Quizzes Flashcards

(159 cards)

1
Q

In the penetration testing arena, overt and covert operations are defined as which of the following?

A- Black Teaming and White Teaming
B- Blue Teaming and Red Teaming
C- Blue Teaming and White Teaming
D- both the second and third option are correct

A

This statement is correct! In the penetration testing arena, overt and covert operations are generally defined as Red Team or Blue Team operations. These teams can work independently on different operations or together on the same operation. The Red Team functions as an attacker in an effort to gain access to an organization’s infrastructure; generally, Red Team operations are close hold and not known to the network users. Blue Team operations are focused on assessing network defenses and identifying defensive solutions; they are generally conducted in cooperation with the system users.

2
Q

Which of the following are objectives of most penetration testing activities?

A- to determine a subject’s ability to retaliate against an attack
B- to determine the effectiveness of current security measures
C- to identify areas of improvement
D- to determine the effectiveness of current security measures AND to identify areas of improvement

A

This statement is correct! Penetration testing is conducted with the tester acting as an attacker to identify vulnerabilities in the system. It both determines the effectiveness of current security measures and identifies areas for improvement.

3
Q

A White-Box tester hopes to achieve which of the following when performing a penetration test?

A- check for unauthorized hosts connected to the organization’s network
B- match allowed services with those defined in the organization’s security policy
C- collect computer forensics for evidence
D- both the first and second answer choice are correct

A

This statement is correct! In White-Box testing, the tester has access to design and implementation details and tools that will help analyze vulnerabilities. White-Box testing checks for unauthorized hosts connected to the organization’s network and also matches allowed services with those defined in the organization’s security policy.

4
Q

Performing a penetration test is recommended for which of the following circumstances?
A- when a breach has occurred within the organization
B- being a system administrator with special privileges
C- when an organization requests a penetration test and provides written authorization
D- when a company requests a penetration test

A

This statement is correct! Because penetration testing is usually expensive and time-consuming, it should only be performed when an organization requests a penetration test and provides written authorization.

5
Q

Which of the following characteristics of external penetration firms makes them more effective than internal penetration testers?

A- They are not influenced by any previous system security decisions.
B- They are not influenced by knowledge of the current system environment or future system security plans.
C- They are likely to be more forthcoming to fully report security gaps.
D- All of the above are correct.

A

Correct! External penetration testing firms are not influenced by previous system security decisions, are not usually influenced by knowledge of the current system environment, and are likely to be more forthcoming in fully reporting security gaps.

6
Q

Which of the following is an objective of penetration testing?

A- to provide a list of all unpatched computers
B- to identify attackers and attack vectors used
C- to document all user activities performed on the system
D- to test the system as a whole, including existing defense mechanisms

A

Correct! An objective of penetration testing is to test the system as a whole, including existing defense mechanisms.

7
Q

Penetration testers usually perform four steps to perform an attack and gain as much access as possible. The order of the four steps is which of the following?

A- Step 1: Performing Reconnaissance, Step 2: Scanning and Enumeration, Step 3: Gaining Access, Step 4: Reporting Problems to Management
B- Step 1: Gaining Permission from Management, Step 2: Performing Reconnaissance, Step 3: Scanning and Enumeration, Step 4: Gaining Access
C- Step 1: Performing Reconnaissance, Step 2: Gaining Access, Step 3: Scanning and Enumeration, Step 4: Reporting Problems to Management
D- Step 1: Performing White Hat Testing, Step 2: Gaining Access, Step 3: Scanning and Enumeration, Step 4: Reporting Problems to Management

A

Correct! To perform an attack and gain as much access as possible, penetration testers first gain permission from management; then perform reconnaissance; do scanning and enumeration; and finally, gain access.

8
Q

Which of the following processes uses fingerprinting and footprinting to gather in-depth information about the target systems, such as open shares, operating systems, and user accounts?

A- interception
B- enumeration
C- manipulation
D- scanning

A

This statement is correct! Enumeration is the process by which hosts/devices are discovered on a network. It may also scan various ports on remote hosts in an attempt to further identify their functions.

9
Q

The CIA triad is a major concept for cybersecurity professionals. Which of the following parts of the triad defines availability?
A- Prevention of unauthorized disclosure of sensitive data
B- Prevention of unauthorized changes to systems and data
C- Prevention of disruption of service and productivity
D- Prevention of lawsuits from contractors and other parties

A

This statement is correct. The prevention of disruption of service and productivity defines the availability component of the CIA triad.

10
Q
The CIA triad concept that relates to appropriate access to sensitive information is which of the following?
A- confidentiality
B- integrity
C- availability
D- non repudiation
A

This statement is true. Confidentiality is a set of rules that limits access to information.

11
Q
Hardware maintenance, redundancy, network communications, backups, and upgrades are significant to systems, and which of the following parts of the CIA triad is concerned with these tasks?
A- confidentiality
B- availability
C- nonrepudiation
D- authentication
A

This statement is true. Availability guarantees reliable access to the information by authorized people that includes all the tasks listed.

12
Q
Several security models relate to different components of the CIA triad. Which of the models below address the three goals of integrity?
A- The Clark–Wilson model
B- Biba model
C- Bell-LaPadula security model
D- Lattice model
A

A
This statement is true. The Clark–Wilson Integrity Model provides a foundation for specifying and analyzing an integrity policy for a computing system and includes the three goals of integrity.

13
Q

Classification categories for access control are based on evaluation of sensitivity or criticality. The generalized format for expressing the security category, SC, of an information type is:
A- confidentiality, integrity, availability
B- confidentiality, integrity, assurance
C- confidentiality, integration, availability
D- confidentiality, integration, assurance

A

This statement is true. The generalized format for expressing the security category of an information type is as follows: SC information type = {(confidentiality, impact), (integrity, impact),(availability, impact)}

14
Q

Asymmetric key encryption, which uses public and private keys to encrypt and decrypt data, is advantageous due to which of the following:
A- confidentiality, authentication, nonrepudiation
B- confidentiality, integration, availability
C- confidentiality, integrity, nonrepudiation
D- confidentiality, integrity, authentication

A

This statement is true. Due to the asymmetric key encryption process, confidentiality, authentication, and nonrepudiation are addressed.

15
Q
What are two of the main security goals of the CIA triad?
A- commercial and federal infrastructure
B- confidentiality and integrity
C- availability and refutability
D- analysis and development
A

This statement is true. The CIA triad is a model of the main information security goals for organizations. This model includes confidentiality, integrity, and availability, and often extends to authentication and nonrepudiation.

16
Q

Which of the following parts of the CIA triad defines integrity?
A- prevention of the use of private information
B- prevention of unauthorized changes to company data
C- prevention of destruction of physical services
D- prevention of litigation of users

A

This statement is true. The definition of integrity is the assurance that the information is trustworthy and accurate, which would include the prevention of unauthorized changes to company data.

