Operations Security Flashcards

Question 1

Q

QUESTION NO: 475 The PRIMARY purpose of operations security is A. Protect the system hardware from environment damage. B. Monitor the actions of vendor service personnel. C. Safeguard information assets that are resident in the system. D. Establish thresholds for violation detection and logging.

Answer

A

Answer: C Explanation: I think A or C could be the answers. I am leaning towards the C answer but use your best judgment. “Operations Security can be described as the controls over the hardware in a computing facility, the data media used in a facility, and the operators using these resources in a facility…A Cissp candidate will be expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms that are available, the potential for access abuse, the appropriate controls, and the principles of good practice.”

Question 2

Q

QUESTION NO: 476 Which of the following is not a component of a Operations Security “triples”? A. Asset B. Threat C. Vulnerability D. Risk

Answer

A

Answer: D

Question 3

Q

QUESTION NO: 477 A periodic review of user account management should not determine: A. Conformity with the concept of least privilege B. Whether active accounts are still being used C. Strength of user-chosen passwords D. Whether management authorizations are up-to-date

Answer

A

Answer: C

Question 4

Q

QUESTION NO: 478 Which of the following functions is less likely to be performed by a typical security administrator? A. Setting user clearances and initial passwords B. Adding and removing system users C. Setting or changing file sensitivity labels D. Reviewing audit data

Answer

A

Answer: B

Question 5

Q

QUESTION NO: 479 Who is responsible for setting user clearances to computer-based information? A. Security administrators B. Operators C. Data owners D. Data custodians

Answer

A

Answer: A

Question 6

Q

QUESTION NO: 480 Who is the individual permitted to add users or install trusted programs? A. Database Administrator B. Computer Manager C. Security Administrator D. Operations Manager

Answer

A

Answer: D Explanation: Typical system administrator or enhanced operator functions can include the following Installing system software Starting up (booting) and shutting down a system Adding and removing system users Performing back-ups and recovery Handling printers and managing print queues

Question 7

Q

QUESTION NO: 481 In Unix, which file is required for you to set up an environment such that every user on the other host is a trusted user that can log into this host without authentication? A. /etc/shadow B. /etc/host.equiv C. /etc/passwd D. None of the choices.

Answer

A

Answer: B Explanation: The /etc/hosts.equiv file is saying that every user on the other host is a trusted user and allowed to log into this host without authentication (i.e. NO PASSWORD). The only thing that must exist for a user to log in to this system is an /etc/passwd entry by the same login name the user is currently using. In other words, if there is a user trying to log into this system whose login name is “bhope”, then there must be a “bhope” listed in the /etc/passwd file.

Question 8

Q

QUESTION NO: 482 For what reason would a network administrator leverage promiscuous mode? A. To screen out all network errors that affect network statistical information. B. To monitor the network to gain a complete statistical picture of activity. C. To monitor only unauthorized activity and use. D. To capture only unauthorized internal/external use.

Answer

A

Answer: B

Question 9

Q

QUESTION NO: 483 Which of the following questions is less likely to help in assessing controls over hardware and software maintenance? A. Is access to all program libraries restricted and controlled? B. Are integrity verification programs used by applications to look for evidences of data tampering, errors, and omissions? C. Is there version control? D. Are system components tested, documented, and approved prior to promotion to production?

Answer

A

Answer: B

Question 10

Q

QUESTION NO: 484 Which of the following correctly describe “good” security practice? A. Accounts should be monitored regularly. B. You should have a procedure in place to verify password strength. C. You should ensure that there are no accounts without passwords. D. All of the choices.

Answer

A

Answer: D Explanation: In many organizations accounts are created and then nobody ever touches those accounts again. This is a very poor security practice. Accounts should be monitored regularly, you should look at unused accounts and you should have a procedure in place to ensure that departing employees have their rights revoke prior to leaving the company. You should also have a procedure in place to verify password strength or to ensure that there are no accounts without passwords.

Question 11

Q

QUESTION NO: 485 Access to the _________ account on a Unix server must be limited to only the system administrators that must absolutely have this level of access. A. Superuser of inetd. B. Manager or root. C. Fsf or root D. Superuser or root.

Answer

A

Answer: D Explanation: Access to the superuser or root account on a server must be limited to only the system administrators that must absolutely have this level of access. Use of programs such as SUDO is recommended to give limited and controlled root access to administrators that have a need for such access.

Question 12

Q

QUESTION NO: 486 Which of the following files should the security administrator be restricted to READ only access? A. Security parameters B. User passwords C. User profiles D. System log

Answer

A

Answer: D

Question 13

Q

QUESTION NO: 487 Root login should only be allowed via: A. Rsh B. System console C. Remote program D. VNC

Answer

A

Answer: B Explanation: The root account must be the only account with a user ID of 0 (zero) that has open access to the UNIX shell. It must not be possible for root to sign on directly except at the system console. All other access to the root account must be via the ‘su’ command.

Question 14

Q

QUESTION NO: 488 What does “System Integrity” mean? A. The software of the system has been implemented as designed. B. Users can’t tamper with processes they do not own C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly D. Design specifications have been verified against the formal top-level specification

Answer

A

Answer: C

Question 15

Q

QUESTION NO: 489 Operations Security seeks to primarily protect against which of the following? A. object reuse B. facility disaster C. compromising emanations D. asset threats

Answer

A

Answer: D

Question 16

Q

QUESTION NO: 490 In order to avoid mishandling of media or information, you should consider using: A. Labeling B. Token C. Ticket D. SLL

Answer

A

Answer: A Explanation: In order to avoid mishandling of media or information, proper labeling must be used. All tape, floppy disks, and other computer storage media containing sensitive information must be externally marked with the appropriate sensitivity classification. All tape, floppy disks, and other computer storage media containing unrestricted information must be externally marked as such. All printed copies, printouts, etc., from a computer system must be clearly labeled with the proper classification.

Question 17

Q

QUESTION NO: 491 In order to avoid mishandling of media or information, which of the following should be labeled? A. All of the choices. B. Printed copies C. Tape D. Floppy disks

Answer

A

Answer: A Explanation: In order to avoid mishandling of media or information, proper labeling must be used. All tape, floppy disks, and other computer storage media containing sensitive information must be externally marked with the appropriate sensitivity classification. All tape, floppy disks, and other computer storage media containing unrestricted information must be externally marked as such. All printed copies, printouts, etc., from a computer system must be clearly labeled with the proper classification. As a rule of thumb, you should have an indication of the classification of the document. The classification is based on the sensitivity of information. It is usually marked at the minimum on the front and back cover, title, and first pages.

