All in one study guide (Gibson) Flashcards

1
Q

How many years of experience are required to earn the Associate of (ISC)2 designation?

Zero

One

Two

Five

A

A. You don’t need to meet the experience requirement to earn the Associate of (ISC)2 designation, so zero years of experience are acceptable. The SSCP certification requires one year of direct full-time security work experience. If you earn the Associate of (ISC)2 designation, you have two years from the date (ISC)2 notifies you that you have passed the SSCP exam to obtain the required experience and apply to become a fully certified SSCP (which includes submitting the required endorsement form). The CISSP certification requires five years of experience.

2
Q

What are the three elements of the security triad?

Authentication, authorization, and accounting

Confidentiality, integrity, and availability

Identification, authentication, and authorization

Confidentiality, integrity, and authorization

A

B. The CIA security triad includes three fundamental principles of security designed to prevent losses in confidentiality, integrity, and availability. Authentication, authorization, and accounting are the AAAs of security, and identification, authentication, and authorization are required for accountability, but these are not part of the CIA security triad.

3
Q

Who is responsible for ensuring that security controls are in place to protect against the loss of confidentiality, integrity, or availability of their systems and data?

IT administrators

System and information owners

CFO

Everyone

A

B. System and information owners are responsible for ensuring that these security controls are in place. IT administrators or other IT security personnel might implement and maintain them. While it can be argued that the Chief Executive Officer (CEO) is ultimately responsible for all security, the Chief Financial Officer is responsible for finances, not IT security. Assigning responsibility to everyone results in no one taking responsibility.

4
Q

You are sending an e-mail to a business partner that includes proprietary data. You want to ensure that the partner can access the data but that no one else can. What security principle should you apply?

Authentication

Availability

Confidentiality

Integrity

A

C. Confidentiality helps prevent the unauthorized disclosure of data to unauthorized personnel, and you can enforce it with encryption in this scenario. Authentication allows a user to claim an identity (such as with a username) and prove the identity (such as with a password). Availability ensures that data is available when needed. Integrity ensures that the data hasn’t been modified.

5
Q

Your organization wants to ensure that attackers are unable to modify data within a database. What security principle is the organization trying to enforce?

Accountability

Availability

Confidentiality

Integrity

A

D. Integrity ensures that data is not modified, and this includes data within a database. Accountability ensures that systems identify users, track their actions, and monitor their behavior. Availability ensures that IT systems and data are available when needed. Confidentiality protects against the unauthorized disclosure of data.

6
Q

An organization wants to ensure that authorized employees are able to access resources during normal business hours. What security principle is the organization trying to enforce?

Accountability

Availability

Integrity

Confidentiality

A

B. Availability ensures that IT systems and data are available when needed, such as during normal business hours. Accountability ensures that users are accurately identified and authenticated, and their actions are tracked with logs. Integrity ensures that data is not modified. Confidentiality protects against the unauthorized disclosure of data to unauthorized users.

7
Q

An organization has created a disaster recovery plan. What security principle is the organization trying to enforce?

Authentication

Availability

Integrity

Confidentiality

A

B. Availability ensures that IT systems and data are available when needed. Disaster recovery plans help an organization ensure availability of critical systems after a disaster. Users prove their identity with authentication. Integrity provides assurances that data and systems have not been modified. Confidentiality protects against the unauthorized disclosure of data.

8
Q

Your organization has implemented a least privilege policy. Which of the following choices describes the most likely result of this policy?

It adds multiple layers of security.

No single user has full control over any process.

Users can only access data they need to perform their jobs.

It prevents users from denying they took an action.

A

C. The principle of least privilege ensures that users have access to the data they need to perform their jobs, but no more. Defense in depth ensures an organization has multiple layers of security. Separation of duties ensures that no single user has full control over any process. Nonrepudiation prevents users from denying they took an action.

9
Q

Your organization wants to implement policies that will deter fraud by dividing job responsibilities. Which of the following policies should they implement?

