P/E 3 Flashcards

Question

25. What is the frequency of an IT infrastructure security audit or security review based on? A. Asset value B. Administrator discretion C. Risk D. Level of realized threats

Answer 1

Answer: C The frequency of an IT infrastructure security audit or security review is based on risk. You must establish the existence of sufficient risk to warrant the expense of, and interruption caused by, a security audit on a more or less frequent basis. Asset value and threats are a part of risk but are not the whole picture, and assessments are not performed based only on either of these. A high-value asset with a low level of threats doesn't present a high risk. Similarly, a low-value asset with a high level of threats doesn't present a high risk. The decision to perform an audit isn't usually relegated to an administrator.

Answer 2

Answer: D Hardware segmentation is similar to process isolation in purpose. It prevents the access of information that belongs to a different process/security level.

Answer 3

Answer: C Defense in depth is also known as layered security. The motivation for layered security comes from the benefits that accrue from establishing multiple layers or levels of access controls to provide defense in depth from security threats. If one layer fails or is bypassed, defenses at other layers kick in to provide additional protection.

Answer 4

Answer: D The ARO (annualized rate of occurrence) is the element of quantitative risk analysis that judges the frequency of compromise of a threat.

Answer 5

Answer: D The qualitative analysis portion of the business impact assessment (BIA) allows you to introduce intangible concerns, such as loss of customer goodwill, into the BIA planning process.

Answer 6

Answer: C Kerberos provides confidentiality and integrity protection security services for authentication traffic using symmetric cryptography to encrypt tickets sent over the network to prove identification and provide authentication. The security services provide by Kerberos are not directly related to availability or nonrepudiation.

Answer 7

Answer: B Recommendations of the auditor are not considered basic and essential concepts to be included in an audit report. Key elements of an audit report include the purpose, scope, and results of the audit.

Answer 8

Answer: D Sanitization is the process of wiping storage media clean in preparation for disposal or destruction. It ensures that data cannot be recovered by any means from destroyed or discarded media.

Answer 9

Answer: B A concentric circle security model comprises several mutually independent security applications, processes, or services that operate toward a single common goal.

Answer 10

Answer: B Multilevel security systems can process information at different levels even when all system users do not have the required security clearance to access all information processed by the system.

Answer 11

Answer: B The waiting state is a process state that depends on peripherals as the processes pause execution until the conclusion of some requested activity, such as peripheral activity.

Answer 12

Answer: B Ethical hackers are those trained in responsible network security methodology, with a philosophy toward nondestructive and nonintrusive testing.

Answer 13

Answer: B The annualized rate of occurrence (ARO) is a measure of how many times a risk might materialize in a typical year. It is a measure of risk likelihood.

Answer 14

Answer: C An intrusion detection system is designed to detect intrusions and is not a countermeasure against inappropriate content by internal users. However, activity logging, content filtering, and policies that include penalties for violations can all be used as countermeasures for inappropriate content.

Answer 15

Answer: B A subnet is not created by a router; a subnet is created through the assignment of an IP address and a subnet mask. Routers only manage traffic between subnets.

Answer 16

Answer: C The need-to-know policy operates on the basis that any given system user should be granted access only to portions of sensitive information or materials necessary to perform some task.

Answer 17

Answer: A A patch management system ensures that systems have required patches. In addition to deploying patches, it would also check the systems to verify they accepted the patches. There is no such thing as a patch scanner. A penetration test will attempt to exploit a vulnerability, but it can be intrusive and cause an outage so it isn't appropriate in this scenario. A fuzz tester sends random data to a system to check for vulnerabilities but doesn't test for patches.

Answer 18

Answer: B API keys are passed with each API call to authenticate the API user.

Answer 19

Answer: D When possible, operations controls should be invisible, or transparent, to users. This keeps users from feeling hampered by security and reduces their knowledge of the overall security scheme, thus further restricting the likelihood that users will violate system security deliberately.

Answer 20

Answer: D Random access memory (RAM) is accessed in a random, rather than a sequential, fashion.

Answer 21

Answer: B Layering is the deployment of multiple security mechanisms in a series.

Answer 22

Answer: B A switch is a networking device that can be used to create digital network segments (i.e., VLANs) that can be altered as needed by adjusting the settings internal to the device rather than on end-point devices. A router connects disparate networks rather than creating network segments.

Answer 23

Answer: A Kerberos uses symmetric key cryptography. It does not use asymmetric or public key cryptography, and it does not require public key infrastructure (PKI).

Answer 24

Answer: D Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.

Answer 25

Answer: B System high mode provides the most granular control over resources and users because it enforces clearances, requires need to know, and allows the processing of only single sensitivity levels. All the other levels either do not have unique need to know between users (dedicated), allow multiple levels of data processing (compartmented), or allow a wide number of users with varying clearance (multilevel).