17
Q
Confidentiality, integrity, and availability (the CIA triad) are important to the security of systems and networks. Several models relate to different components of this triad. Which one of the following models addresses the three goals of integrity?
A- Clark-Wilson model
B- Biba integrity model
C- Bell-LaPadula security model
D- all of the above
A

A
Correct! The Clark-Wilson model ensures data integrity through the application of rules and addresses the three goals of integrity.
These goals are to prevent any data modification by unauthorized parties, to prevent unauthorized data modification by authorized parties, and to maintain internal and external consistency.

18
Q
A state machine model demands that no matter what input, output, or processing tasks take place, all states are secured. If all current states are secured, all further states will be secured. Which of the following is considered a state machine model?
A- Clark-Wilson
B- Bell-LaPadula
C- Harrison-Ruzzo-Ullman (HRU)
D- Lipner
A

B
Correct! The Bell-LaPadula security model emphasizes confidentiality and provides a framework for the protection of sensitive or classified information. It is most often used to enforce access control for government and military applications and is considered a state machine model.

19
Q
Which security model divides operations into different parts and requires different users to perform each part? This separation of duties prevents authorized users from making unauthorized modifications to data, thereby protecting data integrity.
A- Bell-LaPadula model
B- Biba model
C- Clark-Wilson model
D- noninterference model
A

C
Correct! The Clark-Wilson model ensures data integrity through the application of rules and addresses the three goals of integrity.
It divides operations into different parts and requires different users to perform each part (separation of duties), thereby preventing authorized users from making unauthorized modifications to data.

20
Q
A security model that requires well-formed transactions and the separation of duties is called __________.
A- lattice
B- Brewer and Nash
C- noninterference
D- Clark-Wilson
A

D
Correct! The Clark-Wilson model ensures data integrity through the application of rules and addresses the three goals of integrity.
It divides operations into different parts and requires different users to perform each part (separation of duties), thereby preventing authorized users from making unauthorized modifications to data. This model requires well-formed transactions.

21
Q
What does the * (star) integrity axiom mean in the Biba model?
A- no read up
B- no write down
C- no read down
D- no write up
A

D
Correct! In the Biba model, the * (star) integrity axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).

22
Q
What is the Biba security model concerned with?
A- confidentiality
B- reliability
C- availability
D- integrity
A

D

Correct! The Biba security model ensures data integrity through the use of access controls.

23
Q
Which security model divides operations into different parts and requires different users to perform each part? This separation of duties prevents authorized users from making unauthorized modifications to data, thereby protecting data integrity.
A- Bell-LaPadula model
B- Biba model
C- Clark-Wilson model
D- deducibility model
A

Correct! The Clark-Wilson model ensures data integrity through the application of rules and addresses the three goals of integrity.
It divides operations into different parts and requires different users to perform each part (separation of duties), thereby preventing authorized users from making unauthorized modifications to data. This model requires well-formed transactions.

24
Q
Which of the following properties mandates no read up, whereby a subject at a given security level must not read an object at a higher security level? This is also known as the confinement property.
A- simple security property
B- read "star" property
C- discretionary security property
D- none of the above
A

Correct! The simple security property in the Bell-LaPadula security model states that a subject at a given security level may not read an object at a higher security level (no read up).

