrict that access to the minimum necessary to provide those services through use of a firewall.

Answer 178

Answer: A Explanation: This is another name for the demilitarized zone (DMZ) of a network.

Answer 179

Answer: A Explanation: The two current conceptual approaches to Intrusion Detection methodology are knowledge-based ID systems and behavior-based ID systems, sometimes referred to as signature-based ID and statistical anomaly-based ID, respectively.

Answer 180

Answer: A Explanation: RAID Level 1 often implemented by a one-for-one disk to disk ratio.

Answer 181

Answer: C Explanation: Frame relay uses a public switched network to provide Wide Area Network (WAN) connectivity.

Answer 182

Answer: A Explanation: Redundant array of inexpensive disks (RAID) are primarily used to improve speed, availability, and redundancy, not integrity. They provide fault tolerance and protection against file server hard disk crashes.

Answer 183

Answer: B Explanation: RAID 1 (Mirroring) is usually used to create Server Fault Tolerance Redundant server implementations take the concept of RAID 1 (mirroring) and applies it to a pair of servers to provide server fault tolerance. Each of the two servers have 100% of the data and the data is maintained in synch all the time.

Answer 184

Answer: D Explanation: A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies.

Answer 185

Answer: D Explanation: Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed.

Answer 186

Answer: C Explanation: The network layer (layer 3) defines how packets are routed and relayed between end systems on the same network or on interconnected networks. Message routing, error detection and control of node traffic are managed at this level.

Answer 187

Answer: C Explanation: IP operates at the network layer (layer 3).

Answer 188

Answer: D Explanation: The physical layer (layer 1) defines the X.24, V.35, X.21 and HSSI standard interfaces.

Answer 189

Answer: C Explanation: In the TCP/IP protocol model, the Internet layer defines the IP datagram and handles the routing of data across networks.

Answer 190

Answer: D Explanation: The Internet layer corresponds to the OSI's network layer. It handles the routing of packets among multiple networks.

Answer 191

Answer: B Explanation: Whereas the host-to-host layer (equivalent to the OSI's transport layer) provides end-to-end data delivery service, flow control, to the application layer.

Answer 192

Answer: A Explanation: The reverse address resolution protocol (RARP) sends out a packet including a MAC address and a request to be informed of the IP address that should be assigned to that MAC.

Answer 193

Answer: A Explanation: All the previous protocols operate at the transport layer except for Secure HTTP (SHTTP), which operates at the application layer. S-HTTP has been replaced by SSL and TLS.

Answer 194

Answer: B Explanation: One the most secure implementations of firewall architectures is the screened subnet firewall. It employs two packet-filtering routers and a bastion host. Like a screened host firewall, this firewall supports both packet-filtering and proxy services.

Answer 195

Answer: A Explanation: PPTP operates at the data link layer (layer 2) of the OSI model and uses native PPP authentication and encryption services. Designed for individual client to server connections, it enables only a single point-to-point connection per session.

Answer 196

Answer: C Explanation: L2TP and PPTP were both designed for individual client to server connections; they enable only a single point-to-point connection per session. Dial-up VPNs use L2TP often. Both L2TP and PPTP operate at the data link layer (layer 2) of the OSI model. PPTP uses native PPP authentication and encryption services and L2TP is a combination of PPTP and Layer 2 Forwarding protocol (L2F).

Answer 197

Answer: B Explanation: In tunnel mode, the entire packet is encrypted and encased into an IPSec packet. In transport mode, only the datagram (payload) is encrypted, leaving the IP address visible within the IP header.

Answer 198

Answer: A Explanation: Media contention occurs when two or more network devices have data to send at the same time. Because multiple devices cannot talk on the network simultaneously, some type of method must be used to allow one device access to the network media at a time. This is done in two main ways: carrier sense multiple access collision detect (CSMA/CD) and token passing.

Answer 199

Answer: A Explanation: LAN transmission methods refer to the way packets are sent on the network and are either unicast, multicast or broadcast.

Answer 200

Answer: C Explanation: The IEEE 802.5 standard defines the token ring media access method. 802.3 refers to Ethernet's CSMA/CD, 802.11 refers to wireless communications and 802.2 refers to the logical link control.

Answer 201

Answer: B Explanation: Serial Line IP (SLIP) was developed in 1984 to support TCP/IP networking over low speed serial interfaces.

Answer 202

Answer: C Explanation: Asymmetric digital subscriber line (ADSL) is designed to provide more bandwidth downstream (1 to 8 Mbps) than upstream (16 to 800Kb).

Answer 203

Answer: D Explanation: Secure RPC provides authentication services. Secure RPC (Remote Procedure Call) protects remote procedures with an authentication mechanism. The Diffie-Hellman authentication mechanism authenticates both the host and the user who is making a request for a service. The authentication mechanism uses Data Encryption Standard (DES) encryption. Applications that use Secure RPC include NFS and the naming services, NIS and NIS+.

Answer 204

Answer: B Explanation: A static packet filtering firewall is the simplest and least expensive type of firewalls, offering minimum security provisions to a low-risk computing environment. A static packet filter firewall examines both the source and destination addresses of the incoming data packet and applies ACL’s to them. They operates at either the Network or Transport layer. They are known as the First generation of firewall.

Answer 205

Answer: A Explanation: Although TACACS+ provides better audit trails, event logging is a service that is provided with TACACS.

Answer 206

Answer: C Explanation: In link encryption, each entity has keys in common with its two neighboring nodes in the transmission chain. Thus, a node receives the encrypted message from its predecessor, decrypts it, and then re-encrypts it with a new key, common to the successor node. Obviously, this mode does not provide protection if anyone of the nodes along the transmission path is compromised.

Answer 207

Answer: B Explanation: Wireless Transport Layer Security (WTLS) is a communication protocol that allows wireless devices to send and receive encrypted information over the Internet. S-WAP is not defined. WSP (Wireless Session Protocol) and WDP (Wireless Datagram Protocol) are part of Wireless Access Protocol (WAP).

Answer 208

Answer: C Explanation: An e-mail message's confidentiality is protected when encrypted with the receiver's public key, because he is the only one able to decrypt the message. The sender is not supposed to have the receiver's private key. By encrypting a message with its private key, anybody possessing the corresponding public key would be able to read the message. By encrypting the message with its public key, not even the receiver would be able to read the message.