Answer 26

Answer: C Zero-knowledge teams possess only primary information about an organization during a security assessment or penetration test.

Answer 27

Answer: C Base+Offset addressing uses a value stored in one of the CPU's registers as the base location from which to begin counting. The CPU then adds the offset supplied with the instruction to the value and retrieves the operand from that computed memory location.

Answer 28

Answer: C A redundant commit statement is not associated with the Clark-Wilson model; it is instead an element in database replication. The Clark-Wilson model does define constrained data item, transformation procedures, and integrity verification procedure.

Answer 29

Answer: B Abstraction states that a detailed understanding of lower system levels is not a necessary requirement for working at higher levels.

Answer 30

Answer: C The Clark-Wilson model can also be described as a restricted interface model because it uses classification-based restrictions to offer subject-specific functions and information. Subjects at one classification level will see a specific set of data and obtain access to a related set of functions, while another subject at a different classification level will see a different dataset and obtain access to a different set of functions.

Answer 31

Answer: D Social engineering is an attempt to deceive an insider into performing questionable actions on behalf of some unauthorized outsider.

Answer 32

Answer: D Log files include information on what happened, when and where it happened, who was involved, and sometimes how, but they do not include why an attack occurred; they do not include the motivation of an attacker. Log files should be protected because they can be used to reconstruct events, attackers may try to modify them, and unprotected logs cannot be used as evidence.

Answer 33

Answer: D A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. A knowledge-based IDS uses a database of known attack methods to detect attacks. Both host-based and network-based systems can be either knowledge-based, behavior-based, or a combination of both.

Answer 34

Answer: C Clipping levels are widely used in the process of auditing events to establish a baseline of system or user activity that is considered routine activity.

Answer 35

Answer: A Endpoint security is implemented in order to provide sufficient security on each individual host, rather than relying on network-based security only.

Answer 36

Answer: C The code of ethics does not explicitly mention the CISSP exam.

Answer 37

Answer: D Of the four models mentioned, Biba and Clark-Wilson are most commonly used for commercial applications because both focus on data integrity. Of these two, Clark-Wilson offers more control and does a better job of maintaining integrity, so it's used most often for commercial applications. Bell-LaPadula is used most often for military applications. Brewer and Nash applies only to datasets (usually within database management systems) where conflict-of-interest classes prevent subjects from accessing more than one dataset that might lead to a conflict-of-interest situation.

Answer 38

Answer: D Input validation protects against a wide variety of web-based attacks, including XSS.

Answer 39

Answer: A The cryptographic goal of nonrepudiation ensures that you can prove to an uninvolved third party that a message originated with the purported sender.

Answer 40

Answer: C WPA-2 uses AES encryption, replacing the TKIP encryption used by WPA.

Answer 41

Answer: D Tactical planning is designed to focus on timeframes of approximately one year and may include scheduling of tasks, assignment of responsibilities, hiring plans, maintenance plans, and even acquisition plans.

Answer 42

Answer: A Discretionary controls give the subject (user) some ability to define the objects to access. This access control mechanism ensures that the owner or creator of an object controls and defines the access other subjects have to that object.

Answer 43

Answer: D A security impact analysis reviews change requests and evaluates them for potential negative impacts. All changes aren't necessarily approved or rejected. The analysis doesn't attempt to identify changes.

Answer 44

Answer: B RSA is an example of asymmetric cryptography, which does not require a preexisting relationship to provide a secure mechanism for data exchange. Two individuals can begin communicating securely from the moment they start communicating.

Answer 45

Answer: B Audit trails are the means through which individuals are held accountable for their actions and any events or occurrences they cause.

Answer 46

Answer: A In a trusted system, all protection mechanisms work together to process sensitive data for many types of users while maintaining a stable and secure computing environment.

Answer 47

Answer: A The first priority in incident response is to prevent further damage by isolating affected systems and containing the threat.

Answer 48

Answer: D A screen scraper tool is used to automatically extract standardized formatted data, such as XML and HTML, from human-friendly output. This tool is often used to extract results from web search engines.

Answer 49

Answer: D The purpose of a privacy policy is to inform users where they do and do not have privacy for the primary benefit of the protection of the company's right to audit and monitor user activity.

Answer 50

Answer: A Directive controls are the means by which an organizational security policy is governed at the logical level.

Answer 51

Answer: D An implicit deny mechanism will block all access that is not explicitly allowed. A constrained interface reduces what is viewable to a user and an access control matrix identifies subjects and objects, and they both employ an implicit deny philosophy, but the question doesn't describe them. An explicit deny philosophy requires a separate rule to deny specific access.

Answer 52

Answer: A The Bell-LaPadula model is focused on maintaining the confidentiality of objects. Bell-LaPadula does not address the aspects of object integrity or availability.

Answer 53

Answer: B IPX/SPX, AppleTalk, and NetBEUI are examples of non-IP protocols.