25
Which of the following models is an information access model primarily concerned with a set of subjects, objects, and rights?
A- Bell-LaPadula model
B- Graham-Denning model
C- Clark-Wilson model
D- noninterference model
Correct! The Graham-Denning model controls access through the use of rules. It demonstrates how subjects and objects should be created and deleted securely and also addresses how to assign access rights.
26
Which of the following statements about the Bell-LaPadula security model is not true?
A- It is concerned with confidentiality only.
B- It is concerned with the fundamental modes of access: read only, write only, or read and write.
C- It is concerned with integrity only.
D- It is a state machine model for information flow and access control.
Correct! This statement is not true of the Bell-LaPadula security model. The Bell-LaPadula model emphasizes confidentiality, not integrity, and provides a framework for the protection of sensitive or classified information. It is most often used to enforce access control for government and military applications and is considered a state machine model.
27
Which of the following is true of the Biba model?
A- It is a state machine model for information flow and availability control.
B- It addresses integrity in information systems.
C- It is based on a linear model of confidentiality levels.
D- all of the above
Correct! The Biba integrity model ensures data integrity through the use of access controls.
28
To which of the following security models does this definition apply?
A- Bell-LaPadula model
B- Graham-Denning model
C- Chinese Wall model
D- noninterference model
Correct! The Brewer and Nash model, also known as the Chinese Wall model, limits information flow between subjects and objects such that there is no conflict of interest. It provides access controls that can change dynamically.
29
When a systems administrator implements access control lists, he or she is providing which of the following for the system user?
A- Authorization
B- Integrity
C- Confidentiality
D- Authentication
A Correct! Authorization is the process by which rights to access a system or data are granted using access control lists and rules.
30
Which of the following is the least secure password that can be enhanced by the use of a token to supply better security?
A- one-time password
B- static password
C- dynamic password
D- passphrase password
B This is correct! A static password is least secure and would benefit from enhancements provided by the use of a token to supply better security.
31
When a message is encrypted, it provides for which of the following?
A- confidentiality
B- nonrepudiation
C- authentication
D- authorization
A Correct! An encrypted message provides for confidentiality because it ensures that only authorized users have access to the underlying message.
32
If you digitally sign a message, which of the following are covered?
A- authentication
B- nonrepudiation
C- integrity
D- all of the above
A Correct! Authentication (the process by which credentials are presented and validated to enable access), nonrepudiation (ensuring the authenticity such that originators cannot deny their identity), and integrity (assuring that data remains in its intended state and is only edited by authorized personnel) are all addressed when you digitally sign a message.
33
When employees access the company network via remote access, which of the following provides the most reliable authentication?
A- virtual private networks
B- synchronous token with a one-time password
C- asynchronous token with a one-time password
D- both synchronous tokens and asynchronous tokens with one-time passwords
D This is correct! Synchronous tokens are synched by time to a server which authenticates in order to create a one-time password. This provides the most reliable authentication because it requires both the token and the server to be independently synchronized.
34
Point-to-point authentication protocols include which of the following?
A- EAP (Extensible Authentication Protocol)
B- CHAP (Challenge Handshake Authentication Protocol)
C- PAP (Password Authentication Protocol)
D- all of the above
A Correct! EAP (an authentication framework used for the usage and transport of keying materials), CHAP (an authentication protocol which periodically verifies the identity of the client using a three-way handshake), and PAP (an authentication protocol whereby two entities share a password in advance such that the password serves to authenticate) are all point-to-point authentication protocols.
35
If a password is disclosed giving a hacker unauthorized access to all of a user's system assets, this would be a danger of which of the following user access options?
A- single sign-on
B- single-use passwords
C- strong passphrases
D- multifactor authentication
A Correct! If a single sign-on password is disclosed, it would give a hacker unauthorized access to all of a user's system assets.
36
Two-factor authentication is highly used for access control because of which of the following?
A- It is biometric in nature.
B- It uses single-factor authentication.
C- It requires more than one proof of identity for users.
D- all of the above
Two-factor authentication requires more than one proof of identity for users, making it more secure and used more frequently for access control. This is correct!
37
Which of the following provides for integrity and originality of a message and is often accepted just as a handwritten signature?
A- public and private key signatures
B- digital signatures
C- crypto signature
D- multifactor signature
Correct! Digital signatures validate the originality of a message and affirm that the message was not altered (integrity).
38
When working with a biometric authentication system, there are instances where valid subjects are falsely rejected. This is defined as which of the following?
A- false acceptance rate (FAR) or type II error
B- false authentication rate (FAR) or type I error
C- false refusal rate (FRR) or type II error
D- false rejection rate (FRR) or type I error
D Correct! False rejection rate (FRR) is a biometric performance metric that measures the percentage of valid subjects that are falsely rejected.
39
Complete this sentence: ___________ is an open source authentication protocol, and it uses ____________ to encrypt and decrypt keys.
A- ElGamal/cryptography
B- Kerberos/public key
C- Kerberos/passwords
D- ElGamal/private key
C This is correct! Kerberos is an open source authentication protocol, and it uses passwords to encrypt and decrypt keys.
40
The CHAP protocol acronym that uses a three-way handshake to protect passwords stands for which of the following?
A- Challenge Handshake Application Protocol
B- Challenge Handshake Authority Protocol
C- Challenge Handshake Authentication Protocol
D- Challenge Handshake Authorization Protocol
C Challenge Handshake Authentication Protocol is the correct answer.
41
Which of the following is a method commonly used for asserting the origination of data or a message with reasonable certainty?
A- digital certificates
B- encryption
C- CHAP
D- all of the above
A Correct! Digital certificates are commonly used to assure the origination of data or a message with reasonable certainty.
42
All of the following are in the three categories of authentication except:
A- something the user knows
B- something the user previously owned
C- something the user is
D- something the user has
Correct! Authentication is the process by which credentials are presented and validated to enable access. Something the user previously owned is not one of the conditions for authentication.
43
When at least two or more factors can be verified for a user in order to verify authentication, this concept is called which of the following?
A- multifactor authentication
B- two-factor authentication
C- strong authentication
D- all of the above
A
44
Within the area of three factors for authentication, a password falls under which category?
A- something the user knows
B- something the user has
C- something the user is
D- something the user created
A A password is something that a user knows and is one of the three factors for authentication. This is the correct answer!
45
When a user can dynamically (or selectively) assign privileges for other users of the system, this is called which of the following access control models?
A- SoD
B- MAC
C- RBAC
D- DAC
D This is correct! Discretionary access control (DAC) enables access to be assigned or restricted based on the identity of subjects and/or their association with specific group(s).
46
When a retail company places access control policies in place for its cashiers, it has implemented which of the following types of policies?
A- role-based policy
B- identity-based policy
C- mandatory access policy
D- separation of duties policy
A Correct! This is a role-based policy because the retail company is granting access based on the employee's role as a cashier. Role based access control (RBAC) is an approach to restricting system access to authorized users.
47
A sensitivity level attached to an object must contain which of the following in mandatory access control?
A- the item's classification
B- the item's classification and category set
C- the item's category
D- the item's need to know
B Correct! The item's classification and category set are required in order to implement mandatory access control. This information informs the system, which then determines the type of access allowed for an object based on established policies.
48
When controlling access to an object by a subject, security professionals must set up access rules. Which of the following are the three access control models that can be used to set up these rules?
A- mandatory, discretionary, nondiscretionary
B- role-based, identity-based, attribute-based
C- MAC, DAC, RBAC
D- none of the above
A This statement is correct! Mandatory, discretionary, and nondiscretionary access controls allow the establishment of access rules to restrict or allow access.
49
In rule-based access control (RuBAC), access is determined by rules that fall under which of the following categories?
A- discretionary access control (DAC)
B- role-based access control (RBAC)
C- nondiscretionary access control (NDAC)
D- identity-based access control
C Correct! Nondiscretionary access control dynamically assigns access based on rules.
50
Which of the following is the category with rules that are not established by user preferences and can only be changed administratively?
A- nondiscretionary access control
B- discretionary access control
C- mandatory access control
D- system-based access control
A This statement is correct! Nondiscretionary access control uses a subject's role or a task assigned to the subject to establish rules which grant or deny object access.
51
Which of the following is true of the mandatory access control environment?
A- The system or security administrator will define the permissions for subjects.
B- The administrator does not dictate the user's access.
C- The administrator configures the proper level of access as dictated by the data.
D- all of the above
C The MAC environment requires the system or security administrator to define the permissions, and it does not allow the administrator to dictate the user's access but rather requires the administrator to configure the appropriate level of access as determined by the data. This statement is correct.
52
Which of the following is defined as the dominance relationship of the MAC system?
A- The security clearance of the subject is reviewed and compared with the object sensitivity level or classification level.
B- The security clearance of the subject is not important because the system provides authorization.
C- The security clearance of the subject is compared with the separation of duties policy and access is provided.
D- The security clearance of the subject has to be at the highest level of Top Secret.
In mandatory access control, access is determined by matching the security clearance of the subject to the sensitivity or classification level of the object. This statement is correct!
53
Which of the following is not an access control technique?
A- remote access controls
B- discretionary access control
C- mandatory access control
D- role-based access control
There is no access control technique by this name. This statement is correct!
54
In some access control models, the data owner or resource owner can specify access to resources based on identity. Which of the following access control models does this describe?
A- discretionary access control
B- mandatory access control
C- identity-based access control
D- rule-based access control
Correct! Discretionary access control uses the identity of the subject to decide when to grant an access request.
55
As the name implies, which of the following access control models is an example of DAC based on the characteristic of the user?
A- role-based access control
B- rule-based access control
C- identity-based access control
D- mandatory access control
C This statement is correct! Identity-based access control uses the identity of the subject to decide when to grant an access request, and it is therefore an example of discretionary access control, which restricts access based on the identity of an individual or group(s) to which they belong.
56
There are two types of anonymity on the Internet. Which of the following are these?
A- known and unknown
B- traceable and untraceable
C- authorized and unauthorized
D- public and private
Correct! These are the two types of anonymity on the Internet. In traceable anonymity, an entity can remain anonymous, but leaves forensic details that enable the identity to be traced to the owner. Untraceable anonymity makes it impossible for anyone to identify the entity because the forensic details that would point to the entity are masked or erased.
57
Positive behaviors enabled by anonymity on the Internet include all of the following except ________.
A- prosocial behavior
B- sharing of private information
C- cyberbullying
D- whistleblowing
This is correct! Internet anonymity enables cyberbullying by protecting the identity of the offender. This is a negative aspect of anonymity on the Internet.
58
All of the following are true regarding a personal proxy EXCEPT that it ________.
A- can be used to visit blocked sites
B- can be used to browse the web fairly anonymously
C- is the same as a proxy server
D- resides between a user's browser and the Internet
Correct! A personal proxy is browser-based and provides anonymity only when one is browsing the Internet. A proxy server (also known as a virtual private network or VPN) is used for all Internet-based services, including programs and applications.
59
Which of the following is true of the TOR web browser?
A- TOR can only be used on the Linux operating system.
B- The TOR acronym stands for The Olive Router.
C- TOR uses a technique known as digital mixing.
D- TOR uses a technique known as digital mastering.
TOR uses a technique known as digital mixing, whereby it encrypts data multiple times and across random relays to mask identity. This is correct!
60
What best describes a script kiddie?
A- an advanced hacker
B- an elite hacker
C- beginner hacker
D- none of the above
C This statement is correct! The beginner hacker is less skilled and lacks the expertise to write his or her own scripts or code.
61
The leading source of hacking and computer crime is which of the following?
A- black hat hackers
B- insiders
C- script kiddies
D- hacktivists
B This statement is correct! People within an organization such as employees or former employees, referred to as insiders, are the leading source of hacking and computer crime. Insiders use their knowledge of the organization's security practices, data, and computer systems to cause harm.
62
Which of the following hacker types exploit systems to obtain intellectual property or trade secrets?
A- hacktivists
B- industrial saboteurs
C- script kiddies
D- insiders
B This statement is correct! Industrial saboteurs exploit computer networks and systems to obtain intellectual property or trade secrets.
63
Several easy-to-use hacking tools that are readily available have contributed to the growth of which of the following hacker groups?
A- gray hats
B- white hats
C- script kiddies
D- insiders
C This statement is correct! A script kiddie is a person who lacks the skills to write malicious code, and thus uses easy-to-use hacking tools that are readily available.
64
DDoS attacks and the defacement of websites are most likely caused by the following type of hacker:
A- script kiddie
B- insider
C- hacktivist
D- black hat hacker
C This statement is correct! A hacktivist is a person who has the malicious intent to hack into computer networks and systems to spread or bring exposure to his or her political or social agenda. They often use a distributed denial-of-service (DDoS) attack, which makes the machine or network resource unavailable to its intended users, as their method of operation.
65
Which of the following is often cited as the primary motive for hackers?
A- curiosity
B- financial gain
C- notoriety or fame
D- boredom
C This statement is correct! Computer hackers break into computer systems with a malicious intent or for personal gain. One of their primary motivations is to steal money.
66
State actors such as China, Russia, Iran, and the United States often use a method that allows for reconnaissance, malware insertion, backdoors, privilege escalation, and expropriation, called which of the following?

