P/E 2 Flashcards
1
Q
- What law protects the privacy rights of students?
A. HIPAA
B. SOX
C. GLBA
D. FERPA
A
Answer: D
The Family Educational Rights and Privacy Act (FERPA) protects the rights of students and the parents of minor students.
2
Q
- Which electronic mail security program is based on building a web of trust?
A. PGP
B. S/MIME
C. MOSS
D. PEM
A
Answer: A
Phil Zimmerman’s Pretty Good Privacy (PGP) package relies on the construction of a web of trust between system users.
3
Q
- ___________________ is an attack in which you receive unwanted, inappropriate, or irrelevant email messages.
A. Spamming
B. Impersonation
C. Masquerading
D. Spoofing
A
Answer: A
Spamming is an attack in which you receive unwanted, inappropriate, or irrelevant email messages.
4
Q
- In what scenario would you perform bulk transfers of backup data to a secure offsite location?
A. Incremental backup
B. Differential backup
C. Full backup
D. Electronic vaulting
A
Answer: D
Electronic vaulting describes the transfer of backup data to a remote backup site in a bulk-transfer fashion.
5
Q
- Which one of the following is not a major asset category normally covered by the BCP (business continuity plan)?
A. People
B. Documentation
C. Infrastructure
D. Building/facilities
A
Answer: B
The BCP normally covers three major asset categories: people, infrastructure, and buildings/facilities.
6
Q
- David ran an nmap scan against a server and determined that port 443 is open on the server. What tool would likely provide him the best additional information about the server’s purpose and the identity of the server’s operator?
A. ssh
B. Web browser
C. telnet
D. Ping
A
Answer: B
The server is likely running a secure website on port 443. Using a web browser to access the site may provide important information about the site’s purpose.
7
Q
- What type of intellectual property protection is best suited for computer software?
A. Copyright
B. Trademark
C. Patent
D. Trade secret
A
Answer: D
Trade secrets are one of the best legal protections for computer software.
8
Q
8. What is the value of the logical operation shown here? X: 0 1 1 0 1 0 Y: 0 0 1 1 0 1 \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ X ⨁ Y: ?
A. 0 1 1 1 1 1
B. 0 1 0 1 1 1
C. 0 0 1 0 0 0
D. 1 0 0 0 0 0
A
Answer: B
The ⨁ symbol represents the exclusive OR (XOR) function, which is true when one and only one of the input bits is true.
9
Q
- John found a vulnerability in his code where an attacker can enter too much input and then force the system running the code to execute arbitrary commands. What type of vulnerability has John discovered?
A. TOCTTOU
B. Buffer overflow
C. XSS
D. XSRF
A
Answer: B
Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory.
10
Q
- Which one of the following is also known as the Caesar cipher?
A. ROT2
B. ROT3
C. ROT8
D. ROT11
A
Answer: B
The Caesar cipher, also known as the ROT3 cipher, shifts all characters in the plain text three letters to the right to create the cipher text.
11
Q
- What Japanese cipher system was broken by the United States during World War II?
A. Ultra
B. Purple
C. Enigma
D. VENONA
A
Answer: B
The Japanese Purple cipher system was broken by the Allies and contributed to their victory in World War II. Ultra was the effort to break the German Enigma cipher system. VENONA was an American effort to break a Soviet cipher during the 1940s.
12
Q
- What is the output value of the mathematical function 19 mod 4?
A. 3
B. 4
C. 5
D. 6
A
Answer: A
Nineteen divided by 4 equals 4, with a remainder value of 3.
13
Q
- When a user is attempting to connect to a SNMP service on an internal system that while booted and functioning is not actually running an SNMP server, what information response will their system receive?
A. UDP error
B. TCP RST
C. ICMP Type 3
D. DNS lookup error
A
Answer: C
SNMP is a UDP-based service. UDP does not have any means of sending back errors, because it is a simplex protocol. Thus, when UDP errors occur, the system will switch protocols and use ICMP to send back information. In the case of a non-existing service, the port is thus not available, so an ICMP Type 3 error will be returned.
14
Q
- Matthew receives a digitally signed message from Christopher. What key should Matthew use to verify the digital signature?
A. Christopher’s public key
B. Christopher’s private key
C. Matthew’s public key
D. Matthew’s private key
A
Answer: A
Matthew uses Christopher’s public key to verify the digital signature on the message.
15
Q
- What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately upon failure of the primary facility?
A. Hot site
B. Warm site
C. Cold site
D. All of the above
A
Answer: A
Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations.
16
Q
- In which phase of the business impact assessment do you compute loss expectancies?
A. Risk assessment
B. Likelihood assessment
C. Impact assessment
D. Resource prioritization
A
Answer: C
Loss expectancies are a measure of impact and are calculated during the impact assessment phase.
17
Q
- What type of virus always loads itself automatically when the system starts?
A. MBR virus
B. File infector virus
C. Stealth virus
D. Polymorphic virus
A
Answer: A
Master boot record (MBR) viruses infect the system’s boot sector and load when the system is started.
18
Q
- What government agency is responsible for developing standards and guidelines for federal computer systems?
A. NIST
B. CIA
C. FBI
D. NSA
A
Answer: A
The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for federal computer systems. They may draw on the technical expertise of the National Security Agency for assistance.
19
Q
- Who administers the European Union safe harbor provisions in the United States?
A. Department of State
B. Department of Education
C. Department of Commerce
D. Department of Defense
A
Answer: C
The Department of Commerce maintains the EU safe harbor provisions for American companies.
20
Q
- The ____________ data model has data stored in more than one database, but the data is still logically connected. The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.
A. Hierarchical
B. Normalized
C. Distributed
D. Relational
A
Answer: C
The distributed data model has data stored in more than one database, but the data is still logically connected. The user perceives the database as a single entity, even though it comprises numerous parts interconnected over a network.
21
Q
- When someone launches a typical software product, such as a web browser or a text editor, it is executed in what mode of operation managed by the OS?
A. Privileged mode
B. User mode
C. Supervisory mode
D. Kernel mode
A
Answer: B
User mode is the basic mode used by the CPU when executing user applications. In this mode, the CPU allows the execution of only a portion of its full instruction set. This is designed to protect users from accidentally damaging the system through the execution of poorly designed code or the unintentional misuse of that code.
22
Q
- What is qualitative risk analysis based on?
A. Dollar values
B. Concrete percentages
C. Historical logs and records
D. Opinions
A
Answer: D
The process of performing qualitative risk analysis involves judgment, intuition, and experience—in other words, opinions.
23
Q
- Which of the following is not a requirement for the use of a one-time pad?
A. The encryption key must be at least one-half the length of the message to be encrypted.
B. The encryption key must be randomly generated.
C. Each one-time pad must be used only once.
D. The one-time pad must be physically protected against disclosure.
A
Answer: A
The encryption key must be at least as long as the message to be encrypted. This is because each key element is used to encode only one character of the message. The three other facts listed are all characteristics of one-time pad systems.
24
Q
- An organization wants to ensure that users can run only specific applications. Which of the following techniques is the best choice to support this goal?
A. Whitelisting
B. Blacklisting
C. Sampling
D. Watermarking
A
Answer: A
Whitelisting allows administrators to specify a list of authorized applications. Any applications not on the list cannot run. Blacklisting is a list of unauthorized applications. Sampling is a form of data reduction and not related to running applications. Watermarking embeds an image or other mark on printed documents and files and helps prevent data loss.
25
25. Which one of the following is not a basic requirement for the admissibility of evidence?
A. Timely
B. Relevant
C. Material
D. Competent
Answer: A
To be admissible, evidence must be relevant, material, and competent.
26
26. Which one of the following business impact assessment variables is used to estimate the amount of damage an organization incurs each time an event occurs?
A. AV
B. SLE
C. ARO
D. MTD
Answer: B
The single loss expectancy (SLE) estimates the amount of damage that occurs each time a risk materializes for an organization.
27
27. Which one of the following pieces of BCP (business continuity plan) documentation would provide procedures for notifying executives of a potential disruption?
A. Vital records program
B. Emergency-response guidelines
C. Business impact assessment
D. Statement of urgency
Answer: B
The emergency-response guidelines outline organizational and individual responsibilities for immediate response to an emergency situation. These include executive notification procedures.
28
28. Your database administrators recommend performing bulk transfer backups to a remote site on a daily basis. What type of strategy are they recommending?
A. Transaction logging
B. Electronic vaulting
C. Remote journaling
D. Remote mirroring
Answer: B
Electronic vaulting uses bulk transfers to copy database contents to a remote site on a periodic basis.
29
29. What database backup technology applies database transactions in real time at both primary and alternate sites?
A. Remote mirroring
B. Electronic vaulting
C. Remote journaling
D. Fault tolerance
Answer: A
Remote mirroring technology maintains mirrored images of servers at both the primary and alternate sites.
30
30. What is the maximum effective key length of the Triple DES (3DES) encryption algorithm?
A. 56 bits
B. 64 bits
C. 112 bits
D. 168 bits
Answer: D
When run in DES-EEE3 mode, Triple DES has an effective key length of 168 bits.
31
31. Which of the following is not a physical control for physical security?
A. Fencing
B. Closed-circuit TV (CCTV)
C. Lighting
D. Locks or keypads
Answer: B
Physical controls for physical security include fencing, lighting, locks, construction materials, mantraps, dogs, and guards. CCTV is a technical physical security control and also has deterrent and detective elements, but it is not a physical control for direct physical security itself.
32
32. _________________ is a technology that can allow an automated tool to interact with a human interface.
A. Remote control
B. Virtual desktops
C. Remote node operation
D. Screen scraping
Answer: D
Screen scraping is a technology that can allow an automated tool to interact with a human interface.
33
33. When conducting an internal investigation, what is the most common source of evidence?
A. Historical data
B. Search warrant
C. Subpoena
D. Voluntary surrender
Answer: D
Internal investigations usually operate under the authority of senior managers, who grant access (i.e., voluntary surrender) to all information and resources necessary to conduct the investigation.
34
34. Which form of access abuse simply involves following authorized personnel through security gateways or passages?
A. Injection
B. Masquerading
C. Intrusion
D. Piggybacking
Answer: D
Piggybacking is a method of gaining unauthorized access to computer facilities by following an authorized employee through a controlled door.