Answer 209

Answer: B Asynchronous Communication transfers data by sending bits of data in irregular timing patterns. In asynchronous transmission each character is transmitted separately, that is one character at a time. The character is preceded by a start bit, which tells the receiving end where the character coding begins, and is followed by a stop bit, which tells the receiver where the character coding ends. There will be intervals of ideal time on the channel shown as gaps. Thus there can be gaps between two adjacent characters in the asynchronous communication scheme. In this scheme, the bits within the character frame (including start, parity and stop bits) are sent at the baud rate.

Answer 210

Answer: A Explanation: Asynchronous Communication is the basic language of modems and dial-up remote access systems.

Answer 211

Answer: A | An Ethernet address is a 48-bit address that is hard-wired into the Network Interface Cards (NIC) of the network node.

Answer 212

Answer: B Explanation: The RARP protocol sends out a packet, which includes its MAC address and a request to be informed of the IP address that should be assigned to that MAC address. ARP does the opposite by broadcasting a request to find the Ethernet address that matches a known IP address.

Answer 213

Answer: D Explanation: Simple Mail Transfer Protocol (SMTP) is a protocol for sending e-mail messages between servers. POP is a protocol used to retrieve e-mail from a mail server.

Answer 214

Answer: B Explanation: Secure Electronic Transaction (SET). Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. SET operates at the application layer which distinguishes it from SSL. SSL operates at the Transport layer.

Answer 215

Answer: D Explanation: An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely.

Answer 216

Answer: C Explanation: IPS is a preventive and proactive mechanism whereas an IDS is detective and after the fact technology.

Answer 217

Answer: C Explanation: Password management is an example of preventive control. Proper passwords prevent unauthorized users from accessing a system. There are literally hundreds of different access approaches, control methods, and technologies, both in the physical world and in the virtual electronic world. Each method addresses a different type of access control or a specific access need.

Answer 218

Answer: C Explanation: The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.

Answer 219

Answer: B Explanation: Many important issues in computer security involve human users, designers, implementers, and managers. Operational controls are put in place to improve security of a particular system (or group of systems). They often require specialized expertise and often rely upon management activities as well as technical controls. Implementing dual control and making sure that you have more than one person that can perform a task would fall into this category as well.

Answer 220

Answer: B Explanation: The Clark-Wilson model addresses integrity. It incorporates mechanisms to enforce internal and external consistency, a separation of duty, and a mandatory integrity policy.

Answer 221

Answer: C The Bell–LaPadula model focuses on data confidentiality and controlled access to classified information, in contrast to the Biba Integrity Model which describes rules for the protection of data integrity. In this formal model, the entities in an information system are divided into subjects and objects.

Answer 222

Answer: B Explanation: Security testing makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems

Answer 223

Answer: D Explanation: During the Functional Requirements Definition the project management and systems development teams will conduct a comprehensive analysis of current and possible future functional requirements to ensure that the new system will meet end-user needs. The teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project initiation phase. At this point security requirements should be formalized.

Answer 224

Answer: C Explanation: Security testing and trusted distribution are required for Life-Cycle Assurance.

Answer 225

Answer: C Explanation: This is a requirement starting as low as C1 within the TCSEC rating.

Answer 226

Answer: C Explanation: One of the first accepted evaluation standards was the Trusted Computer Security Evaluation Criteria or TCSEC. The Orange Book was part of this standard that defines four security divisions consisting of seven different classes for security ratings.

Answer 227

Answer: C Explanation: S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and nonrepudiation of electronic messages.

Answer 228

Answer: D Explanation: IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements" and "provide top company management with an independent view of the controls that have been designed and their effectiveness."

Answer 229

Answer: A Explanation: Management controls focus on the management of the IT security system and the management of risk for a system. SECURITY CONTROLS: The management, operational, and technical controls (i.e.,safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Answer 230

Answer: A Explanation: From the official Guide, second edition: Bell LaPadula is a Security Model. "In general, most security models will focus on defining allowed interactions between subjects (active parties) and objects (passive parties) at a particular moment in time." The remaining three listed would all be classified as frameworks.

Answer 231

Answer: A Explanation: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)2 was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

Answer 232

Answer: C Explanation: Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.

Answer 233

Answer: A Explanation: Confidentiality supports the principle of “least privilege” by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis.

Answer 234

Answer: B Explanation: The correct answer is "control evaluator & consultant". During any system development or acquisition, the security staff should evaluate security controls and advise (or consult) on the strengths and weaknesses with those responsible for making the final decisions on the project.

Answer 235

Answer: D Explanation: Structured Query Language (SQL) is a standard programming language used to allow clients to interact with a database. Although SQL can be used to access the data dictionary, it is NOT a part of the data dictionary.

Answer 236

Answer: C Explanation: The security controls and mechanisms that are in place must have a degree of transparency.

Answer 237

Answer: A Explanation: The questions specifically said: "within a different function" which eliminate Job Rotation as a choice.

Answer 238

Answer: D Explanation: All of the above are considered technical controls except for locks, which are physical controls.

Answer 239

Answer: C Explanation: The effectiveness of security controls is measured by the probability of detection at the point where there is enough time for a response team to interrupt an adversary. The critical path is the adversary path with the lowest probability of interruption.

Answer 240

Answer: B Explanation: Access controls are meant to protect facilities and computers as well as people.

Answer 241

Answer: C Explanation: The *- (star) property of the Bell-LaPadula access control model states that writing of information by a subject at a higher level of sensitivity to an object at a lower level of sensitivity is not permitted (no write down).

Answer 242

Answer: D Explanation: The *- (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up).

Answer 243

Answer: B Explanation: The simple integrity axiom of the Biba access control model states that a subject at one level of integrity is not permitted to observe an object of a lower integrity (no read down).

Answer 244

Answer: C Explanation: Complex Instruction Set Computer (CISC) uses instructions that perform many operations per instruction. It was based on the fact that in earlier technologies, the instruction fetch was the longest part of the cycle. Therefore, by packing more operations into an instruction, the number of fetches could be reduced. Pipelining involves overlapping the steps of different instructions to increase the performance in a computer. Reduced Instruction Set Computers (RISC) involve simpler instructions that require fewer clock cycles to execute. Scalar processors are processors that execute one instruction at a time.

Answer 245

Answer: C Explanation: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions).

Answer 246

Answer: C Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity

Answer 247

Answer: A Explanation: Level B is the first to require Mandatory Protection. Because the higher levels also inherit the requirements of all lower levels, level A also requires Mandatory Protection.

Answer 248

Answer: B Explanation: Because the Reference Monitor is responsible for access control to the objects by the subjects it compares the security labels of a subject and an object.

Answer 249

Answer: A Explanation: In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security.