A- advanced penetration testing
B- advanced persistent threat
C- advanced persistent testing
D- all of the above
B This statement is correct! An advanced persistent threat (APT) is a type of attack in which an unauthorized person breaks into a computer network without being discovered. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.
67
Famous white hat hackers include all of the following except which person?

A- Julian Assange
B- Stephen Wozniak
C- Tim Berners-Lee
D- Tsutomu Shimomura
A | This statement is correct! Julian Assange is the WikiLeaks founder and not a white hat hacker.
68
Which of the following tend not to engage in malicious hacking acts, but may use unethical means to discover and report a vulnerability, especially if profit is a motivation?

A- black hat hacker
B- white hat hacker
C- gray hat hacker
D- gray box hacker
C This statement is true. Gray hat hackers are experts who exploit vulnerabilities in computer networks and systems without malicious intent. They may violate laws if the vulnerability results in personal gain such as money, but they do not have the malicious intent typical of a black hat hacker.
69
When organizations move employees among positions on a periodic basis, they are employing which of the following processes?

A- least privilege
B- separation of duties
C- mandatory leave
D- job rotation
D | When organizations move employees among positions on a periodic basis, they are employing the job rotation process.
70
The security principle that only allows users to have the rights that they need in order to perform their job is which of the following?

A- discretionary access control (DAC)
B- least privilege
C- job rotation
D- mandatory access control (MAC)
B This answer is correct! Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.
71
The following model is concerned with data integrity through the use of separation of duties:

A- lattice model
B- Clark-Wilson model
C- noninterference model
D- Biba model
B This answer is correct! The Clark-Wilson model focuses on data integrity through the application of rules and addresses the three goals of integrity. It uses division of operations into different parts and requires different users to perform each part (separation of duties), thereby preventing users from making unauthorized modifications to data.
72
Which of the following is an example of a preventative administrative control?

A- separation of duties
B- network security
C- application security
D- wireless security
A This answer is correct! Separation of duties is the concept of having more than one person required to complete a task and is therefore a preventative administrative control.
73
If a computer operator is not allowed to modify the system time, this is an example of which of the following controls?

A- least privilege
B- separation of duties
C- job rotation
D- job restrictions
B This answer is correct! Separation of duties is the concept of having more than one person required to complete a task; under it, a person cannot modify the system time because they do not have that privilege.
74
The following act protects the privacy of students and their families.

A- the Health Information Technology for Economic and Clinical Health or HITECH Act of 1999
B- the Family Education and Privacy Act (FERPA)
C- the Fair Credit Reporting Act of 1970
D- the Gramm-Leach-Bliley Act (GLBA) of 1999
B | Correct! The Family Education and Privacy Act protects the privacy of students and their families.
75
Which of the following is/are true of Internet privacy and confidentiality?

A- The Internet guarantees the privacy and confidentiality of information through the SSL (Secure Sockets Layer).
B- There is global consensus among countries on the major tenets of Internet privacy.
C- Encrypted materials can be transferred over the Internet without any risk.
D- Privacy is not guaranteed on the Internet.
D | Correct! Privacy is not guaranteed on the Internet.
76
Which of the following is true of the United States' view of privacy?

A- The framers of the US Constitution explicitly grant privacy to citizens.
B- The framers of the US Constitution do not explicitly grant privacy to citizens.
C- The Constitution guarantees the right to freedom, privacy, and the pursuit of happiness.
D- None of the above.
C | Correct! The framers of the US Constitution do not explicitly grant privacy to citizens.
77
Which of the following privacy laws applies to industries and protects all electronic communication from unauthorized government access?

A- FRCA
B- ECPA
C- GLBA
D- FISA
B Correct! The Electronic Communications Privacy Act (ECPA) applies to industries and protects all electronic communications from unauthorized government access.
78
Privacy laws in Europe are best described as which of the following?

A- Rulings generally skew towards protecting personal information rather than the employer.
B- Rulings are always in line with US privacy laws.
C- Monitoring of employees is highly acceptable.
D- All of the above.
A | Correct! European privacy laws generally have a bias towards protecting personal information rather than the employer.
79
Among other things, security assurance requires:

A- guidance documents and manuals
B- configuration management and vulnerability assessment
C- life cycle support and assurance maintenance
D- all of the above
A This answer is correct! Software security assurance requires guidance documents and manuals, configuration management and vulnerability assessment, life cycle support, and assurance maintenance.
80
Software assurance is defined by what two items to help define management issues?

A- needs and expectations
B- confidentiality and integrity
C- threats and vulnerabilities
D- All of the above
A This answer is correct! Needs drive technical requirements, and expectations help define management issues to include constraints such as project schedule and cost. Together, needs and expectations are identified, analyzed and reported as part of the risk management framework authorization package.
81
Which of the following is not true of software assurance?