Answer 54

Answer: D BitLocker is the full disk encryption package provided by Microsoft as a Windows component. EFS, while a component of Windows, does not provide full disk encryption. TrueCrypt and PGP are not Microsoft products.

Answer 55

Answer: B Resource prioritization is the final step of the business impact assessment (BIA) process.

Answer 56

Answer: D Bob decrypts any messages he receives using his own private key.

Answer 57

Answer: B Most higher-order security models, such as Bell-LaPadula and Biba, are based on the state machine model (as well as the information flow and noninterference models).

Answer 58

Answer: B VoIP (Voice over IP) allows for phone conversations to occur over an existing TCP/IP network and Internet connection.

Answer 59

Answer: D Detective controls are, as the name suggests, mechanisms and means through which the effectiveness of preventive controls is verified.

Answer 60

Answer: A A trusted path is a channel established with strict standards to allow necessary communication without exposing the TCB to security vulnerabilities.

Answer 61

Answer: D ARP performs the resolution of and maintains the local cache of mappings between MAC addresses and IP addresses. Thus, ARP poisoning affects the MAC to IP relationship. HOSTS file poisoning and caching server poisoning are DNS attacks, thus exploiting the relationship between FQDNs and IP addresses. Internet file cache poisoning is the planting of false code or other data in a browser's file history.

Answer 62

Answer: B Third-party governance typically includes onsite assessment, document exchange and review, and process/policy review. Full interruption testing is more often associated with DRP.

Answer 63

Answer: A The Goguen-Meseguer model is an integrity model based on predetermining the set or domain—a list of objects that a subject can access.

Answer 64

Answer: D Although throughput is an important factor in supporting availability, it is not a key technique employed by software designers to ensure that software does only what is required and nothing more.

Answer 65

Answer: D The BIOS firmware is normally stored on an EEPROM chip to allow for "flash" updates when the BIOS needs revision.

Answer 66

Answer: A The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan.

Answer 67

Answer: C The annualized rate of occurrence (ARO) measures the frequency with which a specific event is expected to occur over the course of a year.

Answer 68

Answer: C Static RAM chips are built using a number of flip-flop transistors that retain their charge without requiring constant refreshing.

Answer 69

Answer: A User mode is the basic mode used by the CPU when executing user instructions. It enables only a portion of the full CPU instruction set.

Answer 70

Answer: C An advanced persistent threat (APT) refers to a group of attackers working together who are highly motivated, skilled, and patient and are often sponsored by a government. Whaling is a phishing attack that focuses on high-level executives and spear-phishing is a targeted phishing attack, but neither is commonly sponsored by a government. Rogueware is software that appears as free antivirus software but is actually malicious.

Answer 71

Answer: D Remote dialing (aka hoteling) is the vulnerability or feature of a PBX system that allows for an external entity to piggyback onto the PBX system and make long-distance calls without being charged for the tolls.

Answer 72

Answer: D A password policy can ensure that users create strong passwords of sufficient length and complexity. Password policies can also track password history and prevent users from reusing passwords.

Answer 73

Answer: C Granting users limited access only to those applications, functions, processes, or services necessary to fulfill their tasks is the principle of least privilege.

Answer 74

Answer: B Penetration testing is the process of exercising, validating, and verifying the state of security on a network.

Answer 75

Answer: A The removal of a user from a public key cryptosystem does not require the generation of any new keys. A message merely needs to be sent to all participants revoking the former user's key pair.

Answer 76

Answer: B A spamming attack (sending massive amounts of unsolicited email) can be used as a type of denial-of-service attack. It doesn't use eavesdropping methods, so it isn't sniffing. Brute-force methods attempt to crack passwords. Buffer overflow attacks send strings of data to a system in an attempt to cause it to fail.

Answer 77

Answer: C Purging is used to sufficiently cleanse remnants of data on a magnetic storage drive so that it can be reused in unsecure environments.

Answer 78

Answer: C TLS (Transport Layer Security) was specifically designed as a replacement for SSL.

Answer 79

Answer: A Due care is the notion of preserving and protecting assets and interests for a given organization as exercised through a formalized security structure comprising baselines, guidelines, policies, procedures, and rules.

Answer 80

Answer: D The exposure factor is the amount of the asset that is at risk. In this case, the 80 percent of the tickets that are single-game sales must be refunded, so the exposure factor is 80 percent of the game's revenue.

Answer 81

Answer: D Encrypted passwords (and one-time passwords) can reduce the success of a sniffing attack. Rainbow tables are used by attackers to crack hashed passwords. Salting passwords helps reduce the success rate of rainbow tables. Access reviews help ensure that an organization is using practices that support the security policy.

Answer 82

Answer: C Storing and maintaining vital records and crucial information is instrumental to record retention.

Answer 83

Answer: C A VLAN (virtual LAN) is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.