Answer 250

Answer: A Explanation: The CPU, storage devices and peripherals each have specialized roles in the security archecture. The CPU, or microprocessor, is the brains behind a computer system and performs calculations as it solves problemes and performs system tasks. Storage devices provide both long- and short-term stoarge of information that the CPU has either processed or may process. Peripherals (scanners, printers, modems, etc) are devices that either input datra or receive the data output by the CPU.

Answer 251

Answer: C Explanation: Internal consistency ensures that internal data is consistent, the subtotals match the total number of units in the data base. Internal Consistency, External Consistency, Well formed transactions are all terms related to the Clark-Wilson Model.

Answer 252

Answer: C Explanation: A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system’s security policy.

Answer 253

Answer: D Explanation: The Biba model was developed after the Bell-LaPadula model. It is a state machine model and is very similar to the Bell-LaPadula model but the rules are 100% the opposite of Bell-LaPadula.

Answer 254

Answer: A Explanation: The reference monitor refers to abstract machine that mediates all access to objects by subjects.

Answer 255

Answer: C Explanation: In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions). The Clark–Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

Answer 256

Answer: C Explanation: The goal of a noninterference model is to strictly separate differing security levels to assure that higher-level actions do not determine what lower-level users can see. This is in contrast to other security models that control information flows between differing levels of users, By maintaining strict separation of security levels, a noninterference model minimizes leakages that might happen through a covert channel.

Answer 257

Answer: C Explanation: This class ("Structured Protection") requires more stringent authentication mechanisms and well-defined interfaces between layers. Subjects and devices require labels and the system must not allow covert channels. A1 is incorrect. A1 is also called "Verified Design" and requires formal verification of the design and specifications. B3 is incorrect. B3 is also called "Security Domains" and imposes more granularity in each protection mechanism. B1 is incorrect. B1 is also called "Labeled Security" and each data object must have a classification label and each subject a clearance label. On each access attempt, the classification and clearance are checked to verify that the access is permissible.

Answer 258

Answer: C Explanation: The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity. The Clark-Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system.

Answer 259

Answer: A Explanation: A protection domain consists of the execution and memory space assigned to each process. The purpose of establishing a protection domain is to protect programs from all unauthorized modification or executional interference. The security perimeter is the boundary that separates the Trusted Computing Base (TCB) from the remainder of the system. Security labels are assigned to resources to denote a type of classification. Abstraction is a way to protect resources in the fact that it involves viewing system components at a high level and ignoring its specific details, thus performing information hiding.

Answer 260

Answer: C Explanation: The Clark Wilson integrity model addresses the three following integrity goals: 1) data is protected from modification by unauthorized users; 2) data is protected from unauthorized modification by authorized users; and 3) data is internally and externally consistent. It also defines a Constrained Data Item (CDI), an Integrity Verification Procedure (IVP), a Transformation Procedure (TP) and an Unconstrained Data item. The Bell-LaPadula and Take-Grant models are not integrity models.

Answer 261

Answer: C Explanation: A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains.

Answer 262

Answer: A Explanation: This question is asking you to consider the effects of object reuse. Object reuse is "reassigning to subject media that previously contained information. Object reuse is a security concern because if insufficient measures were taken to erase the information on the media, the information may be disclosed to unauthorized personnel."

Answer 263

Answer: A Explanation: A trusted shell means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it".

Answer 264

Answer: A Explanation: This is a detailed oriented question to test if you are paying attention to both the question and answer. While the answer sounds legitimate, it is not truly the case in these types of devices. Just remember, even if you have one service running, that does not mean you are secure if the service itself has not been secured.

Answer 265

Answer: A Explanation: From the official guide: "The publication of the Common Criteria as the ISO/IEC 15408 standard provided the first truly international product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certified under TCSEC, ITSEC and other criteria. It takes a very similar approach to ITSEC by providing a flexible set of functional and assurance requirements, and like ITSEC, it is not very proscriptive as TCSEC had been. Instead, it is focused on standardizing the general approach to product evaluation and providing mutual recognition of such evaluations all over the world."

Answer 266

Answer: B Explanation: The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers and Characteristics Standard model for network communications enables dissimilar networks to communicate, Defines 7 protocol layers (a.k.a. protocol stack) Each layer on one workstation communicates with its respective layer on another workstation using protocols (i.e. agreed-upon communication formats) "Mapping" each protocol to the model is useful for comparing protocols.

Answer 267

Answer: C Explanation: Configuration management isn't about preventing change but ensuring the integrity of IT resources by preventing unauthorized or improper changes.

Answer 268

Answer: C Explanation: L2TP is affected by packet header modification and cannot cope with firewalls and network devices that perform NAT.

Answer 269

Answer: D Explanation: According to the AIO 3rd edition, these are the necessary steps for a proper classification program: 1. Define classification levels. 2. Specify the criteria that will determine how data is classified. 3. Have the data owner indicate the classification of the data she is responsible for. 4. Identify the data custodian who will be responsible for maintaining data and its security level. 5. Indicate the security controls, or protection mechanisms, that are required for each classification level. 6. Document any exceptions to the previous classification issues. 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian. 9. Indicate termination procedures for declassifying the data. 10. Integrate these issues into the security-awareness program so that all employees understand how to handle data at different classification levels.

Answer 270

Answer: C Explanation: This is wrong which makes this the correct choice. This statement is not true as stateful matching scans for attack signatures by analyzing traffic streams rather than individual packets. Stateful matching intrusion detection takes pattern matching to the next level. As networks become faster there is an emerging need for security analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers.

Answer 271

Answer: A Explanation: A HIDS does not consume large amounts of system resources is the correct choice. HIDS can consume inordinate amounts of CPU and system resources in order to function effectively, especially during an event

Answer 272

Answer: A Explanation: If any server in the cluster crashes, processing continues transparently, however, the cluster suffers some performance degradation. This implementation is sometimes called a "server farm."

Answer 273

Answer: A Explanation: Full Backup/Archival Backup - Complete/Full backup of every selected file on the system regardless of whether it has been backup recently.. This is the slowest of the backup methods since it backups all the data. It’s however the fastest for restoring data. Incremental Backup - Any backup in which only the files that have been modified since last full back up are backed up. The archive attribute should be updated while backing up only modified files, which indicates that the file has been backed up. This is the fastest of the backup methods, but the slowest of the restore methods.