A- The objectives will impact an organization's risk exposure.
B- The objectives must be developed at the organizational, informational and enterprise levels.
C- The objectives must consider risk tolerance and mitigation strategies.
D- The objectives properly followed will guarantee software security.
D This answer is correct! The main objective of software assurance is to reduce software vulnerabilities, thereby achieving higher confidence in the software's security. However, software security cannot be guaranteed, even if the objectives are properly followed.
82
Which of the following is the best definition of open-source software (OSS)?

A- software that is available in source code form, with licensing that permits the user to study, use, change, and improve the software
B- operating systems software that cannot be changed
C- application systems software with the source code available at a minor cost
D- all of the above
A Correct! OSS is defined as software that is available in source code form, with licensing that permits the user to study, use, change, and improve the software.
83
Which of the following outlines the main advantage between open-source software (OSS) and proprietary software from the OSS perspective?

A- customizable source code
B- proprietary source code
C- purchasable source code
D- none of the above
A | Correct! OSS can be customized.
84
An organization has to consider which of the following when making decisions about open-source software (OSS)?

A- cost, functionality, reliability, security
B- cost, lines of code, security, server hosting
C- cost, underlying operating system, programming language, server hosting
D- cost, functionality, programming language, security
A | Correct! Organizations should consider cost, functionality, reliability, and security when making decisions about OSS.
85
Which of the following associations promotes open and free software?

A- Open Software Foundation (OSF)
B- Free Software Foundation (FSF)
C- Electronic Frontier Foundation (EFF)
D- all of the above
D | Correct! All of the organizations listed promote open and free software.
86
The NIST framework was established under which of the following orders?

A- FISMA
B- PDD-23
C- EO 13636
D- NIST 800-53
C Correct! Executive Order 13636, signed in February 2013, focused on critical infrastructure cybersecurity and established the requirement for the NIST cybersecurity framework.
87
Which of the following best describes the NIST framework?

A- It is a mandatory risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
B- It is a voluntary risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
C- It is a voluntary asset-based framework—a set of industry standards and best practices meant to help identify cybersecurity assets at risk.
D- It is a mandatory risk-based framework—a set of government-wide standards and best practices meant to help manage cybersecurity risks.
B Correct! The NIST framework is a voluntary risk-based framework—a set of industry standards and best practices meant to help manage cybersecurity risks.
88
Which of the following is true of the NIST framework?

A- The framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
B- The framework does not address critical infrastructure.
C- The framework is required only for organizations that do business with the US government.
D- The framework is required only for organizations that do business abroad.
A Correct! The NIST framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
89
Which of the following captures packets that travel the network and is used to capture users' passwords?

A- DDoS attack
B- spoofing
C- sniffers
D- MitM attack
C Correct! Sniffers capture packets that travel the network. Additionally, sniffers are sometimes able to collect sensitive information such as user account names and passwords.
90
One of the most common ways sniffers collect information is through ________.

A- phishing/social engineering
B- the physical attachment of the sniffer to a network device
C- the installation of the sniffer software on a local machine
D- the sniffer website
B Correct! Sniffers operate at the data-link layer of the network and commonly collect information by attaching to a network device.
91
Which of the following is true of an IP spoofing attack?

A- It convinces a system or user that the system or user is communicating with a trusted source.
B- It modifies the source addresses of trusted sources.
C- It can be used in a Smurf attack.
D- all of the above
D | Correct! All of the statements listed in this question are true of IP spoofing attacks.
92
Which of the following is impacted by a DDoS (distributed denial-of-service) attack?

A- confidentiality
B- integrity
C- nonrepudiation
D- availability
D Correct! In DDoS attacks, critical services or resources can be made unavailable to legitimate users in the network. DDoS attacks can result in the flooding of servers, making services provided by them (e.g., email) unavailable.
93
The difference between a DoS attack and a DDoS attack is which of the following?

A- DoS attacks can impact all parts of the CIA triad, whereas DDoS attacks impact only one part.
B- DoS attacks impact many nodes, whereas DDoS attacks impact only a few.
C- A DDoS attack can be a one-to-many attack, whereas DoS attacks can be only one-to-one.
D- DDoS cannot be detected by network-based IDS, but DoS can be.
C | Correct! DDoS attacks may be one-to-many, with one source impacting different points of presence.
94
There are several types of countermeasures in the software security arena. Which one can be used to restrict queries to only good or accepted types of input, defines what is accepted, and rejects queries that do not match the criteria?

A- checking input type
B- encoding inputs
C- pattern matching
D- SQL injection rejection
A This is correct! Checking input type restricts queries to only good or accepted types of input, defines what is accepted, and rejects queries that do not match the criteria.
95
All of the following can be used as countermeasures against phishing attacks except for which measure?

A- contacting the security administrator
B- using intrusion detection systems (IDSs) to block malicious domains
C- clicking on suspicious links or attachments in e-mails for validity
D- ensuring antivirus (AV) software and definitions are up to date
C Correct! Clicking on suspicious links or attachments in e-mails for validity should not be used as a countermeasure and, in fact, will put a network at risk.
96
Which of the following is a valid countermeasure against malicious code?

A- immediately opening all e-mails and downloading attachments
B- forwarding all suspicious e-mail to management
C- remaining current with operating system (O/S) service packs and software patches
D- none of the above
C | Correct! Remaining current with O/S service packs and software patches is a valid countermeasure against malicious code.
97
Which of the following is not a valid countermeasure for protecting passwords?

A- combining letters, numbers, and special characters to create a password
B- using a passphrase
C- saving passwords or login credentials in the browser
D- changing passwords according to your organization's policy
C | This is correct! It is never secure to save passwords or login credentials in your browser.
98
The Department of Defense (DoD) strongly restricts the use of removable media. Which of the following is allowed by the DoD?

A- following the organization's removable media policy for DoD personnel
B- using flash media when approved by the supervisor
C- using personally owned/nongovernment removable flash media on DoD systems
D- using government removable flash media on non-DoD/personal systems
A | This is correct! DoD personnel must follow their organization's removable media policy.
99
Which of the following is a countermeasure for Bluetooth wireless security?

A- enabling auto discovery
B- disabling auto discovery
C- bluesnarfing
D- uninstalling auto discovery
B Correct! Disabling auto discovery is a countermeasure for Bluetooth wireless security as it requires the user to approve any wireless connections.
100
SQL injection attacks compromise unsecured databases by exploiting user inputs that have not been validated. Which of the following is not a countermeasure in preventing SQL injection attacks?

A- input-type checking
B- encoding inputs
C- using Rich Site Summary (RSS) feeds on a corporate website
D- pattern matching
C | Correct! Using RSS feeds on a corporate website does not mitigate SQL injection attacks.
101
Which of the following is an effective countermeasure for preventing SQL injection attacks?

A- encoding inputs
B- decoding encrypted text
C- updating the firewall policy
D- storing backup records offsite
A | This is correct! Encoding inputs is an effective countermeasure against SQL injection attacks.
102
Which of the following countermeasures prevents user input from being interpreted as SQL statements?

A- encoding inputs
B- pattern matching
C- checking input type
D- installing antivirus (AV) software
This is correct! Encoding inputs prevents user input from being interpreted as SQL statements.
103
Which of the following is not a primary cause of cross-site scripting (XSS) attacks?

