Practice Test 2 Flashcards
James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?
a. SLA
b. RTO
c. MTD
d. RPO
D. The recovery point objective (RPO) identifies the maximum amount of data, measured in time, that may be lost during a recovery effort. The recovery time objective (RTO) is the amount of time expected to return an IT service or component to operation after a failure. The maximum tolerable downtime (MTD) is the longest amount of time that an IT service or component may be unavailable without causing serious damage to the organization. Service-level agreements (SLAs) are written contracts that document service expectations.
Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice?
a. A switch
b. A bridge
c. A gateway
d. A router
D. Fred should choose a router. Routers are designed to control traffic on a network while connecting to other similar networks. If the networks were very different, a bridge could help connect them. Gateways are used to connect to networks that use other protocols by transforming traffic to the appropriate protocol or format as it passes through them. Switches are often used to create broadcast domains and to connect endpoint systems or other devices.
Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?
a. Black box
b. Crystal box
c. Gray box
d. Zero box
B. Crystal box penetration testing, which is also sometimes called white box penetration testing, provides the tester with information about networks, systems, and configurations, allowing highly effective testing. It doesn’t simulate an actual attack like black and gray box testing can, and thus does not have the same realism, and it can lead to attacks succeeding that would fail in a zero- or limited-knowledge attack.
Application banner information is typically recorded during what penetration testing phase?
a. Planning
b. Attack
c. Reporting
d. Discovery
D. The discovery phase includes activities like gathering IP addresses, network ranges, and hostnames, as well as gathering information about employees, locations, systems, and of course, the services those systems provide. Banner information is typically gathered as part of discovery to provide information about what version and type of service is being provided.
What is the default subnet mask for a Class B network?
a. 255.0.0.0
b. 255.255.0.0
c. 255.254.0.0
d. 255.255.255.0
B. A class B network holds 2^16 systems, and its default network mask is 255.255.0.0.
Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?
a. Record the MAC address of each system.
b. Require users to fill out a form to register each system.
c. Scan each system using a port scanner.
d. Use device fingerprinting via a web-based registration system.
D. Device fingerprinting via a web portal can require user authentication and can gather data like operating systems, versions, software information, and many other factors that can uniquely identify systems. Using an automated fingerprinting system is preferable to handling manual registration, and pairing user authentication with data gathering provides more detail than a port scan. MAC addresses can be spoofed, and systems may have more than one depending on how many network interfaces they have, which can make unique identification challenging.
David works in an organization that uses a formal data governance program. He is consulting with an employee working on a project that created an entirely new class of data and wants to work with the appropriate individual to assign a classification level to that information. Who is responsible for the assignment of information to a classification level?
a. Data creator
b. Data owner
c. CISO
d. Data custodian
B. The data owner is normally responsible for classifying information at an appropriate level. This role is typically filled by a senior manager or director, who then delegates operational responsibility to a data custodian.
What type of inbound packet is characteristic of a ping flood attack?
a. ICMP echo request
b. ICMP echo reply
c. ICMP destination unreachable
d. ICMP route changed
A. The ping flood attack sends echo requests at a targeted system. These pings use inbound ICMP echo request packets, causing the system to respond with an outbound ICMP echo reply.
Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?
a. More complex passwords
b. User education against social engineering
c. Multifactor authentication
d. Addition of security questions based on personal knowledge
C. While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.
The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?
a. MPLS, a way to replace long network addresses with shorter labels and support a wide range of protocols
b. FCoE, a converged protocol that allows common applications over Ethernet
c. SDN, a converged protocol that allows network virtualization
d. CDN, a converged protocol that makes common network designs accessible
C. Software-defined networking (SDN) is a converged protocol that allows virtualization concepts and practices to be applied to networks. MPLS handles a wide range of protocols like ATM, DSL, and others, but isn’t intended to provide the centralization capabilities that SDN does. Content Distribution Network (CDN) is not a converged protocol, and FCoE is Fiber Channel over Ethernet, a converged protocol for storage.
Susan is preparing to decommission her organization’s archival DVD-ROMs that contain Top Secret data. How should she ensure that the data cannot be exposed?
a. Degauss
b. Zero wipe
c. Pulverize
d. Secure erase
C. The best way to ensure that data on DVDs is fully gone is to destroy them, and pulverizing DVDs is an appropriate means of destruction. DVDs are write-only media, meaning that secure erase and zero wipes won’t work. Degaussing only works on magnetic media and cannot guarantee that there will be zero data remanence.
What is the final stage of the Software Capability Maturity Model (SW-CMM)?
a. Repeatable
b. Defined
c. Managed
d. Optimizing
D. The five stages of the SW-CMM are, in order, Initial, Repeatable, Defined, Managed, and Optimizing. In the Optimizing stage, a process of continuous improvement occurs.
Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?
a. Packets with a source address from Angie’s public IP address block
b. Packets with a destination address from Angie’s public IP address block
c. Packets with a source address outside of Angie’s address block
d. Packets with a source address from Angie’s private address block
A. All packets leaving Angie’s network should have a source address from her public IP address block. Packets with a destination address from Angie’s network should not be leaving the network. Packets with source addresses from other networks are likely spoofed and should be blocked by egress filters. Packets with private IP addresses as sources or destinations should never be routed onto the Internet.
Matt is conducting a penetration test against a Linux server and successfully gained access to an administrative account. He would now like to obtain the password hashes for use in a brute-force attack. Where is he likely to find the hashes, assuming the system is configured to modern security standards?
a. /etc/passwd
b. /etc/hash
c. /etc/secure
d. /etc/shadow
D. Security best practices dictate the use of shadowed password files that move the password hashes from the widely accessible /etc/passwd file to the more restricted /etc/shadow file.
Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?
a. Separation of duties
b. Two-person control
c. Least privilege
d. Job rotation
A. While developers may feel like they have a business need to be able to move code into production, the principle of separation of duties dictates that they should not have the ability to both write code and place it on a production server. The deployment of code is often performed by change management staff.
Which one of the following tools may be used to achieve the goal of nonrepudiation?
a. Digital signature
b. Symmetric encryption
c. Firewall
d. IDS
A. Applying a digital signature to a message allows the sender to achieve the goal of nonrepudiation. This allows the recipient of a message to prove to a third party that the message came from the purported sender. Symmetric encryption does not support nonrepudiation. Firewalls and IDS are network security tools that are not used to provide nonrepudiation.
In the diagram of the TCP three-way handshake here, what should system A send to system B in step 3?
a. ACK
b. SYN
c. FIN
d. RST
A. System A should send an ACK to end the three-way handshake. The TCP three-way handshake is SYN, SYN/ACK, ACK.
What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?
a. RADIUS+
b. TACACS+
c. XTACACS
d. Kerberos
B. TACACS+ is the most modern version of TACACS, the Terminal Access Controller Access-Control System. It is a Cisco proprietary protocol with added features beyond what RADIUS provides, meaning it is commonly used on Cisco networks. XTACACS is an earlier version, Kerberos is a network authentication protocol rather than a remote user authentication protocol, and RADIUS+ is a made-up term.
What two types of attacks are VoIP call managers and VoIP phones most likely to be susceptible to?
a. DoS and malware
b. Worms and Trojans
c. DoS and host OS attacks
d. Host OS attacks and buffer overflows
C. Call managers and VoIP phones can be thought of as servers or appliances and embedded or network devices. That means that the most likely threats that they will face are denial-of-service (DoS) attacks and attacks against the host operating system. Malware and Trojans are less likely to be effective against a server or embedded system that doesn’t browse the Internet or exchange data files; buffer overflows are usually aimed at specific applications or services.
Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?
a. Antivirus
b. Heuristic
c. Whitelist
d. Blacklist
C. The blacklist approach to application control blocks certain prohibited packages but allows the installation of other software on systems. The whitelist approach uses the reverse philosophy and only allows approved software. Antivirus software would only detect the installation of malicious software after the fact. Heuristic detection is a variant of antivirus software.
Questions 21–23 refer to the following scenario.
Hunter is the facilities manager for DataTech, a large data center management firm. He is evaluating the installation of a flood prevention system at one of DataTech’s facilities. The facility and contents are valued at $100 million. Installing the new flood prevention system would cost $10 million.
Hunter consulted with flood experts and determined that the facility lies within a 200-year flood plain and that, if a flood occurred, it would likely cause $20 million in damage to the facility.
Based on the information in this scenario, what is the exposure factor for the effect of a flood on DataTech’s data center?
a. 2%
b. 20%
c. 100%
d. 200%
B. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $20 million in damage divided by the $100 million facility value, or 20%.
Based on the information in this scenario, what is the annualized rate of occurrence for a flood at DataTech’s data center?
a. 0.002
b. 0.005
c. 0.02
d. 0.05
B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect floods once every 200 years, or 0.005 times per year.
Based on the information in this scenario, what is the annualized loss expectancy for a flood at DataTech’s data center?
a. $40,000
b. $100,000
c. $400,000
d. $1,000,000
B. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $20 million and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $100,000.
Which accounts are typically assessed during an account management assessment?
a. A random sample
b. Highly privileged accounts
c. Recently generated accounts
d. Accounts that have existed for long periods of time
B. The most frequent target of account management reviews is highly privileged accounts, as they create the greatest risk. Random samples are the second most likely choice. Accounts that have existed for a longer period of time are more likely to have a problem due to privilege creep than recently created accounts, but neither of these choices is likely unless there is a specific organizational reason to choose them.