Answer 84

Answer: D Substitution ciphers actually replace the characters in a message with different values.

Answer 85

Answer: D Sanitization is any number of processes that prepare media for destruction.

Answer 86

Answer: C Brute-force attacks can be used against password database files and system logon prompts, not only database files. Weaknesses with passwords include users choosing easy-to-remember passwords, users writing down complex passwords, and the ability to steal passwords with other methods.

Answer 87

Answer: D Ricky uses his own private key to decrypt the message that Flo encrypted with Ricky's public key.

Answer 88

Answer: C Account reviews can detect instances of creeping privileges or excessive privileges. Account provisioning grants privileges. Disabling an account ensures it isn't used, and account revocation deletes the account.

Answer 89

Answer: A User mode is the most restricted system mode.

Answer 90

Answer: A Virtual memory uses drive space to simulate memory when programs require more memory than is physically available.

Answer 91

Answer: D Erasing media is simply performing a delete operation against a file, a selection of files, or the entire media.

Answer 92

Answer: B Of the options listed, a retina scan is the least accepted biometric device because it requires users to position their face on a cup reader that blows air into the eye and can reveal personal health issues. An iris scan can be read from a distance and doesn't reveal medical information. Additionally, fingerprints and facial geometry scans do not reveal medical information and are less invasive.

Answer 93

Answer: A Monitoring is not used to detect asset values. Monitoring can help detect malicious actions, attempted intrusions, and system failures.

Answer 94

Answer: C Directive controls guide an organizational security implementation and as such are control statements.

Answer 95

Answer: C Privacy Enhanced Mail (PEM) does not provide traffic flow confidentiality.

Answer 96

Answer: B Awareness training typically reduces risk and vulnerability.

Answer 97

Answer: B The rainbow table contains precomputed hashes of common passwords and is used to crack hashes stored in password files.

Answer 98

Answer: D Deployment of countermeasures is not considered a type of auditing activity but is instead an attempt to prevent security problems. Auditing includes recording event data in logs, using data reduction methods to extract meaningful data, and analyzing logs.

Answer 99

Answer: B VLANs do not impose encryption on data or traffic. Encrypted traffic can occur within a VLAN, but encryption is not imposed by the VLAN.

Answer 100

Answer: C The flag value of 00000100 indicates a RST, or reset flag, has been transmitted. This is not necessarily an indication of malicious activity.

Answer 101

Answer: D The Clark-Wilson model enforces separation of duties to further protect the integrity of data. This model employs limited interfaces or programs to control and maintain object integrity.

Answer 102

Answer: C Spoofing grants the attacker the ability to hide their identity through misdirection and is used in many different types of attacks. Spoofing doesn't send large amounts of data to a victim. It can be used as part of a buffer overflow attack to hide the identity of the attacker but doesn't cause buffer overflows directly. If user account names and passwords are stolen, the attacker can use them to impersonate the user.

Answer 103

Answer: B Access control is the automated mechanism that can prevent or permit system changes, installations, and updates on a selective basis.

Answer 104

Answer: A One of the most common vulnerabilities and hardest to protect against is the occurrence of errors and omissions. Inference is a technique used to gain information from a database without having full access to the database and can be protected by controlling database access. Malicious code can be blocked with up-to-date antivirus software. Data scavenging can be blocked by controlling what data is thrown in the trash.

Answer 105

Answer: B Indirect addressing occurs when the memory address supplied to the CPU as part of the instruction doesn't contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address.

Answer 106

Answer: B By far, the buffer overflow is the most common, and most avoidable, programmer-generated vulnerability.

Answer 107

Answer: D The BCP implementation phase involves the largest commitment of hardware and software resources. The other phases are more manpower intensive.

Answer 108

Answer: C The user who creates a new object is usually the default owner of that object.

Answer 109

Answer: D The * (star) Security Property states that a subject may not write information to an object at a lower sensitivity level (no write down).

Answer 110

Answer: C Espionage is a criminal action to disclose or profit from illegally obtained sensitive information about an organization.

Answer 111

Answer: C Cascading: Input for one system comes from the output of another system. Feedback: One system provides input to another system, which reciprocates by reversing those roles (so that system A first provides input for system B and then system B provides input to system A). Hookup: One system sends input to another system but also sends input to external entities. Waterfall: A form of project management, not related to information flow.

Answer 112

Answer: B Encapsulation is the feature of the TCP/IP protocol suite that makes it possible for tools like Loki to bypass firewall restrictions by tunneling prohibited traffic through an alternate protocol, such as ICMP.

Answer 113

Answer: B Nonvolatile secondary memory is used for long-term storage. Examples of this memory type include hard drives, optical discs, and magnetic tape.

Answer 114

Answer: C Corrective controls are the governing means and mechanisms that reverse and undo the undesirable effects of a given event or occurrence, such as system intrusion or component failure.