A- injection through user input
B- injection through server variables
C- defensive programming techniques
D- insufficient policies regarding database backup
D | Correct! Insufficient policies regarding database backup is not a primary cause of XSS attacks.
104
Which of the following are cross-site scripting (XSS) attack targets?

A- websites
B- e-mail servers
C- databases
D- office automation software
A Correct! XSS attacks typically target websites that have vulnerable coding or vulnerable web browsers.
105
Which of the following is a control measure to prevent cross-site scripting (XSS) attacks?

A- avoiding the use of ActiveX in a Windows environment
B- using cookies only at the intended websites
C- whitelisting certain websites
D- implementing policies regarding cybersecurity training
B | Correct! Preventing cookies from being used on other websites is an effective measure against XSS.
106
Cygnus Retail, Inc., is a retail distributor based in Oklahoma. The company has a 200,000-square-foot warehouse that stays open 24 hours a day. Currently, Cygnus has one guard at the entrance of the warehouse. There are 20 roll-up dock doors that are never closed because the warehouse is open the whole day. The company has been experiencing inventory loss and wants to reduce this shrinkage. Which system will be most effective for Cygnus?

A- burglar alarm
B- camera system
C- access control
D- fire alarm
B Correct! A comprehensive camera system will be effective in dealing with the issue of inventory shrinkage. Cameras can be placed at key areas to monitor and record entry, exit, and activity in the warehouse area.
107
RTI Finance International is a financial and investment consultancy firm. The company has a large office space that is located within a larger multi-office location. The company's office is organized into numerous divisions, which are physically partitioned. Some of the partitioned areas hold sensitive data. The company is predominantly concerned with employees freely accessing sensitive areas. Which system will be most effective in dealing with RTI's issue?

A- burglar alarm
B- camera system
C- access control
D- fire alarm
C Correct! Access control is the best solution, because it will allow RTI to control the flow of employees within its office space. Additionally, access control readers on the entry and exit doors can help control who enters the company's space from the common areas of the office building.
108
JK and Sons Insurance is a small insurance agency. The agency has an office with two doors, two windows, and a small reception area. The agency has two employees and houses only petty cash and a few computers. Which system will be most effective in securing the agency's office?

A- burglar alarm
B- camera system
C- access control
D- fire alarm
A Correct! A burglar alarm system will work best for this company. Using two door contacts, two window contacts, a glass break detector, and, possibly, a motion detector would adequately protect the office from general vandalism and burglary.
109
Betty's Beach Inn is a small boutique hotel that has opened in Malibu, California. The hotel has 10 rooms and a swimming pool and is aimed at budget travelers. The hotel is primarily concerned with preventing loss of life. Which system is most significant for saving life?

A- burglar alarm
B- camera system
C- access control
D- fire alarm
D | Correct! A fire alarm is the system most significant for saving lives.
110
Which of the following U.S. governmental organizations is responsible for advancing measurement science, standards, and technology, including that for computer systems?

A- FTC
B- FISMA
C- NIST
D- ISO
C Correct! The National Institute of Standards and Technology (NIST) is charged with advancing measurement science, standards, and technology (including computer systems) in the United States.
111
Which of the following acts gave the responsibility for developing guidelines for protecting unclassified, but sensitive information in government computers to the National Institute of Standards and Technology (NIST)?

A- Foreign Intelligence Surveillance Act (FISA)
B- Computer Security Act (CSA)
C- Federal Information Security Management Act (FISMA)
D- Internet Engineering Task Force Act (IETFA)
B This is correct! The CSA provided NIST with the responsibility for developing guidelines for protecting unclassified but sensitive information in government computers.
112
The National Institute of Standards and Technology (NIST) collaborates with which of the following agencies to establish a common foundation for information security across the federal government?

A- Internet Engineering Task Force (IETF)
B- U.S. Department of Defense (DoD)
C- Committee on National Security Systems (CNSS)
D- none of the above (NIST has full responsibility for this)
C Correct! The CNSS collaborates with NIST to establish a common foundation for information security across the federal government.
113
Which of the following acts was signed into law as part of the e-Government act of 2002 and requires each agency to inventory its major computer systems; identify and provide appropriate security protections; and develop, document, and implement an agency-wide information security program?

A- Sarbanes-Oxley (SOX)
B- Federal Information Security Management Act (FISMA)
C- Gramm–Leach–Bliley Act (GLBA)
D- Computer Security Act (CSA)
B Correct! FISMA was signed into law as part of the e-Government act of 2002 and requires each agency to inventory its major computer systems; identify and provide appropriate security protections; and develop, document, and implement an agency-wide information security program.
114
Which of the following organizations is the world's largest developer of nonbinding international standards relating to business and technology? One of its standards provides "guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization."

A- National Institute of Standards and Technology (NIST)
B- International Organization for Standardization (ISO)
C- National Institute of Standards and Technology (NIST) AND International Organization for Standardization (ISO)
D- none of the above
B Correct! The ISO is the world's largest developer of nonbinding international standards relating to business and technology, including providing "guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization."
115
Which parts of the CIA triad does encryption protect?

A- confidentiality and nonrepudiation
B- confidentiality and integrity
C- availability and authentication
D- confidentiality and availability
B Correct! Encryption protects confidentiality and integrity in the CIA (confidentiality, integrity, and availability) triad. Encryption protects confidentiality because it ensures that only authorized users have access to data by converting the data into a form that can be understood only by authorized recipients. Encryption also ensures that data remains in its intended state and is edited only by authorized personnel, which fits the definition of integrity.
116
Which of the following is true of encryption?

A- Encryption uses symmetric and asymmetric methods.
B- Encryption depends on the sharing of mutually established keys.
C- Encryption is not currently accepted by the NIST.
D- The first two answer choices are both true.
E- The first and third answer choices are both true.
A Correct! Encryption can use both symmetric and asymmetric methods, and encryption does depend on the sharing of mutually established keys.
117
Which of the following encryption schemes are based on the concepts of substitution and permutation?

A- symmetric and asymmetric
B- symmetric and AES
C- asymmetric and AES
D- AES only
B Correct! In symmetric-key encryption, including AES, which uses a symmetric key, the substitutions and permutations are carried out by the encryption algorithm.
118
Which of the following encryption schemes is based on the concept of solving difficult mathematical problems?

A- symmetric
B- asymmetric
C- MDA
D- RSA
B | Correct! Asymmetric encryption is based on the concept of solving difficult mathematical problems.
119
Which of the following is the most commonly used type of symmetric-key cipher?

A- stream cipher
B- RSA cipher
C- block cipher
D- none of the above
C This answer is correct! A block cipher is a symmetric-key cipher that uses fixed-length groups of bits against a symmetric key. Block ciphers are commonly and widely used to encrypt bulk data.
120
Which of the following is the most well-known symmetric-key encryption?

A- RSA
B- DES
C- AER
D- RC4
B This answer is correct! The Data Encryption Standard (DES) is a symmetric-key cipher that uses fixed-length plaintext and transforms it into another ciphertext of the same length. The block size is 64-bit. DES is the most well-known symmetric-key encryption.
121
Stream ciphers encrypt plaintext one bit at a time. Which of the following is NOT true of stream ciphers?

