P/E 4

Question 1

1. What security protocol was developed specifically to protect communications between web servers and web browsers?

A. L2F
B. SKIP
C. SWIPE
D. SSL

Answer 1

Answer: D

Secure Sockets Layer (SSL) is an encryption protocol developed by Netscape to protect the communications between a web server and a web browser.

Question 2

2. What is the difference between residual risk and total risk?

A. Budget
B. Human resource allocation
C. Controls gap
D. Fault tolerance

Answer 2

Answer: C

The controls gap is the difference between total risk and risudual risk.

Question 3

3. If you require the most advanced and complete method of off-site backup, what option do you choose?

A. Manual backups
B. Automated backups
C. Remote mirroring
D. Remote journaling

Answer 3

Answer: C

Remote mirroring is the most advanced, complete, and expensive off-site backup solution. With this solution, a live database server is kept off site at some secure remote location.

Question 4

4. If a specific step-by-step guide does not exist that prescribes how to accomplish a necessary task, which of the following is used to create such a document?

A. Policy
B. Standard
C. Procedure
D. Guideline

Answer 4

Answer: D

A guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. Guidelines are flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures (i.e., step-by-step guides).

Question 5

5. In what level of the Capability Maturity Model for Software do software developers operate according to a set of formal, documented software development processes?

A. Initial
B. Repeatable
C. Defined
D. Managed

Answer 5

Answer: C

In the Defined stage of the CMM, all development projects take place within the constraints of a standardized management model.

Question 6

6. Which firewall type looks exclusively at the message header to determine whether to transmit or drop data?

A. Static packet filtering
B. Application-level gateway
C. Stateful inspection
D. Dynamic packet filtering

Answer 6

Answer: A

A static packet-filtering firewall filters traffic by examining data from a message header.

Question 7

7. Which of the following is not a risk related to cell phone usage?

A. Data interception
B. Switch console port access
C. Eavesdropping
D. Cloning

Answer 7

Answer: B

A switch console port exists only on a switch; a cell phone cannot be used to access such ports.

Question 8

8. In an agile software development process, how often should business users be involved in development?

A. Daily
B. Weekly
C. Monthly
D. At each release

Answer 8

Answer: A

The agile development process requires that business users interact with developers on a daily basis.

Question 9

9. A made-up network designed to lure unsuspecting attackers with low-hanging fruit is called what?

A. IDS
B. Honeynet
C. Padded cell
D. Vulnerability scanner

Answer 9

Answer: B

Honeynets are entire networks created to serve as a snare for intruders. They look and act like legitimate networks, but they are 100 percent fake. Honeynets tempt intruders with seemingly vulnerable systems with attractive artificial data.

Question 10

10. Which one of the following cipher types operates on individual characters or bits of a message without knowledge of what came before or after?

A. Stream cipher
B. Caesar cipher
C. Block cipher
D. ROT3 cipher

Answer 10

Answer: A

Stream ciphers operate on one character or bit of a message (or data stream) at a time.

Question 11

11. Which type of access control system relies on using classification labels that are representative of security domains and realms?

A. Nondiscretionary access control
B. Mandatory access control
C. Discretionary access control
D. Logical access control

Answer 11

Answer: B

Mandatory access control enforces an access policy that is determined by the system, not the object owner.

Question 12

12. What are the well-known ports?

A. 0 to 1,023
B. 80, 135, 110, 25
C. 0 to 65, 536
D. 32,000 to 65,536

Answer 12

Answer: A

Ports 0 to 1,023 are the well-known ports.

Question 13

13. Which of the following is nested RAID involving the mirroring of striped drive sets with evenly distributed parity data?

A. RAID 1
B. RAID 6
C. RAID 1+5
D. RAID 1+0

Answer 13

Answer: C

RAID 1+5 is nested RAID involving the mirroring (RAID 1) of striped drive sets with evenly distributed parity data (RAID 5).

Question 14

14. Which of the following is not an element of configuration management?

A. Supporting rollback
B. Detailed documentation
C. Systematic analysis of impending alterations
D. Use of the spiral model of project management

Answer 14

Answer: D

The spiral model of project management does not directly relate to configuration management. Configuration management is about managing change that could result in reduced security.

Question 15

15. Which of the following is not a technique to avoid a single point of failure?

A. RAID
B. Redundant servers or clusters
C. High-speed network connection
D. Failover solutions

Answer 15

Answer: C

A high-speed network connection is not a single point of failure avoidance technique, especially if you have only one.

Question 16

16. The __________ model focuses on preventing interference in support of integrity. This model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of and limitations to only these predetermined secure states, integrity is maintained and interference is prohibited.

A. Biba
B. Take grant
C. Goguen−Meseguer
D. Sutherland

Answer 16

Answer: D

The Sutherland model focuses on preventing interference in support of integrity. This model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of and limitations to only these predetermined secure states, integrity is maintained and interference is prohibited.

Question 17

17. Which state is not considered to have a very high risk for seismic hazard?

A. Alaska
B. Oregon
C. Idaho
D. Georgia

Answer 17

Answer: D

Alaska, Oregon, and Idaho are located in regions that are rated high on seismic activity; Georgia, however, has its own unique set of environmental weather conditions.

Question 18

18. Which of the following is not part of RFC 1918?

A. 169.254.1.1
B. 192.168.1.1
C. 172.16.1.1
D. 10.1.1.1

Answer 18

Answer: A

The 169.254.x.x range is usually employed by the Microsoft APIPA response to failed DHCP services.

Question 19

19. In a discussion of high-speed telco links or network carrier services, what does fault tolerance mean?

A. Error checking
B. Redundancy
C. Flow control
D. Bandwidth on demand

Answer 19

Answer: B

In a discussion of high-speed telco links or network carrier services, fault tolerance means to have redundant connections.

Question 20

20. What technique is used by antivirus software to detect behavior deviating from normal patterns of activity?

A. Signature detection
B. Heuristic detection
C. Data integrity assurance
D. Automated reconstruction

Answer 20

Answer: B

Heuristic detection techniques develop models of normal activity and then identify deviations from that baseline.

Question 21

21. Coordinated attack efforts that leverage key mechanisms in legitimate network traffic or protocol responses that disrupt or inhibit service to some network infrastructure are what form of attack?

A. Distributed denial of service
B. Denial of service
C. Diffracted denial of service
D. Distributed reflective denial of service

Answer 21

Answer: D

Coordinated attack efforts between cooperative machines using traffic in an entirely legitimate manner are distributed reflective denial of service attacks.

Question 22

22. The __________ of a process consist of limits set on the memory addresses and resources it can access. This also states or defines the area within which a process is confined.

A. Isolation
B. Bounds
C. Confinement
D. Authentication

Answer 22

Answer: B

The bounds of a process consist of limits set on the memory addresses and resources it can access. The bounds state or define the area within which a process is confined.

Question 23

23. How many keys are assigned each participant in an asymmetric cryptosystem?

A. One
B. Two
C. Four
D. One per user

Answer 23

Answer: B

Each participant in an asymmetric cryptosystem is issued two keys: a public key and a private key.

Question 24

24. Darcy’s Doodles is an electronic content provider hosting websites related to art. The IT staff of Darcy’s Doodles is concerned about the risk of an earthquake destroying their data center, which is valued at $8,000,000. After consulting with seismologists, they determined that an earthquake is likely to occur once every 50 years and, if one occurred, it would completely destroy the facility. What is the ARO?

A. 1 percent
B. 2 percent
C. 20 percent
D. 50 percent

Answer 24

Answer: B

The annualized rate of occurrence (ARO) is the likelihood that a risk will materialize in a given year. In this example, the risk will occur once out of every 50 years, 1/50 = 2%.

Question 25

25. What can vulnerability scanners do? A. They actively scan for intrusion attempts. B. They serve as a form of enticement. C. They locate known security holes. D. They automatically reconfigure a system to a more secured state.

Answer 25

Answer: C Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They are not active detection tools for intrusion, they offer no form of enticement, and they do not configure system security. In addition to testing a system for security weaknesses, they produce evaluation reports and make recommendations.

Question 26

26. Which subset of the Structured Query Language is used to create and modify the database schema? A. Data Definition Language B. Data Structure Language C. Database Schema Language D. Database Manipulation Language

Answer 26

Answer: A The Data Definition Language (DDL) is used to make modifications to a relational database's schema.

Question 27

27. Matthew received a digitally signed message sent by Christopher. What key should he use to verify the digital signature? A. Matthew's public key B. Matthew's private key C. Christopher's public key D. Christopher's private key

Answer 27

Answer: C The recipient of a message uses the sender's public key to verify the digital signature.

Question 28

28. What is the minimum number of cryptographic keys required for secure two-way communications in asymmetric key cryptography? A. One B. Two C. Three D. Four

Answer 28

Answer: D In asymmetric (public key) cryptography, each communicating party must have a pair of public and private keys. Therefore, two-way communication between parties requires a total of four cryptographic keys (a public and a private key for each user).

Question 29

29. The Caesar cipher is an example of what type of cryptographic algorithm? A. Substitution B. Polyalphabetism C. Transposition D. Diffusion

Answer 29

Answer: A The Caesar cipher is a simple substitution cipher where each letter of a message is changed.

Question 30

30. ___________ is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization. A. SQL injection B. Buffer overflow C. DDoS D. XML exploitation

Answer 30

Answer: D XML exploitation is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization.

Question 31

31. A _______________ contains levels with various compartments that are isolated from the rest of the security domain. A. Hybrid environment B. Compartmentalized environment C. Hierarchical environment D. Security environment

Answer 31

Answer: A Hybrid environments combine both hierarchical and compartmentalized environments so that security levels have subcompartments.

Question 32

32. What organization issued RFC 1087, Ethics and the Internet? A. (ISC)2 B. Internet Advisory Board C. SANS D. NIST

Answer 32

Answer: B The document Ethics and the Internet was issued as RFC 1087 by the Internet Advisory Board.