In the shared responsibility model, under which tier of cloud computing does the customer take responsibility for securing server operating systems?
a. IaaS
b. PaaS
c. SaaS
d. TaaS
A. In an Infrastructure as a Service (IaaS) cloud computing model, the customer retains responsibility for managing operating system security while the vendor manages security at the hypervisor level and below.
What type of error occurs when a valid subject using a biometric authenticator is not authenticated?
a. A Type 1 error
b. A Type 2 error
c. A Type 3 error
d. A Type 4 error
A. Type 1 errors occur when a valid subject is not authenticated. Type 2 errors occur when an invalid subject is incorrectly authenticated. Type 3 and Type 4 errors are not associated with biometric authentication.
Jackie is creating a database that contains the Customers table, shown here. She is designing a new table to contain Orders and plans to use the Company ID in that table to uniquely identify the customer associated with each order. What role does the Company ID field play in the Orders table?
a. Primary key
b. Foreign key
c. Candidate key
d. Referential key
B. The Company ID is a field used to identify the corresponding record in another table. This makes it a foreign key. Each customer may place more than one order, making Company ID unsuitable for use as a primary or candidate key in this table. Referential keys are not a type of database key.
What three types of interfaces are typically tested during software testing?
a. Network, physical, and application interfaces
b. APIs, UIs, and physical interfaces
c. Network interfaces, APIs, and UIs
d. Application, programmatic, and user interfaces
B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all tested during the software testing process. Network interfaces are not typically tested, and programmatic interfaces is another term for APIs.
George is assisting a prosecutor with a case against a hacker who attempted to break into George’s company’s computer systems. He provides system logs to the prosecutor for use as evidence but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?
a. Testimonial evidence rule
b. Parol evidence rule
c. Best evidence rule
d. Hearsay rule
D. The hearsay rule says that a witness cannot testify about what someone else told them, except under very specific exceptions. The courts have applied the hearsay rule to include the concept that attorneys may not introduce logs into evidence unless they are authenticated by the system administrator. The best evidence rule states that copies of documents may not be submitted into evidence if the originals are available. The parol evidence rule states that if two parties enter into a written agreement, that written document is assumed to contain all of the terms of the agreement. Testimonial evidence is a type of evidence, not a rule of evidence.
Which of the following is not a valid use for key risk indicators?
a. Provide warnings before issues occur.
b. Provide real-time incident response information.
c. Provide historical views of past risks.
d. Provide insight into risk tolerance for the organization.
B. While key risk indicators can provide useful information for organizational planning and a deeper understanding of how organizations view risk, KRIs are not a great way to handle a real-time security response. Monitoring and detection systems like IPS, SIEM, and other tools are better suited to handling actual attacks.
Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?
a. Trojan horse
b. Worm
c. Logic bomb
d. Virus
B. Worms have built-in propagation mechanisms that do not require user interaction, such as scanning for systems containing known vulnerabilities and then exploiting those vulnerabilities to gain access. Viruses and Trojan horses typically require user interaction to spread. Logic bombs do not spread from system to system but lie in wait until certain conditions are met, triggering the delivery of their payload.
Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?
a. IaaS
b. PaaS
c. CaaS
d. SaaS
A. In this scenario, the vendor is providing object-based storage, a core infrastructure service. Therefore, this is an example of Infrastructure as a Service (IaaS).
In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?
a. Public cloud
b. Private cloud
c. Community cloud
d. Shared cloud
C. In the community cloud computing model, two or more organizations pool their resources to create a cloud environment that they then share.
Which one of the following is not a principle of the Agile approach to software development?
a. The most efficient method of conveying information is electronic.
b. Working software is the primary measure of progress.
c. Simplicity is essential.
d. Business people and developers must work together daily.
A. The Agile approach to software development states that working software is the primary measure of progress, that simplicity is essential, and that business people and developers must work together daily. It also states that the most efficient method of conveying information is face-to-face, not electronic.
Harry is concerned that accountants within his organization will use data diddling attacks to cover up fraudulent activity in accounts that they normally access. Which one of the following controls would best defend against this type of attack?
a. Encryption
b. Access controls
c. Integrity verification
d. Firewalls
C. Encryption, access controls, and firewalls would not be effective in this example because the accountants have legitimate access to the data. Integrity verification software would protect against this attack by identifying unexpected changes in protected data.
What class of fire extinguisher is capable of fighting electrical fires?
a. Class A
b. Class B
c. Class C
d. Class D
C. Class C fire extinguishers use carbon dioxide or halon suppressants and are useful against electrical fires. Water-based extinguishers should never be used against electrical fires due to the risk of electrocution.