A- The keystream needs to appear to be a stream of random numbers.
B- If the keystream is random, the ciphertext that is generated will also be random.
C- The key needs to be long enough to ward off brute-force attacks—at least 128 bits.
D- A stream cipher with a properly designed pseudorandom number generator cannot be as secure as a block cipher of comparable key length.
This answer is correct! A stream cipher is a symmetric-key cipher that combines plaintext digits with a keystream. In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream to give a digit of the ciphertext stream. A stream cipher with a properly designed pseudorandom number generator can be just as secure as a block cipher of comparable key length.
122
Which of the following uses a stream cipher?

A- SSL
B- TLS
C- WEP and WPA
D- all of the above
D | This answer is correct! All of these technologies use stream ciphers.
123
Cyber offense can be described by which of the following?

A- uses cyber exploits or tools (malware and phishing)
B- tries to disable, damage, and destroy an enemy's physical infrastructure
C- resorts to bullets and bombs where necessary
D- employs cyber retaliatory practices
A | Correct! Cyber offense can be accomplished with the use of exploits and tools such as malware and phishing.
124
In his book Information Warfare, cybersecurity expert Winn Schwartau describes which of the following categories of information warfare?

A- cyberattacks are fought between two individuals.
B- cyber battles are fought between two corporations.
C- cyber wars are fought between two countries.
D- all of the above
D Correct! According to Winn Schwartau, cyberattacks are fought between two individuals, cyber battles are fought between two corporations, and cyber wars are fought between two countries.
125
Which of the following focuses on guiding the information operations of the US Armed Forces?

A- PDD-63
B- Joint Doctrine for Information Operations (JP 3-13)
C- NIST 802.3
D- PDD-21
B Correct! Joint Doctrine for Information Operations (JP 3-13) focuses on guiding the information operations of the US Armed Forces.
126
Which of the following types of warfare includes guerrilla warfare, subversion, sabotage, intelligence activities, and unconventional assisted recovery?

A- conventional warfare
B- unconventional warfare
C- acoustic warfare
D- biological warfare
B Correct! Unconventional warfare includes guerrilla warfare, subversion, sabotage, intelligence activities, and unconventional assisted recovery.
127
Which of the following was a warrior and wartime strategist who believed that war and politics cannot be separated? In his famous words, "War is the continuation of policy by other means."

A- Colonel J.J. Graham
B- General Carl von Clausewitz
C- Sun Tzu
D- Niccolò Machiavelli
B Correct! General Carl von Clausewitz was a warrior and wartime strategist who believed that war and politics cannot be separated. Among his famous words are "War is the continuation of policy by other means."
128
When an organization tries to intercept and examine a large number of messages that are coming across its network in order to deduce information, the organization is gathering which of the following?

A- surveillance information
B- intelligence
C- reconnaissance
D- none of the above
B Correct! When an organization intercepts and examines a large number of messages that are coming across its network in order to deduce information, the organization is gathering intelligence.
129
Which of the following organizations is a national-level, nonprofit organization that brings together the FBI, state and local law enforcement agencies, academia, and businesses for intelligence sharing?

A- International Crime Scene Investigators Association (ICSIA)
B- InfraGard
C- Internet Crime Complaint Center (IC3)
D- Interpol
B Correct! InfraGard is a national-level, nonprofit organization that brings together the FBI, state and local law enforcement agencies, academia, and businesses for intelligence and information sharing.
130
Which of the following organizations is a national-level, nonprofit organization that brings together the FBI, state and local law enforcement agencies, academia, and businesses for intelligence sharing?

A- PDD-63
B- Joint Doctrine for Information Operations (JP 3-13)*
C- NIST 802.3
D- Orlando Doctrine
D | Correct! The Orlando Doctrine, drafted in 2011, provides a forum for cybersecurity leaders to explore cyber operations.
131
Which of the following statements is true about software maintenance?

A- It is the part of the software development life cycle (SDLC) that takes the least amount of overall project time.
B- It is the part of the software development life cycle (SDLC) in which documentation is completed.
C- It is not a mandatory part of the software development life cycle (SDLC).
D- It is usually impacted by the lack of up-to-date documentation.
D This statement is correct! Software maintenance is a part of the SDLC, which is a continuous process for evaluating a system for relevancy, performance, and compliance with requirements. Software documentation is done throughout the process, as it is essential to software maintenance and needs to be kept up to date.
132
Due diligence is important to the software development life cycle (SDLC) and is supported by which of the following?

A- missing security policy documents
B- no separation of duties
C- systems current with patch management processes
D- none of the above
C This statement is correct! Due diligence is the act of ensuring that requirements are appropriately met for any development that has occurred. Using due diligence assessment, systems that are current with patch management processes can be determined.
133
Information technology (IT) professionals who document all of the changes made to a system and control updates and maintenance are likely responsible for which of the following?

A- security control management
B- change management
C- document management
D- program management
B This statement is correct! Change management occurs in the support phase and is the process by which IT professionals document all of the changes made to a system and control updates and maintenance.
134
When a hacker can penetrate a company's system through a zero-day exploit (ZDE), what is likely to be true in the organization?