35
35. What phase of the Electronic Discovery Reference Model puts evidence in a format that may be shared with others?
A. Production
B. Processing
C. Review
D. Presentation
Answer: A
Production places the information in a format that may be shared with others.
36
36. What type of contract provision requires a vendor to provide a specified level of service to clients?
A. ERP
B. ARO
C. SLA
D. MTD
Answer: C
A service-level agreement (SLA) specifies the terms of service provided by a vendor to a client and may include penalties for noncompliance.
37
37. While performing network packet capture analysis, you discover packets that seem odd. By looking into the packet's raw hex display, you see that the byte offset position 0x2F has the value of 0x08. What was this packet attempting to make occur?
A. Abruptly disconnect a session
B. Confirm the receipt of a data set
C. Start a graceful hang-up process
D. Initiate a new session connection
Answer: A
The raw hex value of 0x08 in offset position 0x2F represents the binary number of 00000100. When this binary number is compared to the TCP header flag (i.e., the offset position 0x2F) layout of XXUAPRSF, it is clear the Reset flag is set. Thus, this packet is attempting to abruptly disconnect a session.
38
38. What is the best way to understand the meaning of the term 500-year flood?
A. A flood that occurs once every 500 years
B. A flood larger than any recorded in the past 500 years
C. A very serious but very unlikely flood event
D. A very serious flood that has a probability of 1 in 500 (0.2%) of occurring in any single calendar year
Answer: D
Flood levels rated in years (100-year, 500-year, 1,000-year, and so forth) basically reflect estimates of the probability of their occurrence. A 100-year flood has a 1 in 100 chance of occurring in any given calendar year (1%), a 500-year flood has a 1 in 500 chance of occurring in any given calendar year, and so forth. Options A and B misrepresent the meaning of the 500-year interval mentioned, while option C fails to address its probabilistic intent.
39
39. Information flow models are designed to prevent ______________________ information flow, often between different levels of security.
A. Old, outdated, or obsolete
B. New, untested, and out-of-the-ordinary
C. Unauthorized, insecure, or restricted
D. Fast, efficient, and prompt
Answer: C
Information flow models are designed to prevent unauthorized, insecure, or restricted information flow, often between different levels of security.
40
40. Which one of the following data roles is responsible for classifying data?
A. Administrator
B. Custodian
C. Owner
D. User
Answer: C
Owners have ultimate responsibility for the data and ensuring that is classified properly. The administrator assigns permissions based on the principles of least privilege and need to know. A custodian protects the integrity and security of the data. Users simply access the data.
41
41. What action usually closes the identification phase of incident response?
A. Publishing an incident report
B. Gathering evidence of the incident
C. Notifying the incident response team
D. Isolating compromised systems
Answer: C
The identification phase usually concludes with the notification of the incident response team.
42
42. How many rounds of encryption take place when the Data Encryption Standard (DES) is used?
A. 1
B. 3
C. 16
D. 32
Answer: C
DES utilizes 16 rounds of exclusive OR (XOR) operations to encrypt or decrypt a single block of each message encountered.
43
43. What rule of evidence states that a written agreement is assumed to contain all terms of the agreement?
A. Real evidence
B. Best evidence
C. Parol evidence
D. Chain of evidence
Answer: C
The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
44
44. Which of the following should be generally worker/user accessible?
A. Mission-critical data center
B. Main workspaces
C. Server vault
D. Wiring closet
Answer: B
Only the main workspaces should be generally worker/user accessible. The mission-critical data center, server vault, and wiring closets should be restricted to administrators and other specialized and authorized personnel.
45
45. Which one of the following backup types does not alter the archive bit on backed-up files?
A. Full backup
B. Remote journaling
C. Incremental backup
D. Differential backup
Answer: D
Differential backups store all files that have been modified since the time of the most recent full backup. They do not alter the archive bit.
46
46. Which of the following is not an important reason to implement physical layers of security in an installation to protect areas where sensitive information is stored and used?
A. Because access to sensitive areas can then be monitored and controlled
B. Because additional checks on identity and authorization can be required before allowing entry
C. Because visitors or other unclassified staff can be kept away from sensitive areas
D. Because access from public or low-security areas to sensitive areas never occurs
Answer: D
Access into sensitive areas from public or low-security areas actually occurs frequently and is one of the primary reasons solid physical security is necessary.
47
47. Alarms, CCTV, and monitoring devices are useful tools that fall under what form of access control?
```
A. Technical access control
B. Administrative access control
C. Logical access control
D. Physical access control
q
```
Answer: A
Technical physical security controls include access controls; intrusion detection; alarms; closed-circuit television (CCTV); monitoring; heating, ventilating, and air conditioning (HVAC); power supplies; and fire detection and suppression.
48
48. Juniper Enterprises' data center lies in a 500-year FEMA flood plain. What is the likelihood that a flood will affect the data center in any given year?
A. 1%
B. 5%
C. 0.2%
D. 0.1%
Answer: C
Flooding is expected once every 500 years in a 500-year flood plain. This is equivalent to a 0.2% annual risk of flood.
49
49. Which of the following represents a natural disaster for which little or no warning is common?
A. Earthquake
B. Hurricane or typhoon
C. Flood
D. Tsunami
Answer: A
Of the natural disasters listed for this question, predictive techniques are least understood for earthquakes, which can (and do) happen with little or no notice. Big storms and potential flooding are carefully monitored and reported on by media and government channels, often days in advance of anticipated events. Tsunami reporting and warnings are now widespread around the globe, with warning of hours or more increasingly typical in the wake of the 2005 Indian Ocean tsunami that devastated so many areas in southern Asia and its archipelagos.
50
50. RSA encryption relies on the use of two ___________________.
A. One-way functions
B. Prime numbers
C. Hash functions
D. Elliptic curves
Answer: B
The strength of RSA encryption relies on the difficulty of factoring the two large prime numbers used to generate the encryption key.
51
51. What procedure returns business facilities and environments to a working state?
A. Reparation
B. Restoration
C. Respiration
D. Recovery
Answer: B
Disaster restoration involves restoring a business facility and environment to a workable state.
52
52. What is the goal of a business continuity program?
A. Ensure that MTDs and RTOs are equal
B. Ensure that MTDs and RTOs do not coexist
C. Ensure that MTDs are less than RTOs
D. Ensure that RTOs are less than MTDs
Answer: D
The goal of a business continuity program is to ensure that recovery time objectives are shorter than maximum tolerable downtime measures.
53
53. Which of the following definitions best explains the purpose of an intrusion detection system?
A. A product that inspects incoming and outgoing traffic across a network boundary to deny transit to unwanted, unauthorized, or suspect packets
B. A device that provides secure termination or aggregation for IP phones, VoIP handsets, and softphones
C. A device that, using complex content categorization criteria and content inspection, prevents potentially dangerous content from entering a network
D. A product that automates the inspection of audit logs and real-time event information to detect intrusion attempts and possibly also system failures
Answer: D
An intrusion detection system (IDS) is a product that automates the inspection of audit logs and real-time event information to detect intrusion attempts. Option A defines a firewall, option B defines an IP telephony security gateway, and option C defines a content filtering system.
54
54. Of the following choices, what is a primary goal of change management?
A. Personnel safety
B. Allowing rollback of changes
C. Ensuring that changes do not reduce security
D. Auditing privilege access
Answer: C
The goal of change management is to ensure that any change does not lead to unintended outages or reduce security. Change management doesn't affect personnel safety. A change management plan will commonly include a rollback plan, but that isn't a specific goal of the program. Change management doesn't perform any type of auditing.
55
55. What law makes it a crime to cause malicious damage to a "federal interest" computer?
A. Computer Security Act
B. Computer Fraud and Abuse Act
C. Federal Sentencing Guidelines
D. Government Information Security Reform Act
Answer: B
Amendments to the Computer Fraud and Abuse Act criminalize causing damage to federal systems, federal interest systems, and computers involved in interstate commerce.
56
56. Matthew recently completed writing a new song and posted it on his website. He wants to ensure that he preserves his copyright in the work. As a US citizen, which of the following is the minimum that he must do to preserve his copyright in the song?
A. Register the song with the US Copyright Office.
B. Mark the song with the © symbol.
C. Mail himself a copy of the song in a sealed envelope.
D. Nothing.
Answer: D
Matthew is not required to do anything. Copyright protection is automatic as soon as he creates the work.
57
57. What law requires that communications carriers cooperate with federal agencies conducting a wiretap?
A. CFAA
B. CALEA
C. EPPIA
D. ECPA
Answer: B
The Communications Assistance to Law Enforcement Act (CALEA) requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order.
58
58. Which of the following is not a valid issue to consider when evaluating a safeguard?
A. Cost/benefit analysis
B. Compliance with existing baselines
C. Legal liability and prudent due care
D. Compatibility with IT infrastructure
Answer: B
New safeguards establish new baselines; thus, compliance with existing baselines is not a valid consideration point.
59
59. Which of the following is an example of administrative law?
A. United States Code
B. European Union Directives
C. United States Constitution
D. Code of Federal Regulations
Answer: D
The Code of Federal Regulations (CFR) is an example of administrative law.
60
60. What type of backup will copy only those files that have been modified since the most recent full backup?
A. Full backup
B. Incremental backup
C. Journaled backup
D. Differential backup
Answer: D
Differential backups copy all files modified since the most recent full backup.
61
61. Which one of the following attacks allows an attacker to execute arbitrary commands against the database supporting a web application?
A. SQL injection
B. Transaction manipulation
C. Cross-site scripting
D. Parameter manipulation
Answer: A
SQL injection attacks allow attackers to include their own SQL commands in the commands issued by a web application to a database.
62
62. Which one of the following would be considered a system compromise?
A. Forged spam email appearing to come from your organization
B. Unauthorized use of an account by the legitimate user's relative
C. Probing a network searching for vulnerable services
D. Infection of a system by a virus
Answer: B
Sharing an account with a relative allows unauthorized access to a system, meeting the definition of a compromise. Forged spam email does not necessarily require access to your organization's computing resources. Probing a network for vulnerable services is a scanning attack. Infection of a system by a virus is a malicious code attack.