Nonrepudiation

Least privilege

Defense in depth

Separation of duties

A

D. Separation of duties helps prevent fraud by dividing job responsibilities and ensuring that no single person has complete control over an entire process. Nonrepudiation ensures that parties are not able to deny taking an action. The principle of least privilege ensures that users have only the rights and permissions they need to perform their jobs, but no more. Defense in depth provides a layered approach to security.

10
Q

Which one of the following concepts provides the strongest security?

Defense in depth

Nonrepudiation

Security triad

AAAs of security

A

A. Defense in depth provides a layered approach to security by implementing several different security practices simultaneously and is the best choice of the available answers to provide the strongest security. The security triad (confidentiality, integrity, and availability) identifies the main goals of security. Nonrepudiation prevents an individual from denying that he or she took an action. The AAAs of security are authentication, authorization, and accounting.

11
Q

Which of the following would a financial institution use to validate an e-commerce transaction?

Nonrepudiation

Least privilege

Authentication

Signature

A

A. Digital signatures are used by some online institutions to validate transactions and provide nonrepudiation. Least privilege ensures that users have only the rights and permissions they need to perform their jobs, and no more. Authentication verifies a user’s identity. A written signature is not used in e-commerce.

12
Q

What are the AAAs of information security?

Authentication, availability, and authorization

Accounting, authentication, and availability

Authentication, authorization, and accounting

Availability, accountability, and authorization

A

C. The AAAs of information security are authentication, authorization, and accounting. Availability is part of the CIA security triad (confidentiality, integrity, and availability), but it is not part of the AAAs of information security.

13
Q

You want to ensure that a system can identify individual users, track their activity, and log their actions. What does this provide?

Accountability

Availability

Authentication

Authorization

A

A. If a system can identify individual users, track their activity, and log their actions, it provides accountability. Availability ensures the system is operational when needed. Authentication identifies the individual using credentials. Authorization identifies resources that a user can access.

14
Q

Which of the following is required to support accountability?

Encryption

Authentication

Hashing

Redundant systems

A

B. Users prove their identity with authentication, and strong authentication mechanisms are required to support accountability. Encryption helps provide confidentiality. Hashing helps provide integrity. Redundant systems help provide availability.

15
Q

Which of the following statements accurately describes due care?

It is the practice of implementing security policies and procedures to protect resources.

Due care eliminates risk.

A company is not responsible for exercising due care over PII.

Organizations cannot be sued if they fail to exercise due care over resources such as customer data.

A

A. Due care is the practice of implementing security policies and procedures to protect resources. You cannot eliminate risk. A company is responsible for exercising due care over PII and can be sued if it fails to exercise due care.

16
Q

A user professes an identity by entering a user logon name and then enters a password. What is the purpose of the logon name?

Authentication

Accountability

Identification

Accounting

A

C. The logon name provides identification for the user. When combined with the username, the password provides authentication. Accountability is possible if a system can identify users and track their activities. Accounting is provided by logging after proper identification and authentication.

17
Q

Access controls protect assets such as files by preventing unauthorized access. What must occur before a system can implement access controls to restrict access to these types of assets?

Identification and authentication

Identification and accountability

Authentication and accounting

Accountability and availability

A

A. Identification and authentication must occur before a system can implement access controls. Identification is the act of a user professing an identity, and authentication occurs when an authentication system verifies the user’s credentials (such as a username and password). Without proper identification and authentication, it isn’t possible to restrict access to specific subjects. Accountability is not possible if an authentication system does not identify and authenticate users. Similarly, you can’t provide accurate accounting if users haven’t been identified and authenticated.

18
Q

Users are required to enter a different password each time they log on. What type of password is this?

Static password

Cognitive password

Passphrase

Dynamic password

A

D. A dynamic password is a one-time password that changes for each session. A static password stays the same over a period of time, such as 30 days. A cognitive password includes information that a user would know but isn’t necessarily public knowledge. A passphrase is a static password using a long string of characters that has meaning to the user.