Answer 274

``` Answer: A Explanation: The other answers are not correct because of the following protocol/port numbers matrix: Post Office Protocol (POP2) 109 Network News Transfer Protocol 119 NetBIOS 139 ```

Answer 275

Answer: A Explanation: The first types of firewalls were packet filtering firewalls. It is the most basic firewall making access decisions based on ACL's. It will filter traffic based on source IP and port as well as destination IP and port. It does not understand the context of the communication and inspects every single packet one by one without understanding the context of the connection.

Answer 276

Answer: B Explanation: RAID systems are mostly concerned with availability and performance.

Answer 277

Answer: A Explanation: Redundant array of inexpensive disks (RAID) are primarily used to improve speed, availability, and redundancy, not integrity. They provide fault tolerance and protection against file server hard disk crashes.

Answer 278

Answer: D Explanation: The actual IP address (IPv4) is composed of 32 bits. An IPv6 address is composed of 128 bits.

Answer 279

Answer: B Explanation: A Network Architecture refers to the communications products and services, which ensure that the various components of a network (such as devices, protocols, and access methods) work together.

Answer 280

Answer: B Explanation: Some sites choose not to implement Trivial File Transfer Protocol (TFTP) due to the inherent security risks. TFTP is a UDP-based file transfer program that provides no security. There is no user authentication.

Answer 281

Answer: B Explanation: IPSec provides confidentiality and integrity to information transferred over IP networks through network (not transport) layer encryption and authentication. All other statements are correct.

Answer 282

Answer: D Explanation: Packet filtering firewalls use routers with packet filtering rules to grant or deny access based on source address, destination address, and port. They offer minimum security but at a very low cost, and can be an appropriate choice for a low-risk environment.

Answer 283

Answer: C Explanation: DNS relies on connectionless UDP whereas services like FTP, Telnet and SMTP rely on TCP.

Answer 284

Answer: A Explanation: An important point with packet filtering firewalls is their speed and flexibility, as well as capacity to block some denial-of-service and related attacks, makes them ideal for placement at the outermost boundary with an untrusted network.

Answer 285

Answer: B Explanation: Static network address translation offers the most flexibility, but it is not normally practical given the shortage of IP version 4 addresses. Hiding network address translation is was an interim step in the development of network address translation technology, and is seldom used because port address translation offers additional features above and beyond those present in hiding network address translation while maintaining the same basic design and engineering considerations. PAT is often the most convenient and secure solution.

Answer 286

Answer: B Explanation: TFTP (Trivial File Transfer Protocol) is sometimes used to transfer configuration files from equipment such as routers but the primary difference between FTP and TFTP is that TFTP does not require authentication. Speed and ability to automate are not important. Both of these protocols (FTP and TFTP) can be used for transferring files across the Internet. The differences between the two protocols are explained below:

Answer 287

Answer: B Explanation: Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys. The master secret is then encrypted with the merchant's public key and sent to the server. The fact that the master secret is generated by the client's browser provides the client assurance that the server is not reusing keys that would have been used in a previous session with another client.

Answer 288

Answer: D Explanation: PPTP is an encapsulation protocol based on PPP that works at OSI layer 2 (Data Link) and that enables a single point-to-point connection, usually between a client and a server. While PPTP depends on IP to establish its connection.

Answer 289

Answer: D Explanation: As it is very clearly state in NIST SP 800-41-Rev1: New firewalls should be tested and evaluated before deployment to ensure that they are working properly. Testing should be completed on a test network without connectivity to the production network. This test network should attempt to replicate the production network as faithfully as possible, including the network topology and network traffic that would travel through the firewall.

Answer 290

Answer: A Explanation: Simple Mail Transfer Protocol (SMTP) is a host-to-host email protocol. An SMTP server accepts email messages from other systems and stores them for the addressees. Stored email can be read in various ways. Users with interactive accounts on the email server machine can read the email using local email applications. Users on other systems can download their email via email clients using POP or IMAP email retrieval protocols. Sometimes mail can also be read through a web-based interface (using HTTP or HTTPS). MIME is a standard defining the format of e-mail messages, as stated in RFC2045.

Answer 291

Answer: B Explanation: The Land attack involves the perpetrator sending spoofed packet(s) with the SYN flag set to the victim's machine on any open port that is listening. The packet(s) contain the same destination and source IP address as the host, causing the victim's machine to reply to itself repeatedly. In addition, most systems experience a total freeze up, where as CTRL-ALT-DELETE fails to work, the mouse and keyboard become non operational and the only method of correction is to reboot via a reset button on the system or by turning the machine off.

Answer 292

Answer: D Explanation: Packet filtering is used in the first generation of firewalls and does not keep track of the state of a connection. Stateful packet filtering does.

Answer 293

Answer: C Explanation: Statistical multiplexing is a type of communication link sharing, very similar to dynamic bandwidth allocation (DBA). In statistical multiplexing, a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. The link sharing is adapted to the instantaneous traffic demands of the data streams that are transferred over each channel. This is an alternative to creating a fixed sharing of a link, such as in general time division multiplexing (TDM) and frequency division multiplexing (FDM). When performed correctly, statistical multiplexing can provide a link utilization improvement, called the statistical multiplexing gain.

Answer 294

Answer: C Explanation: Infrared is generally considered to be more secure to eavesdropping than multidirectional radio transmissions because infrared requires direct line-of-sight paths.

Answer 295

Answer: D Explanation: AH provides integrity, authentication, and non-repudiation. AH does not provide encryption which means that NO confidentiality is in place if only AH is being used. You must make use of the Encapsulating Security Payload if you wish to get confidentiality. IPSec uses two basic security protocols: Authentication Header (AH) and Encapsulation Security Payload.

Answer 296

Answer: A Explanation: Transport mode is established when the endpoint is a host. If the gateway in a gateway-to-host communication was to use transport mode, it would act as a host system, which is acceptable for direct protocols to that gateway. Otherwise, TUNNEL mode is required for gateway services... This is the most common mode of operation and is required for gateway-to-gateway and host-to-gateway communications.

Answer 297

Answer: A No explanation

Answer 298

Answer: C Explanation: Encrypted authentication is a firewall feature that allows users on an external network to authenticate themselves to prove that they are authorized to access resources on the internal network. Encrypted authentication is convenient because it happens at the transport layer between a client software and a firewall, allowing all normal application software to run without hindrance.

Answer 299

Answer: C Explanation: The Point-to-Point Protocol (PPP) was designed to support multiple network types over the same serial link, just as Ethernet supports multiple network types over the same LAN. PPP replaces the earlier Serial Line Internet Protocol (SLIP) that only supports IP over a serial link. PPTP is a tunneling protocol.

Answer 300

Answer: B Explanation: A routing table is used when a destination IP address is not located on the current LAN segment. It consists of a list of station and network addresses and a corresponding gateway IP address further along to which a routing equipment should send packets that match that station or network address. A list of IP addresses and corresponding MAC addresses is an ARP table. A DNS is used to match host names and corresponding IP addresses. The last choice is a distracter.

Answer 301

Answer: C Explanation: DNS is a service that must be allowed through an organization's firewall because without it, network users won't be able to find anything unless they remember IP addresses for any sites they wish to connect to.

Answer 302

Answer: B Explanation: BootP was developed as a simple mechanism for allowing simple network terminals to load their operating system from a server over the LAN. Over time, it has expanded to allow centralized configuration of many aspects of a host's identity and behavior on the network. Note that DHCP, more complex, has replaced BootP over time.

Answer 303

Answer: B Explanation: Remote Procedure Call (RPC, UDP port 111) is a protocol that allows two computers to coordinate in executing software. RPC can be used by a program on one computer to transfer execution of a subroutine to another computer, and have the results returned to the first. RPC is a fragile service, and most operating systems cannot handle arbitrary data being sent to an RPC port. It is best used in trusted LAN environments and should not usually be allowed through the organization's firewall. RPC is being replaced by Secure-RPC.

Answer 304

Answer: D Explanation: In many organizations, the HTTP proxy is used as a means to implement content filtering, for instance, by logging or blocking traffic that has been defined as, or is assumed to be nonbusiness related for some reason.

Answer 305

Answer: A Explanation: There are two complementary pproaches to detecting intrusions, knowledge-based approaches and behavior-based approaches. This entry describes the second approach. It must be noted that very few tools today implement such an approach, even if the founding Denning paper {D. Denning, An Intrusion Detection Model, IEEE transactions on software engineering} recognizes this as a requirement for IDS systems.

Answer 306

Answer: C Explanation: It is responsible for taking information from the "Application layer protocols" and putting it in a form suitable for the application to process. Transport: Responsible for providing end to end data transport services and establish the logical connection between COMPUTERS for example TCP and UDP Session: Responsible for maintaing the connection between two APPLICATIONS during the data transfer for example NFS , RPC protocol Application : Works closest to the application , it does not itself contain applications but rather the protocols that support the applications. for example HTTP work at this layer but the application it support is IE , Mozilla , opera , chrome ...

Answer 307

Answer: A Explanation: The Answer: Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as an authorized client. The port knocking sequence is used to identify the client as a legitimate user.

Answer 308

Answer: A Explanation: The Urgent Pointer is used when some information has to reach the server ASAP. When the TCP/IP stack at the other end sees a packet using the Urgent Pointer set, it is duty bound to stop all ongoing activities and immediately send this packet up the stack for immediate processing. Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB) packet and the data is called Out Of Band (OOB) data.

Answer 309

Answer: C Explanation: Computer networks use a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery-network, or provide a secure path through an untrusted network.

Answer 310

Answer: C Explanation: SSL resides in the transport layer.

Answer 311

Answer: A Explanation: Back in the time when network hubs were commonly used in networks all sent packets were received by all stations but only the intended destination MAC address was supposed to listen. (Sniffers respond to all destination MAC addresses and can save those packets for examination.) Hub did not provide for any security or privacy. CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) is a protocol for carrier transmission in 802.11 networks. Unlike CSMA/CD (Carrier Sense Multiple Access/Collision Detect) which deals with transmissions after a collision has occurred, CSMA/CA acts to prevent collisions before they happen

Answer 312

Answer: C Explanation: ARP table poisoning, also referred to as ARP cache poisoning, is the process of altering a system's ARP table so that it contains incorrect IP to MAC address mappings. This allows requests to be sent to a different device instead of the one it is actually intended for. It is an excellent way to fool systems into thinking that a certain device has a certain address so that information can be sent to and captured on an attacker's computer.

Answer 313

Answer: A Explanation: Discussion: TFTP is a curious protocol that doesn't use authentication and is often used to transfer configuration files between an administrator's computer and switch or router

Answer 314

Answer: A Explanation: The Smurf Attack is a denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address.

Answer 315

Answer: C Explanation: Pharming is a cyber attack intended to redirect a website's traffic to another, bogus site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses. Compromised DNS servers are sometimes referred to as "poisoned". Pharming requires unprotected access to target a computer, such as altering a customer's home computer, rather than a corporate business server.

Answer 316

Answer: B Explanation: Test equipment must be secured. There are equipment and other tools that if in the wrong hands could be used to "sniff" network traffic and also be used to commit fraud. The storage and use of this equipment should be detailed in the security policy for this reason.

Answer 317