63
63. What procedure returns business operations and processes to a working state?
A. Recovery
B. Restoration
C. Reparation
D. Respiration
Answer: A
Disaster recovery is the ability to recover from the loss of a complete site, whether because of natural disaster or malicious intent.
64
64. The operating system design concept of protection rings was derived from what early operating system?
A. Windows
B. Unix
C. Multics
D. Macintosh
Answer: C
Multics has left two enduring legacies in the computing world. First, it inspired the creation of a simpler, less-intricate operating system called Unix (a play on the word multics), and second, it introduced the idea of protection rings to operating system design.
65
65. Which one of the following patterns of activity is indicative of a scanning attack?
A. Large number of blocked connection attempts on port 22
B. Large number of successful connection attempts on port 80
C. Large number of successful connection attempts on port 443
D. Large number of disk failure events
Answer: A
A high number of blocked connection attempts may indicate that an attacker is scanning systems that do not offer a particular service on a particular port. Port 22 is the TCP port usually used by the Secure Shell (SSH) protocol, a common target of scanning attacks.
66
66. Which one of the following assumptions is not necessary before you trust the public key contained on a digital certificate?
A. The digital certificate of the CA is authentic.
B. You trust the sender of the certificate.
C. The certificate is not listed on a CRL.
D. The certificate actually contains the public key.
Answer: B
You do not need to trust the sender of a digital certificate as long as the certificate meets the other requirements listed and you trust the certification authority.
67
67. What technology can be used to minimize the impact of a server failure immediately before the next backup was scheduled?
A. Clustering
B. Differential backups
C. Remote journaling
D. Tape rotation
Answer: A
Clustering servers adds a degree of fault tolerance, protecting against the impact of a single server failure.
68
68. Which of the following is the term used for any potential occurrence that can cause an undesirable or unwanted outcome to an organization or to a specific asset?
A. Realized risk
B. Incident
C. Breach
D. Threat
Answer: D
A potential occurrence that can cause an undesirable or unwanted outcome to an organization or to a specific asset is a threat.
69
69. Why are military and intelligence attacks among the most serious computer crimes?
A. The use of information obtained can have far-reaching detrimental strategic effects on national interests in an enemy's hands.
B. Military information is stored on secure machines, so a successful attack can be embarrassing.
C. The long-term political use of classified information can impact a country's leadership.
D. The military and intelligence agencies have ensured that the laws protecting their information are the most severe.
Answer: A
The purpose of a military and intelligence attack is to acquire classified information. The detrimental effects of using such information could be nearly unlimited in the hands of an enemy.
70
70. What is the typical activation time for a warm site?
A. 1 hour
B. 12 hours
C. 24 hours
D. 72 hours
Answer: B
Warm sites can typically be activated within 12 hours.
71
71. What is a common security risk when using grid computing solutions that consume available resources from computers over the Internet?
A. Loss of data privacy
B. Latency of communication
C. Duplicate work
D. Capacity fluctuation
Answer: A
In many grid computing implementations, grid members can access the contents of the distributed work segments or divisions. This grid computing over the Internet is not usually the best platform for sensitive operations.
72
72. A momentary loss of power is what form of power issue?
A. Brownout
B. Spike
C. Sag
D. Fault
Answer: D
A fault is any abnormal situation in an electrical system when electrical current does not flow through the intended parts.
73
73. What is residual risk?
A. The risk remaining after a countermeasure is installed
B. The level of risk that slowly evaporates over time as implemented safeguards mature
C. The total amount of risk an organization faces
D. The risk that management chooses to accept rather than mitigate
Answer: D
Residual risk is the risk that management has chosen to accept rather than mitigate.
74
74. Where is a good location for a turnstile?
A. Main entrance to a secure area
B. Primary entrance for the public to enter a retail space
C. On secondary or side exits
D. On internal office intersections
Answer: C
Turnstiles are most appropriate on secondary or side exits where a security guard is not available or is unable to maintain constant surveillance. The other options listed are not as ideal for the use of a turnstile.
75
75. What type of malicious code appears to be a beneficial program but actually performs some type of malicious activity in the background?
A. Virus
B. Worm
C. Trojan horse
D. Logic bomb
Answer: C
Trojan horses are programs that appear to the user to be some type of beneficial program (such as a game or utility) but perform a malicious activity in the background.
76
76. You were hired to perform a business impact assessment for a company located in Southern California and are evaluating the firm's exposure to wildfires. You've determined that the value of the firm's facilities and equipment is $10,000,000. After consulting fire experts, you've determined that there is a 10 percent chance that the facility will be 75 percent destroyed by wildfire in a given year. What is the single loss expectancy?
A. $75,000
B. $100,000
C. $750,000
D. $7,500,000
Answer: D
The single loss expectancy is computed by multiplying the asset value ($10,000,000) by the exposure factor (75 percent). In this case, the single loss expectancy is $7,500,000.
77
77. Which of the following serve as operational guides for both security professionals and users, are flexible, and state what should be done instead of prescribing a specific product or control?
A. Policies
B. Baselines
C. Guidelines
D. Procedures
Answer: C
Guidelines serve as operational guides for both security professionals and users. They are flexible, so they can be customized for each unique system or condition. Guidelines state what should be done (in other words, what security mechanisms should be deployed) instead of prescribing a specific product or control and detailing configuration settings. Guidelines outline methodologies, include suggested actions, and are not compulsory.
78
78. What regulation formalizes the prudent man rule, requiring that senior executives of an organization take personal responsibility for ensuring due care?
A. National Information Infrastructure Protection Act
B. Federal Information Security Management Act
C. Information Security Reform Act
D. Federal Sentencing Guidelines
Answer: D
The Federal Sentencing Guidelines formalized the prudent man rule and applied it to information security.
79
79. Which one of the following determinations might result from a qualitative risk assessment?
A. Annualized loss expectancy
B. Single loss expectancy
C. Categorical prioritization
D. Exposure factor
Answer: C
Qualitative risk assessment uses nonnumerical factors, such as categorical prioritization. The other choices listed are examples of factors used in quantitative risk assessment.
80
80. True or false: all compliance obligations are dictated by state, federal, or international law?
A. True
B. False
Answer: B
Some compliance obligations are dictated by contractual relationships, such as the Payment Card Industry Data Security Standard.
81
81. Which of the following represent natural events that can pose a threat or risk to an organization?
A. Earthquake
B. Tornado
C. Flood
D. All of the above
Answer: D
Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornados, wildfires, and other acts of nature.
82
82. What layer of the ring protection scheme includes programs running in supervisory mode?
A. Level 0
B. Level 1
C. Level 3
D. Level 4
Answer: A
Supervisory mode programs are run by the security kernel, at Level 0 of the ring protection scheme.
83
83. Which of the following is the least secure method for determining whether software is infected by a virus?
A. Scan it with a virus inspection tool.
B. Execute it.
C. Verify the size of its core files.
D. Perform a cyclic redundancy check (CRC) on its core files.
Answer: B
Users should never test an executable by executing it.
84
84. What security principle ensures a unique memory area for each application running on a system?
A. Process isolation
B. Protection rings
C. Abstraction
D. Security kernel
Answer: A
Process isolation, also called memory protection, ensures that each process has its own isolated memory space for the storage of data and the actual executing application code.
85
85. What is the most common and inexpensive form of physical access control device?
A. Cameras
B. Mantraps
C. Escape hatch
D. Locks
Answer: D
Locks are an essential and integral component to any business environment because they restrict access to only those who possess the key. They are found virtually everywhere that humans may access areas, systems, and so on.
86
86. What is the main goal of business continuity planning?
A. Restore operations to the primary site as quickly as possible.
B. Implement a smooth transition to an alternative site without loss of data.
C. Reduce the likelihood that a disaster will destroy your data processing facility.
D. Ensure the continuous operation of the business in an emergency.
Answer: D
Business continuity planning is designed to keep your business up and running in the face of an emergency.
87
87. Which of the following is not a useful item to consider when establishing the value of an asset?
A. Development cost
B. Intellectual property or equity value
C. Liability of asset loss
D. Classification level
Answer: D
Classification level is assigned based on an asset's value as well as its sensitivity and confidentiality. It is not used as a valuation element.
88
88. The Data Encryption Standard (DES) cipher operates on blocks of text of what size?
A. 56 bits
B. 64 bits
C. 112 bits
D. 128 bits
Answer: B
The DES cipher operates on messages in 64-bit blocks.
89
89. An organization recently installed and configured a database application on a server. The application uses service accounts and these accounts were granted administrator access on the network to streamline configuration. Later, malware infected the server and used the application service account to escalate its privileges as an administrator. Which of the following principles was not followed?
A. Privilege creep
B. Separation of duties
C. Need-to-know
D. Principle of least privilege
Answer: D
Granting the service account full network administrator privileges violates the principle of least privilege. It is often easier to configure it this way, but it is not secure. Privilege creep occurs when users are granted additional privileges as job requirements change, but unneeded privileges are not removed. Separation of duties ensures a single entity doesn't control all elements of a critical process. Need-to-know ensures users are granted access to only the data they need and no more.
90
90. Which of the following provides the best protection to ensure the confidentiality of data at rest?
A. Destruction
B. Encryption
C. Sanitization
D. Marking
Answer: B
Encryption provides strong protection to ensure the confidentiality of data at rest and is the best choice of the available answers.
91
91. Christopher recently received word that his application for a trademark was approved by the US Patent and Trademark Office. What symbol should he use next to the name to indicate its protected status?
A. ©
B. ®
C. ™
D. †
Answer: B
The ® symbol is reserved for trademarks that have received official registration status by the US Patent and Trademark Office.
92
92. Matthew and Richard want to communicate with each other using a public key cryptosystem. What is the total number of keys they must have to successfully communicate?
A. 1
B. 2
C. 3
D. 4
Answer: D
To use public key cryptography, Matthew and Richard must each have their own pair of public and private cryptographic keys.
93
93. What occurs when the relationship between the plain text and the key is complicated enough that an attacker can't merely continue altering the plain text and analyzing the resulting cipher text to determine the key? (Choose all that apply.)