19
Q

Authentication includes three types, or factors. Which of the following best describes these authentication methods?

Something you say, something you think, and something you are

Something you know, something you have, and something you type

Something you know, something you say, and something you are

Something you know, something you have, and something you are

A

D. The three factors of authentication are something you know, something you have, and something you are. Something you think, something you type, and something you say are not authentication factors.

20
Q

Which of the following choices does NOT ensure that a password is strong?

Ensuring that the password is of a sufficient length

Ensuring that the password is changed frequently

Ensuring that the password has a mixture of different character types

Ensuring that the password does not include any part of the user’s name

A

B. A password should be changed regularly, but doing so doesn’t ensure the password is strong. For example, if a user changes a password from “1234” to “4321,” it is not strong. The other options all contribute to the strength of a password. Note that this is an example of a question that can be switched to a multiple-correct-answer question. For example, it could be “Which of the following choices ensures that a password is strong? (Choose THREE).”

21
Q

What can be used to prevent a user from reusing the same password?

Minimum password age

Maximum password age

Password length

Password history

A

D. Password history remembers users’ previous passwords and prevents them from reusing passwords. The minimum password age is used with the password history to prevent users from changing their password repeatedly to get back to the original password. It is often set to one day. The maximum password age identifies when users must change their passwords. The password length identifies the minimum number of characters in the password.

22
Q

A user tries to log on to his bank account via the Internet with his username and password. The webpage then displays a message indicating a code was sent to his smartphone and prompts him to enter a six-digit code. What type of authentication is this?

One-factor authentication

Two-step authentication

Three-factor authentication

TOTP-based authentication

A

B. This is two-step authentication. It is not one-factor authentication because it requires the user to know something (the username and password) and have something (the smartphone) to retrieve the code. It is not three-factor authentication because it is not using biometric authentication (something you are). While two-step authentication might use the Time-based One-Time Password (TOTP) protocol, not all two-step authentication methods use TOTP. Some use the HMAC-based One-Time Password (HOTP) protocol.

23
Q

What form(s) of authentication are individuals using when they authenticate with a hardware token and a password?

Something they have only

Something they know only

Something they have and something they know

Something they have and something they are

A

C. The two factors of authentication are something they have (the hardware token) and something they know (the password). The third factor of authentication is something you are (using biometrics), but neither a hardware token nor a PIN uses biometrics.

24
Q

An organization uses a biometric system with a one-to-many search method. What does this system provide for the organization?

Authentication

Accountability

Authorization

Identification

A

D. Biometric systems used for identification use a one-to-many search method. They use the one biometric value (such as a fingerprint) provided by the user and search a database of many similar values (fingerprints) to find a match. Biometric systems used for authentication use a one-to-one search method. They use the biometric value provided by the user, along with the user’s claimed identity, and check to see if the value matches the value stored with the user’s account. Once a system identifies and authenticates a user, biometric systems are not used for accountability or authorization.

25
Q

An organization has been using an iris scanner for authentication but has noticed a significant number of errors. Assuming the iris scanner is a high-quality scanner, which of the following is MOST LIKELY affecting its accuracy?

False Acceptance Rate (FAR)

False Rejection Rate (FRR)

Sunlight shining into the scanner

Faulty laser beam

A

C. Lighting affects the accuracy of an iris scanner, so sunlight shining into the scanner’s aperture will affect the accuracy. The FAR and FRR indicate specific types of errors. An iris scanner does not use a laser beam.

26
Q

Which of the following metrics identifies the number of valid users that a biometric authentication system falsely rejects?

FAR

FRR

CER

AAA

A

B. The False Rejection Rate (FRR, also called a type 1 error) refers to the percentage of times a biometric system falsely rejects a known user. The False Acceptance Rate (FAR, also called a type 2 error) refers to the percentage of times a biometric system falsely identifies an unknown user. The Crossover Error Rate (CER) identifies where the FAR matches the FRR. AAA refers to the three As of security—authentication, authorization, and accounting.

27
Q

What is SSO?