Answer 115

Answer: A In the man-in-the-middle attack, the attacker sits between the two communicating parties and relays messages between them. Both parties think they are communicating directly with each other.

Answer 116

Answer: A A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting every possible combination of letters, numbers, and symbols. Spoofing is pretending to be something or someone else, and it is used in a wide variety of attacks. A dictionary attack checks passwords against a database or dictionary. A rainbow table attack checks hashed values of passwords against the values stored in a rainbow table.

Answer 117

Answer: A A user entitlement audit can identify whether users have excessive privileges violating the principle of least privilege. While security logs may be used in the user entitlement audit, they would not be used alone. A review of inactive accounts is part of an access review audit, not a user entitlement audit. Traffic analysis focuses on the patterns and trends of data rather than the actual content.

Answer 118

Answer: B The annual loss expectancy is computed by multiplying the asset value ($10,000,000) by the exposure factor (75 percent), then multiplying that (the SLE) by the ARO, in this example 10 percent, resulting in $750,000 ALE.

Answer 119

Answer: B Warm sites contain all of the equipment needed to assume operations but do not maintain current data.

Answer 120

Answer: B CPU registers are the fastest form of memory.

Answer 121

Answer: C Auditing is the periodic examination and review of a network to ensure that it meets security and regulatory compliance.

Answer 122

Answer: C NAC often operates in a pre-admission philosophy in which a system must meet all current security requirements (such as patch application and antivirus updates) before it is allowed to communicate with the network. This often means systems that are not in compliance are quarantined or otherwise involved in a captive portal strategy in order to force compliance before network access is restored.

Answer 123

Answer: C Security is not and should not be treated as an IT issue only.

Answer 124

Answer: D A federated database used for single sign-on (SSO) allows a user to log on once and access multiple resources. This is not called a federal database. Kerberos is an effective SSO system within a single organization but not between organizations. Diameter is a newer alternative to RADIUS used for centralized authentication.

Answer 125

Answer: C In most cases, you must simply wait until the emergency or condition expires and things return to normal. If physical and infrastructure support is lost, such as after a catastrophe, regular activity (including deploying updates, performing scans, or tightening controls) is not possible.

Answer 126

Answer: B;D A system must be recertified whenever the configuration changes or a specified time has passed since the last certification.

Answer 127

Answer: D Antivirus software is not a deterrent access control, though it can be identified as a preventive, corrective, or recovery access control. Examples of deterrent access controls include security policies, cameras, awareness training, fences, locks, security badges, and guards.

Answer 128

Answer: B The Clark-Wilson model is focused on maintaining the integrity of objects. Through the use of two principles—well-formed transactions and separation of duties—the Clark-Wilson model provides an effective means to protect integrity.

Answer 129

Answer: B Privileged entities are those who are given special access to off-limits areas of the company's crucial IT infrastructure.

Answer 130

Answer: C Accounts should be disabled when employees leave for any reason. Accounts are not transferred between companies. It should be deleted only after it has been determined that the account is no longer needed.

Answer 131

Answer: A Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements. The actual method of third-party governance may vary, but it generally involves an outside investigator or auditor. This auditor might be designated by a governing body or might be a consultant hired by the target organization.

Answer 132

Answer: B A virtualized network, or network virtualization, is the combination of hardware and software networking components into a single integrated entity. The resultant system allows for software control over all network functions, management, traffic shaping, address assignment, and so on. A single management console or interface can be used to oversee every aspect of the network, a task requiring physical presence at each hardware component in the past.

Answer 133

Answer: C The single loss expectancy is calculated as the product of the exposure factor (80 percent) and the asset value ($1,500,000). In this example, the single loss expectancy is $1,200,000.

Answer 134

Answer: D zzuf is a Linux tool that automates the process of mutation fuzzing.

Answer 135

Answer: D Administrative control takes into consideration the processes and people who operate within an organizational security policy.

Answer 136

Answer: A Requiring a VPN to access the private wired network in addition to WPA-2 and 802.1x is the only additional reliable security option.

Answer 137

Answer: B TEMPEST is the standard that defines the study and control of electronic signals produced by various types of electronic hardware. Eavesdropping refers to using sniffing tools to capture and analyze data. SESAME is a ticket-based authentication system similar to Kerberos. Wiretapping commonly refers to monitoring phone calls.

Answer 138

Answer: B Recovery control indicates a direct form of control that returns systems and processes to a known good, normalized state following an intrusion, fault, or failure.

Answer 139

Answer: D The observer or auditor of a manual review system is directly responsible for recognizing failure of that system.

Answer 140

Answer: B The use of the single quotation mark is a telltale sign of a SQL injection attack.

Answer 141

Answer: C Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security weaknesses, they produce evaluation reports, which include recommendations.