A. Confusion
B. Transposition
C. Polymorphism
D. Diffusion
Answer: A;D
Confusion and diffusion are two principles underlying most cryptosystems.
94
94. The purchasing of insurance is a form of ___________________.
A. Risk mitigation
B. Risk assignment
C. Risk acceptance
D. Risk rejection
Answer: B
Insurance is a form of risk assignment or transference.
95
95. What is the duration of trade secret protection under federal law?
A. 20 years
B. 25 years
C. 50 years
D. Unlimited
Answer: D
There is no limit to the duration of trade secret protection.
96
96. Issues commonly addressed in a(n) _____________ include system uptime requirements, peak and average load expectations, diagnostic responsibilities, failover and redundancy, and financial or contractual remedies for noncompliance.
A. MOU
B. ECDHE
C. SLA
D. OCSP
Answer: C
Issues commonly address in a service-level agreement (SLA) include system uptime requirements, peak and average load expectations, diagnostic responsibilities, failover and redundancy, and financial or contractual remedies for noncompliance.
97
97. Which backup format stores only those files that have been set with the archive bit and have been modified since the last complete backup?
A. Differential backup
B. Partial backup
C. Incremental backup
D. Full backup
Answer: A
Differential backups store all files that have been modified since the time of the most recent full backup; they affect only those files that have the archive bit turned on, enabled, or set to 1.
98
98. What is the major weakness inherent in public key cryptography systems?
A. Slow speed
B. Difficulty of key exchange
C. Lack of scalability
D. Lack of nonrepudiation capability
Answer: A
Public key cryptosystems are notoriously slower than their secret key counterparts. They eliminate the difficulty of key exchange and provide for both scalability and nonrepudiation.
99
99. What type of disaster recovery test is the simplest to perform?
A. Structured walk-through
B. Read-through
C. Simulation
D. Parallel
Answer: B
In the read-through test, you distribute copies of the disaster recovery plan to key personnel for review but do not actually meet or perform live testing.
100
100. Which one of the following business impact assessment variables provides the recovery time objective for a business function?
A. AV
B. SLE
C. ARO
D. MTD
Answer: D
The maximum tolerable downtime (MTD) is equivalent to the recovery time objective (RTO). It provides the maximum length of time a business function can be inoperable without causing irreparable harm to the business.
101
101. Known as reciprocal agreements, what pledge binds two organizations into a mutually helpful recovery process in the event of disaster?
A. Mutual assistance agreements
B. Business continuity plan
C. Disaster recovery plan
D. Software escrow
Answer: A
MAAs are popular in disaster recovery literature but difficult to implement. They are agreements between two parties to mutually assist one another in the event of disaster.
102
102. What organization created the Ten Commandments of Computer Ethics?
A. Internet Advisory Board
B. (ISC)2
C. Information Security Audit and Control Association
D. Computer Ethics Institute
Answer: D
The Computer Ethics Institute created the Ten Commandments of Computer Ethics.
103
103. The Twofish algorithm uses an encryption technique not found in other algorithms that XORs the plain text with a separate subkey before the first round of encryption. What is this called?
A. Preencrypting
B. Prewhitening
C. Precleaning
D. Prepending
Answer: B
Prewhitening XORs the plain text with a separate subkey before the first round of encryption.
104
104. What is the real purpose for a honeypot or a honeynet?
A. To keep attackers away from real systems or networks they might otherwise attack
B. To provide a lure for attackers by advertising the presence of a weak or insecure system or network
C. To provide a walled-off environment that simulates a production network or system and provides fake data to retain an intruder's interest following detection and transfer by an IDS
D. To lure attackers into a bogus system or network environment and present sufficient material of apparent worth or interest to keep the attacker around long enough to track them down
Answer: D
A honeypot (single system) or honeynet (entire network) is intended to provide a lure for attackers, and by design it provides sufficient material of apparent worth or interest to keep attackers around for a while. Option A is an optimistic outlook on the value of honeypots or honeynets vis-à-vis production networks, option B is based on the definition of entrapment (undesirable, if prosecution might ever be a goal), and option C refers to a so-called padded cell.
105
105. ___________________ ensures against unauthorized access to information deemed personal or confidential.
A. Integrity
B. Availability
C. Nonrepudiation
D. Privacy
Answer: D
The principle of privacy ensures freedom from unauthorized access to information deemed personal or confidential.
106
106. A prolonged period of low voltage is typical of which power-related issue?
A. Blackout
B. Inrush
C. Transient
D. Brownout
Answer: D
A brownout is a reduction of electrical power or a temporary drop in power, but voltage is still present.
107
107. Which backup procedure replicates only those files that have been added or changed since the last backup of any kind?
A. Electronic vaulting
B. Incremental backup
C. Full backup
D. Differential backup
Answer: B
Incremental backups store only those files that have been modified since the time of the most recent full or incremental backup. Incremental backups duplicate only those files that have the archive bit turned on.
108
108. What kind of alarm system will notify local police, fire, or emergency services when triggered?
A. Local alarm system
B. Remote alarm system
C. Auxiliary alarm system
D. Centralized alarm system
Answer: C
Auxiliary alarm systems facilitate local, remote, and centralized alarm systems by notifying external sources (police, fire, medical) of signifying events.
109
109. Which of the following programming languages is least prone to the undetected insertion of malicious code by a third party?
A. C++
B. Java
C. VBScript
D. Fortran
Answer: C
Of the languages listed, VBScript is the least prone to undetected modification by third parties because it is an interpreted language, whereas the other three languages (C++, Java, and Fortran) are compiled languages.
110
110. The normal operations of a business are restored at the conclusion of the _______ phase of incident response.
A. Identification
B. Analysis
C. Closure
D. Lessons learned
Answer: C
The closure phase includes the restoration of the normal business operations of an organization.
111
111. You operate a grain processing business and are developing your restoration priorities. Which one of the following systems would likely be your highest priority?
A. Order-processing system
B. Fire suppression system
C. Payroll system
D. Website
Answer: B
People should always be your highest priority in business continuity planning. As a life safety system, fire suppression systems should always receive high prioritization.
112
112. Who is believed to have been behind the Stuxnet attack? (Choose all that apply.)
A. Iran
B. Israel
C. United States
D. Iraq
Answer: B;C
The Stuxnet attack is believed to have been a joint American-Israeli operation to disrupt Iranian nuclear operations.
113
113. To what type of application attack are CGI scripts and other web-based software especially vulnerable?
A. TOCTTOU attacks
B. Rootkit attacks
C. Trap-door attacks
D. Buffer overflow attacks
Answer: D
CGI and other web-based programs are especially vulnerable to buffer overflow attacks because they are developed rapidly and are available to external users.
114
114. Chris would like to test systems on his network for cross-site scripting (XSS) vulnerabilities. Which one of the following tools would be best suited to this task?
A. Port scanner
B. Network vulnerability scanner
C. Network discovery scanner
D. Web vulnerability scanner
Answer: D
Cross-site scripting attacks are web vulnerabilities and Chris would be best served by a web vulnerability scanner. A network vulnerability scanner might also pick up this vulnerability, but the web vulnerability scanner is specifically designed for the task and more likely to be successful.
115
115. What BIA measure describes the proportion of an asset that will be damaged if a risk materializes?
A. AV
B. EF
C. ARO
D. SLE
Answer: B
The exposure factor (EF) describes the amount of damage that a risk poses to an asset, expressed as a percentage of the asset's value.
116
116. Which of the following models uses labels to define classifications levels of objects?
A. Mandatory access control model
B. Discretionary access control model
C. Role-based access control model
D. Rule-based access control model
Answer: A
A mandatory access control model uses labels to classify objects such as data. Subjects with matching labels can access these objects. None of the other models use labels.
117
117. An executive's company-purchased mobile phone was lost or stolen. At this point, what could be done to ensure data on the phone cannot be read by someone who has the phone?
A. Encryption
B. GPS
C. Remote wipe
D. Password-protected screen lock
Answer: C
After a phone has been stolen, a remote wipe signal can be sent to the phone to clear it of all data. Encryption would be effective in preventing someone from reading the data before it was stolen but not afterward, and if a dedicated attacker has the phone, it is possible the encryption can be cracked. GPS can help identify the location, but it would not prevent access to data. Password protection slows down an unauthorized user but would not prevent access.
118
118. Which one of the following items is not a critical piece of information in the chain of evidence?
A. General description of the evidence
B. Name of the person collecting the evidence
C. Relationship of the evidence to the crime
D. Time and date the evidence was collected
Answer: C
The chain of evidence does not require that the evidence collector know or document the relationship of the evidence to the crime.
119
119. Which is not a part of an electronic access control lock?
A. An electromagnet
B. A credential reader
C. A door sensor
D. A biometric scanner
Answer: D
An electronic access control (EAC) lock comprises three elements: an electromagnet to keep the door closed, a credential reader to authenticate subjects and to disable the electromagnet, and a door-closed sensor to reenable the electromagnet.
120
120. What simple safeguard can be used to protect against replay attacks in secure communications?
A. Changing keys daily
B. Time-stamping messages
C. Digital signatures
D. Message digests
Answer: B
Replay attacks take advantage of authentication requests that do not include a time stamp by later replaying the message to open a new authenticated session.
121
121. An organization wants to implement a cloud-based service using a combination of two separate clouds. Which deployment model should they choose?
A. Community
B. Hybrid
C. Private
D. Public
Answer: B
The hybrid model includes a combination of two or more clouds. The other answers refer to a single cloud-based structure. A community model is shared with two or more organizations but it can be a single cloud. A private cloud is private to an organization, and a public cloud is available to any organization.
122
122. What is the Delphi technique?
A. A security model
B. A form of qualitative risk analysis
C. An encryption mechanism
D. A security audit process
Answer: B
The Delphi technique is a form of qualitative risk analysis that uses an anonymous feedback-and-response process to arrive at a group consensus.
123
123. What form of access control is concerned with the data stored by a field rather than any other issue?
A. Content-dependent
B. Context-dependent
C. Semantic integrity mechanisms
D. Perturbation
Answer: A
Content-dependent access control is focused on the internal data of each field.