Question 18

Q

QUESTION NO: 492 Compact Disc (CD) optical media types is used more often for: A. very small data sets B. very small files data sets C. larger data sets D. very aggregated data sets

Answer

A

Answer: A

Question 19

Q

QUESTION NO: 493 At which temperature does damage start occurring to magnetic media? A. 100 degrees B. 125 degrees C. 150 degrees D. 175 degrees

Answer

A

Answer: A

Question 20

Q

QUESTION NO: 494 Which of the following statements pertaining to air conditioning for an information processing facility is correct? A. The AC units must be controllable from outside the area B. The AC units must keep negative pressure in the room so that smoke and other gases are forced out of the room C. The AC units must be on the same power source as the equipment in the room to allow for easier shutdown D. The AC units must be dedicated to the information processing facilities

Answer

A

Answer: D

Question 21

Q

QUESTION NO: 495 Removing unnecessary processes, segregating inter-process communications, and reducing executing privileges to increase system security is commonly called A. Hardening B. Segmenting C. Aggregating D. Kerneling

Answer

A

Answer: A Explanation: What is hardening? Naturally, there is more than one definition, but in general, one tightens control using policies which affect authorization, authentication and permissions. Nothing happens by default. You only give out permission after thinking about it, something like “deny all” to everyone, then “allow” with justification. Shut off everything, then only turn on that which must be turned on. It is not unlike locking every single door, window and access point in your house, then unlocking only those that need to be. It is quite common for users to take all the defaults when their new system gets turned on making for instant vulnerability. A major problem is trying to figure out where all those details are that need to be turned off, without making the system unusable.

Question 22

Q

QUESTION NO: 496 RAID levels 3 and 5 run: A. faster on hardware B. slower on hardware C. faster on software D. at the same speed on software and hardware

Answer

A

Answer: A

Question 23

Q

QUESTION NO: 497 Which of the following RAID levels functions as a single virtual disk? A. RAID Level 7 B. RAID Level 5 C. RAID Level 10 D. RAID Level 2

Answer

A

Answer: D Explanation: RAID level 2 would be our guess, but all of them can function as a single virtual disk, that is what logical drives present.

Question 24

Q

QUESTION NO: 498 Which of the following takes the concept of RAID 1 (mirroring) and applies it to a pair of servers? A. A redundant server implementation B. A redundant client implementation C. A redundant guest implementation D. A redundant host implementation

Answer

A

Answer: A

Question 25

Q

QUESTION NO: 499 Which of the following enables the drive array to continue to operate if any disk or any path to any disk fails? A. RAID Level 7 B. RAID Level 1 C. RAID Level 2 D. RAID Level 5

Answer

A

Answer: A Explanation: “RAID Level 7 is a variation of RAID 5 wherein the array functions as a single virtual disk in the hardware. This is sometimes simulated by software running over a RAID level 5 hardware implementation, which enables the drive array to continue to operate if any disk or any path to any disk fails. It also provides parity protection.” Pg 91 Krutz: CISSP Prep Guide: Gold Edition.

Question 26

Q

QUESTION NO: 500 Depending upon the volume of data that needs to be copied, full backups to tape can take: A. an incredible amount of time B. a credible amount of time C. an ideal amount of time D. an exclusive amount of time

Answer

A

Answer: A

Question 27

Q

QUESTION NO: 501 Which one of the following entails immediately transmitting copies of on-line transactions to a remote computer facility for backup? A. Archival storage management (ASM) B. Electronic vaulting C. Hierarchical storage management (HSM) D. Data compression

Answer

A

Answer: B Explanation: “Electronic vaulting makes an immediate copy of a changed file or transaction and sends it to a remote location where the original backup is stored….Another technology used for automated backups is hierarrchial storage management (HSM). In this situation, the HSM system dynamically manages the storage and covery of files, which are copied to storage media devices that vary in speed and cost. The faster media hold the data that is accessed more often and the seldom-useed files are stored on the slower devices, or near-line devices. The different storage media rang from optical disk, magnetic disks, and tapes.

Question 28

Q

QUESTION NO: 502 When continuous availability (24 hours-a-day processing) is required, which one of the following provides a good alternative to tape backups? A. Disk mirroring B. Backup to jukebox C. Optical disk backup D. Daily archiving

Answer

A

Answer: B Explanation: Hierarchical Storage Management (HSM). HSM provides continuous on-line backup by using optical or tape ‘jukeboxes,’ similar to WORMs. It appears as an infinite disk to the system, and can be configured to provide the closest version of an available real-time backup. This is commonly employed in very large data retrieval systems.”

Question 29

Q

QUESTION NO: 503 Zip/Jaz drives are frequently used for the individual backups of small data sets of: A. specific application data B. sacrificial application data C. static application data D. dynamic application data

Answer

A

Answer: A

Question 30

Q

QUESTION NO: 504 With non-continuous backup systems, data that was entered after the last backup prior to a system crash will have to be: A. recreated B. created C. updated D. deleted

Answer

A

Answer: A

Question 31

Q

QUESTION NO: 505 The alternate processing strategy in a business continuity plan can provide for required backup computing capacity through a hot site, a cold site, or A. A dial-up services program. B. An off-site storage replacement. C. An online backup program. D. A crate and ship replacement.

Answer

A

Answer: C Explanation: What I believe is being wanted here is not the other data center backup alternatives but transaction redundancy implementation. The CISSP candidate should understand the three concepts used to create a level of fault tolerance and redundancy in transaction processing. While these processes are not used solely for disaster recovery, they are often elements of a larger disaster recovery plan. If one or more of these processes are employed, the ability of a company to get back online is greatly enhanced.

Question 32

Q

QUESTION NO: 506 The 8mm tape format is commonly used in Helical Scan tape drives, but was superseded by: A. Digital Linear Tape (DLT) B. Analog Linear Tape (ALT) C. Digital Signal Tape (DST) D. Digital Coded Tape (DCT)

Answer

A

Answer: A Explanation: “8mm Tape. This format was commonly used in Helical Scan tape drives, but was superseded by Digital Linear Tape (DLT).”

Question 33

Q

QUESTION NO: 507 The spare drives that replace the failed drives are usually hot swappable, meaning they can be replaced on the server in which of the following scenarios? A. system is up and running B. system is quiesced but operational C. system is idle but operational D. system is up and in single-user-mode

Answer

A

Answer: A

Question 34

Q

QUESTION NO: 508 Primarily run when time and tape space permits, and is used for the system archive or baselined tape sets is the: A. full backup method B. Incremental backup method C. differential backup method D. tape backup method

Answer

A

Answer: A

Question 35

Q

QUESTION NO: 509 This backup method makes a complete backup of every file on the server every time it is run by: A. full backup method B. incremental backup method C. differential backup method D. tape backup method

Answer

A

Answer: A

Question 36

Q

QUESTION NO: 510 A backup of all files that are new or modified since the last full backup is A. In incremental backup B. A father/son backup C. A differential backup D. A full backup

Answer

A

Answer: C Explanation: “Incremental backup -A procedure that backs up only those files that have been modified since the previous backup of any sort. It does remove the archive attribute. Differential backup - A procedure that backs up all files that have been modified since the last full backup. It does not remove the archive attribute.”