Answer 142

Answer: C Certificate path validation is verification that each certificate in a certificate path is valid and legitimate.

Answer 143

Answer: B There is no requirement that the reference monitor's source code be available to the public.

Answer 144

Answer: B A phone number is the most PII-like information from this list. Any data point that directly or nearly directly points to an individual is PII. Any data point that itself does not point to an individual on its own is not PII. For example, the list of groceries you purchase is not PII unless that list also contains your name, credit card information, or account number.

Answer 145

Answer: C The Online Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

Answer 146

Answer: C Trust comes first. Trust is built into a system by crafting the components of security. Then assurance (in other words, reliability) is evaluated using certification and/or accreditation processes.

Answer 147

Answer: C The Defined stage of SW-CMM is characterized by the use of formal, documented software development processes.

Answer 148

Answer: D Trade secrets must be kept secret by the organization but have unlimited life. Patents would also apply to a manufacturing process, but they require public disclosure of the process and have limited duration.

Answer 149

Answer: A Administrative access controls are also referred to as management controls and include policies and procedures such as hiring and firing policies, data classifications and labels, and security awareness training. Technical and logical controls are synonymous and include hardware or software mechanisms used to manage access. Physical access controls are physical controls deployed to prevent direct contact with systems or areas within a facility.

Answer 150

Answer: C A security label is usually a permanent part of the object to which it is attached, thus providing some protection against tampering. The other options do not offer such protection.

Answer 151

Answer: C Sanitization (or wiping, purging, or zeroization) is a technique that can be used to destroy all traces of data on a storage device in order to prevent the recovery of data remanence.

Answer 152

Answer: C NAT offers numerous benefits, including that you can use the private IP addresses defined in RFC 1918 in a private network and still be able to communicate with the Internet.

Answer 153

Answer: D Some DDoS traffic can be traced back to its origin, but that does not mean the origin is the hacker. DDoS attacks that use distributed remote agents or intermediary but innocent third-party networks do not provide an easy trace path back to the original controlling hacker.

Answer 154

Answer: D Auditing encompasses a wide variety of different activities, including the recording of event/occurrence data, examination of data, data reduction, the use of event/occurrence alarm triggers, and log file analysis.

Answer 155

Answer: B A VPN is not a network segmentation; it is a secured encapsulation tunnel. Subnets, VLANs, and a DMZ are examples of network segmentation.

Answer 156

Answer: A A vulnerability scanner is the best tool of those listed to determine if a server is vulnerable to known attacks. A port scanner will identify open ports and a sniffer captures traffic, but neither will necessarily determine vulnerabilities. A configuration tester is an automated tool that checks system configuration but doesn't necessarily determine vulnerabilities.

Answer 157

Answer: D Degaussing is the technique used to remove data from magnetic tapes with the goal of returning the tape to its original state. Hard disks that are degaussed can destroy the disk drive mechanics making the drive no longer functional but there are no guarantees that the data has actually been destroyed. The platters may be removed in a clean room from the damaged drive to a known working drive and the data could be accessed then.

Answer 158

Answer: A Destruction is the final stage in the life cycle of backup media. Destruction should occur after proper sanitization or as a means of sanitization.

Answer 159

Answer: B The Simple Integrity Property states that a subject cannot read an object of a lower integrity level (no read down).

Answer 160

Answer: C Fiber is the most difficult network segment to eavesdrop because the act of doing so is always detectable.

Answer 161

Answer: D An organization involved in divestiture has security concerns related to prevention of data leakage, using proper sanitization techniques, and holding exit interviews. Performing on-boarding is not usually related to divestiture but to acquisition.

Answer 162

Answer: D Third-party governance auditors might be designated by a governing body or might be consultants hired by the target organization.

Answer 163

Answer: B Security was of paramount concern during the design of the Java platform, and Sun's development team created the "sandbox" concept to place privilege restrictions on Java code. The sandbox isolates Java code objects from the rest of the operating system and enforces strict rules about the resources those objects can access.

Answer 164

Answer: B Frequency analysis may be used on encrypted messages. The other techniques listed require additional information, such as the plain text or the ability to choose the cipher text.

Answer 165

Answer: D Partial-knowledge teams possess a detailed account of organizational assets, including hardware and software inventory, prior to a penetration test.

Answer 166

Answer: B While most business decisions need to include cost analysis, the change control process of configuration management is not directly concerned with cost effectiveness.

Answer 167

Answer: D Audit trails provide a comprehensive record of system activity and can help detect a wide variety of security violations, software flaws, and performance problems. An audit trail includes a variety of logs, including change logs, security logs, and system logs, but any one of these individual logs can't detect all the issues mentioned in the question.

Answer 168

Answer: B TLS (Transport Layer Security), the revised replacement for SSL, has become the de facto standard used to provide secure e-commerce services. This is in spite of the attempts of several credit card companies to promote alternate options, such as Secure Electronic Transaction (SET).