``` Answer: A THE CONTENTS OF ISO 27001 The content sections of the standard are: Management Responsibility Internal Audits ISMS Improvement ```

Answer 318

Answer: C Explanation: The security officer would be the best person to oversea the development of such policies.

Answer 319

Answer: D By notifying the appropriate company staff about the termination, they would in turn initiate account termination, ask the employee to return company property, and all credentials would be withdrawn for the individual concerned. This answer is more complete than simply disabling account.

Answer 320

Answer: A Explanation: It is considered to be a technical control. Logical is synonymous with Technical Control. That was the easy answer. There are three broad categories of access control: Administrative, Technical, and Physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.

Answer 321

Answer: C Explanation: It is considered to be a 'Physical Control'

Answer 322

Answer: A Explanation: Information classification should be based on the value of the information to the organization and its sensitivity (reflection of how much damage would accrue due to disclosure).

Answer 323

Answer: D Explanation: IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements" and "provide top company management with an independent view of the controls that have been designed and their effectiveness."

Answer 324

Answer: D Explanation: The Operations Security domain is concerned with triples - threats, vulnerabilities and assets.

Answer 325

Answer: B Explanation: Computer security should be first and foremost cost-effective.

Answer 326

Answer: C Explanation: Risk management consists of two primary and one underlying activity; risk assessment and risk mitigation are the primary activities and uncertainty analysis is the underlying one. After having performed risk assessment and mitigation, an uncertainty analysis should be performed. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. A documented uncertainty analysis allows the risk management results to be used knowledgeably. A vulnerability analysis, likelihood assessment and threat identification are all parts of the collection and analysis of data part of the risk assessment, one of the primary activities of risk management.

Answer 327

Answer: C Explanation: Management is responsible for protecting all assets that are directly or indirectly under their control.