Question 33

33. In public key cryptography, what key does the sender of a message use to encrypt it? A. The sender's private key B. The sender's public key C. The recipient's private key D. The recipient's public key

Answer 33

Answer: D In public key cryptography, the sender of a message encrypts it using the recipient's public key.

Question 34

34. What security model is based on dynamic changes of user privileges and access based on user activity? A. Sutherland B. Brewer–Nash C. Biba D. Graham–Denning

Answer 34

Answer: B The Brewer–Nash model is based on dynamic changes of user privileges and access based on user activity.

Question 35

35. What are used to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored? A. Interoffice memos B. Honeypots C. Warning banners D. Pseudo flaw

Answer 35

Answer: C Warning banners are used to inform would-be intruders or those who attempt to violate the security policy that their intended activities are restricted and that any further activities will be audited and monitored. Interoffice memos are limited to employees and wouldn't include intruders. Honeypots are systems with fake data used to tempt attackers. Honeypots are often configured with pseudo flaws or false vulnerabilities.

Question 36

36. Why is a purely quantitative approach not possible? A. The mathematical formulas are too complex. B. Historical occurrences are not helpful in prediction of future events. C. Qualitative items cannot be accurately quantified. D. Estimations of impact or exposure are based on actuarial tables and measurements of probability.

Answer 36

Answer: C A purely quantitative approach is not possible because qualitative items cannot be accurately quantified.

Question 37

37. What is a drawback to using VPNs when a firewall is present? A. You can't filter on encrypted traffic. B. VPNs cannot cross firewalls. C. Firewalls block all outbound VPN connections. D. Firewalls greatly reduce the throughput of VPNs.

Answer 37

Answer: A Firewalls are unable to filter on encrypted traffic within a VPN, which is a drawback. VPNs can cross firewalls. Firewalls do not have to always block outbound VPN connections. Firewalls usually only minimally affect the throughput of a VPN and then only when filtering is possible.

Question 38

38. What is the primary purpose of most viruses today? A. Infecting word processor documents B. Creating botnets C. Destroying data D. Sending spam

Answer 38

Answer: B Most viruses are designed to add systems to botnets, where they are later used for other nefarious purposes, such as sending spam or participating in distributed denial of service attacks.

Question 39

39. What is hybrid risk assessment? A. Use of internal and external analysts B. Use of quantitative and qualitative approaches C. Use of dictionary and brute-force techniques D. Use of compartmented and hierarchical structures

Answer 39

Answer: B Hybrid risk assessment is a combination of both quantitative and qualitative approaches.

Question 40

40. What element of security control includes access controls, alarms, CCTV, and monitoring? A. Administrative physical control B. Technical physical security control C. Logistical security control D. Physical security control

Answer 40

Answer: B Technical physical security controls include access controls; intrusion detection; alarms; closed-circuit television (CCTV); monitoring; heating, ventilating, and air conditioning (HVAC); power supplies; and fire detection and suppression.

Question 41

41. What nontraditional alternative recovery site is made up of transportable relocation units? A. Off-site bureau B. Service bureau C. Mobile site D. Mobility suite

Answer 41

Answer: C Mobile sites are nonmainstream alternatives to traditional recovery sites. They typically consist of self-contained trailers or other easily relocated units.

Question 42

42. Which of the following is a drawback of classification schemes? A. They have a large administrative overhead for larger environments. B. They lend credence to the selection of protection mechanisms. C. They assist in identifying those assets that are most critical or valuable to the organization. D. They are often required for regulatory compliance or legal restrictions.

Answer 42

Answer: A A drawback of classification schemes, especially as implemented via a mandatory access control concept, is that they require significant administration for a large organization.

Question 43

43. Which form of DBMS primarily supports the establishment of treelike relationships? A. Relational B. Hierarchical C. Mandatory D. Distributed

Answer 43

Answer: B A hierarchical DBMS supports one-to-many relationships, often expressed in a tree structure.

Question 44

44. Senior management must show reasonable ___________________ to reduce their culpability and liability when a loss occurs. A. Profits B. Insurance C. Due care D. Asset valuation

Answer 44

Answer: C Senior management must show reasonable due care to reduce their culpability and liability when a loss occurs.

Question 45

45. Which one of the following systems would be appropriately placed in the DMZ? A. Database server B. User workstation C. Domain controller D. Web server

Answer 45

Answer: D The DMZ is designed to house systems that require public access. The web server is the only option on this list that should be exposed to the Internet.

Question 46

46. Many of the following options reflect best practices when engaging penetration testing to validate and verify the strength of your security policy. Which of the following is not recommended? A. Mimicking attacks previously perpetrated against your system B. Performing the attacks without management's consent C. Using manual and automated attack tools D. Reconfiguring the system to resolve any discovered vulnerabilities

Answer 46

Answer: B You should never conduct a formal or informal penetration test against any company without the advanced knowledge and express consent of management.

Question 47

47. Which of the following is a possible effective key length of the Triple DES (3DES) encryption algorithm? A. 40 bits B. 56 bits C. 128 bits D. 168 bits

Answer 47

Answer: D Triple DES has an effective key length of 168 bits.

Question 48

48. In the Biba model, what rule prevents a user from reading from lower levels of classification? A. Star axiom B. Simple property C. No read up D. No write down

Answer 48

Answer: A The Biba simple property rule/star axiom is "no read down."

Question 49

49. In what type of software testing must the tester not have access to the underlying source code? A. Static testing B. White box testing C. Gray box testing D. Black box testing

Answer 49

Answer: D In a black box test, the tester must not have access to the application's source code.

Question 50

50. The lack of data flow control could result in all but which of the following? A. Dropped connections B. Corrupted data C. Quality of service management D. Self-inflicted denial of service

Answer 50

Answer: C Failing to provide data flow control means failing to provide quality of service management as well.

Question 51

51. What document should state where critical business information will be stored? A. Business impact assessment B. Statement of purpose C. Vital records program D. Emergency-response guidelines

Answer 51

Answer: C The vital records program states where critical business records will be stored and the procedures for making and storing backup copies of those records.

Question 52

52. When assigning a classification label, which of the following is not an essential criterion? A. Value or cost B. Data disclosure damage assessment C. Source or origin D. Maturity or age

Answer 52

Answer: C The source or origin of a resource is rarely a serious criterion in the assignment of a classification label. The other options are just a few of the important criteria of classification assignment.

Question 53

53. Which of the following is the best method to protect against rainbow-table attacks? A. Encrypting passwords sent over the network B. Enable firewalls C. Keeping systems up to date D. Salting passwords

Answer 53

Answer: D Salting passwords can reduce the effectiveness of rainbow table attacks. Rainbow-table attacks are offline password attacks, so encrypting data sent over the network doesn't directly protect against rainbow-table attacks. While keeping systems up to date and enabling firewalls is always a good idea, these do not directly protect against rainbow-table attacks.

Question 54

54. Which one of the following types of evidence consists of tangible objects (such as a gun) that can be brought into court? A. Documentary evidence B. Real evidence C. Testimonial evidence D. Best evidence

Answer 54

Answer: B Real evidence consists of items that can be brought into a courtroom, such as a gun, computer, or other tangible object.

Question 55

55. Which one of the following attack types often takes place as a reconnaissance activity preceding another type of attack? A. Compromise B. Malicious code C. Scanning D. Denial of service

Answer 55

Answer: C Hackers often use scanning attacks to gather intelligence about vulnerable systems that they may later attempt to compromise.

Question 56

56. What method is not integral to assuring effective and reliable security staffing? A. Screening B. Bonding C. Training D. Conditioning

Answer 56

Answer: D Screening, bonding, and training are all vital procedures for ensuring effective and reliable security staffing because they verify the integrity and validate the suitability of said staffers.

Question 57

57. Which of the following is an element of intangible asset valuation? A. Support cost B. Intellectual property value C. Replacement cost D. Training expense

Answer 57

Answer: B While valuable, intellectual property value is an element of intangible asset valuation.

Question 58

58. What technology may database developers use to restrict users' access to a limited subset of database attributes or records? A. Polyinstantiation B. Cell suppression C. Aggregation D. Views

Answer 58

Answer: D Database views use SQL statements to limit the amount of information that users can view from a table.

Question 59

59. Which of the following statements is true of business continuity planning? A. It prevents every possible disaster from interrupting business. B. It limits the extent of damage for commonly occurring disasters. C. It rewards the beneficiaries of disaster recovery. D. It maximizes the insurance coverage against natural disaster.

Answer 59

Answer: B BCP involves prepared and verified measures for protection of critical business operations from the effects of a loss, damage, or other failure of operational facilities providing crucial functions. Thus, it limits the extent of damage for commonly occurring disasters.

Question 60

60. What sort of system defines subject access through subject roles (job descriptions) and subject tasks (job functions)? A. Rule-based access control B. Mandatory access control C. Role-based access control D. Discretionary access control

Answer 60

Answer: C Role-based access control uses a well-defined collection of named job roles to endow each one with specific permissions, thereby seeking to ensure that users who occupy such roles can access what they need to get their jobs done.

Question 61

61. What is the second phase of the IDEAL software development model? A. Developing B. Diagnosing C. Determining D. Designing

Answer 61

Answer: B The second phase of the IDEAL software development model is the Diagnosing stage.

Question 62

62. What block size is used by the Triple DES encryption algorithm? A. 32 bits B. 64 bits C. 128 bits D. Variable

Answer 62

Answer: B Both DES and Triple DES use a fixed block size of 64 bits.

Question 63

63. What system may be used to verify digital certificates without latency? A. CRL B. OCSP C. PGP D. PKI

Answer 63

Answer: B The Open Certificate Status Protocol (OCSP) eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification.

Question 64

64. From within the Bell–LaPadula model, what is allowed to violate the star property, but when doing so does not actually violate security? A. End users B. Intruders C. Root administrators D. Trusted subject

Answer 64

Answer: D A trusted subject can violate the star property of "no write down" in the act of declassification, which is not an actual violation of security.

