Assessment Test

Question 1

1. What kind of recovery facility enables an organization to resume operations as quickly as possible, if not immediately, upon failure of the primary facility?

A. Hot site
B. Warm site
C. Cold site
D. All of the above

Answer 1

Answer: A

Hot sites provide backup facilities maintained in constant working order and fully capable of taking over business operations. Warm sites consist of preconfigured hardware and software to run the business, neither of which possesses the vital business information. Cold sites are simply facilities designed with power and environmental support systems but no configured hardware, software, or services. Disaster recovery services can facilitate and implement any of these sites on behalf of a company.

Question 2

2. What type of detected incident allows the most time for an investigation?

A. Compromise
B. Denial of service
C. Malicious code
D. Scanning

Answer 2

Answer: D

Scanning incidents are generally reconnaissance attacks. The real damage to a system comes in the subsequent attacks, so you may have some time to react if you detect the scanning attack early.

Question 3

3. Which of the following represent natural events that can pose a threat or risk to an organization?

A. Earthquake
B. Flood
C. Tornado
D. All of the above

Answer 3

Answer: D

Natural events that can threaten organizations include earthquakes, floods, hurricanes, tornados, wildfires, and other acts of nature as well. Thus options A, B, and C are correct because they are natural and not man made.

Question 4

4. Which one of the following vulnerabilities would best be countered by adequate parameter checking?

A. Time of check to time of use
B. Buffer overflow
C. SYN flood
D. Distributed denial of service

Answer 4

Answer: B

Parameter checking is used to prevent the possibility of buffer overflow attacks.

Question 5

5. Which of the following is considered a denial of service attack?

A. Pretending to be a technical manager over the phone and asking a receptionist to change their password
B. While surfing the Web, sending to a web server a malformed URL that causes the system to consume 100 percent of the CPU
C. Intercepting network traffic by copying the packets as they pass through a specific subnet
D. Sending message packets to a recipient who did not request them simply to be annoying

Answer 5

Answer: B

Not all instances of DoS are the result of a malicious attack. Errors in coding OSs, services, and applications have resulted in DoS conditions. Some examples of this include a process failing to release control of the CPU or a service consuming system resources out of proportion to the service requests it is handling. Social engineering and sniffing are typically not considered DoS attacks.

Question 6

6. The collection of components in the TCB that work together to implement reference monitor functions is called the _____________.

A. Security perimeter
B. Security Kernel
C. Access matrix
D. Constrained interface

Answer 6

Answer: B

The collection of components in the TCB that work together to implement reference monitor functions is called the security kernel.

Question 7

7. Why are military and intelligence attacks among the most serious computer crimes?

A. The use of information obtained can have far-reaching detrimental strategic effects on national interests in an enemy’s hands.
B. Military information is stored on secure machines, so a successful attack can be embarrassing.
C. The long-term political use of classified information can impact a country’s leadership.
D. The military and intelligence agencies have ensured that the laws protecting their information are the most severe.

Answer 7

Answer: A

The purpose of a military and intelligence attack is to acquire classified information. The detrimental effect of using such information could be nearly unlimited in the hands of an enemy. Attacks of this type are launched by very sophisticated attackers. It is often very difficult to ascertain what documents were successfully obtained. So when a breach of this type occurs, you sometimes cannot know the full extent of the damage.

Question 8

8. What is the length of a message digest produced by the MD5 algorithm?

A. 64 bits
B. 128 bits
C. 256 bits
D. 384 bits

Answer 8

Answer: B

The MD5 algorithm produces a 128-bit message digest for any input.

Question 9

9. Auditing is a required factor to sustain and enforce what?

A. Accountability
B. Confidentiality
C. Accessibility
D. Redundancy

Answer 9

Answer: A

Auditing is a required factor to sustain and enforce accountability.

Question 10

10. Which of the following is not a defense against collusion?

A. Separation of duties
B. Restricted job responsibilities
C. Group user accounts
D. Job rotation

Answer 10

Answer: C

Group user accounts allow for multiple people to log in under a single user account. This allows collusion because it prevents individual accountability.

Question 11

11. What type of malware uses social engineering to trick a victim into installing it?

A. Viruses
B. Worms
C. Trojan horse
D. Logic bomb

Answer 11

Answer: C

A Trojan horse is a form of malware that uses social engineering tactics to trick a victim into installing it—the trick is to make the victim believe that the only thing they have downloaded or obtained is the host file, when it fact it has a malicious hidden payload.

Question 12

12. Which of the following is a procedure designed to test and perhaps bypass a system’s security controls?

A. Logging usage data
B. War dialing
C. Penetration testing
D. Deploying secured desktop workstations

Answer 12

Answer: C

Penetration testing is the attempt to bypass security controls to test overall system security.

Question 13

13. Which of the following is not a composition theory related to security models?

A. Cascading
B. Feedback
C. Iterative
D. Hookup

Answer 13

Answer: C

Iterative is not one of the composition theories related to security models. Cascading, feedback, and hookup are the three composition theories.