124
124. What type of network discovery scan attempts to simulate an already open network connection?
A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan
Answer: D
The TCP ACK scan sends an ACK packet, simulating a packet from the middle of an already established connection.
125
125. What law amended the Computer Fraud and Abuse Act to include protections for portions of the national infrastructure?
A. Government Information Security Reform Act
B. Computer Security Act
C. Comprehensive Crime Control Act
D. National Information Infrastructure Protection Act
Answer: D
The National Information Infrastructure Protection Act extends protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids, and telecommunications circuits.
126
126. How many times may the owner of a trademark renew the trademark registration?
A. Once
B. Twice
C. Five times
D. Unlimited
Answer: D
There is no limit on the number of 10-year renewals that may be filed for a registered trademark.
127
127. The backup administrator configures a system to perform full backups on Sundays and incremental backups on Mondays through Saturdays. The system fails on Wednesday. What backups must be applied?
A. Sunday only
B. Sunday, Monday, Tuesday, and Wednesday
C. Sunday and Wednesday only
Answer: B
With incremental backups, you must first restore the most recent full backup and then apply all incremental backups that occurred since that full backup.
128
128. What is the name of the security protocol designed by Visa and MasterCard to provide e-commerce security?
A. SSL
B. SSH
C. S-HTTP
D. SET
Answer: D
The Secure Electronic Transaction (SET) protocol serves as a method of securing e-commerce transactions.
129
129. Which one of the following is not a hashing algorithm?
A. MD4
B. MD5
C. SHA
D. PGP
Answer: D
Pretty Good Privacy (PGP) is an email encryption system and not a hashing algorithm.
130
130. Which of the following is not an expected result of requiring users to regularly change their workstation assignment or physical location?
A. Deters collusion between employees because ever-changing constellations of co-workers are less likely to bond sufficiently to perform unauthorized or illegal activities together
B. Encourages users to store personal information on systems
C. Encourages users to keep all work materials on network servers where they can be easily protected, overseen, and audited
D. Gives users little or no opportunity to customize their systems or to install unapproved software because subsequent users will discover and report such changes
Answer: B
Options A, C, and D are examples of valid reasons why changes to workstation assignments or physical location can improve or maintain security. Regularly changing workstation assignment or location discourages users from storing personal information on systems.
131
131. Which of the following best describes change management?
A. Preventing changes to systems
B. Ensuring only approved changes are implemented
C. Ensuring that changes do not reduce security
D. Auditing privilege access
Answer: B
The goal of change management is to ensure that any change does not lead to unintended outages or reduce security. Change management doesn't affect personnel safety. A change management plan will commonly include a rollback plan, but that isn't a specific goal of the program. Change management doesn't perform any type of auditing.
132
132. Which of the following combinations of terms defines the operations security triple?
A. Confidentiality, integrity, and availability (the CIA Triad)
B. Authentication, authorization, and accounting (AAA)
C. The relationship between assets, vulnerabilities, and threats
D. Due care, due diligence, and operations controls
Answer: C
The primary purpose for operations security is to safeguard information assets that reside in a system day to day, to identify and safeguard any vulnerabilities that might be present in that system, and to prevent any exploitation of threats. Administrators often call the relationship between assets, vulnerabilities, and threats an operations security triple. CIA relates to a model used to develop security policy, and AAA defines a framework for managing access to computer resources, enforcing policy, auditing usage, and providing usage data for charge backs or billing. Due care, due diligence, and operations controls are part of operations security but not in the same sense as in the relationship between assets, vulnerabilities, and threats.
133
133. A(n) ______________ system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.
A. Assured
B. Updated
C. Protected
D. Trusted
Answer: D
A trusted system is one in which all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.
134
134. What is the first step of the business impact assessment process?
A. Identification of priorities
B. Likelihood assessment
C. Risk identification
D. Resource prioritization
Answer: A
Identification of priorities is the first step of the business impact assessment process.
135
135. Which of the following is not related to verifying that a candidate for employment is qualified as well as not disqualified for a position?
A. Education verification
B. Reference checks
C. Security clearance validation
D. Signing an NDA
Answer: D
Singing an NDA may be a part of the hiring process, but it is not related to verifying that a candidate for employment is qualified as well as not disqualified for a position.
136
136. What type of alternate processing facility contains an organization's data at all times?
A. Hot site
B. Warm site
C. Cold site
D. MAA site
Answer: A
Hot sites contain updated copies of the organization's data, ready to assume an operational role.
137
137. During what phase of the IDEAL model does the organization develop, test, refine, and implement solutions?
A. Initiating
B. Diagnosing
C. Establishing
D. Acting
Answer: D
In the acting phase, it's time to stop "talking the talk" and "walk the walk." The organization develops solutions and then tests, refines, and implements them.
138
138. Which of the following is not a critical member of a BCP team?
A. Legal representatives
B. Information security representative
C. Technical and functional experts
D. Chief executive officer
Answer: D
While it is important to have executive-level support, it is not necessary (and quite unlikely!) to have the CEO on the team.
139
139. What process provides a framework for cost/benefit analysis related to proposed changes?
A. Request control
B. Release control
C. Deployment control
D. Change control
Answer: A
The request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
140
140. Christopher wishes to digitally sign a message he is sending to Matthew. What key should Christopher use to create the digital signature?
A. Christopher's public key
B. Christopher's private key
C. Matthew's public key
D. Matthew's private key
Answer: B
Christopher creates the digital signature using his own private key.
141
141. Which of the following is most closely associated with the security model of an access control matrix?
A. Trusted computing base
B. Capabilities list
C. Security token
D. Formal enrollment
Answer: B
A capabilities list maintains a row of security attributes for each controlled object. A capabilities list is the row of an access control matrix.
142
142. What protocol is slowly replacing certificate revocation lists as a real-time method of verifying the status of a digital certificate?
A. OLAP
B. LDAP
C. OCSP
D. BGP
Answer: C
The Online Certificate Status Protocol (OCSP) provides real-time query/response services to digital certificate users. This overcomes the latency inherent in the traditional certificate revocation list download and cross-check process.
143
143. Jane is selecting a backup strategy for her organization. She wants to choose a combination of two backup types that will provide full coverage of modified files and require restoring the minimum number of backup tapes. What strategy should she choose?
A. Full and incremental backups
B. Full and transaction logging
C. Full and differential backups
D. Incremental and differential backups
Answer: C
A combination of full and differential backups requires that administrators only restore two backups: the most recent full backup and the most recent differential backup.
144
144. Which of the following models includes a lattice-based format to define object access?
A. Role-based access control model
B. Rule-based access control model
C. Mandatory access control model
D. Discretionary access control model
Answer: C
A mandatory access control model includes a lattice-based format, with labels used to identify separate compartments. None of the other models include a lattice-based format.
145
145. You are selecting an alternate processing facility for your organization and must select an approach that allows recovery site activation within six hours. What site should you choose?
A. Hot site
B. Warm site
C. Cold site
D. MAA site
Answer: A
Hot sites are the only site capable of activation within the required six-hour timeframe.
146
146. Flo and Ricky are sending messages to each other using an asymmetric encryption algorithm. Flo wants to send Ricky a private message. What key should she use to encrypt it?
A. Flo's public key
B. Flo's private key
C. Ricky's public key
D. Ricky's private key
Answer: C
Flo should encrypt the message with Ricky's public key.
147
147. What type of virus modifies operating system routines to trick antivirus software into thinking everything is functioning normally?
A. Multipart viruses
B. Stealth viruses
C. Encrypted viruses
D. Polymorphic viruses
Answer: B
Stealth viruses alter operating system file access routines so that when an antivirus package scans the system, it is provided with the information it would see on a clean system rather than with infected versions of data.
148
148. What sort of penetration testing team is completely unaware of the working environment?
A. Ethical hacker
B. Partial knowledge team
C. Full knowledge team
D. Zero knowledge team
Answer: D
The zero knowledge team knows nothing about the site except for basic information, such as domain name and company address.
149
149. What business continuity metric identifies the longest period of time that a business function may be unavailable without causing irreparable harm to the business?
A. MTD
B. RTO
C. SLE
D. ALE
Answer: A
The maximum tolerable downtime (MTD) is the maximum length of time a business function can be inoperable without causing irreparable harm to the business.
150
150. What form of infrastructure mode wireless networking deployment supports large physical environments through the use of a single SSID but numerous access points?
A. Stand-alone
B. Wired extension
C. Enterprise extended
D. Bridge
Answer: C
Enterprise extended infrastructure mode exists when a wireless network is designed to support a large physical environment through the use of a single SSID but numerous access points.
151
151. What term is used to describe hiding messages within graphical images?
A. Pseudocryptography
B. Graphography
C. Steganography
D. Rheumatology
Answer: C
Steganography is the art of hiding messages within the bits of a graphical image to avoid detection.
152
152. During which phase of the business impact assessment do you determine the risks that you're willing to address simultaneously?
A. Risk identification
B. Likelihood assessment
C. Criticality prioritization
D. Resource prioritization
Answer: D
During the resource prioritization phase, you determine the risks that you're able to simultaneously address with the resources available to you.
153
153. In which phase of the Capability Maturity Model for Software do developers begin to operate according to a set of formal, documented software development practices?
A. Initial
B. Repeatable
C. Defined
D. Managed
Answer: C
The Defined phase introduces formal, documented software development processes.
154
154. During threat modeling, several options exist for ranking or rating the severity and priority of threats. Which of the following not a threat modeling ranking system?
A. DREAD
B. Probability * Damage Potential
C. Qualitative analysis
D. High/medium/low
Answer: C
Qualitative analysis is part of risk management/risk assessment, but it is not specifically a means of ranking or rating the severity and priority of threats under threat modelling. The three common means of ranking or rating the severity and priority of threats are DREAD, Probability * Damage Potential, and High/medium/low.
155
155. What type of information is not normally included in the risk acceptance/mitigation portion of BCP (business continuity plan) documentation?
A. Reasons for accepting risks
B. Potential future events that might warrant reconsideration of the decision
C. Identification of insurance policies that apply to a given risk
D. Risk mitigation provisions and processes
Answer: C
Insurance policies are an example of risk assignment/transference and would not be described in the risk acceptance/mitigation section of the documentation.