A system that requires user credentials once and uses the same credentials for the entire session

An authentication system that requires users to use different credentials for each resource they access

A secure system used for operations

Any network that employs secure access controls

A

A. Single sign-on (SSO) requires users to log on once, and it uses the same credentials for any other resources accessed during the session. Users are not required to use different credentials for each resource with SSO. SSO is not a network.

28
Q

What type of service does Kerberos provide?

Authentication

Accounting

Availability

Accountability

A

A. Kerberos provides authentication. Accounting and accountability are possible if a system can identify users and track their activities, but Kerberos doesn’t provide logging of user activities. Availability ensures systems are operational when needed. While not listed as one of the answers, Kerberos also contributes to confidentiality and integrity.

29
Q

Of the following choices, what most accurately identifies the major drawback of SSO systems?

It allows users to access multiple systems after logging on once.

It increases the difficulty for users to log on.

It increases the administrative workload.

It risks maximum unauthorized access with compromised accounts.

A

D. A major concern with SSO systems is that if any single account is compromised, it maximizes the potential unauthorized access. A primary benefit is that SSO allows users to access multiple systems after logging on once. It decreases the difficulty for users to log on and decreases the administrative workload.

30
Q

What type of access control is subject based?

Discretionary

Non-discretionary

ABAC

Biba

A

A. A Discretionary Access Control (DAC) model assigns permissions to identities (subjects), making it a subject-based model. Not all non-discretionary models assign permissions to identities, so B is not the best answer. Attribute-based Access Control (ABAC) focuses on attributes of subjects, objects, and/or the environment. Biba is a MAC-based model that uses labels assigned to both subjects and objects to enforce integrity.

31
Q

What is the primary goal of the Bell-LaPadula model?

Enforce separation of duties

Enforce two-factor authentication

Enforce confidentiality

Enforce integrity

A

C. The Bell-LaPadula model has a primary goal of ensuring confidentiality. The Clark-Wilson and Brewer-Nash access control models help enforce the principle of separation of duties. The Biba model enforces integrity. Access control models do not enforce authentication factors.

32
Q

Which of the following models helps enforce the principle of separation of duties?

Brewer-Nash and Clark-Wilson

Brewer-Nash and Biba

Clark-Wilson and Bell-LaPadula

Biba and Bell-LaPadula

A

A. Both the Clark-Wilson model and the Brewer-Nash model enforce the principle of separation of duties. The Clark-Wilson model also enforces integrity, and the Brewer-Nash model also helps prevent conflicts of interest. Biba enforces integrity. Bell-LaPadula enforces confidentiality.

33
Q

Which of the following statements is true?

An access control matrix is object based and a capability table is object based.

An access control matrix is subject based and a capability table is object based.

An access control matrix is object based and a capability table is subject based.

An access control matrix is subject based and a capability table is subject based.

A

C. An access control matrix is object based and a capability table is subject based. An access control matrix is a list of objects along with the permissions granted for each object. A capability table is a list of subjects along with the capabilities granted to the subjects.

34
Q

Which of the following will disable an account if an attacker tries to guess the password multiple times?

A password policy

An account lockout policy

A password history

De-provisioning accounts

A

B. An account lockout policy can disable an account if an attacker (or a user) enters the wrong password too many times. The threshold is often set to three or five, causing an account to be locked out after a user enters the wrong password three or five times, respectively. A password policy ensures that users create strong passwords and regularly change their password. Password history prevents users from reusing the same password. De-provisioning refers to disabling and deleting inactive accounts.

35
Q

Which of the following actions is most appropriate if an employee leaves the company?

Delete the user’s account as soon as possible.

Disable the user’s account as soon as possible.

Change the user’s password as soon as possible.

Change the user’s permissions as soon as possible.

A

B. User accounts should be disabled as soon as possible after the user leaves the company under any circumstances. The account should not be deleted until it’s determined to be no longer needed. Changing the password without disabling the account still allows the account to be used. Disabling the account removes the access and is more direct than changing permissions.