What important factor differentiates Frame Relay from X.25?
a. Frame Relay supports multiple PVCs over a single WAN carrier connection.
b. Frame Relay is a cell switching technology instead of a packet switching technology like X.25.
c. Frame Relay does not provide a Committed Information Rate (CIR).
d. Frame Relay only requires a DTE on the provider side.
A. Frame Relay supports multiple private virtual circuits (PVCs), unlike X.25. It is a packet switching technology that provides a Committed Information Rate, which is a minimum bandwidth guarantee provided by the service provider to customers. Finally, Frame Relay requires a DTE/DCE at each connection point, with the DTE providing access to the Frame Relay network and a provider-supplied DCE, which transmits the data over the network.
Using the following table, and your knowledge of the auditing process, answer questions 38–40.
As they prepare to migrate their data center to an Infrastructure as a Service (IaaS) provider, Susan’s company wants to understand the effectiveness of their new provider’s security, integrity, and availability controls. What SOC report would provide them with the most detail?
a. SOC 1
b. SOC 2
c. SOC 3
d. None of the SOC reports are suited to this, and they should request another form of report.
B. SOC 2 reports are released under NDA to select partners or customers, and can provide detail on the controls and any issues they may have. A SOC 1 report would only provide financial control information, and a SOC 3 report provides less information since it is publicly available.
Susan wants to ensure that the audit report that her organization requested includes input from an external auditor. What type of report should she request?
a. SOC 2, Type 1
b. SOC 3, Type 1
c. SOC 2, Type 2
d. SOC 3, Type 2
C. A SOC 2, Type 2 report includes information about a data center’s security, availability, processing integrity, confidentiality, and privacy, and includes an auditor’s opinion on the operational effectiveness of the controls. SOC 3 does not have types, and a SOC 2 Type 1 only requires the organization’s own attestation.
When Susan requests a SOC 2 report, she receives a SAS 70 report. What issue should Susan raise?
a. SAS 70 does not include Type 2 reports, so control evaluation is only point in time.
b. SAS 70 has been replaced.
c. SAS 70 is a financial reporting standard and does not cover data centers.
d. SAS 70 only uses a 3-month period for testing.
B. SAS 70 was superseded in 2010 by the SSAE 16 standard with three SOC levels for reporting. SAS 70 included Type 2 reports, covered data centers, and used 6-month testing periods for Type 2 reports.
What two logical network topologies can be physically implemented as a star topology?
a. A bus and a mesh
b. A ring and a mesh
c. A bus and a ring
d. It is not possible to implement other topologies as a star.
C. Both a logical bus and a logical ring can be implemented as a physical star. Ethernet is commonly deployed as a physical star by placing a switch at the center of the star, but Ethernet still operates as a bus. Similarly, Token Ring deployments using a multistation access unit (MAU) were deployed as physical stars but operated as rings.
Bell-LaPadula is an example of what type of access control model?
a. DAC
b. RBAC
c. MAC
d. ABAC
C. Bell-LaPadula uses security labels on objects and clearances for subjects, and is therefore a MAC model. It does not use discretionary, rule-based, role-based, or attribute-based access control.
Martha is the information security officer for a small college and is responsible for safeguarding the privacy of student records. What law most directly applies to her situation?
a. HIPAA
b. HITECH
c. COPPA
d. FERPA
D. The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students in any educational institution that accepts any form of federal funding.
What U.S. law mandates the protection of Protected Health Information?
a. FERPA
b. SAFE Act
c. GLBA
d. HIPAA
D. The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of Protected Health Information (PHI). The SAFE Act deals with mortgages, the Gramm-Leach-Bliley Act (GLBA) covers financial institutions, and FERPA deals with student data.
What type of Windows audit record describes events like an OS shutdown or a service being stopped?
a. An application log
b. A security log
c. A system log
d. A setup log
C. Windows system logs include reboots, shutdowns, and service state changes. Application logs record events generated by programs, security logs track events like logins and uses of rights, and setup logs track application setup.
Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?
a. The facility code
b. The log priority
c. The security level
d. The severity level
D. Implementations of syslog vary, but most provide a setting for severity level, allowing configuration of a value that determines what messages are sent. Typical severity levels include debug, informational, notice, warning, error, critical, alert, and emergency. The facility code is also supported by syslog, but is associated with which services are being logged. Security level and log priority are not typical syslog settings.
What RAID level is also known as disk mirroring?
a. RAID 0
b. RAID 1
c. RAID 3
d. RAID 5
B. In RAID 1, also known as disk mirroring, systems contain two physical disks. Each disk contains copies of the same data, and either one may be used in the event the other disk fails.
What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?
a. A static packet filtering firewall
b. An application-level gateway firewall
c. A circuit-level gateway firewall
d. A stateful inspection firewall
B. An application-level gateway firewall uses proxies for each service it filters. Each proxy is designed to analyze traffic for its specific traffic type, allowing it to better understand valid traffic and to prevent attacks. Static packet filters and circuit-level gateways simply look at the source, destination, and ports in use, whereas a stateful packet inspection firewall can track the status of communication and allow or deny traffic based on that understanding.
Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?
a. Code quality
b. Service vulnerabilities
c. Awareness
d. Attack surface
C. Interviews, surveys, and audits are all useful for assessing awareness. Code quality is best judged by code review, service vulnerabilities are tested using vulnerability scanners and related tools, and the attack surface of an organization requires both technical and administrative review.
Tom is the general counsel for an Internet service provider and he recently received notice of a lawsuit against the firm because of copyrighted content illegally transmitted over the provider’s circuits by a customer. What law protects Tom’s company in this case?
a. Computer Fraud and Abuse Act
b. Digital Millennium Copyright Act
c. Wiretap Act
d. Copyright Code
B. The Digital Millennium Copyright Act extends common carrier protection to Internet service providers who are not liable for the “transitory activities” of their customers.
A Type 2 authentication factor that generates dynamic passwords based on a time- or algorithm-based system is what type of authenticator?
a. A PIV
b. A smart card
c. A token
d. A CAC
C. Tokens are hardware devices (something you have) that generate a one-time password based on time or an algorithm. They are typically combined with another factor like a password to authenticate users. CAC and PIV cards are US government–issued smart cards.
Fred’s new employer has hired him for a position with access to their trade secrets and confidential internal data. What legal tool should they use to help protect their data if he chooses to leave to work at a competitor?
a. A stop-loss order
b. An NDA
c. An AUP
d. Encryption
B. A non-disclosure agreement (NDA) is a legal agreement between two parties that specifies what data they will not disclose. NDAs are common in industries that have sensitive or trade secret information they do not want employees to take to new jobs. Encryption would only help in transit or at rest, and Fred will likely have access to the data in unencrypted form as part of his job. An AUP is an acceptable use policy, and a stop-loss order is used on the stock market.
Which one of the following computing models allows the execution of multiple processes on a single processor by having the operating system switch between them without requiring modification to the applications?
a. Multitasking
b. Multiprocessing
c. Multiprogramming
d. Multithreading
A. Multitasking handles multiple processes on a single processor by switching between them using the operating system. Multiprocessing uses multiple processors to perform multiple processes simultaneously. Multiprogramming requires modifications to the underlying applications. Multithreading runs multiple threads within a single process.
How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?
a. 16
b. 128
c. 256
d. 512
C. Binary keyspaces contain a number of keys equal to 2 raised to the power of the number of bits. Two to the eighth power is 256, so an 8-bit keyspace contains 256 possible keys.
What activity is being performed when you apply security controls based on the specific needs of the IT system that they will be applied to?
a. Standardizing
b. Baselining
c. Scoping
d. Tailoring
C. Scoping is the process of reviewing and selecting security controls based on the system that they will be applied to. Tailoring is the process of matching a list of security controls to the mission of an organization. Baselines are used as a base set of security controls, often from a third-party organization that creates them. Standardization isn’t a relevant term here.
During what phase of the electronic discovery process does an organization perform a rough cut of the information gathered to discard irrelevant information?
a. Preservation
b. Identification
c. Collection
d. Processing
D. During the preservation phase, the organization ensures that information related to the matter at hand is protected against intentional or unintentional alteration or deletion. The identification phase locates relevant information but does not preserve it. The collection phase occurs after preservation and gathers responsive information. The processing phase performs a rough cut of the collected information for relevance.
Ben’s job is to ensure that data is labeled with the appropriate sensitivity label. Since Ben works for the US government, he has to apply the labels Unclassified, Confidential, Secret, and Top Secret to systems and media. If Ben is asked to label a system that handles Secret, Confidential, and Unclassified information, how should he label it?
a. Mixed classification
b. Confidential
c. Top Secret
d. Secret
D. Systems and media should be labeled with the highest level of sensitivity that they store or handle. In this case, based on the US government classification scheme, the highest classification level in use on the system is Secret. Mixed classification provides no useful information about the level, whereas Top Secret and Confidential are too high and too low, respectively.
Susan has discovered that the smart card-based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?
a. Physical
b. Administrative
c. Compensation
d. Recovery
C. She has placed compensation controls in place. Compensation controls are used when controls like the locks in this example are not sufficient. While the alarm is a physical control, the signs she posted are not. Similarly, the alarms are not administrative controls. None of these controls help to recover from an issue and are thus not recovery controls.
Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?
a. Longer passwords and salting
b. Over-the-wire encryption and use of SHA1 instead of MD5
c. Salting and use of MD5
d. Using shadow passwords and salting
A. Rainbow tables rely on being able to use databases of precomputed hashes to quickly search for matches to known hashes acquired by an attacker. Making passwords longer can greatly increase the size of the rainbow table required to find the matching hash, and adding a salt to the password will make it nearly impossible for the attacker to generate a table that will match unless they can acquire the salt value. MD5 and SHA1 are both poor choices for password hashing compared to modern password hashes, which are designed to make hashing easy and recovery difficult. Rainbow tables are often used against lists of hashes acquired by attacks rather than over-the-wire attacks, so over-the-wire encryption is not particularly useful here. Shadow passwords simply make the traditionally world-readable list of password hashes on Unix and Linux systems available in a location readable only by root. This doesn’t prevent a rainbow table attack once the hashes are obtained.
Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?
a. Internal auditors
b. Penetration testers
c. External auditors
d. Employees who design, implement, and monitor the controls
C. External auditors can provide an unbiased and impartial view of an organization’s controls to third parties. Internal auditors are useful when reporting to senior management of the organization but are typically not asked to report to third parties. Penetration tests test technical controls but are not as well suited to testing many administrative controls. The employees who build and maintain controls are more likely to bring a bias to the testing of those controls and should not be asked to report on them to third parties.
Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?
a. Likelihood
b. RTO
c. MTO
d. Impact
A. Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information.
As part of hiring a new employee, Kathleen’s identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?
a. Registration
b. Provisioning
c. Population
d. Authenticator loading
B. Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?
a. Ricky
b. VPN
c. Remote file server
d. Files contained on the remote server
A. In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.
Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?
a. 6
b. 12
c. 15
d. 30
C. The formula for determining the number of encryption keys required by a symmetric algorithm is ((n*(n-1))/2). With six users, you will need ((6*5)/2), or 15 keys.
Which one of the following intellectual property protection mechanisms has the shortest duration?
a. Copyright
b. Patent
c. Trademark
d. Trade secret
B. Patents have the shortest duration of the techniques listed: 20 years. Copyrights last for 70 years beyond the death of the author. Trademarks are renewable indefinitely and trade secrets are protected as long as they remain secret.
Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and they are currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?
a. Purchasing earthquake insurance
b. Relocating the data center to a safer area
c. Documenting the decision-making process
d. Reengineering the facility to withstand the shock of an earthquake
C. In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk. Purchasing insurance would be an example of risk transference. Relocating the data center would be risk avoidance. Reengineering the facility is an example of a risk mitigation strategy.
Carol would like to implement a control that protects her organization from the momentary loss of power to the data center. Which control is most appropriate for her needs?
a. Redundant servers
b. RAID
c. UPS
d. Generator
C. Uninterruptible power supplies (UPSs) provide immediate, battery-driven power for a short period of time to cover momentary losses of power. Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. RAID and redundant servers are high-availability controls but do not cover power loss scenarios.
Ben has encountered problems with users in his organization reusing passwords, despite a requirement that they change passwords every 30 days. What type of password setting should Ben employ to help prevent this issue?
a. Longer minimum age
b. Increased password complexity
c. Implement password history
d. Implement password length requirements
C. Password histories retain a list of previous passwords (or, preferably, a list of salted hashes of previous passwords) to ensure that users don’t reuse their previous passwords. A longer minimum age can help prevent users from changing their passwords and then changing them back, but won’t prevent a determined user from eventually getting their old password back. Length requirements and complexity requirements tend to drive users to reuse passwords if they’re not paired with tools like single sign-on, password storage systems, or other tools that decrease the difficulty of password management.
Chris is conducting a risk assessment for his organization and determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Gordon identified?
a. ALE
b. SLE
c. ARO
d. AV
B. The Single Loss Expectancy (SLE) is the amount of damage that a risk is expected to cause each time that it occurs.
The removal of a hard drive from a PC before it is retired and sold as surplus is an example of what type of action?
a. Purging
b. Sanitization
c. Degaussing
d. Destruction
B. Sanitization includes steps like removing the hard drive and other local storage from PCs before they are sold as surplus. Degaussing uses magnetic fields to wipe media; purging is an intense form of clearing used to ensure that data is removed and unrecoverable from media; and removing does not necessarily imply destruction of the drive.
During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?
a. Detection
b. Recovery
c. Remediation
d. Reporting
D. During the Reporting phase, incident responders assess their obligations under laws and regulations to report the incident to government agencies and other regulators.
What OASIS standard markup language is used to generate provisioning requests both within organizations and with third parties?
a. SAML
b. SPML
c. XACML
d. SOA
B. Service Provisioning Markup Language (SPML) is an OASIS-developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. Service-oriented architecture (SOA) is not a markup language.