156
156. Security guards or mantraps are representative forms of what secure access control?
A. Technical access control
B. Administrative access control
C. Personnel access control
D. Physical access control
Answer: D
Physical controls for physical security include fencing, lighting, locks, construction materials, mantraps, dogs, and guards.
157
157. An organization has a patch management program but wants to implement another method to ensure that systems are kept up to date. What could they use?
A. Change management program
B. Configuration management program
C. Port scanners
D. Vulnerability scanners
Answer: D
Vulnerability scanners can check systems to ensure they are up to date with current patches (along with other checks) and are an effective tool to verify the patch management program. Change and configuration management programs ensure systems are configured as expected and unauthorized changes are not allowed. A port scanner is often part of a vulnerability scanner but it will check only for open ports, not patches.
158
158. Systems within an organization are configured to automatically receive and apply patches when they are applied. After receiving a patch, 55 of the systems automatically restarted but booted into a stop error. What could have prevented this problem without sacrificing security?
A. Disable the setting to automatically apply the patches.
B. Implement a patch management program to approve all patches.
C. Ensure systems are routinely audited for patches.
D. Implement a patch management program that tests patches before deploying them.
Answer: D
An effective patch management program evaluates and tests patches before deploying them and would have prevented this problem. Approving all patches would not prevent this problem because the same patch would be deployed. Systems should be audited after deploying patches, not to test for the impact of new patches.
159
159. Which of the following passwords uses a challenge-response mechanism to create a one-time password?
A. Synchronous one-time passwords
B. Asynchronous one-time passwords
C. Strong static passwords
D. Passphrases
Answer: B
An asynchronous token generates and displays one-time passwords using a challenge-response process to generate the password. A synchronous token is synchronized with an authentication server and generates synchronous one-time passwords. Static passwords are not one-time passwords but instead stay the same for a period of time. A passphrase is a static password created from an easy-to-remember phrase.
160
160. Which of the following actions does not usually occur during the restoration phase of incident response?
A. Disconnecting a system from the network
B. Restoring backup data
C. Rebuilding compromised systems
D. Supplementing existing security controls
Answer: A
Systems are usually disconnected from the network during the isolation and recovery process.
161
161. Which BCP (business continuity plan) task requires that you create a comprehensive list of business processes?
A. Criticality prioritization
B. Risk identification
C. Likelihood assessment
D. Impact assessment
Answer: A
In the criticality prioritization task, you create a list of business processes and rank them in order of importance to the organization.
162
162. What provision of the European Union's safe harbor for privacy requires mechanisms to protect data against loss?
A. Notice
B. Access
C. Security
D. Enforcement
Answer: C
The security provisions of the safe harbor require proper mechanisms to protect data against loss, misuse, and unauthorized disclosure.
163
163. Which of the following types of intrusion detection systems (IDSs) is effective only against known attack methods?
A. Behavior-based
B. Host-based
C. Knowledge-based
D. Network-based
Answer: C
A knowledge-based (or signature-based) IDS is effective only against known attack methods. A behavior-based IDS starts by creating a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior, allowing it to detect previously unknown attack methods. Both host-based and network-based systems can be either knowledge-based, behavior-based, or a combination of both.
164
164. A complete loss of power is what kind of power issue?
A. Brownout
B. Fault
C. Blackout
D. Surge
Answer: C
In a blackout, a total loss of electrical power, as supplied by a utility company or source, or a zero-voltage condition occurs.
165
165. What type of disaster recovery test involves relocating personnel to the alternate recovery site but does not take the main facility offline?
A. Checklist test
B. Structured walkthrough
C. Simulation test
D. Parallel test
Answer: D
The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures.
166
166. What law requires that federal agencies develop and implement an effective information security program?
A. CALEA
B. FERPA
C. FISMA
D. CFAA
Answer: C
The Federal Information Security Management Act (FISMA), passed in 2002, requires that federal agencies implement an information security program that covers the agency's operations.
167
167. What type of attack occurs when malicious users position themselves between a client and server and then interrupt the session and take it over?
A. Man-in-the-middle
B. Spoofing
C. Hijack
D. Cracking
Answer: C
In a hijack attack, which is an offshoot of a man-in-the-middle attack, a malicious user is positioned between a client and server and then interrupts the session and takes it over. A man-in-the middle attack doesn't interrupt the session and take it over. Spoofing hides the identity of the attacker. Cracking commonly refers to discovering a password but can also mean any type of attack.
168
168. Of the following choices, what is a primary benefit when images are used to deploy new systems?
A. Provides baseline for configuration management
B. Improves patch management response times
C. Reduces vulnerabilities from unpatched systems
D. Provides documentation for changes
Answer: A
When images are used to deploy systems, the systems start with a common baseline, which is important for configuration management. Images don't necessarily improve the evaluation, approval, deployment, and audits of patches to systems within the network. While images can include current patches to reduce their vulnerabilities, this is because the image provides a baseline. Change management provides documentation for changes.
169
169. An abuse by an unauthorized person to use authorized personnel identification as a means of entry is what form of attack?
A. Piggybacking
B. Masquerading
C. Eavesdropping
D. Intrusion
Answer: B
Masquerading occurs when a person presents him- or herself as another user, typically to gain access to unauthorized information or processes.
170
170. Which of the following is an example of a risk best measured in qualitative form?
A. Downtime of systems
B. Loss of financial resources
C. Loss of customer goodwill
D. Damage to facilities
Answer: C
Loss of customer goodwill is the only item listed that is not easily quantified and is, therefore, a better candidate for qualitative assessment.
171
171. What is the practice of establishing emergency-response actions following a business-related disaster?
A. Mutual assistance agreements
B. Business continuity planning
C. Software escrow
D. Disaster recovery planning
Answer: D
Disaster recovery planning is the practice of establishing emergency-response actions to follow after a disaster.
172
172. Which one of the following symmetric encryption algorithms is not supported by S/MIME?
A. DES
B. RC2
C. 3DES
D. IDEA
Answer: D
S/MIME supports the DES, RC2, and 3DES symmetric encryption algorithms and also uses RSA for public key encryption. It does not provide support for IDEA.
173
173. What amendment to the US Constitution protects individuals against wiretapping and invasions of privacy?
A. First
B. Fourth
C. Fifth
D. Tenth
Answer: B
The Fourth Amendment, as interpreted by the courts, includes protections against wiretapping and other invasions of privacy.
174
174. Which one of the following is not a core principle of the Agile Manifesto?
A. Simplicity is essential.
B. Build projects around all team members equally.
C. Working software is the primary measure of progress.
D. The best designs emerge from self-organizing teams.
Answer: B
The Agile Manifesto says that you should build projects around motivated individuals and give them the support they need.
175
175. Within the context of the EU Data Protection Law, what is the responsibility of a data processor?
A. Collect information for the data controller and prevent unauthorized disclosure
B. Use the data only as directed by the data controller and prevent unauthorized disclosure
C. Abide by the nine Safe Harbor principles while collecting data
D. Grant data access to third parties that abide by the nine Safe Harbor principles
Answer: B
The data processor should protect the data to prevent unauthorized disclosure and use the data only as directed by the data controller. The data controller, not the data processor, collects data. The data processor will abide by the seven Safe Harbor principles but does not collect data. The data processor is the third party and should not grant access to outside entities.
176
176. What IPsec component provides assurances of message integrity and nonrepudiation?
A. ESP
B. L2TP
C. AH
D. IKE
Answer: C
The Authentication Header (AH) provides assurances of message integrity and nonrepudiation. AH also provides authentication and access control and prevents replay attacks.
177
177. Which one of the following tools can be used to launch a distributed denial of service attack against a system or network?
A. Satan
B. Saint
C. LOIC
D. Nmap
Answer: C
Low Orbit Ion Cannon (LOIC) is a commonly used distributed denial of service (DDoS) attack toolkit. The other three tools mentioned are reconnaissance techniques used to map networks and scan for known vulnerabilities.
178
178. You are concerned about the risk that a tornado poses to your corporate headquarters in Indiana. The building itself is valued at $10 million. After consulting with the National Weather Service, you determine that there is a 2 percent likelihood that a tornado will strike over the course of a year. You hired a team of architects and engineers who determined that the average tornado would destroy approximately 25 percent of the building. What is the annualized loss expectancy (ALE)?
A. $10,000,000
B. $2,500,000
C. $200,000
D. $50,000
Answer: D
The ALE is computed by multiplying the SLE ($2,500,000) by the annualized rate of occurrence (2%) to get $50,000.
179
179. What phase of a business impact assessment calculates the ARO for a given risk scenario?
A. Risk identification
B. Likelihood assessment
C. Impact assessment
D. Resource prioritization
Answer: B
The annualized rate of occurrence (ARO) is a measure of how many times a risk might materialize in a typical year. It is a measure of risk likelihood.
180
180. Which of the following is an example of a Type 3 authentication factor?
A. Something you have
B. Something you are
C. Somewhere you are
D. Something you know
Answer: B
A Type 3 authentication factor is based on biometric characteristics, or something you are. A Type 2 authentication factor is based on something you have, such as a smart card or token device. A Type 1 authentication factor is based on something you know, such as passwords or PINs. Somewhere isn't formally listed in one of the three authentication factory types.
181
181. Which one of the following security modes does not require that all users have a security clearance for the highest level of information processed by the system?
A. Dedicated
B. System high
C. Compartmented
D. Multilevel
Answer: D
In a multilevel security mode system, there is no requirement that all users have appropriate clearances to access all the information processed by the system.
182
182. What type of attack occurs when a malicious user is positioned between the two endpoints of a communication's link?
A. Spoofing
B. Spamming
C. Denial of service
D. Man-in-the-middle
Answer: D
A man-in-the-middle attack occurs when a malicious user is positioned between the two endpoints of a communication's link, intercepting and facilitating their communication session.
183
183. Defense in depth is a security strategy that defends against attacks and compromises with multiple cooperating controls and safeguards. This is also known by what other protection mechanism term?