Question 37

Q

QUESTION NO: 511 What two factors should a backup program track to ensure the serviceability of backup tape media? A. The initial usage data of the media and the number of uses. B. The physical characteristics and rotation cycle of the media. C. The manufactured and model number of the tape media. D. The frequency of usage and magnetic composition.

Answer

A

Answer: B Explanation: The answer should be B. The physical charecteristics (what type of tape drive) and rotation cyle. (Frequency of backup cycles and retention timE.)

Question 38

Q

QUESTION NO: 512 Which of the following virus types changes some of its characteristics as it spreads? A. boot sector B. parasitic C. stealth D. polymorphic

Answer

A

Answer: D

Question 39

Q

QUESTION NO: 513 Which one of the following is a good defense against worms? A. Differentiating systems along the lines exploited by the attack. B. Placing limits on sharing, writing, and executing programs. C. Keeping data objects small, simple, and obvious as to their intent. D. Limiting connectivity by means of well-managed access controls.

Answer

A

Answer: B Explanation: Take as general information regarding worms “Although the worm is not technically malicious, opening the attachment allows the file to copy itself to the user’s PC Windows folder and then send the .pif-based program to any e-mail address stored on the hard drive. Ducklin said the huge risks associated with accepting program files such as .pif, .vbs (visual basic script) or the more common .exe (executable) as attachments via e-mail outweighs the usefulness of distributing such files in this manner. “There’s no business sense for distributing programs via e-mail,” he said. To illustrate the point, Ducklin said six of the top 10 viruses reported to Sophos in April spread as Windows programs inside e-mails.” http://security.itworld.com/4340/030521stopworms/page_1.html

Question 40

Q

QUESTION NO: 514 An active content module, which attempts to monopolize and exploits system resources is called a A. Macro virus B. Hostile applet C. Plug-in worm D. Cookie

Answer

A

Answer: B Explanation: This applet can execute in the network browser and may contain malicious code. The types of downloadable programs are also known as mobile code. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 361 “ActiveX Controls are Microsoft’s answer to Sun’s Java applets. They operate in a very similar fashion, but they are implemented using any on of a variety of languages, including Visual Basic, C, C++ and Java. There are two key distinctions between Java applets and ActiveX controls. First, ActiveX controls use proprietary Microsoft technology and, therefore, can only execute on systems running Microsoft operating systems. Second, ActiveX controls are not subject to the sandbox restrictions placed on Java applets. They have full access to the Windows operating environment and can perform a number of privileged actions. Therefore, special precautions must be taken when deciding which ActiveX controls to download and execute. Many security administrators have taken the somewhat harsh position of prohibiting the download of any ActiveX content from all but a select handful of trusted sites.”

Question 41

Q

QUESTION NO: 515 Macro viruses written in Visual Basic for Applications (VBA) are a major problem because A. Floppy disks can propagate such viruses. B. These viruses can infect many types of environments. C. Anti-virus software is usable to remove the viral code. D. These viruses almost exclusively affect the operating system.

Answer

A

Answer: D Explanation: VBA is typically Windows OS base, so Unlikely many types of environments, but impact the OS (need a real reference source to justify this though).

Question 42

Q

QUESTION NO: 516 What is the term used to describe a virus that can infect both program files and boot sectors? A. Polymorphic B. Multipartite C. Stealth D. Multiple encrypting

Answer

A

Answer: B

Question 43

Q

QUESTION NO: 517 Why are macro viruses easy to write? A. Active contents controls can make direct system calls B. The underlying language is simple and intuitive to apply. C. Only a few assembler instructions are needed to do damage. D. Office templates are fully API compliant.

Answer

A

Answer: B Explanation: Macro Languages enable programmers to edit, delete, and copy files. Because these languages are so easy to use, many more types of macro viruses are possible.

Question 44

Q

QUESTION NO: 518 Which one of the following traits allows macro viruses to spread more effectively than other types? A. They infect macro systems as well as micro computers. B. They attach to executable and batch applications. C. They can be transported between different operating systems. D. They spread in distributed systems without detection

Answer

A

Answer: C Explanation: Macro virus is a virus written in one of these programming languages and is platform independent. They infect and replicate in templates and within documents.

Question 45

Q

QUESTION NO: 519 In what way could Java applets pose a security threat? A. Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP B. Java interpreters do not provide the ability to limit system access that an applet could have on a client system C. Executables from the Internet may attempt an intentional attack when they are downloaded on a client system D. Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.

Answer

A

Answer: C Explanation: “Java Security Java applets use a security scheme that employs a sandbox to limit the applet’s access to certain specific areas within the user’s system and protects the system from malicious or poorly written applets. The applet is supposed to run only within the sandbox. The sandbox restricts the applet’s environment by restricting access to a user’s hard drives and system resources. If the applet does not go outside the sandbox, it is considered safe. However, as with many other things in the computing world, the bad guys have figured out how to escape their confines and restrictions. Programmers have figured out how to write applets that enable the code to access hard drives and resources that are supposed to be protected by the Java security scheme. This code can be malicious in nature and cause destruction and mayhem to the user and her system. Java employs a sandbox in its security scheme, but if an applet can escape the confines of the sandbox, the system can be easily compromised.” Pg 726 Shon Harris: All-In-One CISSP Certification Guide.

Question 46

Q

QUESTION NO: 520 What setup should an administrator use for regularly testing the strength of user passwords? A. A networked workstation so that the live password database can easily be accessed by the cracking program B. A networked workstation so the password database can easily be copied locally and processed by the cracking program C. A standalone workstation on which the password database is copied and processed by the cracking program D. A password-cracking program is unethical; therefore it should not be used.

Answer

A

Answer: C

Question 47

Q

QUESTION NO: 521 On UNIX systems, passwords shall be kept: A. In any location on behalf of root. B. In a shadow password file. C. In the /etc/passwd file. D. In root.

Answer

A

Answer: B Explanation: When possible, on UNIX systems, passwords shall not be kept in the /etc/passwd file, but rather in a shadow password file which can be modified only by root or a program executing on behalf of root.