Question 65

65. What type of evidence must be authenticated by a witness who can uniquely identify it or through a documented chain of custody? A. Documentary evidence B. Testimonial evidence C. Real evidence D. Hearsay evidence

Answer 65

Answer: C Real evidence must be either uniquely identified by a witness or authenticated through a documented chain of custody.

Question 66

66. What element is not considered in a security-oriented design for any given facility or site? A. Separation of employee and visitor areas B. Restricted access levels to areas of higher value or importance C. Centralized location of confidential assets D. Optional access to all areas

Answer 66

Answer: D Optional access should never be granted to all areas, especially where sensitive equipment or data is utilized and stored.

Question 67

67. How many keys are required to fully implement a symmetric algorithm with 20 participants? A. 10 B. 20 C. 40 D. 190

Answer 67

Answer: D The number of keys required to fully implement a symmetric encryption algorithm is given by the formula (n*(n-1))/2.

Question 68

68. Which of the following may introduce new vulnerabilities to voice communications? A. Modems B. VoIP C. Encryption D. PBX

Answer 68

Answer: B Voice over IP (VoIP), which transmits voice communications through an IP network, introduces network-specific vulnerabilities to voice communications.

Question 69

69. Which of the following is not true? A. Complying with all applicable legal requirements is a key part of sustaining security. B. It is often possible to disregard legal requirements if complying with regulations would cause a reduction in security. C. The legal requirements of an industry and of a country should be considered the baseline or foundation on which the remainder of the security infrastructure must be built. D. Industry and governments impose legal requirements, restrictions, and regulations on the practices of an organization.

Answer 69

Answer: B Laws and regulations must be obeyed and security concerns must be adjusted accordingly.

Question 70

70. A tunnel mode VPN is used to connect which types of systems? A. Hosts and servers B. Clients and terminals C. Hosts and networks D. Servers and domain controllers

Answer 70

Answer: C Tunnel mode VPNs are used to connect networks to networks or networks to hosts. Transport mode is used to connect hosts to hosts. Host, server, client, terminal, and domain controller are all synonyms.

Question 71

71. What type of detected incident allows the most time for an investigation? A. Compromise B. Denial of service C. Malicious code D. Scanning

Answer 71

Answer: D Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early.

Question 72

72. How might you map out the organizational needs for transfer to or establishment in a new facility? A. Inventory assessment B. Threat assessment C. Risk analysis D. Critical path analysis

Answer 72

Answer: D Critical path analysis can be defined as the logical sequencing of a series of events such that planners and integrators possess considerable information for the decision-making process.

Question 73

73. An attack pattern characterized by a series of invalid packet sequence numbers is called what? A. Stream B. Spamming C. Distributed denial of service D. Teardrop

Answer 73

Answer: D In a teardrop attack, an attacker exploits a bug in operating systems. The bug exists in the routines used to reassemble (that is, resequence) fragmented packets. An attacker sends numerous specially formatted fragmented packets to the victim, which causes the system to freeze or crash.

Question 74

74. Which of the following provides the best description of data purging? A. Destroying media B. Removing all data remnants from media C. Degaussing optical media to remove data D. Overwriting files

Answer 74

Answer: B Purging is an intense method of clearing that removes all data remnants from media to prepare it for reuse in less secure environments. Purging leaves media in a reusable state, instead of destroying it. Degaussing does not remove data from optical media. Overwriting files isn't a reliable method of removing data remnants.

Question 75

75. Which of the following choices is the most reliable method of destroying data on a CD? A. Degaussing B. Physical destruction C. Deleting D. Overwriting

Answer 75

Answer: B Physical destruction is the most reliable method of destroying data on any media, including a CD. Degaussing won't affect a CD. Deleting rarely deletes the data. Overwriting might destroy the data depending on the method used, but it isn't as reliable as physical destruction.

Question 76

76. A _____________is a type of new system deployment testing where the new system and the old system run simultaneously. A. Parallel run B. Simulation test C. Black-box test D. Stress test

Answer 76

Answer: A A parallel run is a type of new system deployment testing where the new system and the old system are run in parallel.

Question 77

77. Which is the most common form of perimeter security device or mechanism for any given business? A. Security guards B. Fences C. Badges D. Lighting

Answer 77

Answer: D Lighting is by far the most pervasive and basic element of security because it illuminates areas and makes signs of hidden danger visible to all.

Question 78

78. Which of the following individuals are not responsible for preserving the chain of custody of evidence? A. Police investigators B. Court reporters C. Evidence technicians D. Attorneys

Answer 78

Answer: B Court reporters generally do not handle evidence and are not subject to maintaining the chain of custody.

Question 79

79. What character, if eliminated from all web form input, would prevent the execution of most common cross-site scripting attacks? A. $ B. & C. > D. #

Answer 79

Answer: C Cross-site scripting attacks must pass the tag to a browser.

Question 80

80. What US federal law prohibits attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder? A. Digital Millennium Copyright Act B. Trade Secrets Act C. Copyright Enhancement Act D. USA PATRIOT Act

Answer 80

Answer: A The Digital Millennium Copyright Act contains provisions prohibiting the circumvention of copyright protection mechanisms.

Question 81

81. What type of intellectual property protection is commonly used to cover literary works (including computer software)? A. Copyright B. Trademark C. Patent D. Service mark

Answer 81

Answer: A Literary works are one of the categories of intellectual property covered by copyright law.

Question 82

82. What type of system is authorized to process data at different classification levels only when all users have authorized access to those classification levels? A. Compartmented mode system B. System-high mode system C. Multilevel mode system D. Dedicated mode system

Answer 82

Answer: B Systems running in system-high mode are authorized to process data at different classification levels only if all system users have access to the highest level of classification processed.

Question 83

83. What malicious code avoidance technique provides users with the ability to identify code originating from a trusted source? A. Sandboxing B. Control signing C. Whitelisting D. Access permissions

Answer 83

Answer: B Control signing utilizes a system of digital signatures to ensure that the code originates from a trusted source. It is up to the end user to determine whether the authenticated source should be trusted.

Question 84

84. The tendency for various technologies, solutions, utilities, and systems to evolve and merge over time is known as what? A. Security governance B. Technology convergence C. OWASP D. Threat modeling

Answer 84

Answer: B Technology convergence is the tendency for various technologies, solutions, utilities, and systems to evolve and merge over time.

Question 85

85. Which of the following malicious code objects was likely designed as a weapon of war? A. Good Times B. Confickr C. Stuxnet D. Melissa

Answer 85

Answer: C The Stuxnet worm was allegedly designed by American and/or Israeli military forces in an attempt to disrupt the Iranian nuclear program.

Question 86

86. What tool or organization is an open repository of information and tools focusing on improving security for online or web-based applications? A. CVE B. PCI DSS C. OWASP D. XSS

Answer 86

Answer: C OWASP (Open Web Application Security Project) is a nonprofit security project focusing on improving security for online or web-based applications. OWASP is not just an organization; it is also a large community that works together to freely share information, methodology, tools, and techniques related to better coding practices and more secure deployment architectures. For more information on OWASP and to participate in the community, visit their website at www.owasp.org.

Question 87

87. Under what method are database backups bulk transferred to off-site recovery locations? A. Electronic billing B. Electronic payment C. Electronic vaulting D. Electronic safekeeping

Answer 87

Answer: C Electronic vaulting automatically backs up data to a secure site where storage professionals at the vaulting company's site handle the details.

Question 88

88. What form of password attack utilizes a preassembled lexicon of terms and their permutations? A. Rainbow tables B. Dictionary word list C. Brute force D. Educated guess

Answer 88

Answer: B Dictionary word lists are precompiled lists of common passwords and their permutations and serve as the foundation for a dictionary attack on accounts.

Question 89

89. What is the primary means by which fax communications can be made secure? A. Nonrepudiation controls B. Limited access C. Authentication D. Encryption

Answer 89

Answer: D The primary means by which fax communications can be secured is to use encryption.

Question 90

90. What is the size of the master boot record on a system installed with a typical configuration? A. 256 bytes B. 512 bytes C. 1,024 bytes D. 2,048 bytes

Answer 90

Answer: B The master boot record is a single sector of a floppy disk or hard drive. Each sector is normally 512 bytes. The MBR contains only enough information to direct the proper loading of the operating system.

Question 91

91. What are the consequences for CISSPs who violate the Code of Ethics? A. Criminal sanctions B. Civil sanctions C. Loss of certification D. Public humiliation

Answer 91

Answer: C CISSPs who violate the (ISC)2 Code of Ethics are subject to certification revocation.

Question 92

92. During what type of penetration test does the tester have no access to system configuration information? A. Black box penetration test B. White box penetration test C. Gray box penetration test D. Red box penetration test

Answer 92

Answer: A During a black box penetration test the testers have no access to configuration information about the system being tested.

Question 93

93. Which one of the following methods is not a valid method of destroying data on a hard drive? A. Purging the drive with a software program B. Copying data over the existing data C. Removing the platters and shredding them D. Removing the platters and disintegrating them

Answer 93

Answer: B Copying data over existing data is not reliable because data may remain on the drive as data remanence. Some software programs can overwrite the data with patterns of 1s and 0s to destroy the data. Shredding or disintegrating the platters will destroy the data.

Question 94

94. What form of attack prevents systems or services from processing or responding to legitimate traffic and network resources? A. Brute force B. Denial of service C. Spamming D. Sniffing

Answer 94

Answer: B Denial of service attacks seek to shut down or stifle network response and congest traffic so that legitimate data cannot be handled in a timely fashion.

Question 95

95. What is the biggest problem with computer-based information when used as evidence? A. It is considered hearsay. B. It is fragile. C. It cannot be contained. D. Its nature is intangible.