A. Hiding
B. Layering
C. Classification
D. Abstraction
Answer: B
Defense in depth is also known as layering. Hiding is preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. Classification is labelling subjects and objects based on their value or sensitivity. Abstraction is the act of placing similar elements into groups and then assigning access controls on those elements as a collective.
184
184. What is the preventive practice of establishing and planning for business-related threats and risk?
A. Disaster recovery planning
B. Business continuity planning
C. Mutual assistance agreements
D. Software escrow
Answer: B
Business continuity planning is the preventive practice of establishing and planning for threats to business flow, including natural and unnatural risk and threats to daily operations.
185
185. Which one of the following is not a tenet of the CISSP Code of Ethics?
A. Protect society, the commonwealth, and the infrastructure.
B. Take no action that jeopardizes the business interests of principals.
C. Act honorably, honestly, justly, responsibly, and legally.
D. Advance and protect the profession.
Answer: B
The Code of Ethics does not require that you protect the business interests of the principals. In fact, you may find yourself ethically bound to take action that jeopardizes those business interests.
186
186. What type of virus modifies its own code as it travels from system to system in an attempt to evade signature detection?
A. Polymorphic
B. Encrypted
C. Multipartite
D. Stealth
Answer: A
Polymorphic viruses actually modify their own code as they travel from system to system. The virus's propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system.
187
187. Which of the following requirements does not come from the Children's Online Privacy Protection Act?
A. Children must be kept anonymous when participating in online forums.
B. Parents must be provided with the opportunity to review information collected from their children.
C. Parents must give verifiable consent to the collection of information about children.
D. Websites must have a privacy notice.
Answer: A
COPPA does not require that children remain anonymous in online forums.
188
188. Who is responsible for classifying information?
A. Users
B. Data custodian
C. Auditor
D. Data owner
Answer: D
The data owner is the person responsible for classifying information for placement and protection within the security solution.
189
189. What federal agency provides detailed data that can assist with assessing earthquake risk?
A. NIST
B. USGS
C. FEMA
D. DOI
Answer: B
The US Geological Survey provides detailed earthquake risk data for locations in the United States.
190
190. What software component did the developers of Sun's Java programming language include to place privilege restrictions on Java code?
A. Cache
B. Sandbox
C. Playground
D. Proxy
Answer: B
The Java sandbox restricts the activities that can be performed by programs running within the Java environment.
191
191. You are creating a security product that must facilitate the exchange of symmetric encryption keys between two parties that have no way to securely exchange keys in person. What algorithm might you use to facilitate the exchange?
A. Rijndael
B. Blowfish
C. Vernam
D. Diffie-Hellman
Answer: D
The Diffie-Hellman algorithm allows the exchange of symmetric encryption keys between two parties over an insecure channel.
192
192. Which of the following is not an example of a converged protocol?
A. iSCSI
B. VoIP
C. FCoE
D. NNTP
Answer: D
NNTP (Network News Transfer Protocol) is not an example of a converged protocol. ISCSI, VoIP, and FCoE are converged protocols.
193
193. What type of attack includes activities such as tricking a secretary into revealing the boss's password?
A. Chatty attack
B. Social engineering
C. Dumpster diving
D. Psychological operations
Answer: B
Social engineering is a term used to describe attacks that exploit human nature to gain illegitimate access to a computer system, either directly or indirectly.
194
194. You are concerned about the risk that a hurricane poses to your corporate headquarters in south Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized rate of occurrence (ARO)?
A. 5 percent
B. 10 percent
C. 50 percent
D. 100 percent
Answer: B
The ARO is, quite simply, the probability that a given disaster will strike over the course of a year. According to the experts quoted in the scenario, this chance is 10 percent.
195
195. Which type of alarm system broadcasts an audible signal with a listening range of 400 feet?
A. Auxiliary alarm system
B. Local alarm system
C. Centralized alarm system
D. Remote alarm system
Answer: B
Local alarm systems, as the name implies, are locally controlled broadcast systems that emit audible signals. A fire alarm is an example of a local alarm system.
196
196. The backup administrator configures a system to perform full backups on Sundays and differential backups on Mondays through Saturdays. The system fails on Wednesday. What backups must be applied?
A. Sunday only
B. Sunday, Monday, Tuesday and Wednesday
C. Sunday and Wednesday only
D. Sunday, Monday and Wednesday only
Answer: C
With differential backups, you must first restore the most recent full backup and then apply the most recent differential backup.
197
197. Which of the following individuals would not normally be included in your organization's incident response team?
A. Public affairs representative
B. Information security representative
C. Law enforcement representative
D. Senior management representative
Answer: C
Law enforcement officials would not usually serve on your internal incident response team. Rather, you would typically appoint an individual to serve as a liaison with law enforcement.
198
198. An organization has an access control model that applies to all sales managers in the organization. What type of access control model is this?
A. Identity-based
B. Label-based
C. Rule-based
D. Role-based
Answer: D
A role-based access control model is based on job functions such as a sales person or a sales manager, and it groups users into roles. A discretionary access control model is an identity-based access control model. A rule-based access control model is based on rules within an ACL. A mandatory access control model uses assigned labels to identify access.
199
199. Which one of the following alternate processing arrangements is rarely implemented?
A. Hot site
B. Warm site
C. Cold site
D. MAA site
Answer: D
Mutual assistance agreements are rarely implemented because they are difficult to enforce in the event of a disaster requiring site activation.
200
200. A security management plan that discusses the needs of an organization to maintain security, the desire to improve control of authorized access, and the goal of implementing token-based security is what type of plan?
A. Functional
B. Operational
C. Strategic
D. Tactical
Answer: C
A strategic plan is a long-term plan that is fairly stable. It defines the organization's goals, mission, and objectives. It is useful for about five years if it is maintained and updated annually. The strategic plan also serves as the planning horizon. Long-term goals and visions of the future are discussed in a strategic plan.
201
201. What type of attack allows the transmission of sensitive data between classification levels through the direct or indirect manipulation of a shared storage media?
A. Trojan horse
B. Direct access to media
C. Permission creep
D. Covert channel
Answer: D
Covert channel attacks involve the illicit transfer of data by manipulating storage or timing channels.
202
202. What government agency provides daily updates on wildfires in the United States?
A. FEMA
B. NIFC
C. USGS
D. USFWS
Answer: B
The National Interagency Fire Center provides daily updates on wildfires occurring in the United States.
203
203. Which of the following is not an element of a secure termination process?
A. On boarding
B. Returning company property
C. Having a witness for the exit interview
D. Escorting off premises
Answer: A
On boarding is used to bring a new employee into the organization, not for terminating an employee. An off-boarding process would be appropriate for termination.
204
204. Which of the following describes putting similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective?
A. Data classification
B. Abstraction
C. Superzapping
D. Using covert channels
Answer: B
Abstraction describes putting similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
205
205. What type of device provides electricity to protected systems in the event of a power failure?
A. UPS
B. PAL
C. IDS
D. SIEM
Answer: A
An uninterruptible power supply (UPS) provides power to critical systems in the event of an electrical failure.
206
206. What form of intellectual property is used to protect words, slogans, and logos?
A. Patent
B. Copyright
C. Trademark
D. Trade secret
Answer: C
Trademarks are used to protect the words, slogans, and logos that represent a company and its products or services.
207
207. What remote access protocol replaced SLIP?
A. 802.11
B. SSH
C. PPP
D. TLS
Answer: C
PPP is a replacement for SLIP.
208
208. How many building fires occur in the United States on any given day?
A. 100
B. 1,000
C. 100,000
D. 1,000,000
Answer: B
The Insurance Information Institute estimates that 1,000 building fires occur in the United States every day.
209
209. A biometric system is matching subjects to a database using a one-to-many search. What is this providing?
A. Authentication
B. Authorization
C. Accountability
D. Identification
Answer: D
Biometric systems using a one-to-many search provide identification by searching a database for a match. Biometric systems using a one-to-one search provide authentication. Biometric systems do not provide authorization or accountability.
210
210. What database element is equivalent to a single record?
A. Table
B. Row
C. Column
D. Attribute
Answer: B
A database row contains the information that makes up a single database record.
211
211. Which one of the following categories of attack includes industrial espionage?
A. Financial attacks
B. Thrill attacks
C. Grudge attacks
D. Business attacks
Answer: D
Industrial espionage is usually considered a business attack.
212
212. From which pool of keys is the primary key for a particular table selected?
A. Foreign keys
B. Super keys
C. Candidate keys
D. Referential keys
Answer: C
The primary key is selected from the pool of available candidate keys for each table.
213
213. In addition to job rotation, what other security mechanism supports peer auditing?
A. Separation of duties
B. Principle of least privilege
C. Mandatory vacations
D. Job responsibilities
Answer: C
Mandatory vacations support peer auditing by placing another user in a job position for at least a week every year.
214
214. Which form of disaster recovery test is usually met with the most resistance but provides the most realistic results?
A. Structured walk-through
B. Full-interruption test
C. Simulation test
D. Parallel test
Answer: B
Full-interruption tests operate in a manner similar to parallel tests, but they involve actually shutting down operations at the primary site and shifting them to the recovery site.
215
215. Which type of incident is often the easiest to detect?
A. Compromise
B. Scanning
C. Malicious code
D. Denial of service
Answer: D
Denial of service attacks often result in the unavailability of resources and are often noticed earlier than other types of attacks.
216
216. Identification is useful for all but which of the following reasons?
A. IT systems track activity by identities.
B. Identity is needed to perform authentication.
C. Computers can differentiate between one human and another.
D. Identity is used to associate activities with subjects.
Answer: C
Computers cannot differentiate between one human and another; they can differentiate only between one identity or user account and another.
217
217. Which process in the evaluation of a security system represents the formal acceptance of a certified configuration?
A. Certification
B. Evaluation
C. Accreditation
D. Formal analysis
Answer: C
Accreditation is the formal declaration by the Designated Approving Authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
218
218. Change management should ensure that which of the following is possible?
A. Duplicate security is imposed on other systems.
B. Unauthorized changes to the system are prevented.
C. Vulnerable resources are locked down when threatened
D. Changes can be rolled back to a previous state.
Answer: D
Change management is responsible for making it possible to roll back any change to a previous secured state.