Question 48

Q

QUESTION NO: 522 Which of the following would constitute the best example of a password to use for access to a system by a network administrator? A. holiday B. Christmas12 C. Jenny&30 D. TrZc&45g

Answer

A

Answer: D

Question 49

Q

QUESTION NO: 523 Which of the following is not a media viability control used to protect the viability of data storage media? A. clearing B. marking C. handling D. storage

Answer

A

Answer: A Explanation: Handling – how it can be transported / under what controls Storage – where and how it can be stored Marking – how the media should be labeled

Question 50

Q

QUESTION NO: 524 Which of the following refers to the data left on the media after the media has been erased? A. remanence B. recovery C. sticky bits D. semi-hidden

Answer

A

Answer: A

Question 51

Q

QUESTION NO: 525 What is the main issue with media reuse? A. Degaussing B. Data remanence C. Media destruction D. Purging

Answer

A

Answer: B

Question 52

Q

QUESTION NO: 526 What should a company do first when disposing of personal computers that once were used to store confidential data? A. Overwrite all data on the hard disk with zeroes B. Delete all data contained on the hard disk C. Demagnetize the hard disk D. Low level format the hard disk

Answer

A

Answer: C

Question 53

Q

QUESTION NO: 527 Which of the following is not a critical security aspect of Operations Controls? A. Controls over hardware B. data media used C. Operations using resources D. Environment controls

Answer

A

Answer: D Explanation: Handling – how it can be transported / under what controls Storage – where and how it can be stored Marking – how the media should be labeled

Question 54

Q

QUESTION NO: 528 What tool is being used to determine whether attackers have altered system files of executables? A. File Integrity Checker B. Vulnerability Analysis Systems C. Honey Pots D. Padded Cells

Answer

A

Answer: A Explanation: Although File Integrity Checkers are most often used to determine whether attackers have altered system files or executables, they can also help determine whether vendor-supplied bug patches or other desired changes have been applied to system binaries. They are extremely valuable to those conducting a forensic examination of systems that have been attacked, as they allow quick and reliable diagnosis of the footprint of an attack. This enables system managers to optimize the restoration of service after incidents occur.

Question 55

Q

QUESTION NO: 529 A system file that has been patched numerous times becomes infected with a virus. The anti-virus software warns that disinfecting the file can damage it. What course of action should be taken? A. Replace the file with the original version from master media B. Proceed with automated disinfection C. Research the virus to see if it is benign D. Restore an uninfected version of the patched file from backup media

Answer

A

Answer: A

Question 56

Q

QUESTION NO: 530 In an on-line transaction processing system, which of the following actions should be taken when erroneous or invalid transactions are detected? A. The transactions should be dropped from processing B. The transactions should be processed after the program makes adjustments C. The transactions should be written to a report and reviewed D. The transactions should be corrected and reprocessed

Answer

A

Answer: C

Question 57

Q

QUESTION NO: 531 Which of the following is a reasonable response from the intrusion detection system when it detects Internet Protocol (IP) packets where the IP source address is the same as the IP destination address? A. Allow the packet to be processed by the network and record the event. B. Record selected information about the item and delete the packet. C. Resolve the destination address and process the packet. D. Translate the source address and resend the packet.

Answer

A

Answer: B Explanation: RFC 1918 and RFC 2827 state about private addressing and ip spoofing using the same source address as destination address. Drop the packet.

Question 58

Q

QUESTION NO: 532 Which of the following is not a good response to a detected intrusion? A. Collect additional information about the suspected attack B. Inject TCP reset packets into the attacker’s connection to the victim system C. Reconfigure routers and firewalls to block packets from the attacker’s apparent connection D. Launch attacks or attempt to actively gain information about the attacker’s host

Answer

A

Answer: D

Question 59

Q

QUESTION NO: 533 Once an intrusion into your organizations information system has been detected, which of the following actions should be performed first? A. Eliminate all means of intruder access B. Contain the intrusion C. Determine to what extent systems and data are compromised D. Communicate with relevant parties

Answer

A

Answer: B

Question 60

Q

QUESTION NO: 534 After an intrusion has been contained and the compromised systems having been reinstalled, which of the following need not be reviewed before bringing the systems back to service? A. Access control lists B. System services and their configuration C. Audit trails D. User accounts

Answer

A

Answer: C

Question 61

Q

QUESTION NO: 535 Which of the following includes notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident’s effects? A. Intrusion Evaluation (IE) and Response B. Intrusion Recognition (IR) and Response C. Intrusion Protection (IP) and Response D. Intrusion Detection (ID) and Response

Answer

A

Answer: D Explanation: “Intrusion Detection (ID) and Response is the task of monitoring systems for evidence of an intrusion or an inappropriate usage. This includes notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident’s effects.”

Question 62

Q

QUESTION NO: 536 Which of the following is used to monitor network traffic or to monitor host audit logs in order to determine violations of security policy that have taken place? A. Intrusion Detection System B. Compliance Validation System C. Intrusion Management System D. )Compliance Monitoring System

Answer

A

Answer: A

Question 63

Q

QUESTION NO: 537 Which of the following is not a technique used for monitoring? A. Penetration testing B. Intrusion detection C. Violation processing (using clipping levels) D. Countermeasures testing

Answer

A

Answer: D

Question 64

Q

QUESTION NO: 538 Which one of the following is NOT a characteristic of an Intrusion Detection System? (IDS) A. Determines the source of incoming packets. B. Detects intruders attempting unauthorized activities. C. Recognizes and report alterations to data files. D. Alerts to known intrusion patterns.

Answer

A

Answer: C Explanation: Software employed to monitor and detect possible attacks and behaviors that vary from the normal and expected activity. The IDS can be network-based, which monitors network traffic, or host-based, which monitors activities of a specific system and protects system files and control mechanisms.

Answer 65

A

Answer: C

Answer 66

A

Answer: A

Answer 67

A

Answer: A Explanation: Intrusion Detection is a quickly evolving domain of expertise. In the past year we have seen giant steps forward in this area. We are now seeing IDS engines that will detect anomalies, and that have some built-in intelligence. It is no longer a simple game of matching signatures in your network traffic.

Answer 68

A

Answer: C Explanation: IDSs verify, itemize, and characterize the threat from both outside and inside your organization’s network, assisting you in making sound decisions regarding your allocation of computer security resources. Using IDSs in this manner is important, as many people mistakenly deny that anyone (outsider or insider) would be interested in breaking into their networks. Furthermore, the information that IDSs give you regarding the source and nature of attacks allows you to make decisions regarding security strategy driven by demonstrated need, not guesswork or folklore.

Answer 69

A

Answer: D Explanation: Many IDSs can be described in terms of three fundamental functional components: Information Sources - the different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring most common. Analysis - the part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection. Response - the set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.

Answer 70

A

Answer: A,C Explanation: Although there are many goals associated with security mechanisms in general, there are two overarching goals usually stated for intrusion detection systems. Accountability is the capability to link a given activity or event back to the party responsible for initiating it. This is essential in cases where one wishes to bring criminal charges against an attacker. The goal statement associated with accountability is: “I can deal with security attacks that occur on my systems as long as I know who did it (and where to find them.)” Accountability is difficult in TCP/IP networks, where the protocols allow attackers to forge the identity of source addresses or other source identifiers. It is also extremely difficult to enforce accountability in any system that employs weak identification and authentication mechanisms. Response is the capability to recognize a given activity or event as an attack and then taking action to block or otherwise affect its ultimate goal. The goal statement associated with response is “I don’t care who attacks my system as long as I can recognize that the attack is taking place and block it.” Note that the requirements of detection are quite different for response than for accountability.

Answer 71

A

Answer: A Explanation: The most common way to classify IDSs is to group them by information source. Some IDSs analyze network packets, captured from network backbones or LAN segments, to find attackers. Other IDSs analyze information sources generated by the operating system or application software for signs of intrusion.