Answer 95

Answer: D You should realize that most computer evidence is intangible, meaning it is electronic and magnetically stored information that is vulnerable to erasure, corruption, and other forms of damage. Although computer evidence is usually considered hearsay, there is an exception to the hearsay rule that makes it admissible (specifically if it was created by a normal business operation and supported by a witness).

Question 96

96. What form of interference is generated by a difference in power between hot and neutral wires of a power source? A. Radio frequency interference B. Cross-talk noise C. Traverse mode noise D. Common mode noise

Answer 96

Answer: C Traverse mode noise is generated by the difference in power between the hot and neutral wires of a power source or operating electrical equipment.

Question 97

97. Which of the following is a valid definition of a closed system? A. A system designed to work well with a narrow range of other systems, generally all from the same manufacturer B. A system where the source code and other internal logic is exposed to the public C. A system designed using agreed-upon industry standards D. A system where the source code and other internal logic is hidden from the public

Answer 97

Answer: A A closed system is designed to work well with a narrow range of other systems, generally all from the same manufacturer.

Question 98

98. What attack pattern is characterized by specially crafted inputs issued to a vulnerable application or service? A. Hijacking B. Buffer overflow C. Man in the middle D. Brute force

Answer 98

Answer: B In many cases, a buffer overflow attack will involve specially crafted, typically oversized inputs in an attempt to overwrite critical application data and disrupt or redirect program execution flow.

Question 99

99. Darcy's Doodles is an electronic content provider hosting websites related to art. The IT staff of Darcy's Doodles is concerned about the risk of an earthquake destroying their data center, which is valued at $8,000,000. After consulting with seismologists, they determined that an earthquake is likely to occur once every 50 years and, if one occurred, it would completely destroy the facility. What is the ALE? A. $80,000 B. $160,000 C. $1,600,000 D. $8,000,000

Answer 99

Answer: B The annualized loss expectancy (ALE) is the product of the annualized rate of occurrence (ARO) and the single loss expectancy (SLE). The ARO in this example is 2 percent and the SLE is $8,000,000, giving an ALE of $160,000.

Question 100

100. Which of the following types of IDS is effective only against known attack methods? A. Host based B. Network based C. Knowledge based D. Behavior based

Answer 100

Answer: C A knowledge-based IDS is effective only against known attack methods, which is its primary drawback.

Question 101

101. Which one of the following is not a safe harbor requirement for US companies doing business in Europe? A. Notice B. Choice C. Onward transfer D. Accountability

Answer 101

Answer: D Accountability is not one of the seven safe harbor requirements.

Question 102

102. Which of the following is not a requirement for a cryptographic hash function? A. Variable-length input B. Fixed-length output C. Easy to compute D. Easy to reverse

Answer 102

Answer: D Hash functions must be one-way functions, meaning that they are impossible to reverse.

Question 103

103. Abnormal or unauthorized activities detectable to an IDS include which of the following? (Choose all that apply.) A. External connection attempts B. Execution of malicious code C. Access to controlled objects D. None of the above

Answer 103

Answer: A;B;C IDSs watch for violations of confidentiality, integrity, and availability. Attacks recognized by IDSs can come from external connections (such as the Internet or partner networks), viruses, malicious code, trusted internal subjects attempting to perform unauthorized activities, and unauthorized access attempts from trusted locations.

Question 104

104. What aspect of an organizational security policy, procedure, or process affects all other aspects? A. Awareness training B. Logical security C. Disaster recovery D. Physical security

Answer 104

Answer: D Physical security is the most prominent aspect of an organizational security policy because it directly and indirectly influences all other forms. Without physical security, no other processes and procedures are reliable.

Question 105

105. Which of the following is not a valid security measure to protect against brute-force and dictionary attacks? A. Enforce strong passwords through a security policy. B. Maintain strict control over physical access. C. Require all users to log in remotely. D. Use two-factor authentication.

Answer 105

Answer: C Requiring users to log in remotely does not protect against password attacks such as brute-force or dictionary attacks. Strong password policies, physical access control, and two-factor authentication all improve the protection against brute-force and dictionary password attacks.

Question 106

106. A flooding attack designed to overwhelm a web server is an example of what category of attack? A. Grudge B. Denial of service C. Reconnaissance D. Malicious code

Answer 106

Answer: B Denial-of-service attacks are designed to reduce the availability of services to authorized users.

Question 107

107. What of the following is not a form of physical identification or electronic access control? A. Security gate B. Security badge C. Smart card D. Token device

Answer 107

Answer: A A security gate is a form of physical control that may involve the use of physical identification or electronic access control but is not either one itself.

Question 108

108. What part of the Common Criteria specifies the claims of security from the vendor that are built into a target of evaluation? A. Protection profiles B. Evaluation assurance level C. Certificate authority D. Security target

Answer 108

Answer: D Security targets (STs) specify the claims of security from the vendor that are built into a TOE.

Question 109

109. Coordinated attack efforts against an infrastructure or system that limits or restricts its capacity to process legitimate traffic is what form of network-driven attack? A. Denial of service B. Distributed denial of service C. Distributed reflective denial of service D. Differential denial of service

Answer 109

Answer: B Coordinated attacks between several cooperative machines using traffic in an illegitimate way is a distributed denial of service attack.

Question 110

110. Security Association Markup Language (SAML) attacks often focus on? A. Web-based authentication B. Data theft C. Man-in-the-middle attacks D. Screen scraping

Answer 110

Answer: A SAML attacks are often focused on web-based authentication.

Question 111

111. Which of the following is the highest security classification for a government/military organization? A. Classified B. Top secret C. Sensitive D. Sensitive but unclassified

Answer 111

Answer: B Top secret is the highest security classification for a government/military organization.

Question 112

112. What RFC contains the Internet Advisory Board's statement on ethics and the Internet? A. RFC 1087 B. RFC 1918 C. RFC 2048 D. RFC 2296

Answer 112

Answer: A RFC 1087 outlines the IAB's position on proper use of the Internet.

Question 113

113. What wireless communication technique employs a form of serial communication? A. Spread spectrum B. FHSS C. DSSS D. OFDM

Answer 113

Answer: B Frequency Hopping Spread Spectrum (FHSS) was an early implementation of the spread spectrum concept. However, instead of sending data in a parallel fashion, it transmits data in a series while constantly changing the frequency in use.

Question 114

114. An important reason to maintain separate work areas between different levels of employees is the prevention of which of the following? A. Collision B. Collusion C. Shoulder surfing D. Plain-text attack

Answer 114

Answer: C If an employee with a lower level of clearance can be present in an area of higher clearance, then that employee may be able to see sensitive information on displays (i.e., shoulder surfing).

Question 115

115. Using an insular padded cell on your network for protection to isolate intruders functions on what principle? A. The data offered by the padded cell is what originally attracts the attacker. B. Padded cells are a form of entrapment. C. The intruder is seamlessly transitioned into the padded cell once they are detected. D. Padded cells are used to test a system for known vulnerabilities

Answer 115

Answer: C When an intruder is detected by an IDS, they are transferred to a padded cell. The transfer of the intruder into a padded cell is performed automatically, without informing the intruder that the change has occurred. The padded cell is unknown to the intruder before the attack, so it cannot serve as an enticement or entrapment. Padded cells are used to detain intruders, not to detect vulnerabilities.

Question 116

116. Which one of the following passwords is least likely to be compromised during a dictionary attack? A. gniteelf B. consistent C. surprise2me D. EbrEl4a

Answer 116

Answer: D Except option D, the choices are forms of common words that might be found during a dictionary attack. gniteelf is simply fleeting spelled backward and consistent is a dictionary word. surprise2me combines two dictionary words. Crack and other utilities can easily see through these "sneaky" techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.

Question 117

117. What is the point and purpose of disaster recovery services? A. To prevent interruption to business operations B. To prevent intrusion upon business operations C. To provide restoration facilities to continue business operations D. To provide personnel for provisioning rations to survivors

Answer 117

Answer: C Disaster recovery services provide restoration facilities to continue business operations.

Question 118

118. How many keys are required to fully implement a symmetric encryption algorithm with eight participants? A. 8 B. 16 C. 28 D. 56

Answer 118

Answer: C The number of keys required to fully implement symmetric encryption is computed using the formula (n*(n - 1)) / 2. In this case (8*7) / 2 = 28.

Question 119

119. Which of the following types of WAN connections offer the least assurance of communications? A. Dedicated lines B. Nondedicated lines C. Leased lines D. Point-to-point link lines

Answer 119

Answer: B Nondedicated leased lines offer the least assurance of communication because they require a link to be established before communication can take place. If all circuits for that connection type are currently in use, a connection will not be established, thus no communications.

Question 120

120. How can you protect your business against failure of a software vendor to provide support for its products if it goes out of business? A. Software escrow B. Disaster recovery plan C. Business continuity plan D. Mutual assistance agreements

Answer 120

Answer: A A software escrow arrangement is a unique tool used to protect a company against unsupportive or out-of-business vendors.

Question 121

121. Which component of the CIA Triad has the most avenues or vectors of attack and compromise? A. Confidentiality B. Integrity C. Availability D. Accountability

Answer 121

Answer: C Availability has the most avenues or vectors of attack and compromise. Availability can be affected by damaging the resource, compromising the resource host, interfering with communications, or attacking the client.

Question 122

122. What is the point and purpose of disaster recovery planning? A. To repair business machines during periods of downtime B. To relieve personnel of administrative duty during a disaster C. To restore business to full operational capacity after a disaster D. To restart business systems after weathering a disaster

Answer 122

Answer: C DRP covers the procedures to be followed should a disaster (fire, flood, and so on) occur. The point and purpose of disaster recovery planning is to restore business to full operational capacity after a disaster.

Question 123

123. Which one of the following types of attack is most difficult to defend against? A. Scanning B. Malicious code C. Grudge D. Distributed denial of service

Answer 123

Answer: D It is very difficult to defend against distributed denial-of-service attacks due to their sophistication and complexity.