Which of the following storage mechanisms is not considered secondary storage?
a. Magnetic hard disk
b. Solid state drive
c. DVD
d. RAM
D. RAM is a type of primary storage. Secondary storage includes hard drives, solid state disks, and optical drives.
Susan’s SMTP server does not authenticate senders before accepting and relaying email. What is this security configuration issue known as?
a. An email gateway
b. An SMTP relay
c. An X.400-compliant gateway
d. An open relay
D. SMTP servers that don’t authenticate users before relaying their messages are known as open relays. Open relays that are Internet exposed are typically quickly exploited to send email for spammers.
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs they discovered a breach that appeared to have involved a malicious insider. Use this scenario to answer questions 75 through 77 about logging environments.
When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised. How can this be prevented in the future?
a. Encrypt local logs
b. Require administrative access to change logs
c. Enable log rotation
d. Send logs to a bastion host
D. Sending logs to a secure log server, sometimes called a bastion host, is the most effective way to ensure that logs survive a breach. Encrypting local logs won’t stop an attacker from deleting them, and requiring administrative access won’t stop attackers who have breached a machine and acquired escalated privileges. Log rotation archives logs based on time or file size, and can also purge logs after a threshold is hit. Rotation won’t prevent an attacker from purging logs.
How can Jack detect issues like this using his organization’s new centralized logging?
a. Deploy and use an IDS
b. Send logs to a central logging server
c. Deploy and use a SIEM
d. Use syslog
C. A Security Information and Event Management tool (SIEM) is designed to provide automated analysis and monitoring of logs and security events. A SIEM that receives access to logs can help detect and alert on events like logs being purged or other breach indicators. An IDS can help detect intrusions, but IDSs are not typically designed to handle central logs. A central logging server can receive and store logs, but won’t help with analysis without taking additional actions. Syslog is simply a log format.
How can Jack best ensure accountability for actions taken on systems in his environment?
a. Log review and require digital signatures for each log.
b. Require authentication for all actions taken and capture logs centrally.
c. Log the use of administrative credentials and encrypt log data in transit.
d. Require authorization and capture logs centrally.
B. Requiring authentication can help provide accountability by ensuring that any action taken can be tracked back to a specific user. Storing logs centrally ensures that users can’t erase the evidence of actions that they have taken. Log review can be useful when identifying issues, but digital signatures are not a typical part of a logging environment. Logging the use of administrative credentials helps for those users but won’t cover all users, and encrypting the logs doesn’t help with accountability. Authorization helps, but being able to specifically identify users through authentication is more important.
Ed’s organization has 5 IP addresses allocated to them by their ISP, but needs to connect over 100 computers and network devices to the Internet. What technology can he use to connect his entire network via the limited set of IP addresses he can use?
a. IPSec
b. PAT
c. SDN
d. IPX
B. Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPSec is a security protocol suite, Software Defined Networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.
What type of attack would the following precautions help prevent?
Requesting proof of identity
Requiring callback authorizations on voice-only requests
Not changing passwords via voice communications
a. DoS attacks
b. Worms
c. Social engineering
d. Shoulder surfing
C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.
Fred’s organization needs to use a non-IP protocol on their VPN. Which of the common VPN protocols should he select to natively handle non-IP protocols?
a. PPTP
b. L2F
c. L2TP
d. IPSec
C. L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPSec are all IP-only protocols.
Residual data is another term for what type of data left after attempts have been made to erase it?
a. Leftover data
b. MBR
c. Bitrot
d. Remnant data
D. Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.
Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?
a. Simulation test
b. Tabletop exercise
c. Parallel test
d. Checklist review
C. During a parallel test, the team activates the disaster recovery site for testing but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization’s response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
What access control system lets owners decide who has access to the objects they own?
a. Role-based access control
b. Task-based access control
c. Discretionary access control
d. Rule-based access control
C. Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.
Using a trusted channel and link encryption are both ways to prevent what type of access control attack?
a. Brute force
b. Spoofed login screens
c. Man-in-the-middle attacks
d. Dictionary attacks
C. Trusted paths that secure network traffic from capture and link encryption are both ways to help prevent man-in-the-middle attacks. Brute-force and dictionary attacks can both be prevented using back-off algorithms that slow down repeated attacks. Log analysis tools can also create dynamic firewall rules, or an IPS can block attacks like these in real time. Spoofed login screens can be difficult to prevent, although user awareness training can help.
Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?
a. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
b. Act honorably, honestly, justly, responsibly, and legally.
c. Provide diligent and competent service to principals.
d. Maintain competent records of all investigations and assessments.
D. The four canons of the (ISC)2 code of ethics are to protect society, the common good, necessary public trust and confidence, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession.
Which one of the following components should be included in an organization’s emergency response guidelines?
a. Immediate response procedures
b. Long-term business continuity protocols
c. Activation procedures for the organization’s cold sites
d. Contact information for ordering equipment
A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?
a. HTML
b. XACML
c. SAML
d. SPML
C. Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
a. Weekly
b. Monthly
c. Semi-annually
d. Annually
D. Individuals with specific business continuity roles should receive training on at least an annual basis.
What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?
a. 1
b. 2
c. 3
d. 4
B. Triple DES functions by using either two or three encryption keys. When used with only one key, 3DES produces weakly encrypted ciphertext that is the insecure equivalent of DES.