Answer 72

A

Answer: B Explanation: The majority of commercial intrusion detection systems are network-based. These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts.

Answer 73

A

Answer: A Explanation: Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.

Answer 74

A

Answer: A Explanation: Host-based IDSs normally utilize information sources of two types, operating system audit trails, and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. However, system logs are much less obtuse and much smaller than audit trails, and are furthermore far easier to comprehend. Some host-based IDSs are designed to support a centralized IDS management and reporting infrastructure that can allow a single management console to track many hosts. Others generate messages in formats that are compatible with network management systems.

Answer 75

A

Answer: A Explanation: Host-based IDSs are unaffected by switched networks. When Host-based IDSs operate on OS audit trails, they can help detect Trojan horse or other attacks that involve software integrity breaches. These appear as inconsistencies in process execution.

Answer 76

A

Answer: D Explanation: Host-based IDSs are harder to manage, as information must be configured and managed for every host monitored. Since at least the information sources (and sometimes part of the analysis engines) for host-based IDSs reside on the host targeted by attacks, the IDS may be attacked and disabled as part of the attack. Host-based IDSs are not well suited for detecting network scans or other such surveillance that targets an entire network, because the IDS only sees those network packets received by its host. Host-based IDSs can be disabled by certain denial-of-service attacks.

Answer 77

A

Answer: B Explanation: Host-based IDSs use the computing resources of the hosts they are monitoring, therefore inflicting a performance cost on the monitored systems.

Answer 78

A

Answer: D Explanation: Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. The most common information sources used by application-based IDSs are the application’s transaction log files.

Answer 79

A

Answer: D Explanation: Once IDSs have obtained event information and analyzed it to find symptoms of attacks, they generate responses. Some of these responses involve reporting results and findings to a pre-specified location. Others involve more active automated responses. Though researchers are tempted to underrate the importance of good response functions in IDSs, they are actually very important. Commercial IDSs support a wide range of response options, often categorized as active responses, passive responses, or some mixture of the two.

Answer 80

A

Answer: A Explanation: Alarms and notifications are generated by IDSs to inform users when attacks are detected. Most commercial IDSs allow users a great deal of latitude in determining how and when alarms are generated and to whom they are displayed. The most common form of alarm is an onscreen alert or popup window. This is displayed on the IDS console or on other systems as specified by the user during the configuration of the IDS. The information provided in the alarm message varies widely, ranging from a notification that an intrusion has taken place to extremely detailed messages outlining the IP addresses of the source and target of the attack, the specific attack tool used to gain access, and the outcome of the attack. Another set of options that are of utility to large or distributed organizations are those involving remote notification of alarms or alerts. These allow organizations to configure the IDS so that it sends alerts to cellular phones and pagers carried by incident response teams or system security personnel.

Answer 81

A

Answer: A Explanation: Several tools exist that complement IDSs and are often labeled as intrusion detection products by vendors since they perform similar functions. They are Vulnerability Analysis Systems, File Integrity Checkers, Honey Pots, and Padded Cells. “IDS-Related Tools Intrusion detection systems are often deployed in concert with several other components. These IDS-related tools expand the usefulness and capabilities of IDSs and make IDSs more efficient and less prone to false positives. These tools include honey pots, padded cells, and vulenerability scanners.”

Answer 82

A

Answer: A

Answer 83

A

Answer: B Explanation: Padded cells take a different approach. Instead of trying to attract attackers with tempting data, a padded cell operates in tandem with traditional IDS. When the IDS detect attackers, it seamlessly transfers then to a special padded cell host.

Answer 84

A

Answer: B Explanation: Disadvantages of Knowledge-based ID systems: This system is resources-intensive; the knowledge database continually needs maintenance and updates New, unique, or original attacks often go unnoticed.Disadvantages of Behavior-based ID systems: The system is characterized by high false alarm rates. High positives are the most common failure of ID systems and can create data noise that makes the system unusable. The activity and behavior of the users while in the networked system might not be static enough to effectively implement a behavior-based ID system.

Answer 85

A

Answer: A

Answer 86

A

Answer: A Explanation: There are two primary approaches to analyzing events to detect attacks: misuse detection and anomaly detection. Misuse detection, in which the analysis targets something known to be “bad”, is the technique used by most commercial systems. Anomaly detection, in which the analysis looks for abnormal patterns of activity, has been, and continues to be, the subject of a great deal of research. Anomaly detection is used in limited form by a number of IDSs. There are strengths and weaknesses associated with each approach, and it appears that the most effective IDSs use mostly misuse detection methods with a smattering of anomaly detection components.

Answer 87

A

Answer: B Explanation: Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called “signature-based detection.” The most common form of misuse detection used in commercial products specifies each pattern of events corresponding to an attack as a separate signature. However, there are more sophisticated approaches to doing misuse detection (called “state-based” analysis techniques) that can leverage a single signature to detect groups of attacks.

Answer 88

A

Answer: C Explanation: Misuse detectors can only detect those attacks they know about - therefore they must be constantly updated with signatures of new attacks. Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks. Statebased misuse detectors can overcome this limitation, but are not commonly used in commercial IDSs.

Answer 89

A

Answer: C Explanation: Anomaly detectors identify abnormal unusual behavior (anomalies) on a host or network. They function on the assumption that attacks are different from “normal” (legitimate) activity and can therefore be detected by systems that identify these differences. Anomaly detectors construct profiles representing normal behavior of users, hosts, or network connections. These profiles are constructed from historical data collected over a period of normal operation. The detectors then collect event data and use a variety of measures to determine when monitored activity deviates from the norm.

Answer 90

A

Answer: B

Answer 91

A

Answer: A Explanation: “A network-based IDS has little negative affect on overall network performance, and because it is deployed on a single-purpose system, it doesn’t adversely affect the performance of any other computer.”

Answer 92

A

Answer: A

Answer 93

A

Answer: A

Answer 94

A

Answer: A

Answer 95

A

Answer: D Explanation: To make violation tracking effective, clipping levels must be established. A clipping level is a baseline of user activity that is considered a routine level of user errors. When a clipping level is exceeded, a violation record is then produced. Clipping levels are also used for variance detection.

Answer 96

A

Answer: B Explanation: Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and on the network. Audit trails can be used for intrusion detection and for the reconstruction of past events.

Answer 97

A

Answer: C Explanation: “Auditing capabilities ensure that users are accountable for their actions, verify that the security polices are enforced, and are used as investigation tools.” Pg 161 Shon Harris: All-in- One CISSP Certification

Answer 98

A

Answer: D Explanation: Auditing capabilities ensure that users are accountable for their actions, verify that the security policies are enforced, worked as a deterrent to improper actions, and are used as investigation tools.

Answer 99

A

Answer: C

Answer 100

A

Answer: B

Answer 101

A

Answer: C Explanation: Keep audit trail of password usage; log all Successful logon, Unsuccessful logon, Date, Time, ID, Login name. Control maximum logon attempt rate where possible.Where possible users must be automatically logged off after 30 minutes of inactivity.