Question 124

124. When an organization is attempting to identify risks, what should they identify first? A. Assets B. Threats C. Vulnerabilities D. Public attacks

Answer 124

Answer: A An organization must first identify the value of assets when identifying risks so that they can focus on the potential risks for their most valuable assets. They can then identify threats and vulnerabilities related to these assets. Public attacks can be evaluated to determine if they present a risk to the organization, but this should not be the first step.

Question 125

125. Third-party governance cannot be mandated for whom? A. Internal entities B. External consultants and suppliers C. Subsidiaries D. Commercial competitors

Answer 125

Answer: D Commercial competitors or any other entity that is not directly connected or related to the primary organization cannot have that organization's third-party governance mandated or forced on them.

Question 126

126. Which one of the following individuals is most likely to cause serious intentional damage to a business's computing resources? A. Malicious insider B. Terrorist C. Criminal D. Script kiddie

Answer 126

Answer: A The malicious insider poses the greatest risk to your organization because they might already have access to your systems and a working knowledge of your infrastructure.

Question 127

127. What type of cipher relies on changing the actual characters within a message to achieve confidentiality? A. Stream cipher B. Transposition cipher C. Block cipher D. Substitution cipher

Answer 127

Answer: D Substitution ciphers change the values of individual characters in a message.

Question 128

128. What is the best defensive action that system administrators can take against the threat posed by new malicious code objects that exploit known software vulnerabilities? A. Update antivirus definitions monthly. B. Install antiworm filters on the proxy server. C. Apply security patches as they are released. D. Prohibit Internet use on the corporate network.

Answer 128

Answer: C The vast majority of new malicious code objects exploit known vulnerabilities that were already addressed by software manufacturers. The best action administrators can take against new threats is to maintain the patch level of their systems.

Question 129

129. A server administrator recently modified the configuration for a server to improve performance. Unfortunately, when an automated script runs once a week, the modification causes the server to reboot. It took several hours of troubleshooting to ultimately determine the problem wasn't with the script but instead with the modification. What could have prevented this? A. Vulnerability management B. Patch management C. Change management D. Blocking all scripts

Answer 129

Answer: C An effective change management program helps prevent outages from unauthorized changes. Vulnerability management helps detect weaknesses but wouldn't block the problems from this modification. Patch management ensures systems are kept up to date. Blocking scripts removes automation, which would increase the overall workload.

Question 130

130. What is the primary purpose of change management? A. To prevent unwanted reductions to security B. To allow management to review all changes C. To delay the release of mission-critical patches D. To improve productivity of end users

Answer 130

Answer: B The primary purpose of change management is to allow management to review all changes. However, it is true that the overall goal of change management is to prevent unwanted reductions to security.

Question 131

131. Which of the following should be done to a user's account when an employee leaves the organization? A. Delete the user's account B. Change the user's password C. Modify the user's privileges D. Disable the user's account

Answer 131

Answer: D It's important to disable the user's account as soon as possible when the employee leaves. Because the account might be needed to access encrypted resources, it should not be deleted right away. Changing the user's password or modifying the user's privileges leaves open the possibility of someone using the account.

Question 132

132. Which of the following is not a feature of packet switching? A. Bursty traffic focused B. Fixed known delays C. Sensitive to data loss D. Supports any type of traffic

Answer 132

Answer: B Packet switching has variable delays; circuit switching has fixed known delays.

Question 133

133. Which one of the following is best suited to transmit sensitive data over a network? A. SCP B. FTP C. HTTP D. L2TP

Answer 133

Answer: A Secure Copy (SCP) encrypts data with Secure Shell (SSH) and is the best choice of the available answers to transmit sensitive data over a network. File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Layer 2 Tunneling Protocol (L2TP) transmit data over a network in clear text unless they are combined with another protocol to encrypt the traffic.

Question 134

134. Who is responsible for authoring the principle that can be summed up as "the enemy knows the system"? A. Rivest B. Schneier C. Kerckchoffs D. Shamir

Answer 134

Answer: C Kerckchoffs's principle states that a cryptographic system should remain secure even when all details of the system, except the key, are public knowledge.

Question 135

135. When is it acceptable to include your opinion about the causes of an incident in an incident report? A. Never; you should include only facts in your report. B. Only when requested by management. C. Only when you clearly delineate opinion from fact in your report. D. Always, under any circumstances.

Answer 135

Answer: C You may include your opinion in an incident report, but you must be careful to clearly differentiate between fact and opinion.

Question 136

136. What advanced virus type uses more than one propagation technique? A. Polymorphism B. Stealth C. Encryption D. Multipartitism

Answer 136

Answer: D Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method or the other.

Question 137

137. ________________, such as that commonly found in firewall systems, is governed by a set of administrator-defined filters. A. Rule-based access control B. Role-based access control C. Mandatory access control D. Discretionary access control

Answer 137

Answer: A Rule-based access control defines specific functions for access to requested objects.

Question 138

138. What tool can an organization use to reduce or avoid risk when working with external vendors, consultants, or contractors? A. IPSec B. VPN C. SLA D. BCP

Answer 138

Answer: C An SLA (service-level agreement) is a contract with an external entity and is an important part of risk reduction and risk avoidance. By clearly defining the expectations and penalties for external parties, everyone involved knows what is expected of them and what the consequences are in the event of a failure to meet those expectations.

Question 139

139. Which of the following is not a canon of the (ISC)2 Code of Ethics? A. Protect your colleagues. B. Provide diligent and competent service to principals. C. Advance and protect the profession. D. Protect society.

Answer 139

Answer: A The code of ethics does not require that you protect your colleagues.

Question 140

140. Which of the following is not a reason for data classification? A. Because securing everything at a low security level means sensitive data is easily accessible B. To determine how much effort, money, and resources are allocated to protect the data and control access to it. C. Because securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data D. To provide for nonrepudiation

Answer 140

Answer: D Providing for nonrepudiation is not a reason for data classification.

Question 141

141. What programming language(s) can be used to develop ActiveX controls for use on an Internet site? A. Visual Basic B. C C. Java D. All of the above

Answer 141

Answer: D Microsoft's ActiveX technology supports a number of programming languages, including Visual Basic, C, C++, and Java. On the other hand, only the Java language can be used to write Java applets.

Question 142

142. In a _______________, each level or classification label in the security structure grants a subject access to objects equal to and lower than that level. A. Hybrid environment B. Hierarchical environment C. Compartmentalized environment D. Centralized environment

Answer 142

Answer: B In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to medium security to high security.

Question 143

143. Which one of the following countries cannot receive high-performance computers from the United States? A. South Korea B. Iran C. Russia D. England

Answer 143

Answer: B Iran currently appears on the list of Tier 4 countries that cannot receive high-performance computers from the United States.

Question 144

144. How is metadata generated? A. By creating a data warehouse B. By performing data mining C. By hosting a data mart D. By authoring a data dictionary

Answer 144

Answer: B In the context of large databases and the activity of data analysis, metadata is created by performing data mining.

Question 145

145. What type of attack uses malicious email and targets a group of employees within a single company? A. Phishing B. Spear phishing C. Whaling D. Vishing

Answer 145

Answer: B Spear phishing targets a specific group of people such as a group of employees within a single company. Phishing goes to anyone without any specific target. Whaling is a form of phishing that targets high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

Question 146

146. Which one of the following tools scans filesystems for unauthorized modifications? A. LastPass B. Crack C. Shadow password files D. Tripwire

Answer 146

Answer: D Tripwire scans your filesystem for unexpected modifications and reports to you periodically.

Question 147

147. Which of the following is not usually part of an employment background check for a job opening in a secured environment? A. Current amount in checking account B. Employment history C. Postings on social networking sites D. Educational background

Answer 147

Answer: A The amount in a checking account is usually not part of an employment background check. However, there are cases where a credit history and criminal record check are performed. Checking social networking sites has become standard practice as part of pre-employment screening.

Question 148

148. What is the most effective defense against SQL injection attacks? A. Limiting account privileges B. Input validation C. User authentication D. Encryption

Answer 148

Answer: B Input validation ensures that dangerous strings and characters are not included in user input, protecting the underlying database from SQL injection attacks.

Question 149

149. Which one of the following is not a right of individuals under the European Union's data privacy directive? A. Right to access personal data B. Right to delete data C. Right to correct data D. Right to know the data's source

Answer 149

Answer: B The European Union's data privacy directive does not grant individuals the right to delete data from corporate databases.

Question 150

150. What Internet standard does all public email comply with? A. IEEE 802.11 B. X.400 C. X.509 D. LDAP

Answer 150

Answer: B Internet email must comply with X.400.

Question 151

151. What is the SLE for an asset valued at $10,000,000, with a threat exposure factor of 25 percent, and an ARO of 400 times per year? A. $1,000,000,000 B. $100,000,000 C. $9,000,000 D. $2,500,000

Answer 151

Answer: D SLE is calculated with the formula of AV * EF. For this situation, $10,000,000 * 25% = $2,500,000. BTW, if the ALE was requested, then the formula would be AV * EF * ARO or $10,000,000 * 25% * 400 = $1,000,000,000.

Question 152

152. Which one of the following is not a requirement of an invention to be patented? A. It must be new. B. It must be previously protected as a trade secret. C. It must be useful. D. It must be nonobvious.

Answer 152

Answer: B The three requirements of patent law are that an invention must be new, useful, and nonobvious.

Question 153

153. What is the primary function of a gateway as a network device? A. Routing traffic B. Protocol translator C. Attenuation protection D. Creating virtual LANs

Answer 153

Answer: B The gateway is a network device (or service) that works at the Application layer. However, an Application layer gateway is a very specific type of component. It serves as a protocol translation tool. For example, an IP-to-IPX gateway takes inbound communications from TCP/IP and translates them over to IPX/SPX for outbound transmission.