Answer 328

Answer: C Explanation: In order to offer more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended as it promotes a low technology view of the function and leads people to believe that it is someone else's problem.

Answer 329

Answer: C Explanation: The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. IT security practitioners are responsible for proper implementation of security requirements in their IT systems.

Answer 330

Answer: A Explanation: The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-analysis of any recommended controls difficult. Since it involves a consensus of export and some guesswork based on the experience of Subject Matter Experts (SME's), it can not be easily automated.

Answer 331

Answer: A Explanation: Management controls focus on the management of the IT security system and the management of risk for a system.

Answer 332

Answer: B Explanation: A security policy would NOT define how hardware and software should be used throughout the organization. A standard or a procedure would provide such details but not a policy.

Answer 333

Answer: D Explanation: The Internet Security Glossary (RFC2828) defines add-on security as "The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational."

Answer 334

Answer: C Explanation: The keyword within the question is: preliminary This means that you are starting your effort, you cannot audit if your infrastructure is not even in place

Answer 335

Answer: C Explanation: The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as Assurance

Answer 336

Answer: B Explanation: The practice of Job Rotation can reduce the risk of collusion of activities between individuals. Job Rotation can be used to detect illegal activities or fraud within the system by having a new person filling up specific roles at regular interval. It is often times combined with Separation of duties as well.

Answer 337

Answer: A "The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives. These include (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes—Oxley Section 404 compliance."

Answer 338

Answer: C Explanation: Common Criteria 15408 generally outlines assurance and functional requirements through a security evaluation process concept of Protection Profile (PP), Target of Evaluation (TOE), and Security Target (ST) for Evaluated Assurance Levels (EALs) to certify a product or system.

Answer 339

Answer: A Explanation: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)2 was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators.

Answer 340

Answer: B Explanation: All of the answers except Development of test procedures would all be part of the contingency planning phase.

Answer 341

Answer: A Explanation: There are four common ways for addressing risk: Avoidance, Acceptance, Transference and Mitigation.

Answer 342

Answer: C Explanation: System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified that they work properly. Users can't tamper with processes they do not own. Is incorrect because this would fall under Configuration Management.

Answer 343

Answer: A Explanation: If you are "retrofitting" that means you are adding to an existing database management system (DBMS). You could go back and redesign the entire DBMS but the cost of that could be expensive and there is no telling what the effect will be on existing applications, but that is redesigning and the question states retrofitting. The most cost effective way with the least effect on existing applications while adding a layer of security on top is through a trusted front-end.

Answer 344

Answer: D Explanation: The Answer: "acceptance phase". Note the question asks about an "evaluation report" - which details how the system evaluated, and an "accreditation statement" which describes the level the system is allowed to operate at. Because those two activities are a part of testing and testing is a part of the acceptance phase, the only answer above that can be correct is "acceptance phase".

Answer 345

Answer: B Explanation: The correct answer to this "security". It is a major factor in deciding if a centralized or decentralized environment is more appropriate.

Answer 346

Answer: D Explanation: The other answers are not correct because: You are always looking for the "best" answer. While each of the answers listed here could be considered correct in that each of them require input from the security staff, the best answer is for that input to happen at all phases of the project.

Answer 347

Answer: A Explanation: A Pseudo flaw is something that looks like it is vulnerable to attack, but really acts as an alarm or triggers automatic actions when an intruder attempts to exploit the flaw.

Answer 348

Answer: B Explanation: SQL is a relational database Query language. SQL stands for structured query language. Schemas describe how the tables and views are structured - careful design is required so that the SQL database runs in an efficient manner. Tables are made up of rows and columns and contain the actual data. Views represent how you want to look at the data. They are not concerned with where the data is, but rather what data you want to view and how you want to see it. You can even join more than one table together. However, the less efficient the views, the longer it takes to retrieve your report. Sub-schemas may be used to establish user privileges to see data.

Answer 349

Answer: B Validation determines if the product provides the necessary solution intended real-world problem. It validates whether or not the final product is what the user expected in the first place and whether or not it solve the problem it intended to solve. In large projects, it is easy to lose sight of overall goal. This exercise ensures that the main goal of the project is met.

Answer 350

Answer: B Explanation: Verification vs. Validation: Verification determines if the product accurately represents and meets the specifications. A product can be developed that does not match the original specifications. This step ensures that the specifications are properly met. Validation determines if the product provides the necessary solution intended real-world problem. In large projects, it is easy to lose sight of overall goal. This exercise ensures that the main goal of the project is met.

Answer 351

Answer: D Explanation: The object-relational and object-oriented models are better suited to managing complex data such as required for computer-aided design and imaging.

Answer 352

Answer: D Explanation: The Three Parts of the Relational Model The relational model can be considered as having three parts and these are covered in sequence below: 1. Structural: defines the core of the data and the relationships involved. The model structure is described in terms of relations , tuples , attributes and domains . 2. Manipulative: defines how the data in the model will be accessed and manipulated. This concerns how relations in the model will be manipulated to produce other relations, which in turn provide the answer to some question posed by a user of the data. The manipulation is achieved though relational algebra or relational calculus . 3. Constraints: defines limits on the model. The constraints determine valid ranges and values of data to be included in the model.

Answer 353

Answer: B Explanation: The relational models is based on set theory and predicate logic and provide a high level of abstraction. The use of set theory allows data to be structured in a series of table that have columns representing the variables and rows that contain specific instances of data.

Answer 354

Answer: D Five operations are primitives (Select, Project, Union, Difference and Product) and the other operations can be defined in terms of those five. A View is defined from the operations of Join, Project, and Select. Tuple = Row, Entry Attribute = Column Relation or Based relation = Table

Answer 355

Answer: A Explanation: Bind variables are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server.

Answer 356

Answer: A Explanation: The SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables).

Answer 357

Answer: A Explanation: OODB has the characteristics of ease of reusing code and analysis, reduced maintenance, and an easier transition from analysis of the problem to design and implementation.

Answer 358

Answer: B Explanation: Interpreters translate one command at a time during execution, as opposed to compilers and assemblers where source code for the whole application is transformed to executable code before being executed. A translator is a generic term for the others.

Answer 359

Answer: C Explanation: DCE does provide the same functionality as DCOM, but DCE is an open standard developed by the Open Software Foundation (OSF) and DCOM was developed by Microsoft, DCOM is more proprietary in nature

Answer 360

Answer: B Explanation: A database is denormalized when there is a need to improve processing efficiency.