What type of address is 10.11.45.170?
a. A public IP address
b. An RFC 1918 address
c. An APIPA address
d. A loopback address
B. RFC 1918 addresses are in the ranges 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255. APIPA addresses are assigned between 169.254.0.1 and 169.254.255.254, and 127.0.0.1 is a loopback address (although technically the entire 127.x.x.x network is reserved for loopback). Public IP addresses are the rest of the addresses in the space.
Lauren wants to monitor her LDAP servers to identify what types of queries are causing problems. What type of monitoring should she use if she wants to be able to use the production servers and actual traffic for her testing?
a. Active
b. Real-time
c. Passive
d. Replay
C. Since Lauren wants to monitor her production server, she should use passive monitoring by employing a network tap, span port, or other means of copying actual traffic to a monitoring system that can identify performance and other problems. This avoids introducing potentially problematic traffic on purpose while still capturing actual traffic problems. Active monitoring relies on synthetic or previously recorded traffic, and both replay and real-time are not common industry terms used to describe types of monitoring.
Steve is developing an input validation routine that will protect the database supporting a web application from SQL injection attack. Where should Steve place the input validation code?
a. JavaScript embedded in the web pages
b. Backend code on the web server
c. Stored procedure on the database
d. Code on the user’s web browser
B. For web applications, input validation should always be performed on the web application server. By the time the input reaches the database, it is already part of a SQL command that is properly formatted and input validation would be far more difficult, if it is even possible. Input validation controls should never reside in the client’s browser, as is the case with JavaScript, because the user may remove or tamper with the validation code.
Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?
a. RSA
b. IDEA
c. 3DES
d. Skipjack
A. RSA is an asymmetric encryption algorithm that requires only two keys for each user. IDEA, 3DES, and Skipjack are all symmetric encryption algorithms and would require a key for every unique pair of users in the system.
Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?
a. Smart card
b. Phase-two card
c. Proximity card
d. Magnetic stripe card
D. The image clearly shows a black magnetic stripe running across the card, making this an example of a magnetic stripe card.
What type of log file is shown in this figure?
a. Application
b. Web server
c. System
d. Firewall
D. The log entries contained in this example show the allow/deny status for inbound and outbound TCP and UDP sessions. This is, therefore, an example of a firewall log.
Which one of the following activities transforms a zero-day vulnerability into a less dangerous attack vector?
a. Discovery of the vulnerability
b. Implementation of transport-layer encryption
c. Reconfiguration of a firewall
d. Release of a security patch
D. Zero-day vulnerabilities remain in the dangerous zero-day category until the release of a patch that corrects the vulnerability. At that time, it becomes the responsibility of IT professionals to protect their systems by applying the patch. Implementation of other security controls, such as encryption or firewalls, does not change the nature of the zero-day vulnerability.
Which one of the following is an example of a hardening provision that might strengthen an organization’s existing physical facilities and avoid implementation of a business continuity plan?
a. Patching a leaky roof
b. Reviewing and updating firewall access control lists
c. Upgrading operating systems
d. Deploying a network intrusion detection system
A. All of the techniques listed are hardening methods, but only patching the leaky roof is an example of physical infrastructure hardening.
Susan wants to monitor traffic between systems in a VMWare environment. What solution would be her best option to monitor that traffic?
a. Use a traditional hardware-based IPS.
b. Install Wireshark on each virtual system.
c. Set up a virtual span port and capture data using a VM IDS.
d. Use netcat to capture all traffic sent between VMs.
C. Using a virtual machine to monitor a virtual span port allows the same type of visibility that it would in a physical network if implemented properly. Installing Wireshark would allow monitoring on each system but doesn’t scale well. A physical appliance would require all traffic to be sent out of the VM environment, losing many of the benefits of the design. Finally, netcat is a network tool used to send or receive data, but it isn’t a tool that allows packet capture of traffic between systems.
Questions 99–102 refer to the following scenario.
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
When Matthew sends Richard a message, what key should he use to encrypt the message?
a. Matthew’s public key
b. Matthew’s private key
c. Richard’s public key
d. Richard’s private key
C. The sender of a message encrypts the message using the public key of the message recipient.
When Richard receives the message from Matthew, what key should he use to decrypt the message?
a. Matthew’s public key
b. Matthew’s private key
c. Richard’s public key
d. Richard’s private key
D. The recipient of a message uses his or her own private key to decrypt messages that were encrypted with the recipient’s public key. This ensures that nobody other than the intended recipient can decrypt the message.