Question 14

14. A VPN can be established over which of the following?

A. Wireless LAN connection
B. Remote access dial-up connection
C. WAN link
D. All of the above

Answer 14

Answer: D

A VPN link can be established over any other network communication connection. This could be a typical LAN cable connection, a wireless LAN connection, a remote access dial-up connection, a WAN link, or even an Internet connection used by a client for access to the office LAN.

Question 15

15. Which of the following statements is true?

A. The less complex a system, the more vulnerabilities it has.
B. The more complex a system, the less assurance it provides.
C. The less complex a system, the less trust it provides.
D. The more complex a system, the less attack surface it generates.

Answer 15

Answer: B

The more complex a system, the less assurance it provides. More complexity means more areas for vulnerabilities to exist and more areas that must be secured against threats. More vulnerabilities and more threats mean that the subsequent security provided by the system is less trustworthy.

Question 16

16. System architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery are elements of what security criteria?

A. Quality assurance
B. Operational assurance
C. Life cycle assurance
D. Quantity assurance

Answer 16

Answer: B

Assurance is the degree of confidence you can place in the satisfaction of security needs of a computer, network, solution, and so on. Operational assurance focuses on the basic features and architecture of a system that lend themselves to supporting security.

Question 17

17. Which one of the following is a layer of the ring protection scheme that is not normally implemented in practice?

A. Layer 0
B. Layer 1
C. Layer 3
D Layer 4

Answer 17

Answer: B

Layers 1 and 2 contain device drivers but are not normally implemented in practice. Layer 0 always contains the security kernel. Layer 3 contains user applications. Layer 4 does not exist.

Question 18

18. What is the last phase of the TCP/IP three-way handshake sequence?

A. SYN packet
B. ACK packet
C. NAK packet
D. SYN/ACK packet

Answer 18

Answer: B

The SYN packet is first sent from the initiating host to the destination host. The destination host then responds with a SYN/ACK packet. The initiating host sends an ACK packet, and the connection is then established.

Question 19

19. Which type of firewall automatically adjusts its filtering rules based on the content of the traffic of existing sessions?

A. Static packet filtering
B. Application-level gateway
C. Stateful inspection
D. Dynamic packet filtering

Answer 19

Answer: D

Dynamic packet-filtering firewalls enable the real-time modification of the filtering rules based on traffic content.

Question 20

20. Ring 0, from the design architecture security mechanism known as protection rings, can also be referred to as all but which of the following?

A. Privileged mode
B. Supervisory mode
C. System mode
D. User mode

Answer 20

Answer: D

Ring 0 has direct access to the most resources; thus user mode is not an appropriate label because user mode requires restrictions to limit access to resources.

Question 21

21. If Renee receives a digitally signed message from Mike, what key does she use to verify that the message truly came from Mike?

A. Renee’s public key
B. Renee’s private key
C. Mike’s public key
D. Mike’s private key

Answer 21

Answer: C

Any recipient can use Mike’s public key to verify the authenticity of the digital signature.

Question 22

22. Spamming attacks occur when numerous unsolicited messages are sent to a victim. Because enough data is sent to the victim to prevent legitimate activity, it is also known as what?

A. Sniffing
B. Denial of service
C. Brute-force attack
D. Buffer overflow attack

Answer 22

Answer: B

A spamming attack (sending massive amounts of unsolicited email) can be used as a type of denial-of-service attack. It doesn’t use eavesdropping methods so isn’t sniffing. Brute force methods attempt to crack passwords. Buffer overflow attacks send strings of data to a system in an attempt to cause it to fail.

Question 23

23. In what phase of the Capability Maturity Model for Software (SW-CMM) are quantitative measures utilized to gain a detailed understanding of the software development process?

A. Repeatable
B. Defined
C. Managed
D. Optimizing

Answer 23

Answer: C

The Managed phase of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management.

Question 24

24. Audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and cyclic redundancy checks (CRCs) are examples of what?

A. Directive controls
B. Preventive controls
C. Detective controls
D. Corrective controls

Answer 24

Answer: C

Examples of detective controls are audit trails, logs, CCTV, intrusion detection systems, antivirus software, penetration testing, password crackers, performance monitoring, and CRCs.

Question 25

25. In what type of cipher are the letters of the plain-text message rearranged to form the cipher text?

A. Substitution cipher
B. Block cipher
C. Transposition cipher
D. One-time pad

Answer 25

Answer: C

Transposition ciphers use an encryption algorithm to rearrange the letters of the plain-text message to form a cipher text message.

Question 26

26. Define and detail the aspects of password selection that distinguish good password choices from ultimately poor password choices.