Answer 102

A

Answer: B Explanation: Auditing tools are technical controls that track activity within a network on a network device or on a specific computer. Even though auditing is not an activity that will deny an entity access to a network or computer, it will track activities so a network administrator can understand the types of access that took place, identify a security breach, or warn the administrator of suspicious activity. This can be used to point out weakness of their technical controls and help administrators understand where changes need to be made to preserve the necessary security level within the environment.

Answer 103

A

Answer: D Explanation: The level of logging will be according to your company requirements. Below is a list of items that could be logged, please note that some of the items may not be applicable to all operating systems. What is being logged depends on whether you are looking for performance problems or security problems. However you have to be careful about performance problems that could affect your security.

Answer 104

A

Answer: A Explanation: The level of logging will be according to your company requirements. Below is a list of items that could be logged, please note that some of the items may not be applicable to all operating systems. What is being logged depends on whether you are looking for performance problems or security problems. However you have to be careful about performance problems that could affect your security.

Answer 105

A

Answer: B Explanation: Request for the following services should be logged: systat, bootp, tftp, sunrpc, snmp, snmp-trap, nfs.

Answer 106

A

Answer: D Explanation: “Testing of software modules or unit testing should be addressed when the modules are being designed. Personnel separate from the programmers should conduct this testing. The test data is part of the specifications. Testing should not only check the modules using normal and valid input data, but it should also check for incorrect types, out-of-range values, and other bounds and/or conditions. Live or actual field data is not recommended for use in the testing procedures because both data types might not cover out-of-range situations and the correct outputs of the test are unknown. Special test suites of data that exercise all paths of the software to the fullest extent possible and whose corrected resulting outputs are known beforehand should be used.”

Answer 107

A

Answer: D Explanation: Logs must be secured to prevent modification, deletion, and destruction. Only authorized persons should have access or permission to read logs. A person is authorized if he or she is a member of the internal audit staff, security staff, system administration staff, or he or she has a need for such access to perform regular duties.

Answer 108

A

Answer: C Explanation: All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time. This period of time will be determined by your company policies. This allows the use of logs for regular and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Answer 109

A

Answer: C Explanation: All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time. This period of time will be determined by your company policies. This allows the use of logs for regular and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Answer 110

A

Answer: C Explanation: All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time. This period of time will be determined by your company policies. This allows the use of logs for regular and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Answer 111

A

Answer: A Explanation: The following pre-requisite must be met to ensure dependable and secure logging: All computers must have their clock synchronized to a central timeserver to ensure accurate time on events being logged. If possible all logs should be centralized for easy analysis and also to help detect patterns of abuse across servers. Logging information traveling on the network must be encrypted if possible. Log files are stored and protected on a machine that has a hardened shell. Log files must not be modifiable without a trace or record of such modification.

Answer 112

A

Answer: B Explanation: The following pre-requisite must be met to ensure dependable and secure logging: All computers must have their clock synchronized to a central timeserver to ensure accurate time on events being logged. If possible all logs should be centralized for easy analysis and also to help detect patterns of abuse across servers. Logging information traveling on the network must be encrypted if possible. Log files are stored and protected on a machine that has a hardened shell. Log files must not be modifiable without a trace or record of such modification.

Answer 113

A

Answer: A Explanation: Logging is the activity that consists of collecting information that will be used for monitoring and auditing. Detailed logs combined with active monitoring allow detection of security issues before they negatively affect your systems.

Answer 114

A

Answer: B Explanation: Usually logging is done 24 hours per day, 7 days per week, on all available systems and services except during the maintenance window where some of the systems and services may not be available while maintenance is being performed.

Answer 115

A

Answer: A Explanation: The following file changes, conditions, and events are logged: rhosts. UNIX Kernel. /etc/password. rc directory structure. bin files. lib files. Use of Setuid. Use of Setgid. Change of permission on system or critical files.

Answer 116

A

Answer: B Explanation: The following firewall configuration problem are logged: Reboot of the firewall. Proxies that cannot start (e.g. Within TIS firewall).Proxies or other important services that have died or restarted. Changes to firewall configuration file. A configuration or system error while firewall is running.

Answer 117

A

Answer: A

Answer 118

A

Answer: B Explanation: The principle of accountability has been described in many references; it is a principle by which specific action can be traced back to an individual. As mentioned by Idrach, any significant action should be traceable to a specific user. The definition of “Significant” is entirely dependant on your business circumstances and risk management model. It was also mentioned by Rino that tracing the actions of a specific user is fine but we must also be able to ascertain that this specific user was responsible for the uninitiated action.

Answer 119

A

Answer: C Explanation: The principle of accountability has been described in many references; it is a principle by which specific action can be traced back to an individual. As mentioned by Idrach, any significant action should be traceable to a specific user. The definition of “Significant” is entirely dependant on your business circumstances and risk management model. It was also mentioned by Rino that tracing the actions of a specific user is fine but we must also be able to ascertain that this specific user was responsible for the uninitiated action.

Answer 120

A

Answer: D Explanation: The principle of accountability has been described in many references; it is a principle by which specific action can be traced back to an individual. As mentioned by Idrach, any significant action should be traceable to a specific user. The definition of “Significant” is entirely dependant on your business circumstances and risk management model. It was also mentioned by Rino that tracing the actions of a specific user is fine but we must also be able to ascertain that this specific user was responsible for the uninitiated action.

Answer 121

A

Answer: A Explanation: “Identification is the process by which a subject professes an identify and accountability is initiated.” Pg 149 Tittel: CISSP Study Guide “Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identify to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time.”

Answer 122

A

Answer: B

Answer 123

A

Answer: A

Answer 124

A

Answer: D Explanation: Three types of computer attacks are most commonly reported by IDSs: system scanning, denial of service (DOS), and system penetration. These attacks can be launched locally, on the attacked machine, or remotely, using a network to access the target. An IDS operator must understand the differences between these types of attacks, as each requires a different set of responses.

Answer 125

A

Answer: A

Answer 126

A

Answer: D

Answer 127

A

Answer: D

Answer 128

A

Answer: D Explanation: “Official Definition of Configuration Management Identifying, controlling, accounting for and auditing changes made to the baseline TCB, which includes changes to hardware, software, and firmware. A System that will control changes and test documentation through the operational life cycle of a system.” “[B3] The security administrator role is clearly defined, and the system must be able to recover from failures without its security level being compromised.”

Answer 129

A

Answer: B Explanation: “The primary security goal of configuration management is to ensure that changes to the system do not unintentionally diminish security.” Pg 306 Krutz: CISSP Prep Guide: Gold Edition.

Answer 130

A

Answer: D Explanation: Configuration management is the process of tracking and approving changes to a system. It involves identifying, controlling, and auditing all changes made to the system.