Answer 169

Answer: A Indirect addressing uses a scheme similar to direct addressing. However, the memory address supplied to the CPU as part of the instruction doesn't contain the actual value that the CPU is to use as an operand. Instead, the memory address contains another memory address (perhaps located on a different page).

Answer 170

Answer: A A Type 2 authentication factor is something you have, including a smart card, token device, or memory card. Type 3 authentication is something you are, and some behavioral biometrics include something you do. Type 1 authentication is something you know.

Answer 171

Answer: D ROM is burned at the factory and then unchangeable. Thus, ROM is the most secure because it will always maintain its integrity.

Answer 172

Answer: B Quantitative risk assessment produces a number-based result that is as easy to read and understand as a typical budget report.

Answer 173

Answer: A Sabotage is a criminal act committed against an organization by a knowledgeable employee.

Answer 174

Answer: C The scenario presented in the question describes the three characteristics of compartmented security mode.

Answer 175

Answer: B A drawback with single sign-on is that maximum unauthorized access is possible if an attacker discovers a password. Because users need to remember only one password, it makes it easier for users to remember passwords. Single sign-on does not dictate the length of passwords or encourage excessive privileges.

Answer 176

Answer: C Compliance checking ensures that all necessary elements of a security solution are properly deployed and functioning as expected.

Answer 177

Answer: A VPNs are used to transport communications over an intermediary medium through the means of encapsulation (i.e., tunneling), authentication, and encryption.

Answer 178

Answer: B Due diligence is the action taken to apply, enforce, and perform responsibilities or rules as governed by organizational policy.

Answer 179

Answer: D Access controls govern subjects' access to objects and the first step in this process is identifying the subject. Accountability logging, verification of access control lists (ACLs), and authentication are not possible without a subject identity.

Answer 180

Answer: C If Alice wants to send a message to Bob, she should encrypt it using his public key.

Answer 181

Answer: B Generally, regulation compliance is of greatest concern to governments, military, and government contractors when working with cloud services—especially those whose hosting infrastructure is not restricted to a single country.

Answer 182

Answer: D The seven requirements are Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement.

Answer 183

Answer: D The operations security triple is a conceptual security model that encompasses three concepts (assets, risk, and vulnerability) and their interdependent relationship within a structured, formalized organization.

Answer 184

Answer: C The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as sabotage. Espionage is the gathering of information about a competitor or enemy. Entrapment occurs when someone is encouraged to do something illegal after they have indicated they will not do it. Permutation refers to rearranging or modifying something slightly.

Answer 185

Answer: D The Brewer and Nash model organizes datasets according to conflict-of-interest classes so that authorized users with access to any member of a conflict class will be denied access to other members of that class. Thus, all three specific ingredients mentioned—properly identified subjects, one or more datasets, and conflict class definitions for all datasets—are required for it to operate properly. This makes option D the best answer.

Answer 186

Answer: D Both WPA and WPA2 support the enterprise authentication known as 802.1x/EAP, a standard port-based network access control that ensures clients cannot communicate with a resource until proper authentication has taken place. Effectively, 802.1x is a hand-off system that allows the wireless network to leverage the existing network infrastructure's authentication services. Through the use of 802.1x, other techniques and solutions such as RADIUS, TACACS, certificates, smart cards, token devices, and biometrics can be integrated into wireless networks providing techniques for both mutual and multi-factor authentication.

Answer 187

Answer: B Sampling is a form of data reduction, where elements are extracted from a larger body of information to construct a meaningful whole.

Answer 188

Answer: B Registers are onboard memory locations that can be accessed by the CPU in an extremely short period of time.

Answer 189

Answer: A;B;C IDSs can detect attacks from external connection attempts, execution of malicious code, and unauthorized access attempts to controlled objects. An IDS cannot detect inappropriate use of privileges such as a malicious insider abusing their privileges.

Answer 190

Answer: D Purging is erasing the data so the media is not vulnerable to data remnant recovery attacks, including those classified as laboratory level.

Answer 191

Answer: D Static IP addressing is not an implication of multilayer protocols.

Answer 192

Answer: B Ownership is the formal assignment of responsibility to an individual or group.

Answer 193

Answer: A Traffic analysis and trend analysis are forms of monitoring that examine the flow of packets rather than the actual content.

Answer 194

Answer: C Among these options, passphrase and a smart card provide the strongest authentication security because they deliver two-factor authentication. A password and a PIN are both in the same factor. Despite the security offered by one-time passwords, a two-factor authenticator is stronger.

Answer 195

Answer: A Layering of processes implements a structure similar to the ring model used for operating modes.

Answer 196

Answer: B Sampling is a form of data reduction that allows an auditor to quickly determine the important issues or events from an audit trail.