A. Difficult to guess or unpredictable
B. Meet minimum length requirements
C. Meet specific complexity requirements
D. All of the above

Answer 26

Answer: D

Strong password choices are difficult to guess, unpredictable, and of specified minimum lengths to ensure that password entries cannot be computationally determined. They may be randomly generated and utilize all the alphabetic, numeric, and punctuation characters; they should never be written down or shared; they should not be stored in publicly accessible or generally readable locations; and they shouldn’t be transmitted in the clear.

Question 27

27. What is the first step of the business impact assessment process?

A. Identification of priorities
B. Likelihood assessment
C. Risk identification
D. Resource prioritization

Answer 27

Answer: A

Identification of priorities is the first step of the business impact assessment process.

Question 28

28. At which layer of the OSI model does a router operate?

A. Network layer
B. Layer 1
C. Transport layer
D. Layer 5

Answer 28

Answer: A

Network hardware devices, including routers, function at layer 3, the Network layer.

Question 29

29. Which type of intrusion detection system (IDS) can be considered an expert system?

A. Host-based
B. Network-based
C. Knowledge-based
D. Behavior-based

Answer 29

Answer: D

A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. A knowledge-based IDS uses a database of known attack methods to detect attacks. Both host-based and network-based systems can be either knowledge-based, behavior-based, or a combination of both.

Question 30

30. What is the value of the logical operation shown here?

X: 0 1 1 0 1 0
Y: 0 0 1 1 0 1
___________________________
X ˅ Y: ?

A. 0 1 1 1 1 1
B. 0 1 1 0 1 0
C. 0 0 1 0 0 0
D. 0 0 1 1 0 1

Answer 30

Answer: A

The ~OR symbol represents the OR function, which is true when one or both of the input bits are true.

Question 31

31. What type of evidence refers to written documents that are brought into court to prove a fact?

A. Best evidence
B. Payroll evidence
C. Documentary evidence
D. Testimonial evidence

Answer 31

Answer: C

Written documents brought into court to prove the facts of a case are referred to as documentary evidence.

Question 32

32. A data custodian is responsible for securing resources after _________________ has assigned the resource a security label.

A. Senior management
B. Data owner
C. Auditor
D. Security staff

Answer 32

Answer: B

The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately.

Question 33

33. If you want to restrict access into or out of a facility, which would you choose?

A. Gate
B. Turnstile
C. Fence
D. Mantrap

Answer 33

Answer: B

A turnstile is a form of gate that prevents more than one person from gaining entry at a time and often restricts movement to one direction. It is used to gain entry but not exit, or vice versa.

Question 34

34. Which of the following is most likely to detect DoS attacks?

A. Host-based IDS
B. Network-based IDS
C. Vulnerability scanner
D. Penetration testing

Answer 34

Answer: B

Network-based IDSs are usually able to detect the initiation of an attack or the ongoing attempts to perpetrate an attack (including denial of service, or DoS). They are, however, unable to provide information about whether an attack was successful or which specific systems, user accounts, files, or applications were affected. Host-based IDSs have some difficulty with detecting and tracking down DoS attacks. Vulnerability scanners don’t detect DoS attacks; they test for possible vulnerabilities. Penetration testing may cause a DoS or test for DoS vulnerabilities, but it is not a detection tool.

Question 35

35. What is the formula used to compute the ALE?

A. ALE = AV * EF * ARO
B. ALE = ARO * EF
C. ALE = AV * ARO
D. ALE = EF * ARO

Answer 35

Answer: A

The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). This is the longer form of the formula ALE = SLE*ARO. The other formulas displayed here do not accurately reflect this calculation.

Question 36

36. Which of the following types of access control seeks to discover evidence of unwanted, unauthorized, or illicit behavior or activity?

A. Preventive
B. Deterrent
C. Detective
D. Corrective

Answer 36

Answer: C

Detective access controls are used to discover (and document) unwanted or unauthorized activity.

Question 37

37. The CIA Triad comprises what elements?

A. Contiguousness, interoperable, arranged
B. Authentication, authorization, accountability
C. Capable, available, integral
D. Availability, confidentiality, integrity

Answer 37

Answer: D

The components of the CIA Triad are confidentiality, availability, and integrity.

Question 38

38. What form of intellectual property is used to protect words, slogans, and logos?

A. Patent
B. Copyright
C. Trademark
D. Trade secret

Answer 38

Answer: C

Trademarks are used to protect the words, slogans, and logos that represent a company and its products or services.

Question 39

39. Which of the following is not a required component in the support of accountability?

A. Auditing
B. Privacy
C. Authentication
D. Authorization

Answer 39

Answer: B

Privacy is not necessary to provide accountability.

Question 40

40. What is the point of a secondary verification system?

A. To verify the identity of a user
B. To verify the activities of a user
C. To verify the completeness of a system
D. To verify the correctness of a system

Answer 40

Answer: D

Secondary verification mechanisms are set in place to establish a means of verifying the correctness of detection systems and sensors. This often means combining several types of sensors or systems (CCTV, heat and motion sensors, and so on) to provide a more complete picture of detected events.