Question 154

154. Remote wipe is a useful feature in minimizing the risk of personal or confidential information being accessed by those in unauthorized possession of a mobile device. What additional feature is essential to ensure that data is truly protected against malicious recovery? A. Screen lock B. GPS tracking C. Data ownership management D. Device encryption

Answer 154

Answer: D In order to ensure that a remote wipe destroys data beyond recovery, the device should be encrypted. Thus the undelete operation would only be recovering encrypted data, which the attacker would be unable to decipher.

Question 155

155. Which one of the following requires that merchants handling credit card information promptly report security incidents involving a breach of cardholder data? A. GLBA B. SOX C. PCI DSS D. HIPAA

Answer 155

Answer: C The Payment Card Industry Data Security Standard includes requirements that merchants promptly report incidents affecting the security of credit card information.

Question 156

156. Which one of the following techniques introduces confusion into a cryptographic algorithm? A. Transposition B. Decryption C. Encryption D. Substitution

Answer 156

Answer: D Confusion occurs when the relationship between the plain text and the key is so complicated that an attacker can't merely continue altering the plain text and analyzing the resulting cipher text to determine the key.

Question 157

157. What is the limit on the number of candidate keys that can exist in a single table? A. Zero B. One C. Two D. No limit

Answer 157

Answer: D There is no limit to the number of candidate keys that a table can have. However, each table can have only one primary key.

Question 158

158. Which one of the following is not one of the three main steps of the business continuity planning (BCP) process, as defined by (ISC)2? A. Project scope and planning B. Business impact assessment C. System backup D. Continuity planning

Answer 158

Answer: C Performing a system backup is not one of the major steps of the BCP process.

Question 159

159. Mary identified a vulnerability in her code where it fails to check during a session to determine whether a user's permission has been revoked. What type of vulnerability is this? A. Back door B. TOC/TOU C. Buffer overflow D. SQL injection

Answer 159

Answer: B TOC/TOU is a type of timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.

Question 160

160. Biometric authentication devices fall under what top-level authentication factor type? A. Type 1 B. Type 2 C. Type 3 D. Type 4

Answer 160

Answer: C Biometric authentication devices represent a Type 3 ("something you have") authentication factor.

Question 161

161. If you require hourly updates to backup facilities, what option do you choose? A. Manual backups B. Remote journaling C. Remote mirroring D. Remote control

Answer 161

Answer: B Remote journaling data transfers are performed expeditiously on a frequent (usually hourly) basis through copies of the transaction logs.

Question 162

162. What encryption algorithm is used by the Clipper chip, which supports the Escrowed Encryption Standard sponsored by the US government? A. Data Encryption Standard (DES) B. Advanced Encryption Standard (AES) C. Skipjack D. IDEA

Answer 162

Answer: C The Skipjack algorithm implemented the key escrow standard supported by the US government.

Question 163

163. Which of the following are goals of the Identification phase of incident response? (Choose all that apply.) A. Restoration of normal activity B. Incorporation of lessons learned C. Notification of appropriate personnel D. Identification of incidents

Answer 163

Answer: C;D The two goals of the identification phase are identifying incidents and notifying the appropriate personnel.

Question 164

164. Stuxnet was the first known example of malicious code that functioned as a rootkit on what type of system? A. SCADA B. PLC C. Cloud D. DCS

Answer 164

Answer: A Stuxnet delivered the first-ever rootkit to a SCADA system located in a nuclear facility.

Question 165

165. What type of application vulnerability allows attackers to gain access to the database underlying a web application? A. Buffer overflow B. Cross-site scripting C. SQL injection D. Cross-site request forgery

Answer 165

Answer: C SQL injection attacks allow hackers to bypass normal access controls and gain access to the database supporting a web application.

Question 166

166. _______________ is a centralized database or index of assets, personnel, resources, or services on the network. A. TACACS+ B. Kerberos C. RADIUS server D. A directory service

Answer 166

Answer: D A directory service is a centralized database of resources, such as a phone directory, made available to the network.

Question 167

167. What type of software license agreement is commonly used for high-priced and highly specialized software packages? A. Contractual agreements B. Shrink-wrap agreements C. Verbal agreements D. Click-wrap agreements

Answer 167

Answer: A Licenses for high-value software often use contractual agreements to outline the responsibilities of both parties.

Question 168

168. What type of trusted recovery process always requires the intervention of an administrator? A. Automated B. Manual C. Function D. Controlled

Answer 168

Answer: B A manual type of trusted recovery process (described in the Common Criteria) always requires the intervention of an administrator. Automated recovery can perform some type of trusted recovery for at least one type of failure. Function recovery provides automated recovery for specific functions and will roll back changes to a secure state if recovery fails. Controlled is not a specific type of trusted recovery process.

Question 169

169. What form of interference is generated by a power differential between hot and ground wires? A. Common mode noise B. Traverse mode noise C. Cross-talk noise D. Radio frequency interference

Answer 169

Answer: A Common mode noise is generated by the difference in power between the hot and ground wires of a power source or operating electrical equipment.

Question 170

170. When attempting to impose accountability on users, what key issue must be addressed? A. Reliable log storage system B. Proper warning banner notification C. Legal defense/support of authentication D. Use of discretionary access control

Answer 170

Answer: C To effectively hold users accountable, your security must be legally defensible. Primarily, you must be able to prove in a court that your authentication process cannot be easily compromised. Thus, your audit trails of actions can then be tied to a human.

Question 171

171. Which software development life cycle model allows for multiple iterations of the development process, resulting in multiple prototypes, each produced according to a complete design and testing process? A. Software Capability Maturity model B. Waterfall model C. Development cycle D. Spiral model

Answer 171

Answer: D The spiral model allows developers to repeat iterations of another life cycle model (such as the waterfall model) to produce a number of fully tested prototypes.

Question 172

172. What port is used by Secure Sockets Layer (SSL) to provide secure web connections? A. 25 B. 80 C. 443 D. 8080

Answer 172

Answer: C SSL uses port 443 to generate secure client-server web connections.

Question 173

173. Among the following scenarios, which course of action is insufficient to increase your posture against brute-force and dictionary-driven attacks? A. Restrictive control over physical access B. Policy-driven strong password enforcement C. Two-factor authentication deployment D. Requiring authentication time-outs

Answer 173

Answer: D Requiring authentication time-outs bears no direct result on password attack protection. Strong password enforcement, restricted physical access, and two-factor authentication help improve security posture against automated attacks.

Question 174

174. Machine language is an example of a ___________________-generation language. A. First B. Second C. Third D. Fifth

Answer 174

Answer: A Machine languages are considered first-generation languages.

Question 175

175. What contractual obligation requires credit card merchants to report the potential compromise of credit card data? A. GLBA B. Sarbanes-Oxley C. FERPA D. PCI DSS

Answer 175

Answer: D The Payment Card Industry Data Security Standard (PCI DSS) requires that credit card merchants immediately report any known or suspected compromise of cardholder data.

Question 176

176. Visitors should be __________________. A. Allowed full access B. Logged and tracked C. Issued computer access credentials D. Exempt from screening

Answer 176

Answer: B Visitors should be logged and tracked. This usually includes issuance of a limited-access badge and oversight by an employee or a security guard. Generally, visitors are not given access to any sensitive area or system.

Question 177

177. What industry must implement information security programs under the Gramm-Leach-Bliley Act of 1999? A. Educational institutions B. Financial institutions C. Telecommunications firms D. Law firms

Answer 177

Answer: B The Gramm-Leach-Bliley Act (GLBA) governs the exchange of personal information by financial institutions and requires that they provide customers with written privacy policies.

Question 178

178. What should be included in the risk assessment portion of the BCP documentation for each risk that was deemed acceptable? A. Future events that might warrant reconsideration B. Mitigation provisions C. Processes to reduce the risk D. Response checklist

Answer 178

Answer: A One of the key elements of the BCP documentation is a list of future events that might warrant reconsideration of the determination that a risk is acceptable.

Question 179

179. Which of the following is not valued in agile software development? A. Comprehensive documentation B. Individuals and interactions C. Working software D. Customer collaboration

Answer 179

Answer: A Agile software development prioritizes working software at the expense of comprehensive documentation.

Question 180

180. An OEP (occupant emergency plan) is a guide to all but which of the following? A. Reduce costs B. Minimize threats to life C. Prevent injury D. Manage duress

Answer 180

Answer: A The OEP provides guidance on how to minimize threats to life, prevent injury, manage duress, handle travel, provide for safety monitoring, and protect property from damage in the event of a destructive physical event. It is not focused on minimizing costs.

Question 181

181. Tom built a database table consisting of the names, telephone numbers, and customer IDs for his business. The table contains information on 30 customers. What is the cardinality of this table? A. Two B. Three C. Thirty D. Undefined

Answer 181

Answer: C The cardinality of a table refers to the number of rows in the table whereas the degree of a table is the number of columns.

Question 182

182. What is a device that attempts to route first but will bridge if routing fails? A. Switch B. Repeater C. Bridge D. Brouter

Answer 182

Answer: D A brouter is a device that attempts to route first, but if that fails, it defaults to bridging.

Question 183

183. Which process ensures that you close the loop of incident response to improve the effectiveness of your response to future incidents? A. Containment B. Lessons learned C. Isolation D. Analysis

Answer 183

Answer: B The lessons learned process includes a review of the incident and your processes to ensure that they are as effective as possible.

Question 184

184. Which environment requires exact, specific clearance for an object's security domain? A. Hierarchical environment B. Hybrid environment C. Compartmentalized environment D. Organizational environment

Answer 184

Answer: C Compartmentalized environments require specific security clearances over compartments or domains instead of objects.

Question 185

185. What standard of evidence is required for investigators to obtain a search warrant? A. Probable cause B. Reasonable certainty C. Beyond a shadow of a doubt D. Due care

Answer 185

Answer: A In order to obtain a search warrant, investigators must have probable cause.