219
219. Which one of the following is not a common action that a virus might take?
A. Propagation
B. Validation
C. Destruction
D. Act with stealth
Answer: B
Virus writers do not commonly include validation routines in their code.
220
220. What is the primary reason parallel deployment of security mechanisms is an insecure solution?
A. It complies with layering design.
B. A series configuration is secure.
C. A threat could pass through a single checkpoint that did not address its particular malicious activity.
D. A single failure of a security control does not render the entire solution ineffective.
Answer: C
Parallel security designs are insecure because a threat could pass through a single checkpoint that did not address its particular malicious activity.
221
221. What state was the first to pass a data breach notification law requiring that organizations experiencing breaches of personal information notify affected individuals?
A. California
B. Colorado
C. New York
D. Texas
Answer: A
California passed SB 1386, the first data breach notification law, in 2002. Many other states followed suit with laws based on the text of the California law.
222
222. You are concerned about the risk that fire poses to your $25 million data center facility. Based on expert opinion, you determine that there is a 1 percent chance that fire will occur each year. Experts advise you that a fire would destroy half of your building. What is the annualized loss expectancy?
A. $25,000,000
B. $12,500,000
C. $250,000
D. $125,000
Answer: D
The ALE is computed by multiplying the SLE ($12,500,000) by the annualized rate of occurrence (1%) to get $125,000.
223
223. What type of evidence refers to written documents that are brought into court to prove a fact?
A. Best evidence
B. Payroll evidence
C. Documentary evidence
D. Testimonial evidence
Answer: C
Written documents brought into court to prove the facts of a case are referred to as documentary evidence.
224
224. What federal agency provides detailed data that can assist with assessing flood risk?
A. NIST
B. USGS
C. FEMA
D. DOI
Answer: C
The Federal Emergency Management Agency provides flood risk data for locations in the United States.
225
225. Which type of alarm system signals a monitoring station?
A. Remote alarm system
B. Centralized alarm system
C. Local alarm system
D. Auxiliary alarm system
Answer: B
Centralized alarm systems remotely monitor sensors spread around a business facility or campus and trigger on some specified event.
226
226. You are concerned about the risk that fire poses to your $25 million data center facility. Based on expert opinion, you determine that there is a 1 percent chance that fire will occur each year. Experts advise you that a fire would destroy half of your building. What is the single loss expectancy of your facility to fire?
A. $25,000,000
B. $12,500,000
C. $250,000
D. $125,000
Answer: B
The single loss expectancy is the amount of damage that would occur in one fire. The scenario states that a fire would destroy half the building, resulting in $12,500,000 of damage.
227
227. What form of proximity device is able to generate its own electricity from a magnetic field?
A. Passive device
B. Self-powered device
C. Field-powered device
D. Transponder
Answer: C
A field-powered device has electronics that activate when the device enters the electromagnetic field that the reader generates. Such devices actually generate electricity from an EM field to power themselves.
228
228. You are evaluating procedures within a company to ensure they properly implement a least-privileges policy. Which of the following capabilities indicate that the policy is not being followed?
A. Operators are able to access files on disks.
B. Administrators are able to configure permissions.
C. Administrators are able to back up data.
D. Operators are able to modify the computer's time.
Answer: D
Changing the computer's time is a privileged function and not normally granted to an operator or end user. Operators should be able to access files. Administrators should be able to configure permissions and back up data.
229
229. What database backup technology uses frequent, perhaps hourly, transfers of information between the primary and alternate sites?
A. Remote mirroring
B. Electronic vaulting
C. Remote journaling
D. Fault tolerance
Answer: C
Remote journaling technology transfers copies of the database transaction log to the alternate site on a frequent basis.
230
230. What type of phreaker tool is used to simulate the 2600 Hz tones used to interact with telephone network truck systems?
A. Black box
B. Red box
C. Blue box
D. White box
Answer: C
A blue box is used to simulate 2600 Hz tones to interact directly with telephone network trunk systems (that is, backbones). This could be a whistle, a tape recorder, or a digital tone generator.
231
231. What is the formula used to compute the ALE?
A. ALE = AV * EF * ARO
B. ALE = ARO * EF
C. ALE = AV * ARO
D. ALE = EF * ARO
Answer: A
The Annualized Loss Expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE*ARO. The other formulas displayed here do not accurately reflect this calculation.
232
232. Which of the following is not true about trademarks?
A. Trademarks must not be confusingly similar to existing trademarks.
B. Trademarks are issued for 10 years.
C. Trademarks may not be renewed.
D. Trademarks may not be descriptive of your goods or services.
Answer: C
Trademarks are issued for 10-year periods and may be renewed for unlimited successive 10-year periods.
233
233. A host organization that houses onsite security staff has what form of security system?
A. Auxiliary system
B. Centralized system
C. Localized system
D. Proprietary system
Answer: D
This is the same thing as a central station system; however, the host organization has its own onsite security staff waiting to respond to security breaches.
234
234. Mark recently completed work on a piece of computer software that he thinks will be especially valuable. He wants to protect the source code against others rewriting it in a different form. What is the best form of intellectual property protection he could seek in this case?
A. Trademark
B. Trade secret
C. Copyright
D. Patent
Answer: B
Mark's best option is to treat the software source code as a trade secret. Copyright protection requires that he disclose the source in a public filing. Patent protection does not cover the actual program.
235
235. What software development life cycle model allows the process to return only to the immediately preceding phase?
A. Software Capability Maturity Model
B. Waterfall model
C. Development cycle
D. Spiral model
Answer: B
The waterfall model allows the development process to return only to the immediately preceding phase of development at any given time.
236
236. What phase of a business impact assessment calculates the SLE for a given risk scenario?
A. Risk identification
B. Likelihood assessment
C. Impact assessment
D. Resource prioritization
Answer: C
The single loss expectancy (SLE) is a measure of how much damage would occur each time a risk materializes. It is a measure of risk impact.
237
237. What testing exercise would you perform that involves personnel relocation and remote site activation?
A. Parallel test
B. Full-interruption test
C. Structured walk-through
D. Simulation test
Answer: A
Parallel tests represent the next level in testing and involve actually relocating personnel to the alternate recovery site and implementing site activation procedures.
238
238. Which of the following is not an element of a job description?
A. Separation of duties
B. Security classification
C. Type and extent of access needed
D. Promotion opportunities
Answer: D
Promotion opportunities involve an entire organization, not a specific job. A job description focuses on what to do within a specific work position.
239
239. What aspect of security governance is based on the idea that senior management is responsible for the success or failure of a security endeavor?
A. Sarbanes-Oxley Act 2002
B. COBIT
C. Accreditation
D. Top-down approach
Answer: D
The top-down approach is the aspect of security governance that is based on the idea that senior management is responsible for the success or failure of a security endeavor.
240
240. Known as the table-top exercise, what tests the disaster recovery plan from a role-playing scenario?
A. Simulation test
B. Structured walk-through
C. Parallel test
D. Full-interruption
Answer: B
In a structured walk-through, members of the disaster recovery team run role-playing recovery exercises in a conference room.
241
241. Which type of virus uses a variety of keys to escape detection?
A. Polymorphic virus
B. Encrypted virus
C. Multipartite virus
D. File infector virus
Answer: B
Encrypted viruses use a variety of cryptographic keys in conjunction with encryption and decryption routines to hide their code on the hard drive.
242
242. What form of testing stresses demands on the disaster recovery team to derive an appropriate response from a disaster scenario?
A. Full-interruption test
B. Parallel test
C. Simulation test
D. Structured walk-through
Answer: C
Simulation tests are similar to the structured walk-throughs. In simulation tests, disaster recovery team members are presented with a scenario and asked to develop an appropriate response.
243
243. Which of the following elements is not necessary in the BCP documentation?
A. Risk acceptance details
B. Emergency response guidelines
C. Risk assessment
D. Mobile site plan
Answer: D
Details of mobile sites are part of a disaster recovery plan, rather than a business continuity plan, since they are not deployed until after a disaster strikes.
244
244. How soon after an incident should a postmortem review take place?
A. Within 24 hours
B. Within one week
C. Within one month
D. Within three months
Answer: B
Postmortem reviews are most effective if conducted within one week of an incident. Reviews conducted a month or more after an incident suffer because of the fading memories of responders.
245
245. What is the length of a patent in the United States?
A. 7 years
B. 14 years
C. 20 years
D. 35 years
Answer: C
US patents are generally issued for a period of 20 years.
246
246. Attempts to access an e-commerce site suddenly fail, and users receive a "Server unavailable" message. Evidence indicates that this error is the result of a malicious attack. What type of attack is most likely?
A. Malicious code
B. Denial of service
C. Compromise
D. Scanning
Answer: B
The "Server unavailable" message indicates that the attack is likely a denial of service attack, designed to affect the availability of computing resources.
247
247. In what DES mode is each block of unencrypted static text XORed with the immediately preceding block of cipher text before it is encrypted?
A. Electronic Codebook
B. Cipher Block Chaining
C. Cipher Feedback
D. Output Feedback
Answer: B
In the Cipher Block Chaining (CBC) mode, each block of unencrypted static text is XORed with the block of cipher text immediately preceding it before it is encrypted using the DES algorithm.
248
248. What type of attack is amplified by a third-party network?
A. Teardrop
B. Ping of death
C. Smurf
D. Land
Answer: C
The smurf attack uses a third-party network to amplify the denial of service attack.
249
249. In disaster recovery terms, which concept best captures the proverb "Don't put all your eggs in one basket"?
A. Service bureau
B. Disaster recovery plan
C. Mobile sites
D. Multiple sites
Answer: D
By splitting or dividing your outfit into several divisions, branches, offices, and so on, you create multiple sites and reduce the impact of a major disaster.
250
250. Who is responsible for the day-to-day maintenance of objects?
A. The user
B. The owner
C. The custodian
D. The administrator
Answer: C
A custodian is someone who has been assigned to or delegated the day-to-day responsibility of proper storage and protection of objects. A user is any subject who accesses objects on a system to perform some action or accomplish a work task. An owner is the person who has final corporate responsibility for the protection and storage of data. When discussing access to objects, three subject labels are used: user, owner, and custodian. Therefore, administrator is not an appropriate choice.