Answer 131

A

Answer: A Explanation: If the computer system being used or to which a user is connected contains sensitive or confidential information, users must not leave their computer, terminal, or workstation without first logging off. Users should be reminded frequently to follow this rule.

Answer 132

A

Answer: C Explanation: Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists for collaboration between various jobs related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions.

Answer 133

A

Answer: C Explanation: Separation of duties is considered valuable in deterring fraud since fraud can occur if an opportunity exists for collaboration between various jobs related capabilities. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used examples are the separate transactions needed to initiate a payment and to authorize a payment. No single individual should be capable of executing both transactions.

Answer 134

A

Answer: D Explanation: Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined simply by the assignment of individuals to roles and allocation of transactions to roles. The more difficult case is dynamic separation of duty where compliance with requirements can only be determined during system operation. The objective behind dynamic separation of duty is to allow more flexibility in operations.

Answer 135

A

Answer: C Explanation: Mandatory vacations are another type of administrative control that may sound a bit odd at first. Chapter 3 touches on reasons to make sure that employees take their vacations; this has to do with being able to identify fraudulent activities and enable job rotation to take place.

Answer 136

A

Answer: B Explanation: Reasons why a user won’t report an incident (page 882 of Shon Harris 5th edition) - Afraid of being pulled into something - afraid of being accused Logically, they may be unaware of the procedure No reason that reporting incidents to a centralized location would be a problem so that leaves that as the answer.

Answer 137

A

Answer: C Explanation: “Before the employee is released, all organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected.”

Answer 138

A

Answer: A Explanation: “In the concept of two-man control, two operators review and approve the work of each other. The purpose of two-man control is to provide accountability and to minimize fraud in highly sensitive or high-risk transactions. The concept of dual control means that both operators are needed to complete a sensitive task.”

Answer 139

A

Answer: B

Answer 140

A

Answer: C

Answer 141

A

Answer: C Explanation: Each user assigned directory (home directory) is not to be shared with others. None of the choices is correct.

Answer 142

A

Answer: B Explanation: A record of user logins with time and date stamps must be kept. User accounts shall be disabled and data kept for a specified period of time as soon as employment is terminated. All users must log on to gain network access.

Answer 143

A

Answer: C Explanation: “Separation of duties (also called segregation of duties) assigns parts of tasks to different personnel. Thus if no single person has total control of the system’s security mechanisms, the theory is that no single person can completely compromise the system.”

Answer 144

A

Answer: A Explanation: Job assignments should be changed periodically so that it is more difficult for users to collaborate to exercise complete control of a transaction and subvert it for fraudulent purposes. This principle is effective when used in conjunction with a separation of duties. Problems in effectively rotating duties usually appear in organizations with limited staff resources and inadequate training programs. Rotation of duties will protect you against fraud; provide cross training to your employees, as well as assuring trained backup in case of emergencies.

Answer 145

A

Answer: A

Answer 146

A

Answer: D

Answer 147

A

Answer: A Explanation: Security Administration and Quality Assurance are the most similar tasks. Administrative Management: Administrative management is a very important piece of operational security. One aspect of administrative management is dealing with personnel issues. This includes separation of duties and job rotation. The objective of separation of duties is to ensure that one person acting alone cannot compromise the company’s security in any way. High-risk activities should be broken up into different parts and distributed to different individuals. This way the company does not need to put a dangerously high level of trust on certain individuals and if fraud were to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity. Separation of duties also helps to prevent many different types of mistakes that can take place if one person is performing a task from the beginning to the end. For instance, a programmer should not be the one to test her own code. A different person with a different job and agenda should perform functionality and integrity testing on the programmer’s code because the programmer may have a focused view of what the program is supposed to accomplish and only test certain functions, input values, and in certain environments. Another example of separation of duties is the difference between the functions of a computer operator versus the functions of a system administrator. There must be clear cut lines drawn between system administrator duties and computer operator duties. This will vary from environment to environment and will depend on the level of security required within the environment. The system administrators usually have responsibility of performing backups and recovery procedures, setting permissions, adding and removing users, setting user clearance, and developing user profiles. The computer operator on the other hand, may be allowed to install software, set an initial password, alter desktop configurations, and modify certain system parameters. The computer operator should not be able to modify her own security profile, add and remove users globally, or set user security clearance. This would breach the concept of separation of duties.

Answer 148

A

Answer: A Explanation: The two most similar jobs are Data Entry and Job Scheduling, so they need not be segregated. Administrative Management: Administratative management is a very important piece of operational security. One aspect of administrative management is dealing with personnel issues. This includes separation of duties and job rotation. The objective of separation of duties is to ensure that one person acting alone cannot compromise the company’s security in any way. Highrisk activities should be broken up into different parts and distributed to different individuals. This way the company does not need to put a dangerously high level of trust on certain individuals and if fraud were to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity. Separation of duties also helps to prevent many different types of mistakes that can take place if one person is performing a task from the beginning to the end. For instance, a programmer should not be the one to test her own code. A different person with a different job and agenda should perform functionality and integrity testing on the programmer’s code because the programmer may have a focused view of what the program is supposed to accomplish and only test certain functions, input values, and in certain environments. Another example of separation of duties is the difference between the functions of a computer operator versus the functions of a system administrator. There must be clear cut lines drawn between system administrator duties and computer operator duties. This will vary from environment to environment and will depend on the level of security required within the environment. The system administrators usually have responsibility of performing backups and recovery procedures, setting permissions, adding and removing users, setting user clearance, and developing user profiles. The computer operator on the other hand, may be allowed to install software, set an initial password, alter desktop configurations, and modify certain system parameters. The computer operator should not be able to modify her own security profile, add and remove users globally, or set user security clearance. This would breach the concept of separation of duties.

Answer 149

A

Answer: D Explanation: If you think about it, System development and system maintenance are perfectly compatible, you can develop in the systems for certain time, and when it time for a maintenance, you stop the development process an make the maintenance. It’s a pretty straight forward process. The other answer do not provide the simplicity and freedom of this option. Incorrect answer: Access authorization and database administration are NEVER compatible.

Answer 150

A

Answer: C

Answer 151

A

Answer: D

Answer 152

A

Answer: C

Answer 153

A

Answer: C Explanation: “In addition to the CIA Triad, there is a plethora of other security-related concepts, principles, and tenants that should be considered and addressed when designing a security policy and deploying a security solution. This section discusses privacy, identification, authentication, authorization, accountability, nonrepudiation, and auditing.”

Answer 154

A

Answer: B Explanation: Detective Technical Controls warn of technical Access Control violations. Under this category you would find the following: Audit trails Violation reports Intrusion detection system Honeypot

Answer 155

A

Answer: B Explanation: Detective Technical Controls warn of technical Access Control violations. Under this category you would find the following: Audit trails Violation reports Intrusion detection system Honeypot

Answer 156

A

Answer: B

Answer 157

A

Answer: C Explanation: C is the one that makes the most sense. [Operation Security] Detective Controls are used to detect an error once it has occurred. Unlike preventative controls, these controls operate after the fact and can be used to track an unauthorized transaction for prosecution, or to lessen an error’s impact on the system by identifying it quickly. An example of this type of control is an audit trail.