Question 186

186. Which one of the following business impact assessment variables represents the dollar value of each organizational resource? A. AV B. SLE C. ARO D. MTD

Answer 186

Answer: A The asset value (AV) is a monetary measure of an asset's worth to the organization

Question 187

187. The following eight primary protection rules or actions define the boundaries of what security model? •Securely create an object. •Securely create a subject. •Securely delete an object. •Securely delete a subject. •Securely provide the read access right. •Securely provide the grant access right. •Securely provide the delete access right. •Securely provide the transfer access right. A. Graham-Denning B. Bell-LaPadula C. Take-Grant D. Sutherland

Answer 187

Answer: A The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Ultimately, Graham-Denning is a collection of eight primary protection rules or actions (listed in the question) that define the boundaries of certain secure actions.

Question 188

188. Which of the following is not true? A. Fiber-optic cable offers very high throughput rates. B. Fiber-optic cable is difficult to install. C. Fiber-optic cable is expensive. D. Communications over fiber-optic cable can be tapped easily.

Answer 188

Answer: D The statement that fiber-optic cable can be tapped easily is false. Fiber-optic cable is difficult to tap.

Question 189

189. Which source of interference is generated by electrical appliances, light sources, electrical cables and circuits, and so on? A. Cross-talk noise B. Radio frequency interference C. Traverse mode noise D. Common mode noise

Answer 189

Answer: B Radio frequency interference (RFI) is the source of interference that is generated by electrical appliances, light sources, electrical cables and circuits, and so on.

Question 190

190. Which type of connection created by a packet-switching networking system reuses the same basic parameters or virtual pathway each time it connects? A. Bandwidth on demand connection B. Switched virtual circuit C. Permanent virtual circuit D. CSU/DSU connection

Answer 190

Answer: C A PVC reestablishes a link using the same basic parameters or virtual pathway each time it connects. SVCs use unique settings each time. Bandwidth on demand links can be either PVCs or SVCs. CSU/DSU is not a packet-switching technology.

Question 191

191. In what phase of the process used to develop a continuity strategy are mechanisms and procedures that will actually mitigate the risks designed? A. Strategy development B. Provisions and processes C. Education and training D. Business impact assessment

Answer 191

Answer: B It is in the provisions and processes phase that the mechanisms and procedures that will mitigate identified risks are actually designed.

Question 192

192. Which of the following is a benefit of packet-switching technologies over circuit-switching technologies? A. Fixed known delays B. Connection oriented C. Sensitive to connection loss D. Supports bursty traffic

Answer 192

Answer: D Packet-switching technologies support bursty traffic rather than constant traffic. The others are benefits of circuit switching.

Question 193

193. Which of the following disasters is absolutely unpreventable but still considered a part of any formal security-planning phase? A. Utility failure B. Infrastructure failure C. Power outage D. Natural disaster

Answer 193

Answer: D Natural disasters are always factored into any formal recovery plan because they are unpreventable and unavoidable interruptions to business and business processes.

Question 194

194. During what phase of incident response do you collect evidence such as firewall logs? A. Detection and identification B. Response and reporting C. Compliance D. Recovery and remediation

Answer 194

Answer: B Evidence collection takes place during the response and reporting phase of the incident.

Question 195

195. Alice wants to produce a message digest of a 2,048-byte message she plans to send to Bob. If she uses the MD5 hashing algorithm, what size will the message digest for this particular message be? A. 128 bits B. 512 bits C. 1,024 bits D. 2,048 bits

Answer 195

Answer: A The MD5 algorithm produces 128-bit hashes regardless of the size of the input message.

Question 196

196. What is the length of protection offered by trademark law without requiring a renewal? A. 5 years B. 7 years C. 10 years D. 20 years

Answer 196

Answer: C Trademarks are protected for an initial 10-year period and may be renewed for unlimited successive 10-year periods.

Question 197

197. What is not considered a security best practice with regard to password selection? A. Rejection of listed or known bad entries B. Periodic, scheduled password changes C. Simple, easily recalled letter combinations D. Automated real-time strength enforcement

Answer 197

Answer: C Strong password choices should be neither predictable nor deterministic, should be of sufficient length and strength, and should be periodically changed and enforced against best security practices by automated means.

Question 198

198. Compute the value of the function 28 mod 3. A. 0 B. 1 C. 3 D. 25

Answer 198

Answer: B 9 * 3 = 27, leaving a remainder of 1, so 28 mod 3 is 1.

Question 199

199. When establishing who someone is before you grant them access to resources, what is the first step? A. Verify credentials B. Claim an identity C. rant authority D. Monitor activity

Answer 199

Answer: B The first step toward granting a user access is for them to claim an identity (identification). That is followed by verifying credentials (authentication), then by granting authority (authorization), and finally by monitoring activity (auditing).

Question 200

200. Which one of the following is not a goal of cryptographic systems? A. Nonrepudiation B. Confidentiality C. Availability D. Integrity

Answer 200

Answer: C The four goals of cryptographic systems are confidentiality, integrity, authentication, and nonrepudiation.

Question 201

201. What frequency does an 802.11n-compliant device employ? A. 3 Hz B. 900 MHz C. 7 GHz D. 2.4 GHz

Answer 201

Answer: D 802.11n can use the 2.4 GHz and 5 GHz frequencies. The 2.4 GHz frequency is also used by 802.11g and 802.11b.

Question 202

202. Which of the following options is not considered a cause of disaster? A. Power outage B. Terrorist attack C. Hurricane destruction D. Maintenance downtime

Answer 202

Answer: D Maintenance downtime is considered a man-made interruption of service that is not a form of disaster.

Question 203

203. Which of the following attacks is the best example of a financial attack? A. Denial of service B. Website defacement C. Port scanning D. Phone phreaking

Answer 203

Answer: D Phone phreaking attacks are designed to obtain service while avoiding financial costs.

Question 204

204. Which VPN protocol should not be used as the sole encapsulation mechanism if there is a dial-up segment present between the host and the link endpoint? A. L2F B. PPTP C. IPSec D. L2TP

Answer 204

Answer: C IPSec is not designed to function naked over a dial-up segment. IPSec must be encapsulated to transmit across a dial-up link; often it is encased in L2TP for this.

Question 205

205. What is the most effective defense against SQL injection attacks? A. Input validation B. Firewalls C. Encryption D. Cross-site scripting

Answer 205

Answer: A Input validation ensures that invalid characters are not entered into input fields on web forms, preventing an attacker from launching a SQL injection attack.

Question 206

206. A developer added a subroutine to a web application that checks to see if the date is April 1 and, if it is, randomly changes user account balances. What type of malicious code is this? A. Logic bomb B. Worm C. Trojan horse D. Virus

Answer 206

Answer: A Logic bombs wait until certain conditions are met before delivering their malicious payloads.

Question 207

207. On what port do DHCP clients request a configuration? A. 25 B. 110 C. 68 D. 443

Answer 207

Answer: C Dynamic Host Configuration Protocol (DHCP) uses port 68 for client request broadcast and port 67 for server point-to-point response.

Question 208

208. You are responsible for the security of your organization's web server and wish to install a digital certificate that supports strong cryptography. What standard should you choose? A. SSL v1.2 B. SSL v2.0 C. SSL v3.0 D. TLS v1.2

Answer 208

Answer: D Transport Layer Security (TLS) supplanted Secure Sockets Layer (SSL) as the best practice security standard for web encryption.

Question 209

209. ________________ is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. A. Polyinstantiation B. Perturbation C. Declassification D. Physical protection

Answer 209

Answer: C Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level.

Question 210

210. What is the top priority of BCP and DRP? A. Data B. Recovery procedures C. Budget D. People

Answer 210

Answer: D The top priority of BCP and DRP is always people. The primary concern is to get people out of harm's way; then you can address IT recovery and restoration issues.

Question 211

211. What is the best defensive action that system administrators can take against the threat posed by new malicious code objects that exploit known software vulnerabilities? A. Update antivirus definitions monthly. B. Install antiworm filters on the proxy server. C. Apply security patches as they are released. D. Prohibit Internet use on the corporate network.

Answer 211

Answer: C The vast majority of new malicious code objects exploit known vulnerabilities that were already addressed by software manufacturers. The best action administrators can take against new threats is to maintain the patch level of their systems.

Question 212

212. Which of the following is not used in typical biometric authentication? A. Fingerprint scans B. Retinal scans C. Voice recognition D. Saliva sample

Answer 212

Answer: D Typical biometric authentication systems represent mechanisms that can mostly perform real-time analysis of biometric authentication factors without involving personal health factors.

Question 213

213. What does the modified waterfall model add to the standard waterfall development cycle? A. Validation B. Design review C. Requirements gathering D. Security analysis

Answer 213

Answer: A The modified waterfall process differs from the standard waterfall process by adding validation and verification phases.

Question 214

214. Which of the following best describes a security control baseline? A. A listing of security controls that an organization must implement B. A listing of security controls that ensures a maximum level of security C. A listing of security controls that provide a minimum level of security D. A listing of applied security controls

Answer 214

Answer: C A baseline is a listing of security controls that provide a minimum level of security. Organizations can tailor a baseline to meet its needs. The baseline is a starting point and it does not ensure maximum security. A baseline provides a listing of controls an organization can apply, but it isn't necessarily a listing of applied controls.

Question 215

215. Which of the following issues is not commonly addressed in a service-level agreement? A. Maximum tolerable downtime B. Peak load C. Software design D. Financial obligations

Answer 215

Answer: C The SLA describes the critical requirements of the software support model. It does not normally include design details.

Question 216

216. Which backup facility is large enough to support current operational capacity and load but lacks the supportive infrastructure? A. Mobile site B. Service bureau C. Hot site D. Cold site

Answer 216

Answer: D A cold site is any facility that provides only the physical space for recovery operations while the organization using the space provides its own hardware and software systems.

Question 217

217. The security role of ________________ is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. A. Data custodian B. Data owner C. Auditor D. InfoSec officer

Answer 217

Answer: A The security role of data custodian is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.