Answer 361

Answer: A Explanation: In most projects the conditions for failure are established at the beginning of the project. Thus risk management should be established at the commencement of the project with a risk assessment during project initiation

Answer 362

Answer: A Before an attacker can perform an attack against an organization, they must first gather information about that organization and its network and computers. Easily available sources, such as search engines, can already be used to gather information about an organization and its resources. However, attackers can use more sophisticated methods for gathering information. SSIs allow developers to include the same content in multiple web documents. This involves an include statement in the code and within a file on the server computer. However, these SSI files can sometimes contain sensitive information that could be viewed by an attacker. If SSI files must be used, you must avoid sensitive code in the files.

Answer 363

Answer: C The Cleanroom model is a process used for the development of high-quality software. This model puts an emphasis on the earlier phases of the model, such as design, over the later phases, such as testing. The assumption being that spending more time on design and development should reduce the time necessary for testing. The Cleanroom model focuses on preventing defects in the software over the removal of defections.

Answer 364

Answer: A In cryptography, zero knowledge proof can be represented by encrypting something with your private key. To decrypt something that was encrypted using a private key, you will need to use the corresponding public key. In this case, you know that the item was encrypted using the private key, but you never actually view or are given the public key. Only the owner of the private key can prove they have the key.

Answer 365

Answer: B The change control process is used to control changes that occur during the life cycle of a software product. This process needs to be in place at the beginning of a project so changes can be dealt with properly. A typical change control process involves several steps, with the first step being a formal request is made for a change. After the formal request is made, the next step is to analyze the request. Analyzing the request involves developing an implementation strategy, calculating costs, and reviewing any implications the change may have on security.

Answer 366

Answer: C Structural testing is also known as code based testing or white box testing. Structural tests are designed based on knowledge of the source code, design specifications, and any other pertinent information contained in the design documentation. It is classed as white box testing because the tester has extensive knowledge of the software that is being tested.

Answer 367

Answer: C A circuit level proxy creates a communication path between a trusted host and an untrusted host. One benefit of using a circuit level proxy is that it is not application aware, which means it can be used to forward any type of traffic to any TCP or UDP ports. One of the main disadvantages of circuit level proxies is that they are not able to detect malicious content within the communication path.

Answer 368

Answer: A All cryptographic algorithms and protocols eventually age and become compromised. IS professionals must test the cryptographic systems of their organization and replace the systems that are outdated. The governance of cryptographic algorithms and systems should address the following at a minimum: Transition plans for replacing outdated algorithms and keys Procedures for the use of cryptographic systems Approved cryptographic algorithms and key sizes Key generation, escrow, and destruction guidelines Incident reporting guidelines

Answer 369

Answer: D Developers should disable debugging mode on publicly accessible servers and applications. While detailed error messages are vital for debugging code, they can often contain sensitive internal information, such as system details and session identifiers. If left exposed, attackers could use these to launch an attack.

Answer 370

Answer: C Application level firewalls are designed to filter traffic based on the application layer protocol that is being used, such as HTTP or FTP. Many application level firewalls run proxy software. A web proxy server provides the ability to mask the origin of the data by making a copy of it and then sending it to the destination. As a result, the data looks like it came from the proxy server instead of the original sender.

Answer 371

Answer: B Keys should be escrowed in case of emergencies refers to the handling of the private key's data by a trusted third party. These parties store a copy of the private key that can be retrieved in the event your private key is lost.

Answer 372

Answer: B XKMS 2.0 has two key components: XML Key Registration Service Specification (X-KRSS) and XML Key Information Service Specification (X-KISS). The X-KRSS specification defines the protocols needed to register public key information. X-KRSS can generate the key material, making key recovery simpler than when created manually. Applications can be coded to bind information, such as a me or identifier, to a public key. Once registered, the key can be used with X-KISS or a Public Key Infrastructure (PKI).

Answer 373

Answer: A Teardrop attacks occur when an attacker sends packets that are too small and result in a system locking up or rebooting. This type of attack takes advantage of the fact that systems do not check to see if a received packet is too small. The attacker creates these small packets in such a way that when the receiving system attempts to recombine the fragments, they cannot be reassembled properly. There are three common methods used to protect a system from this type of attack. Firstly, keep the operating system patched and up-to-date. Secondly, use a router to disallow any malformed packets from entering into the network environment. Filly, use a router to attempt to combine all fragments into the associated packet before sending them on to the destination system.

Answer 374

Answer: B A stateful firewall uses context-dependent access control. Context-dependent access control involves using a collection of information for making access decisions. A stateful firewall using context-dependent access control will review a TCP connection and ensure that all of the correct steps are followed before allowing any packets to be transmitted through the firewall.

Answer 375

Answer: C Fail-secure is the advised failure state for most environments. It locks an application in a high level of security to prevent unauthorized access to information and. Once in a fail-secure state, the system may automatically reboot or require an administrator to manually restore it.

Answer 376

Answer: A PKI is a set of policies, processes, server platforms, software, and workstations to administer certificates and public-private key pairs. PKI has the ability to issue, maintain, and revoke public key certificates. PKI provides security services for confidentiality, integrity, authentication, nonrepudiation, and access control, based on using private and public key cryptography. The key pairs are obtained through a trusted authority, a certificate authority (CA), and this enables PKI to provide digital certificates. When making a request for a digital certificate, there is a series of steps that are performed. After making the request for the certificate, the next step is for identity information to be processed. This is typically performed by a registration authority (RA) but can be performed by a CA if an RA is not being used. Once the certificate request is received by the RA, it requests identification information from the user that sent the request and verifies this information.

Answer 377

Answer: C Content distribution networks (CDNs) provide the ability to host content in the cloud and then distribute the content through a geographically dispersed network. The content can then be accessed by multiple device form factors and operating system platforms. This poses risks that have not yet been fully analyzed by most industries.

Answer 378

Answer: D Java is an object-oriented language that is used to write small programs, called applets. Applets are executed autonomously from the server that sent them. Poorly written and malicious applets pose a threat. They may restrict access to your computer's system resources, erase confidential information, send data to an unknown location on the network, or write malicious code into the processor. Java applets, which are downloaded and executed from remote computers, are untrusted programs. They have limited access to a computer's memory, processor, and resources. Java provides a security mechanism called sandbox, which is a security boundary within which an untrusted Java applet is executed. The sandbox restricts the amount of memory and processor resources required to execute the program. If the program exceeds these limits, the browser termites the program. Applets you write are secured and trusted, and so reside outside the sandbox.