Answer 197

Answer: A The Bell-LaPadula model addresses only the confidentiality of data and works well for military applications. This model is based on the state machine model and employs mandatory access controls and the lattice model.

Answer 198

Answer: B Authentication is the process of verifying or testing the validity of a claimed identity. Identification is the claimed identity. Authorization grants access to resources to the proven identity, and accountability tracks access to resources.

Answer 199

Answer: C BCP documentation can be an arduous task, but it should not require the creation of a new position.

Answer 200

Answer: C The mean time between failures (MTBF) rating on storage drives specifies the expected life span (or average failure rate for any drive in a given batch) for a given medium.

Answer 201

Answer: C POTS (plain old telephone system) or PSTN (public switched telephone network) requires the use of a modem to support digital computer communications over an otherwise analog link.

Answer 202

Answer: B Threat modeling is the process of identifying, understanding, and categorizing potential threats, including threats from attack sources. Asset valuation identifies the value of assets. Vulnerability analysis identifies weaknesses. An advanced persistent threat is a form of attack, often sponsored by a government.

Answer 203

Answer: B Process isolation prevents a process from reading or writing to an unauthorized memory location. This concept ensures that any behavior will affect only the memory and resources associated with the process.

Answer 204

Answer: D Using a block list or black list is a valid form of security filtering; it is just not a form of spoofing filtering.

Answer 205

Answer: B Clipping is a subset of sampling, which is a process of extracting data from a large body of information but with a specified cut-off point or threshold.

Answer 206

Answer: C Multistate processing systems are certified to handle multiple security levels simultaneously by using specialized security mechanisms.

Answer 207

Answer: D Copyright law protects the rights of creators of original works of authorship, including books.

Answer 208

Answer: B The SHA-2 algorithms support the creation of message digests up to 512 bits long.

Answer 209

Answer: D Audit overview is not essential for an audit report; the purpose, scope and results of an audit are the three primary (and necessary) elements.

Answer 210

Answer: C Distribution of malicious code will almost always result in damage or loss of assets and is not used in a penetration test. However, denial-of-service attacks, port scanning, and packet sniffing may all be included in a penetration test.

Answer 211

Answer: B Eavesdropping is the ability to intercept network and telephony communications along with physical and electronic documents and even personal conversations.

Answer 212

Answer: A A DMZ is used to host resources accessed by outside visitors but that are still isolated from the private network. A VPN is used to encapsulate plain-text protocols with a layer of encryption. VoIP is used to support the use of audio communications over an IP network. A WAP is used to enable portable clients to make network links over radio waves.

Answer 213

Answer: D You can determine the number of possible keys by raising 2 to the power of the length of the key (in bits). In this case, 28=256.

Answer 214

Answer: B Steganography allows hiding data within an image. Child pornographers often use it to hide illegal images within innocent ones.

Answer 215

Answer: A Application programming interfaces (APIs) provide standard mechanisms for web services to interact with each other.

Answer 216

Answer: B Pentest reports should be secured because they contain information about the vulnerabilities of the system and disclosure of such vulnerabilities to the wrong person could lead to security breaches. They would not normally contain confidential data from the network. They are useful to both upper management and security professionals. They would not normally include details about security control configuration.

Answer 217

Answer: B Security governance should include acquisitions, divestitures, and oversight committees.

Answer 218

Answer: D AWS is an Infrastructure-as-a-Service provider, not a code repository.

Answer 219

Answer: A Transformation procedures (TPs) are the only procedures that are allowed to modify a CDI. The limited access to CDIs through TPs forms the backbone of the Clark-Wilson integrity model.

Answer 220

Answer: A Read-only memory (ROM) can be written to only one time at the factory. Users cannot modify the contents.

Answer 221

Answer: B Dumpster diving is the act of searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information. Social engineering uses different methods to trick employees or users into giving up information, and impersonation is a social engineering tactic. Inference is a technique used to gain information from a database without having full access to the database.

Answer 222

Answer: A The meet in the middle attack specifically targets encryption algorithms that use two rounds of encryption, such as Double DES.

Answer 223

Answer: D Electronically erasable programmable read-only memory (EEPROM) chips can be erased by modulating an electric current applied to the chip.

Answer 224

Answer: D Mandatory access control uses labels to identify subjects and objects and grants access based on matching labels. Discretionary access control requires all objects to have an owner. Nondiscretionary access control provides centralized access controlled by an administrator. Role-based access control provides access based on membership within a role.

Answer 225

Answer: C Both omissions and errors are difficult aspects to protect against, particularly as they deal with human and circumstantial origins.

Answer 226

Answer: D The biggest risk associated with web or mobile applets is executing code from external sources. The risk is running malicious or unstable code from an outside source, even if that code is signed.

Answer 227

Answer: A Social engineering is a deceptive act meant to trick personnel into revealing sensitive information or performing some unauthorized act on their behalf.