Question 218

218. Which backup facility is large enough to support current operational capacity and load, including the supportive infrastructure? A. Mobile site B. Service bureau C. Hot site D. Cold site

Answer 218

Answer: C A hot site includes an up-to-date mirrored operation that includes all aspects of an operational enterprise.

Question 219

219. ________________ operates on a set of defined rules or restrictions that filter actions and activities performed on the system. A. Discretionary access control B. Mandatory access control C. Nondiscretionary access control D. Voluntary access control

Answer 219

Answer: C Nondiscretionary access control enables the enforcement of systemwide restrictions that override object-specific access control.

Question 220

220. The ____________ model is focused on the secure creation and deletion of both subjects and objects. Ultimately, this model is a collection of eight primary protection rules or actions that define the boundaries of certain secure actions. A. Biba B. Sutherland C. Graham–Denning D. Brewer–Nash

Answer 220

Answer: C The Graham–Denning model is focused on the secure creation and deletion of both subjects and objects.

Question 221

221. What software development technique includes as a basic principle that it values responding to change over following a plan? A. Spiral B. Waterfall C. Agile D. CMM

Answer 221

Answer: C The agile software development methodology prioritizes flexible development that emphasizes responding to change over following a plan.

Question 222

222. What is the minimum number of cryptographic keys required to achieve a higher level of security than DES with the Triple DES algorithm? A. 1 B. 2 C. 3 D. 4

Answer 222

Answer: B To achieve added security over DES, 3DES must use at least two cryptographic keys.

Question 223

223. Which of the following actions should never occur during the isolation and containment phase of incident response? A. Powering down a compromised system B. Disconnecting a compromised system from the network C. Isolating a compromised system from other systems on the network D. Preserving the system in a running state

Answer 223

Answer: A You should never power down a compromised system during the early stages of incident response because this may destroy valuable evidence stored in volatile memory.

Question 224

224. Which of the following is not a benefit of NAT? A. Use of RFC 1918 addresses B. Fewer leased public addresses C. Hidden configuration of internal systems D. Access initiations from external entities

Answer 224

Answer: D NAT does not allow initiations from external entities. Therefore, allowing external initiations is not a benefit. The benefit is that NAT does not allow them.

Question 225

225. Which federal government agency is responsible for ensuring the security of government computer systems that are used to process sensitive and/or classified information? A. National Security Agency B. Federal Bureau of Investigation C. National Institute of Standards and Technology D. Secret Service

Answer 225

Answer: A The National Security Agency is responsible for managing the security of computer systems that process sensitive and/or classified information. The security of all other federal government systems is entrusted to the National Institute of Standards and Technology.

Question 226

226. On what principle does a SYN flood attack operate? A. Sending overly large SYN packets B. Exploiting a platform flaw in Windows C. Using an amplification network to flood a victim with packets D. Exploiting the TCP/IP three-way handshake

Answer 226

Answer: D SYN flood attacks are targeted at the standard three-way handshake process used by TCP/IP to initiate communication sessions.

Question 227

227. The act of performing a(n) __________ in order to drive the security policy is the clearest and most direct example of management of the security function. A. Ethical hacking exercise B. Full interruption test C. Risk assessment D. Public review of policy

Answer 227

Answer: C The act of performing a risk assessment in order to drive the security policy is the clearest and most direct example of management of the security function.

Question 228

228. Which one of the following files might be modified or created by a companion virus? A. COMMAND.EXE B. CONFIG.SYS C. AUTOEXEC.BAT D. WIN32.DLL

Answer 228

Answer: A Companion viruses are self-contained executable files with filenames similar to those of existing system/program files but with a modified extension. The virus file is executed when an unsuspecting user types the filename without the extension at the command prompt.

Question 229

229. The ________________ model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of and limitations to only these predetermined secure states, integrity is maintained and interference is prohibited. A. Biba B. Sutherland C. Clark-Wilson D. Gramm-Leach-Bliley

Answer 229

Answer: B The Sutherland model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of and limitations to only these predetermined secure states, integrity is maintained and interference is prohibited.

Question 230

230. Which of the following is an example of a code? A. Rivest B. AES C. 10 system D. Skipjack

Answer 230

Answer: C The 10 system is a code used in radio communications for brevity and clarity.

Question 231

231. Which recovery site alternative provides shared resources through contractual leasing options? A. Service bureau B. Mobile site C. Hot site D. Cold site

Answer 231

Answer: A A service bureau is a company that provides time-leased computer services for a fee.

Question 232

232. The VPN protocols PPTP, L2F, and L2TP primarily function at what layer of the OSI model? A. 1 B. 2 C. 3 D. 4

Answer 232

Answer: B VPN protocols—specifically PPTP, L2F, and L2TP—function at the Data Link layer (layer 2).

Question 233

233. Which of the following security controls is most effective against intruders tampering with evidence during an attack? A. Firewalls B. Intrusion detection systems C. Antivirus software D. Centralized logging

Answer 233

Answer: D Centralized logging provides a nonmodifiable repository for system logs, preventing an attacker from destroying evidence of an attack.

Question 234

234. What type of decision making involves the emotional impact of events on a firm's workforce and client base? A. Quantitative decision making B. Continuity decision making C. Qualitative decision making D. Impact decision making

Answer 234

Answer: C Qualitative decision making takes nonnumerical factors, such as emotional impact, into consideration.

Question 235

235. Which evidence-gathering technique is used when you do not want to provide an individual with any advance notice? A. Search warrant B. Subpoena C. Voluntary surrender D. Interview

Answer 235

Answer: A Search warrants allow law enforcement personnel to conduct surprise searches.

Question 236

236. What is the output value of the mathematical function 22 mod 4? A. 0 B. 2 C. 4 D. 6

Answer 236

Answer: B Option B is correct because 22 divided by 4 equals 5, with a remainder value of 2.

Question 237

237. Which of the following security measures is a controlled entry and exit point? A. Gates B. Fences C. Locks D. Cameras

Answer 237

Answer: A Security gates represent the means to gain access and leave a perimeter, facility, or campus in a controlled manner, unlike more passive means (such as fences/walls, locks, and cameras).

Question 238

238. What port is used by the SSH service and is often subject to scanning attacks? A. 22 B. 80 C. 110 D. 443

Answer 238

Answer: A The SSH service uses TCP port 22.

Question 239

239. Which of the following is not an IP address that would be considered a private IP address by RFC 1918? A. 172.32.4.29 B. 172.17.6.93 C. 172.23.23.251 D. 172.28.29.189

Answer 239

Answer: A The private IP addresses defined in RFC 1918 are 10.0.0.0 to 10.255.255.255 (a full Class A range), 172.16.0.0 to 172.31.255.255 (16 Class B ranges), and 192.168.0.0 to 192.168.255.255 (255 Class C ranges).

Question 240

240. The term personal area network is most closely associated with what wireless technology? A. 802.15 B. 802.11 C. 802.16 D. 802.3

Answer 240

Answer: A 802.15 (aka Bluetooth) creates personal area networks (PANs).

Question 241

241. What DES mode is the streaming cipher version of CBC? A. CFB B. ECB C. AES D. 3DES

Answer 241

Answer: A Cipher Feedback Mode (CFB) uses a streaming cipher, compared to CBC's block cipher.

Question 242

242. In the event of a security incident, what is the first action that responders should take? A. Isolate affected systems B. Gather evidence C. Conduct reconnaissance of the remote network D. Restore service

Answer 242

Answer: A The first step that should be followed when an incident is detected is isolating the affected system.

Question 243

243. What type of attack can detect passwords sent across a network in clear text? A. Spoofing attack B. Spamming attack C. Sniffing attack D. Side-channel attack

Answer 243

Answer: C A sniffing attack uses a sniffer (also called a packet analyzer or protocol analyzer) to capture data and can be used to read passwords sent across a network in clear text. A spoofing attack attempts to hide the identity of the attacker. A spamming attack involves sending massive amounts of email. A side-channel attack is a passive, noninvasive attack used against smart cards.

Question 244

244. What evidentiary principle states that a written contract is assumed to contain all the terms of an agreement? A. Material evidence B. Best evidence C. Parol evidence D. Relevant evidence

Answer 244

Answer: C The parol evidence rule states that a written contract is assumed to contain all the terms of an agreement and cannot be modified by a verbal agreement.

Question 245

245. Whole hard drive encryption can be configured to securely store its master encryption key in what locally present storage device? A. RAM B. L2 cache C. CMOS D. TPM

Answer 245

Answer: D The TPM (trusted platform module) can be used to securely host/store the master encryption key for whole drive encryption.

Question 246

246. The act of ___________ is the practice of assessing the completeness and effectiveness of the security program. A. Measuring and evaluating security metrics B. Monitoring performance C. Vulnerability analysis D. Crafting a baseline

Answer 246

Answer: A The act of measuring and evaluating security metrics is the practice of assessing the completeness and effectiveness of the security program. This should also include measuring it against common security guidelines and tracking the success of its controls.

Question 247

247. What means of risk response transfers the burden of risk to another entity? A. Mitigation B. Assignment C. Tolerance D. Rejection

Answer 247

Answer: B Risk assignment or transferring risk is the placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of assigning or transferring risk.

Question 248

248. Which of the following cipher algorithms uses the longest key? A. One-time pad cipher B. Caesar cipher C. Vigenere cipher D. Columnar transposition cipher

Answer 248

Answer: A The one-time pad uses a key that is equal in length to the message. All of the other algorithms use keys that are shorter than the message.

Question 249

249. Which form of physical security control focuses on facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures? A. Technical B. Physical C. Administrative D. Logical

Answer 249

Answer: C Administrative physical security controls include facility construction and selection, site management, personnel controls, awareness training, and emergency response and procedures.

Question 250

250. A system that deploys ________________ permits the owner or creator of an object to control and define its accessibility. A. Mandatory access control B. Rule-based access control C. Discretionary access control D. Role-based access control

Answer 250

Answer: C Discretionary access control permits the owner or creator of an object to control and define its accessibility because the owner has full control by default.