Answer 379

Answer: A Integration testing is performed to determine whether the combined components of an application and the hardware it is running on are working correctly, not interface testing. For example, application integration testing would be performed to ensure the software is able to properly integrate with the system's hardware to perform the tasks for which it was designed.

Answer 380

Answer: B When the system is in operation, it needs to be constantly monitored. In the operations/maintenance phase of the SDLC, the performance of the new system is followed to make sure that it stays constant. If any inconsistencies become evident, the system can be adapted to resolve them. By following the system operation, the development team can also identify areas where improvements could be made.

Answer 381

Answer: B A ciphertext-only attack happens when an attacker has only encrypted data or ciphertext to work with. This type of attack is easy to initiate, as all that is needed is a single piece of ciphertext. However, it is also very difficult to produce results because so little information is known about the encryption process. The more data or pieces of ciphertext attackers have, the more likely they are to find a trend or statistical data that will help them crack the cipher.

Answer 382

Answer: D Latent defects in a software product are defects that are not found during initial testing; they are typically found after the software has been released into the marketplace. Software branching refers to the capability of the software to execute different commands based on differing inputs. Due to the sheer number of potential inputs to many software programs, it is very difficult to test all possible combinations. This can cause latent defects in a software program that pose security risks to remain hidden. This risk needs to be identified when designing a software assessment strategy, and measures taken to prevent the defects from remaining hidden.

Answer 383

Answer: B Open Web Application Security Project (OWASP) is an organization dedicated to improving web application security. It provides resources and tools for web developers to detect and protect against web-based system vulnerabilities. The OWASP web site is organized into three distinct categories: Protect, Detect, and Life Cycle. Information and tools found under Protect can be used to protect against design and implementation flaws related to security. Information and tools found under Detect can be used to locate design and implementation flaws related to security. Information and tools found under Life Cycle can be used to add activities to the Software Development Life Cycle (SDLC) that address security. OWASP might be best known for maintained list of the top ten web application security risks.

Answer 384

Answer: C OCSP is a method used to ease the maintenance of CRLs. If this protocol is used, it performs the certificate validation and updates of the CRL automatically in the background. OCSP can make the maintenance of CRLs must easier, but it is not a required component of PKI.

Answer 385

Answer: A Java contains multiple security mechanisms, including a sandbox. The sandbox is a specified virtual area that limits access to the operating system, memory, and network, and in which you can run Java applets without risk to the system. Developers can adjust settings for the sandbox to suit specific security needs. Java also features a garbage collection feature that can leave classified data in deallocated memory locations, unless the programmer specifies otherwise.

Answer 386

Answer: D Buffer overflows are caused when the size limit of the user input, on a web form field, for example, is not validated in the code. Input that is too long creates a surplus of data that can corrupt the data in the system's memory. This allows an attacker to overwrite system commands or could cause the system to crash.

Answer 387

Answer: A ITSEC is a standard used by European countries to evaluate the security attributes of computer systems. It evaluates two main attributes of a system's protection mechanisms: functionality and assurance. Functionality is evaluated by testing the protection mechanisms available to the subjects in a system. Assurance refers to the ability of protection mechanisms to perform consistently. Assurance is evaluated by reviewing the development practices, documentation, configuration management, and testing mechanisms of a system. The ITSEC functionality ratings go from F1 to F10. The ITSEC assurance ratings go from E0 to E6. The F9 functionality rating is for systems required to meet a high level of data confidentiality.

Answer 388

Answer: D TCSEC provides a graded classification of systems that is divided into assurance levels. There are four divisions of assurance levels: A: verified protection B: mandatory protection C: discretionary protection D: minimal security Some of these divisions can also be further divided into one or more numbered classes. Division B evaluates the MACs and the reference monitor mechanisms used in a system. For the organization's systems to meet the B1 assurance level, security labels must be used by the subjects and objects of the systems. These security levels must be enforced by a MAC mechanism.

Answer 389

Answer: D CMMI is a set of repeatable guidelines meant for developing software or products through their life cycle. It is integrated throughout the software development life cycle, starting with concept definition and requirements analysis, and ending with operations and maintenance. The CMMI consists of five maturity levels: Initial, Repeatable, Defined, Managed, and Optimizing.

Answer 390

Answer: A Blue bug attack is a Bluetooth vulnerability that allows an attacker to issue AT commands on a victim's mobile device. These AT commands can be used to initiate calls or send SMS messages from the victim's device.

Answer 391

Answer: D Anti-passback is a security strategy that involves using a card reader on both sides of a door used for access to a highly secure area. By requiring that a user present their credentials to both enter and leave the secured area, it makes it easier to keep track of who is in the area at any time and for what duration. In some configurations, if a user fails to properly provide their credentials to exit the secured area, the entrance can be locked and access denied.

Answer 392

Answer: B Virtualization allows you to use the hardware for a single physical server and host multiple virtual guests. These virtual guests share the resources of this computer, which are managed through a hypervisor. Each virtual guest can provide an isolated environment to test untrusted applications. This provides a secure environment to test applications downloaded from the Internet or from an unknown source.

Answer 393

Answer: A For an information system to be secure, various protection mechanisms must be used. These protection mechanisms must protect memory, machine code instructions, and registers from unauthorized external access. To provide memory protection, every address reference can be checked for valid protection.

Answer 394

Answer: C In this case as there is likely an intermediary device configured to control access between the two networks, it is likely that a man in the middle attack is being conducted. The firewall that passes information between the two networks has likely been rooted, or a third-party machine has been configured to spoof the firewall. You may want to consider running intrusion detection on each network to try to find the culprit.

Answer 395

Answer: C Embedded devices consist of a small form factor, with limited processing power. Typically, embedded systems use a minimal operating system with the basic functionality to meet low requirements. While there are advantages to embedded devices, there are definitely security vulnerabilities that exist. Embedded devices are limited to a few basic security services. This is because embedded devices have limited hardware and resources to help protect privileged access to memory.

Answer 396

Answer: B Fibre Channel over Ethernet (FCoE) does not work with routable protocols such as TCP or IP. Since FCoE cannot be routed, it can only be used within the data center.

Answer 397

Answer: D The Bell-LaPadula security model was developed to address the ongoing concerns of confidentiality with classified government information. The development of this model was funded by the U.S. government. The main goal was to produce a framework for the storage and processing of sensitive information that would be used by computers to ensure that confidentiality was maintained. It also ensures that users are properly authenticated before they can gain access to the information. The three rules that are used to enforce this are the simple security rule, the *-property rule, and the strong star property rule.

CISSP Flashcards

(423 cards)