Answer 158

A

Answer: C Explanation: “Operation controls are the mechanisms and daily procedures that provide protection for systems.” When designing a protection scheme for resources, it is important to keep the following aspects or elements of the IT infrastructure in mind: Communication hardware/software Boundary devices Processing equipment Password files Application program libraries Application source code Vendor software Operating System System Utilities Directories and address tables Proprietary packages Main storage Removable storage Sensitive/critical data System logs/audit trails Violation reports Backup files and media Sensitive forms and printouts Isolated devices, such as printers and faxes Telephone network”

Answer 159

A

Answer: B Explanation: Audit Trails are under Operations Security Auditing opposed to Operations Security Operations Controls. “Operations Controls embody the day-to-day procedures used to protect computer operations. The concepts of resource protection, hardware/software control, and privileged entity must be understood by the CISSP candidate.”

Answer 160

A

Answer: B Explanation: Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system.

Answer 161

A

Answer: A Explanation: Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (Usually through physical and system-based controls). Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.

Answer 162

A

Answer: A Explanation: Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which the ability is explicitly enabled or restricted in some way (Usually through physical and system-based controls). Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.

Answer 163

A

Answer: C Explanation: There are several different categories of access control. The main categories are: –Physical Access Control –Administrative Access Control –Logical Access Control –Data Access Control

Answer 164

A

Answer: D Explanation: Access control is a bit like the four legs of a chair. Each of the legs must be equal or else an imbalance will be created. If you have very strict Physical Access controls but very poor Logical Access Controls then you may not succeed in securing your environment.

Answer 165

A

Answer: D Explanation: Detective Technical Controls warn of technical Access Control violations. Under this category you would find the following: Audit trails Violation reports Intrusion detection system Honeypot

Answer 166

A

Answer: A

Answer 167

A

Answer: D Explanation: Detective Technical Controls warn of technical Access Control violations. Under this category you would find the following: Audit trails Violation reports Intrusion detection system Honeypot

Answer 168

A

Answer: A Explanation: By technical controls we mean some or all of the following: Access Control software Antivirus Software Passwords Smart Cards Encryption Call-back systems Two factor authentication Note: logical & technical controls are used interchangeably

Answer 169

A

Answer: B Explanation: By technical controls we mean some or all of the following: Access Control software Antivirus Software Passwords Smart Cards Encryption Call-back systems Two factor authentication

Answer 170

A

Answer: D Explanation: Preventive Technical Controls are the technical ways of restricting who or what can access system resources and what type of access is permitted. Its purpose is to protect the OS and other systems from unauthorized modification or manipulation. It is usually built into an operating system, or it can be a part of an application or program, or an add-on security package, or special components to regulate communication between computers. It also protects the integrity and availability by limiting the number of users and/or processes. These controls also protect confidential information from being disclosed to unauthorized persons.

Answer 171

A

Answer: C Explanation: Separation of duties is a PREVENTIVE Administrative Control. The other 3 are DETECTIVE Administrative Controls. Detective Administrative Controls Detective administrative controls are used to determine how well security policies and procedures are complied with, to detect fraud, and to avoid employing persons that represent an unacceptable security risk. This type of control includes: • Security reviews and audits. • Performance evaluations. • Required vacations. • Background investigations. • Rotation of duties.

Answer 172

A

Answer: B Explanation: Preventive Technical Controls are the technical ways of restricting who or what can access system resources and what type of access is permitted. Its purpose is to protect the OS and other systems from unauthorized modification or manipulation. It is usually built into an operating system, or it can be a part of an application or program, or an add-on security package, or special components to regulate communication between computers. It also protects the integrity and availability by limiting the number of users and/or processes. These controls also protect confidential information from being disclosed to unauthorized persons.

Answer 173

A

Answer: D Explanation: Preventive Technical Controls are the technical ways of restricting who or what can access system resources and what type of access is permitted. Its purpose is to protect the OS and other systems from unauthorized modification or manipulation. It is usually built into an operating system, or it can be a part of an application or program, or an add-on security package, or special components to regulate communication between computers. It also protects the integrity and availability by limiting the number of users and/or processes. These controls also protect confidential information from being disclosed to unauthorized persons.

Answer 174

A

Answer: D Explanation: Preventive Technical Controls are the technical ways of restricting who or what can access system resources and what type of access is permitted. Its purpose is to protect the OS and other systems from unauthorized modification or manipulation. It is usually built into an operating system, or it can be a part of an application or program, or an add-on security package, or special components to regulate communication between computers. It also protects the integrity and availability by limiting the number of users and/or processes. These controls also protect confidential information from being disclosed to unauthorized persons.

Answer 175

A

Answer: A Explanation: There are different types of access control. Access controls can be categorized as follows: Preventive (in order to avoid occurrence) Detective (in order to detect or identify occurrences) Deterrent (in order to discourage occurrences) Corrective (In order to correct or restore controls) Recovery (in order to restore resources, capabilities, or losses)

Answer 176

A

Answer: A Explanation: There are different types of access control. Access controls can be categorized as follows: Preventive (in order to avoid occurrence) Detective (in order to detect or identify occurrences) Deterrent (in order to discourage occurrences) Corrective (In order to correct or restore controls) Recovery (in order to restore resources, capabilities, or losses)

Answer 177

A

Answer: C Explanation: There are different types of access control. Access controls can be categorized as follows: Preventive (in order to avoid occurrence) Detective (in order to detect or identify occurrences) Deterrent (in order to discourage occurrences) Corrective (In order to correct or restore controls) Recovery (in order to restore resources, capabilities, or losses)

Answer 178

A

Answer: C Explanation: There are different types of access control. Access controls can be categorized as follows: Preventive (in order to avoid occurrence) Detective (in order to detect or identify occurrences) Deterrent (in order to discourage occurrences) Corrective (In order to correct or restore controls) Recovery (in order to restore resources, capabilities, or losses)

Answer 179

A

Answer: C Explanation: There are different types of access control. Access controls can be categorized as follows: Preventive (in order to avoid occurrence) Detective (in order to detect or identify occurrences) Deterrent (in order to discourage occurrences) Corrective (In order to correct or restore controls) Recovery (in order to restore resources, capabilities, or losses)

Answer 180

A

Answer: A Explanation: There are different types of access control. Access controls can be categorized as follows: Preventive (in order to avoid occurrence) Detective (in order to detect or identify occurrences) Deterrent (in order to discourage occurrences) Corrective (In order to correct or restore controls) Recovery (in order to restore resources, capabilities, or losses)

Answer 181

A

Answer: B Explanation: Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system.

Brainscape's Knowledge GenomeTM

Operations Security Flashcards

Brainscape's Knowledge Genome^TM