A- The organization has a strong defense-in-depth system.
B- The hacker read about the company's vulnerabilities.
C- The company has limited defensive measures and limited monitoring of unusual activity.
D- All of the above are likely to be true.
This statement is correct! A zero-day vulnerability is an unknown flaw that becomes known to a hacker in some way. In a ZDE, the hacker quickly takes advantage of the vulnerability before it gets addressed.
135
Which of the following is the goal for a white-box tester performing a penetration test? A- to check for unauthorized servers that may be connected to the organization's network B- to collect digital forensics for evidence handling C- to identify unknown behaviors and services as defined in the organization's security policy D- to check for unauthorized servers that may be connected to the organization's network AND to identify unknown behaviors and services as defined in the organization's security policy
D This statement is correct! Both checking for unauthorized servers that may be connected to the organization's network and identifying unknown behaviors and services as defined in the organization's security policy are goals of penetration testing, so the combined option is the correct choice.
136
An analyst who has full knowledge when testing a system is performing which of the following? A- black-box testing B- zero-based testing C- infinite testing D- white-box testing
D This statement is correct! White-box testing (also known as clear-box testing, glass-box testing, transparent-box testing, and structural testing) is a type of testing that explores a system's internal structure for vulnerabilities, as opposed to its functionality. It is based on the analyst having full knowledge of how the system being tested works.
137
Which of the following methods of testing combines both white- and black-box techniques? A- penetration (pen) testing B- gray-box testing C- white-box testing D- black-box testing
B This statement is correct! Gray-box testing of a system uses some knowledge of the internals of a system, which is usually constrained to detailed design documents and architecture diagrams. This testing is used as a combination of both black- and white-box testing and combines aspects of each.
138
Which kind of testing makes use of software development use-case scenarios to provide feedback on the validity of lines of secure code? A- penetration testing B- gray-box testing C- white-box testing D- none of the above
D This statement is correct! None of the testing listed makes use of software development use-case scenarios to provide feedback on the validity of lines of secure code.
139
Which kind of testing is a combination type, proceeds without using any knowledge of the target environment, and makes use of knowing how an organization is structured? A- penetration (pen) testing B- gray-box testing C- white-box testing D- black-box testing
B This is a true statement. Gray-box testing of a system uses some knowledge of the internals of the system, which is usually constrained to detailed design documents and architecture diagrams. This testing is used as a combination of both black- and white-box testing and combines aspects of each model. It can proceed without using any knowledge of the target environment, and it makes use of any knowledge of how an organization is structured.
140
The NIST 800-37 rev. 1 Risk Management Framework guide provides for the following throughout the recommended software development steps: A- system definition, controls selection, development, implementation, and operation B- backup, recovery, intrusion detection, system retirement C- system definition, penetration testing, development, and operation D- backup, recovery, risk mitigation, and operation
A This statement is true! The Risk Management Framework uses the following steps: categorize, select, implement, assess, authorize, and monitor. Therefore, system definition, controls selection, development, implementation, and operation fit within that framework.
141
Which of the following is an example of black-box testing? A- simple use case testing that end-users perform to test functionality B- testing the "if, then, else" logic of the program code C- searching for hidden logic errors D- none of the above
A This is a true statement! Black-box testing is a type of testing in which the tester examines functionality. The tester does not explore internal systems and is not provided with access rights or code. Black-box testing can be applied to every level of software.
142
Black-box testing includes using which of the following tools? A- vulnerability scanning B- penetration testing C- interviews D- all of the above
D This is a true statement! All areas presented are covered in black-box testing.
143
Which of the following is an example of white-box testing? A- Simple use case testing that end-users perform to test functionality. B- Testing the "if, then, else" logic of the program code C- Searching for hidden logic errors where there is no access to code or test data D- None of the above
B This is a true statement! "If, then, else" is an area that is used in white-box testing.
144
In gray-box testing, which of the following is not true? A- User inputs and external interfaces can be tested. B- Software is examined from a user perspective by providing a wide variety of input scenarios. C- Removes tester's access to internal codes. D- Examiners proceed having full knowledge of the target environment.
D This statement is correct! In gray-box testing, examiners have only partial knowledge of the target environment (usually limited to detailed design documents and architecture diagrams), so they do not proceed with full knowledge of it.
145
Which of the following is not true about the waterfall model of application development? A- It was created after the software design that was first used in manufacturing. B- The waterfall model has a hierarchy of phases/steps. C- The waterfall model is used often for the development of large enterprise software. D- The waterfall model is not used often.
D Correct! The waterfall model is not in fact used often.
146
Which of the following sentences best describes extreme programming (XP)? A- A development model where requirements definition is not needed. B- XP is similar to the waterfall model, with shorter phases. C- A software development model designed for large complex systems. D- A methodology that only uses JAVA programming.
B Correct! The waterfall model and the extreme programming (XP) model are similar, except the XP model has shorter phases.
147
Object-oriented programming (OOP) is best described as which of the following? A- nonprocedural programming methodology using connected objects B- procedural programming methodology using connected objects C- programming language used for the development of graphics D- none of the above
A Correct! Object-oriented programming (OOP) is best described as nonprocedural programming methodology using connected objects.
148
Which of the following is not one of the five software development methodologies we have studied? A- waterfall model B- remote application development (RAD) C- joint application development (JAD) D- agile programming E- extreme programming
B Correct! We have not studied remote application development (RAD).
149
Applying software security should be included in which of the following software development methodologies? A- waterfall model B- rapid application development (RAD) C- joint application development (JAD) D- only waterfall and JAD because RAD is fast-moving E- all of the above
E Correct! Software security should be included in the software development for all methodologies.
150
Many life cycle models have been built upon which of the following traditional model frameworks? A- waterfall model B- joint application development (JAD) C- agile programming D- extreme programming (XP)
A This is correct! Many life cycle models have been built upon the waterfall model.
151
Which of the following best describes extreme programming (XP)? A- The phases are similar to the waterfall model. B- The phases are much shorter than other methodologies. C- The phases are much longer because of the extensive involvement of programmers. D- The phases are similar to the waterfall model and they are much shorter than other methodologies.
B Correct! In extreme programming (XP), the phases are similar to the waterfall model, and the phases are much shorter than other methodologies.
152
The agile software development methodology focuses on all of the following except? A- focuses on user requirements B- focuses on customer demands C- focuses on providing a stable, long-term project D- none of the above
C Correct! The agile software development methodology does not focus on providing a stable, long-term project.
153
The traditional software development life cycle (SDLC) has all of the following phases except which of the following? A- project initiation and planning B- functional requirements definition C- system design specifications D- security operations support
D The SDLC includes a requirements specification phase, design phase, implementation phase, testing phase, release phase, maintenance phase, and replace phase. None of these phases includes system operations support specifications.
154
Which of the following statements is true about end-of-life support? A- End-of-life support planning starts after the implementation phase of the project. B- Access control and data security are major concerns with systems that have become obsolete. C- End-of-life support planning does not include backup and recovery support. D- Although a system may be outdated or not meeting user needs, end of life implementation is not required.
B This statement is correct! Access control and data security are major concerns when systems are becoming obsolete and being discontinued, and they are included in end-of-life support.
155
The software development life cycle (SDLC) should represent which of the following? A- development model that focuses on security in every phase B- methodology designed to define and manage software risks C- programming implementation of such languages as Java and C++ D- rigid methodology with sequential phases
A This statement is correct! In order to protect software against threats, security should be considered in every phase of the development life cycle.
156
Which of the following statements best describes the design phase of the software development life cycle (SDLC)? A- The design phase is a logical view of the system. B- The design phase is a physical view of the system. C- Design phase security concerns have already been established in the analysis phase. D- Prototyping tools are not necessary in the design phase as they are used in the development phase.
B This statement is correct! The design phase in the SDLC creates the engineering design document and the detailed project plan. It identifies system needs and the implementation process.
157
Requests for proposals (RFPs) and service-level agreements (SLAs) are important for which of the following? A- extreme programming (XP) B- rapid application development (RAD) C- joint application development (JAD) D- software procurement
D This statement is correct! Software procurement is a phase of the software development life cycle in which an organization embarks on the purchase of existing software. This phase should begin with an RFP to identify and evaluate vendors, review software, and work with the organization’s executives to make the final choice. It is also important to consider the software-licensing agreement and the SLA during procurement.
158
Which of the following kinds of attacks exploits web applications redirecting malicious code to the web or an application server when security is not fully considered in the system development methodology? A- structured-query language (SQL) injection B- uniform resource identifier (URL) scripting C- cross-site scripting (XSS) D- distributed denial of service (DDoS)
C This statement is correct! XSS is a type of attack in which malicious code is sent to a web application, normally via a browser-side script, thereby exploiting the web application.
159
Which of the following best describes object-oriented programming (OOP)? A- nonprocedural programming methodology using connected objects B- procedural programming methodology using connected objects C- programming language used for the development of graphics D- none of the above
A This statement is correct! OOP is best described as a nonprocedural programming methodology using connected objects.